diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index a95ac0fbf..66e6a0f60 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -57,7 +57,7 @@ This rule monitors for when a Windows Event ID 4662 (Operation was performed on
 ## Setup
-The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 ```
@@ -68,7 +68,7 @@ Security Settings >
 Advanced Audit Policies Configuration >
 Audit Policies >
 DS Access >
-Audit Directory Service Changes (Success,Failure)
+Audit Directory Service Access (Success,Failure)
 ```
 """
 references = [
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 547ae022d..20bf29c1e 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -57,7 +57,7 @@ This rule monitors for Event ID 4662 (Operation was performed on an Active Direc
 ## Setup
-The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 ```
@@ -68,7 +68,7 @@ Security Settings >
 Advanced Audit Policies Configuration >
 Audit Policies >
 DS Access >
-Audit Directory Service Changes (Success,Failure)
+Audit Directory Service Access (Success,Failure)
 ```
 """
 references = [
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index b3859d46a..775a8278d 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -21,7 +21,7 @@ note = """## Setup
 ## Setup
-The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
 Steps to implement the logging policy with Advanced Audit Configuration:
 ```
@@ -32,7 +32,7 @@ Security Settings >
 Advanced Audit Policies Configuration >
 Audit Policies >
 DS Access >
-Audit Directory Service Changes (Success,Failure)
+Audit Directory Service Access (Success,Failure)
 ```
 """
 references = [
diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml
new file mode 100644
index 000000000..fb30a9900
--- /dev/null
+++ b/rules_building_block/defense_evasion_write_dac_access.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/08/15"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write
+Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated
+with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other
+compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation,
+lateral movement, and persistence.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "WRITEDAC Access on Active Directory Object"
+setup = """
+The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Access (Success,Failure)
+```
+"""
+references = [
+ "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"
+]
+risk_score = 21
+rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.action:"Directory Service Access" and event.code:"5136" and
+ winlog.event_data.AccessMask:"0x40000"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1222"
+reference = "https://attack.mitre.org/techniques/T1222/"
+name = "File and Directory Permissions Modification"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
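Review bot: The query in the new rule pairs `event.code:"5136"` with `winlog.event_data.AccessMask:"0x40000"`, but as far as the Windows security event schema goes, 5136 ("A directory service object was modified") is emitted by the Audit Directory Service Changes subcategory and carries no AccessMask field; the access mask (where 0x40000 is WRITE_DAC) is reported on 4662, which is the event the rule's own setup section (Audit Directory Service Access) enables and which the other three rules in this commit query. As written the query looks like it can never match on a correctly audited domain controller, so the building block would silently produce nothing. Suggested change to the first query line: `event.action:"Directory Service Access" and event.code:"4662" and`. It would also help the next maintainer to record in the description that 0x40000 is the WRITE_DAC access right, since the constant is otherwise opaque.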