[metadata] creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" updated_date = "2024/10/28" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." [rule] author = ["Elastic"] description = """ Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer. """ from = "now-9m" index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"] language = "kuery" license = "Elastic License v2" name = "Potential Active Directory Replication Account Backdoor" note = """## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure) ``` """ references = [ "https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set" ] risk_score = 47 rule_id = "f8822053-a5d2-46db-8c96-d460b12c36ac" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"] timestamp_override = "event.ingested" type = "query" query = ''' event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and winlog.event_data.AttributeValue : ( ( *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-* ) ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1003" reference = "https://attack.mitre.org/techniques/T1003/" name = "OS Credential Dumping" [[rule.threat.technique.subtechnique]] id = "T1003.006" reference = "https://attack.mitre.org/techniques/T1003/006/" name = "DCSync" [rule.threat.tactic] id = "TA0006" reference = "https://attack.mitre.org/tactics/TA0006/" name = "Credential Access"