security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
sigma-rules/rules_building_block/defense_evasion_write_dac_access.toml
T
Mika Ayenson, PhD 8993d1450b [Rule Tuning] Add Supplemental Mitre Mappings (#5876) 
---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2026-04-01 09:12:42 -05:00

94 lines
2.8 KiB
TOML
Raw Permalink Blame History

[metadata]
creation_date = "2023/08/15"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write
Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated
with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other
compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation,
lateral movement, and persistence.
"""
from = "now-119m"
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"]
interval = "60m"
language = "kuery"
license = "Elastic License v2"
name = "WRITEDAC Access on Active Directory Object"
references = [
"https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf",
]
risk_score = 21
rule_id = "f5861570-e39a-4b8a-9259-abd39f84cb97"
setup = """## Setup
The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Access (Success,Failure)
```
"""
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
"Rule Type: BBR",
"Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type: "windows" and event.action : ("Directory Service Access" or "object-operation-performed") and
event.code : "4662" and winlog.event_data.AccessMask:"0x40000"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[[rule.threat.technique.subtechnique]]
id = "T1222.001"
name = "Windows File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink