detection-rules
[Meta] Explore Detection Opportunities on Active Directory Object Ownership and Privilege Assignment
Parent Epic
https://github.com/elastic/ia-trade-team/issues/276
Summary
Explore how attackers abuse object ownership issues for privilege escalation, lateral movement, and persistence.
- [ ] Read the whitepaper and decide on scenarios that can be simulated with low to medium effort
- [ ] Document and do it
- [ ] Ship detections and hunting queries
- [ ] STRETCH: Ingest Pipelines to parse basic SDDL
Resources:
- https://www.hub.trimarcsecurity.com/post/trimarc-whitepaper-owner-or-pwnd
- https://happycamper84.medium.com/get-acl-cheatsheet-f7871edf247f
- https://happycamper84.medium.com/dangerous-rights-cheatsheet-33e002660c1d
- https://happycamper84.medium.com/sddl-what-is-it-does-it-matter-2e5aeaa43b91
PRs
- TBD
DACL Abuse: User-Force-Change-Password

```
event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
winlog.event_data.AttributeValue : *00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-*
```
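As an added illustration of the hunt logic above and of the "parse basic SDDL" stretch item (example code written here, not from the detection-rules repo): a minimal parser for the DACL portion of an nTSecurityDescriptor SDDL value, reporting allow ACEs that grant the User-Force-Change-Password extended right to domain SIDs. The sample SDDL and SIDs are constructed; unlike the wildcard query, it skips deny (OD) ACEs, which the query string would also match.

```python
import re

# Extended-right GUID used in the detection query above (User-Force-Change-Password).
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

# Each ACE is a parenthesised, semicolon-separated tuple:
#   (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl_aces(sddl):
    """Return the DACL ACEs of a basic SDDL string as dicts.

    Only the common form is handled: owner/group prefix, "D:" with optional
    DACL flags, then ACEs. Conditional ACEs and resource attributes are not parsed.
    """
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]  # drop the SACL section if one follows
    aces = []
    for match in ACE_RE.finditer(dacl):
        fields = match.group(1).split(";")
        if len(fields) < 6:
            continue  # not a basic ACE; skip rather than guess
        aces.append({
            "type": fields[0],
            "flags": fields[1],
            "rights": fields[2],
            "object_guid": fields[3].lower(),
            "inherit_guid": fields[4].lower(),
            "sid": fields[5],
        })
    return aces


def force_change_password_grants(sddl):
    """ACEs that mirror the query's intent: an object-specific allow ACE (OA) for
    User-Force-Change-Password whose trustee is a domain principal (S-1-5-21-*).
    Deny ACEs (OD) are excluded even though the wildcard query would match them."""
    return [
        ace for ace in parse_sddl_aces(sddl)
        if ace["type"] == "OA"
        and ace["object_guid"] == USER_FORCE_CHANGE_PASSWORD
        and ace["sid"].startswith("S-1-5-21-")
    ]


# Constructed sample: Domain Admins full control, one allow grant and one deny
# of User-Force-Change-Password to two fictitious domain accounts.
SAMPLE_SDDL = (
    "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
)
```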
Update Oct 22
Pushed to Q3 to support the CrowdStrike third-party EDR work.
TrustedSec did an awesome series that covers a lot of my DACL-based detection ideas:
- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
- https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-part-1b
- https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-part-2
- https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-part-3
- https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-the-addendum