Detection rules › Elastic
Potential Active Directory Replication Account Backdoor
Identifies modification of the nTSecurityDescriptor attribute on a domain object that grants DCSync-related replication rights to a user or computer account. Attackers can use this backdoor to regain access to the password hashes of any user or computer.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
| Privilege Escalation | T1098 Account Manipulation |
| Credential Access | T1003 OS Credential Dumping, T1003.006 OS Credential Dumping: DCSync |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: kql:query
winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and winlog.event_data.AttributeValue:"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-" and winlog.event_data.AttributeValue:"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-" and winlog.event_data.AttributeValue:"89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| winlog.event_data.AttributeLDAPDisplayName | eq | nTSecurityDescriptor |
| winlog.event_data.AttributeValue | wildcard | 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-, 89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21- |
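As an added illustration, not part of the Elastic rule or of this catalog, the following Python replays the Stage 1 query over constructed Event ID 5136 records and then goes one step further than the query: it parses the nTSecurityDescriptor SDDL value ACE by ACE to report which domain SID actually received all three DCSync-related extended rights. The event shape, the SDDL strings, the domain SID, and the helper names (`matches_rule`, `dcsync_grantees`, `alerts`) are assumptions made for the example; case-insensitive substring tests stand in for the wildcard kind listed in the indicator table.

```python
import re

# The three extended-rights GUIDs from the rule's query; holding all three on the
# domain object is what allows DCSync-style replication of secrets.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
DCSYNC_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# The query only matches trustees under the domain SID prefix, so well-known
# principals such as Enterprise Domain Controllers (S-1-5-9) are left out.
DOMAIN_SID_PREFIX = "S-1-5-21-"

# One ACE inside an SDDL string: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^()]*)\)")


def matches_rule(event):
    """Replicates the Stage 1 KQL: attribute is nTSecurityDescriptor and the new
    value contains all three 'GUID;;S-1-5-21-' fragments (wildcard semantics,
    modelled here as case-insensitive substring tests)."""
    data = event.get("winlog", {}).get("event_data", {})
    if data.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return False
    value = data.get("AttributeValue", "").lower()
    return all(f"{guid};;{DOMAIN_SID_PREFIX.lower()}" in value for guid in DCSYNC_RIGHTS)


def dcsync_grantees(sddl):
    """Parse each ACE and return (sids_with_all_three_rights, rights_by_sid).
    Unlike the substring test, this confirms that one trustee holds every right."""
    rights_by_sid = {}
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed or not an object ACE
        ace_type, _flags, _rights, object_guid, _inherit_guid, trustee = fields[:6]
        object_guid = object_guid.lower()
        trustee = trustee.upper()
        if (ace_type.upper() == "OA" and object_guid in DCSYNC_RIGHTS
                and trustee.startswith(DOMAIN_SID_PREFIX)):
            rights_by_sid.setdefault(trustee, set()).add(DCSYNC_RIGHTS[object_guid])
    full = sorted(sid for sid, rights in rights_by_sid.items() if len(rights) == len(DCSYNC_RIGHTS))
    return full, rights_by_sid


# Constructed sample data (assumed domain SID and SDDL; not real telemetry).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
BACKDOOR_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES};;{DOMAIN}-1105)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES_ALL};;{DOMAIN}-1105)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET};;{DOMAIN}-1105)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES};;S-1-5-9)"  # well-known trustee, ignored by the rule
)
PARTIAL_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES};;{DOMAIN}-1120)"
    f"(OA;;CR;{DS_REPLICATION_GET_CHANGES_ALL};;S-1-5-9)"
)
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 5136, "event_data": {
        "AttributeLDAPDisplayName": "description", "AttributeValue": "print server"}}},
    {"winlog": {"event_id": 5136, "event_data": {
        "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": PARTIAL_SDDL}}},
    {"winlog": {"event_id": 5136, "event_data": {
        "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": BACKDOOR_SDDL}}},
]


def alerts(events):
    """Run the rule over a batch; return (event index, SIDs holding all three rights)."""
    hits = []
    for i, ev in enumerate(events):
        if matches_rule(ev):
            full, _ = dcsync_grantees(ev["winlog"]["event_data"]["AttributeValue"])
            hits.append((i, full))
    return hits


if __name__ == "__main__":
    for idx, sids in alerts(SAMPLE_EVENTS):
        print(f"event {idx}: DCSync rights granted to {sids}")
```

The ACE parse is the part worth keeping in a triage playbook: the three substring tests in the query are independent, so they are also satisfied when the three rights land on three different domain accounts, and the parse tells the analyst which SID, if any, ended up with the complete set. On the constructed data only the third event fires, and the grantee is the RID 1105 account.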