AdminSDHolder SDProp Exclusion Added

Author
Elastic
Source
upstream

Identifies a modification of the dSHeuristics attribute at the position (the 16th character, dwAdminSDExMask) that holds the configuration of groups excluded from the SDProp process. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object; if the permissions on any protected account or group do not match, they are reset to match those of the domain's AdminSDHolder object. Groups excluded through this setting (a non-zero 16th character) are skipped, so any permissions an attacker has added to them remain in place. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.

MITRE ATT&CK coverage

Tactic                 Techniques
Initial Access         T1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts
Persistence            T1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts, T1098 Account Manipulation
Privilege Escalation   T1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts, T1098 Account Manipulation, T1484 Domain or Tenant Policy Modification
Defense Evasion        T1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts, T1484 Domain or Tenant Policy Modification

Event coverage

Provider             Event ID   Title
Security-Auditing    5136       A directory service object was modified.

Stages and Predicates

Stage 1: eql:any

winlog.event_data.AttributeLDAPDisplayName:"dSHeuristics" and winlog.event_data.AttributeValue:"[0-9]{15}([1-9a-f]).*"
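To make the predicate above and the description of the 16th character concrete, here is an added example (not Elastic's code and not part of this rule page) that applies the same logic to a handful of constructed 5136 events and decodes which operator groups a matching value excludes from SDProp. Field names follow the flattened winlog.event_data.* names used in the predicate; the sample events, user names and the OperationType resource strings are constructed for illustration, and the bit meanings of dwAdminSDExMask come from MS-ADTS.

```python
import re
from typing import Dict, List, Optional

# Meaning of each bit in dwAdminSDExMask, the 16th character of dSHeuristics
# (MS-ADTS 6.1.1.2.4.1.2). A set bit excludes that group from SDProp.
ADMINSDEXMASK_BITS = {
    0x1: "Account Operators",
    0x2: "Server Operators",
    0x4: "Print Operators",
    0x8: "Backup Operators",
}

# The rule's regex: 15 digit characters, then a non-zero hex digit in position 16.
# Elasticsearch regex queries match the whole value, hence fullmatch() below.
# As written it only accepts lowercase a-f in the 16th position.
RULE_PATTERN = re.compile(r"[0-9]{15}([1-9a-f]).*")


def excluded_groups(ds_heuristics: str) -> List[str]:
    """Decode which operator groups the 16th character excludes from SDProp."""
    if len(ds_heuristics) < 16:
        return []
    try:
        mask = int(ds_heuristics[15], 16)
    except ValueError:
        return []
    return [name for bit, name in ADMINSDEXMASK_BITS.items() if mask & bit]


def evaluate_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Apply the rule's predicate to one flattened 5136 event; return an alert or None."""
    if event.get("event.code") != "5136":
        return None
    if event.get("winlog.event_data.AttributeLDAPDisplayName") != "dSHeuristics":
        return None
    value = event.get("winlog.event_data.AttributeValue", "")
    if not RULE_PATTERN.fullmatch(value):
        return None
    return {
        "subject": event.get("winlog.event_data.SubjectUserName"),
        "operation": event.get("winlog.event_data.OperationType"),
        "value": value,
        "excluded_groups": excluded_groups(value),
    }


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the predicate over a batch of events and collect the alerts."""
    return [a for a in (evaluate_event(e) for e in events) if a is not None]


# Constructed sample events (hypothetical, not real log data).
SAMPLE_EVENTS = [
    {   # benign: only 7 characters long, 16th character absent
        "event.code": "5136",
        "winlog.event_data.SubjectUserName": "admin1",
        "winlog.event_data.OperationType": "%%14674",  # Value Added
        "winlog.event_data.AttributeLDAPDisplayName": "dSHeuristics",
        "winlog.event_data.AttributeValue": "0000002",
    },
    {   # suspicious: 16th character 'f' excludes all four operator groups
        "event.code": "5136",
        "winlog.event_data.SubjectUserName": "jdoe",
        "winlog.event_data.OperationType": "%%14674",
        "winlog.event_data.AttributeLDAPDisplayName": "dSHeuristics",
        "winlog.event_data.AttributeValue": "000000000100000f",
    },
    {   # unrelated attribute change, must not match
        "event.code": "5136",
        "winlog.event_data.SubjectUserName": "jdoe",
        "winlog.event_data.OperationType": "%%14674",
        "winlog.event_data.AttributeLDAPDisplayName": "msDS-Behavior-Version",
        "winlog.event_data.AttributeValue": "7",
    },
    {   # clean-up: the old value is logged as "Value Deleted" and still matches
        "event.code": "5136",
        "winlog.event_data.SubjectUserName": "admin1",
        "winlog.event_data.OperationType": "%%14675",  # Value Deleted
        "winlog.event_data.AttributeLDAPDisplayName": "dSHeuristics",
        "winlog.event_data.AttributeValue": "000000000100000f",
    },
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Two things the run makes visible: the alert carries which operator groups the new value excludes, which is the detail a responder needs to check for leftover ACEs, and the predicate fires on the "Value Deleted" half of a revert as well as on the original change, because it does not filter on OperationType. Triage should therefore look at the paired 5136 events for the same object rather than at a single hit.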

Indicators

Each row is a field, the kind of match applied to it, and the value the rule looks for.

Field                                         Kind       Values
winlog.event_data.AttributeLDAPDisplayName    wildcard   dSHeuristics
winlog.event_data.AttributeValue              match      [0-9]{15}([1-9a-f]).*