
Windows AD AdminSDHolder ACL Modified

Author: Mauricio Velazco, Dean Luxton, Splunk
Source: upstream

The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.

MITRE ATT&CK coverage

Tactic               | Technique
Persistence          | T1546 Event Triggered Execution
Privilege Escalation | T1546 Event Triggered Execution

Event coverage

Provider          | Event ID | Title
Security-Auditing | 5136     | A directory service object was modified.

Stages and Predicates

Stage 1: search

search EventCode=5136 ObjectClass="container" ObjectDN="CN=AdminSDHolder,CN=System*"

Stage 2: stats

stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId

Stage 3: rex

rex field=old_value ...

Stage 4: rex

rex field=new_value ...

Stage 5: mvexpand

mvexpand

Stage 6: where

where NOT new_ace="old_values"

Stage 7: rex

rex field=new_ace ...

Stage 8: rex

rex field=aceAccessRights ...

Stage 9: rex

rex field=aceFlags ...

Stage 10: lookup

lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid

Stage 11: lookup

lookup <lookup> AccessRights, access_rights_string, access_rights_value

Stage 12: lookup

lookup <lookup> aceType, ace_type_string, ace_type_value

Stage 13: lookup

lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value

Stage 14: lookup

lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string

Stage 15: eval

eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)

Stage 16: stats

stats BY ObjectClass, ObjectDN, src_user, user

Stage 17: eval

eval ...

Stage 18: search

search NOT aceType IN ("*denied*", "D", "OD", "XD") aceAccessRights IN ("All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Full control", "Modify owner", "Modify permissions", "Write all properties", "CC", "CR", "DC", "DT", "SD", "SW", "WD", "WO", "WP")

Stage 19: search

search `macro`
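The pipeline above extracts the ACEs from the old and new nTSecurityDescriptor values, keeps only ACEs that were added, drops deny entries and alerts on dangerous rights. The following Python is an added example of that core logic, not the rule's own SPL: it parses SDDL ACE strings as they appear in the 5136 attribute values and diffs them. The sample descriptors and SIDs are constructed; treating GA (generic all) as "Full control" is an assumption made here.

```python
import re
from typing import NamedTuple

# Rights abbreviations the rule's stage 18 treats as dangerous when granted on
# AdminSDHolder; GA (generic all, i.e. full control) is added here as an assumption.
DANGEROUS_RIGHTS = {"CC", "CR", "DC", "DT", "SD", "SW", "WD", "WO", "WP", "GA"}
# ACE types the rule ignores (its "*denied*", D, OD, XD exclusion): deny ACEs do not widen access.
DENY_TYPES = {"D", "OD", "XD"}

ACE_RE = re.compile(r"\((?P<ace>[^()]*)\)")  # every "(...)" group of an SDDL DACL is one ACE


class Ace(NamedTuple):
    ace_type: str
    flags: str
    rights: frozenset
    object_guid: str
    sid: str


def parse_ace(raw: str) -> Ace:
    """Split one SDDL ACE 'type;flags;rights;object_guid;inherit_guid;sid' into fields."""
    parts = raw.split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE: {raw!r}")
    ace_type, flags, rights, object_guid, _inherit_guid, sid = parts[:6]
    # Rights are either a hex mask or a run of two-letter codes; hex masks are kept opaque here.
    if rights.startswith("0x"):
        codes = frozenset({rights})
    else:
        codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
    return Ace(ace_type, flags, codes, object_guid, sid)


def aces(sddl: str) -> list:
    """Mirror of the rex stages: the list of raw ACE bodies in a descriptor."""
    return [m.group("ace") for m in ACE_RE.finditer(sddl)]


def new_dangerous_aces(old_sddl: str, new_sddl: str) -> list:
    """ACEs present in new_value but not old_value that grant a dangerous right (stages 5, 6, 18)."""
    old = set(aces(old_sddl))
    hits = []
    for raw in aces(new_sddl):
        if raw in old:
            continue  # stage 6: ACE already existed, so it is not an addition
        ace = parse_ace(raw)
        if ace.ace_type in DENY_TYPES:
            continue  # stage 18: deny ACEs are excluded
        if ace.rights & DANGEROUS_RIGHTS:
            hits.append(ace)
    return hits


# Constructed sample: a baseline AdminSDHolder DACL and a modified copy with one allow ACE
# granting GA to a non-admin SID, one deny ACE, and one harmless read-property ACE.
OLD = "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
NEW = OLD + ("(A;;GA;;;S-1-5-21-1111-2222-3333-1105)"
             "(D;;WP;;;S-1-5-21-1111-2222-3333-1106)"
             "(A;;RP;;;S-1-5-21-1111-2222-3333-1107)")
```

Running `new_dangerous_aces(OLD, NEW)` returns only the GA grant to S-1-5-21-1111-2222-3333-1105; the deny and read-only additions are filtered exactly as the rule's stages would filter them.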

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field   | Kind | Excluded values
1     | new_ace | eq   | old_values
1     | aceType | in   | *denied*, D, OD, XD

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field (kind): values

EventCode (eq)
  • 5136 corpus 22 (splunk 22)
ObjectClass (eq)
  • container
ObjectDN (eq)
  • "CN=AdminSDHolder,CN=System*"
aceAccessRights (in)
  • "All extended rights" corpus 3 (splunk 3)
  • "All validated writes" corpus 3 (splunk 3)
  • "Create all child objects" corpus 3 (splunk 3)
  • "Delete all child objects" corpus 3 (splunk 3)
  • "Delete subtree" corpus 3 (splunk 3)
  • "Delete" corpus 3 (splunk 3)
  • "Full control" corpus 4 (splunk 4)
  • "Modify owner" corpus 3 (splunk 3)
  • "Modify permissions" corpus 3 (splunk 3)
  • "Write all properties" corpus 3 (splunk 3)
  • CC corpus 3 (splunk 3)
  • CR corpus 3 (splunk 3)
  • DC corpus 3 (splunk 3)
  • DT corpus 3 (splunk 3)
  • SD corpus 3 (splunk 3)
  • SW corpus 3 (splunk 3)
  • WD corpus 3 (splunk 3)
  • WO corpus 3 (splunk 3)
  • WP corpus 3 (splunk 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.