Detection rules › Splunk
Windows AD Dangerous Deny ACL Modification
This detection identifies an Active Directory access-control list (ACL) modification event, which applies permissions that deny the ability to enumerate permissions of the object.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484 Domain or Tenant Policy Modification |
| Defense Evasion | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification, T1484 Domain or Tenant Policy Modification |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: search
search EventCode=5136
Stage 2: stats
stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId
Stage 3: rex
rex field=old_value ...
Stage 4: rex
rex field=new_value ...
Stage 5: mvexpand
mvexpand
Stage 6: where
where NOT new_ace="old_values"
Stage 7: rex
rex field=new_ace ...
Stage 8: rex
rex field=aceAccessRights ...
Stage 9: rex
rex field=aceFlags ...
Stage 10: lookup
lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid
Stage 11: lookup
lookup <lookup> AccessRights, access_rights_string, access_rights_value
Stage 12: lookup
lookup <lookup> aceType, ace_type_string, ace_type_value
Stage 13: lookup
lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value
Stage 14: lookup
lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string
Stage 15: eval
eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)
Stage 16: stats
stats BY _time, ObjectClass, ObjectDN, src_user, SubjectLogonId, user, OpCorrelationID
Stage 17: eval
eval ...
Stage 18: search
search aceAccessRights IN ("Full control", "Read permissions", "RC") aceType IN ("Access denied", "D")
Stage 19: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | new_ace | eq | old_values |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
aceAccessRights | in |
|
aceType | in |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows AD GPO Disabled (adds 3 filters)
- Windows AD ServicePrincipalName Added To Domain Account (adds 3 filters)
- Windows Default Group Policy Object Modified (adds 3 filters)
- Windows AD AdminSDHolder ACL Modified (adds 2 filters)
- Windows AD GPO New CSE Addition (adds 2 filters)
- Windows AD SID History Attribute Modified (adds 2 filters)
- Windows AD Suspicious Attribute Modification (adds 2 filters)
- Windows AD Dangerous Group ACL Modification (adds 1 filter)
- Windows AD Dangerous User ACL Modification (adds 1 filter)
- Windows AD DCShadow Privileges ACL Addition (adds 1 filter)
- Windows AD Domain Replication ACL Addition (adds 1 filter)
- Windows AD Domain Root ACL Deletion (adds 1 filter)
- Windows AD Domain Root ACL Modification (adds 1 filter)
- Windows AD GPO Deleted (adds 1 filter)
- Windows AD Hidden OU Creation (adds 1 filter)
- Windows AD Short Lived Domain Account ServicePrincipalName (adds 1 filter)