Windows AD Dangerous Group ACL Modification

Author: Dean Luxton
Source: upstream

This detection monitors the addition of the following ACLs to an Active Directory group object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify permissions", "Modify owner", and "Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.

MITRE ATT&CK coverage

Tactic | Techniques
Privilege Escalation | T1484 Domain or Tenant Policy Modification
Defense Evasion | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification, T1484 Domain or Tenant Policy Modification

Event coverage

Provider | Event ID | Title
Security-Auditing | 5136 | A directory service object was modified.

Stages and Predicates

Stage 1: search

search EventCode=5136 ObjectClass="group"

Stage 2: stats

stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId

Stage 3: rex

rex field=old_value ...

Stage 4: rex

rex field=new_value ...

Stage 5: mvexpand

mvexpand

Stage 6: where

where NOT new_ace="old_values"

Stage 7: rex

rex field=new_ace ...

Stage 8: rex

rex field=aceAccessRights ...

Stage 9: rex

rex field=aceFlags ...

Stage 10: lookup

lookup <lookup> aceType, ace_type_string, ace_type_value

Stage 11: lookup

lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value

Stage 12: lookup

lookup <lookup> AccessRights, access_rights_string, access_rights_value

Stage 13: lookup

lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid

Stage 14: lookup

lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string

Stage 15: eval

eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)

Stage 16: stats

stats BY _time, ObjectClass, ObjectDN, src_user, SubjectLogonId, user, OpCorrelationID

Stage 17: eval

eval ...

Stage 18: search

search NOT aceType IN ("*denied*", "D", "OD", "XD") aceAccessRights IN ("All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Full control", "Modify owner", "Modify permissions", "Write all properties", "CC", "CR", "DC", "DT", "SD", "SW", "WD", "WO", "WP")

Stage 19: search

search `macro`
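As an added example (not the rule's own SPL or any code from the catalog), the script below reproduces what Stages 3 through 9 and 18 do to one event, on a constructed pair of old_value/new_value SDDL strings: split the DACL into ACEs, keep the ones that are new, skip deny ACE types, decode the rights field, and report any ACE that grants one of the rights the rule names. The mapping from two-letter SDDL codes to the rule's display strings and the sample SIDs are assumptions standing in for the rule's lookup tables.

```python
import re

# Constructed sample old_value / new_value of a 5136 event on a group object:
# the new descriptor adds an allow ACE (WP+WD), a deny ACE and a read-only ACE.
OLD_VALUE = "O:DAG:DAD:PAI(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
NEW_VALUE = OLD_VALUE + ("(A;;WPWD;;;S-1-5-21-1111-2222-3333-1105)"
                         "(D;;WD;;;S-1-5-21-1111-2222-3333-1106)"
                         "(A;;RPLC;;;S-1-5-21-1111-2222-3333-1107)")

# SDDL rights code -> (display string the rule's Stage 18 matches, ADS_RIGHTS
# bit). The code-to-string mapping is assumed; it stands in for the lookups.
RIGHTS = {
    "CC": ("Create all child objects", 0x1), "DC": ("Delete all child objects", 0x2),
    "SW": ("All validated writes", 0x8), "WP": ("Write all properties", 0x20),
    "DT": ("Delete subtree", 0x40), "CR": ("All extended rights", 0x100),
    "SD": ("Delete", 0x10000), "WD": ("Modify permissions", 0x40000),
    "WO": ("Modify owner", 0x80000), "GA": ("Full control", 0x10000000),
}
DENY_TYPES = {"D", "OD", "XD"}  # aceType values the rule excludes

def split_aces(sddl):
    """Return the ACE bodies of the DACL section (text after 'D:')."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    return re.findall(r"\(([^)]*)\)", m.group(1)) if m else []

def parse_rights(token):
    """Map an ACE rights field (two-letter codes or a hex mask) to names."""
    if token.startswith("0x"):
        mask = int(token, 16)
        return {name for name, bit in RIGHTS.values() if mask & bit}
    return {RIGHTS[c][0] for c in re.findall(r"..", token) if c in RIGHTS}

def dangerous_new_aces(old_value, new_value):
    """ACEs present in new_value but not old_value that allow a dangerous right."""
    old = set(split_aces(old_value))
    hits = []
    for ace in [a for a in split_aces(new_value) if a not in old]:
        ace_type, flags, rights, obj_guid, _, sid = (ace.split(";") + [""] * 6)[:6]
        if ace_type in DENY_TYPES:
            continue  # deny ACEs remove access; the rule skips them
        granted = parse_rights(rights)
        if granted:
            hits.append({"aceType": ace_type, "aceFlags": flags, "aceSid": sid,
                         "aceObjectGuid": obj_guid, "aceAccessRights": sorted(granted)})
    return hits

if __name__ == "__main__":
    for hit in dangerous_new_aces(OLD_VALUE, NEW_VALUE):
        print(hit)
```

On the sample input only the ACE for the placeholder SID ending in 1105 is reported; the deny ACE and the read-only ACE are dropped, as they would be by Stages 6 and 18 of the rule.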

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field | Kind | Excluded values
1 | new_ace | eq | old_values
1 | aceType | in | "*denied*", "D", "OD", "XD"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventCode | eq
  • 5136 corpus 22 (splunk 22)
ObjectClass | eq
  • group
aceAccessRights | in
  • "All extended rights" corpus 3 (splunk 3)
  • "All validated writes" corpus 3 (splunk 3)
  • "Create all child objects" corpus 3 (splunk 3)
  • "Delete all child objects" corpus 3 (splunk 3)
  • "Delete subtree" corpus 3 (splunk 3)
  • "Delete" corpus 3 (splunk 3)
  • "Full control" corpus 4 (splunk 4)
  • "Modify owner" corpus 3 (splunk 3)
  • "Modify permissions" corpus 3 (splunk 3)
  • "Write all properties" corpus 3 (splunk 3)
  • CC corpus 3 (splunk 3)
  • CR corpus 3 (splunk 3)
  • DC corpus 3 (splunk 3)
  • DT corpus 3 (splunk 3)
  • SD corpus 3 (splunk 3)
  • SW corpus 3 (splunk 3)
  • WD corpus 3 (splunk 3)
  • WO corpus 3 (splunk 3)
  • WP corpus 3 (splunk 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.