Windows AD Dangerous User ACL Modification

Author: Dean Luxton
Source: upstream

This detection monitors the addition of the following ACLs to an Active Directory user object: "Full control","All extended rights","All validated writes", "Create all child objects","Delete all child objects","Delete subtree","Delete","Modify permissions","Modify owner","Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1484` Domain or Tenant Policy Modification
Defense Evasion	`T1222.001` File and Directory Permissions Modification: Windows File and Directory Permissions Modification, `T1484` Domain or Tenant Policy Modification

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.

Stages and Predicates

Stage 1: `search`

search EventCode=5136 ObjectClass="user"

Stage 2: `stats`

stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId

Stage 3: `rex`

rex field=old_value ...

Stage 4: `rex`

rex field=new_value ...

Stage 5: `mvexpand`

mvexpand

Stage 6: `where`

where NOT new_ace="old_values"

Stage 7: `rex`

rex field=new_ace ...

Stage 8: `rex`

rex field=aceAccessRights ...

Stage 9: `rex`

rex field=aceFlags ...

Stage 10: `lookup`

lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid

Stage 11: `lookup`

lookup <lookup> AccessRights, access_rights_string, access_rights_value

Stage 12: `lookup`

lookup <lookup> aceType, ace_type_string, ace_type_value

Stage 13: `lookup`

lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value

Stage 14: `lookup`

lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string

Stage 15: `eval`

eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)

Stage 16: `stats`

stats BY _time, ObjectClass, ObjectDN, src_user, SubjectLogonId, user, OpCorrelationID

Stage 17: `eval`

eval ...

Stage 18: `search`

search NOT aceType IN ("*denied*", "D", "OD", "XD") aceAccessRights IN ("All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Full control", "Modify owner", "Modify permissions", "Write all properties", "CC", "CR", "DC", "DT", "SD", "SW", "WD", "WO", "WP")

Stage 19: `search`

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`new_ace`	eq	`old_values`
1	`aceType`	in	`denied`, `D`, `OD`, `XD`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`5136` corpus 22 (splunk 22)
`ObjectClass`	eq	`user` corpus 4 (splunk 2, sigma 1, elastic 1)
`aceAccessRights`	in	`"All extended rights"` corpus 3 (splunk 3) `"All validated writes"` corpus 3 (splunk 3) `"Create all child objects"` corpus 3 (splunk 3) `"Delete all child objects"` corpus 3 (splunk 3) `"Delete subtree"` corpus 3 (splunk 3) `"Delete"` corpus 3 (splunk 3) `"Full control"` corpus 4 (splunk 4) `"Modify owner"` corpus 3 (splunk 3) `"Modify permissions"` corpus 3 (splunk 3) `"Write all properties"` corpus 3 (splunk 3) `CC` corpus 3 (splunk 3) `CR` corpus 3 (splunk 3) `DC` corpus 3 (splunk 3) `DT` corpus 3 (splunk 3) `SD` corpus 3 (splunk 3) `SW` corpus 3 (splunk 3) `WD` corpus 3 (splunk 3) `WO` corpus 3 (splunk 3) `WP` corpus 3 (splunk 3)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows AD ServicePrincipalName Added To Domain Account [splunk] (adds 2 filters) (first-stage match only; downstream stages may differ)

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Windows AD Dangerous Deny ACL Modification [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Object Owner Updated [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Self DACL Assignment [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)

Windows AD Dangerous User ACL Modification

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: rex

Stage 4: rex

Stage 5: mvexpand

Stage 6: where

Stage 7: rex

Stage 8: rex

Stage 9: rex

Stage 10: lookup

Stage 11: lookup

Stage 12: lookup

Stage 13: lookup

Stage 14: lookup

Stage 15: eval

Stage 16: stats

Stage 17: eval

Stage 18: search

Stage 19: search