IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Active Directory Replication Account Backdoor
Identifies a modification of the nTSecurityDescriptor attribute of a domain object that grants DCSync-related replication rights to a user or computer account. Attackers can use this as a backdoor to re-obtain the password hashes of any user or computer account.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-system.security*
- logs-windows.forwarded*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
- https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all
- https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes
- https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Active Directory
- Use Case: Active Directory Monitoring
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Setup
The Audit Directory Service Changes logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success, Failure)
Rule query
event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and winlog.event_data.AttributeValue : ( ( *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-* ) )
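The query above matches with wildcards over the raw SDDL string that event 5136 records in AttributeValue: each of the three replication control-access-right GUIDs must appear as an ACE object GUID, followed by an empty inherited-object field and a domain SID (S-1-5-21-*). Default grantees such as Domain Admins or Enterprise Domain Controllers are written as SDDL aliases (DA, ED), which is why they do not trip the rule. The following script is an added example and not part of the Elastic rule or its documentation; it parses the DACL of an SDDL value into ACEs, reproduces the rule's condition, and also reports which trustee received which replication right, which is what an analyst wants during triage. The two descriptors, the event records and the domain SID in them are constructed samples, not real domain data.

```python
"""Mirror of the rule's nTSecurityDescriptor check, applied to sample 5136 events."""
import re
from dataclasses import dataclass

# Control-access-right GUIDs from the rule query (see the Microsoft ADSchema
# references above). Holding all three lets a principal replicate directory
# secrets, i.e. perform DCSync.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
DCSYNC_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}


@dataclass(frozen=True)
class Ace:
    """One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)."""
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str


ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs of the DACL ("D:" section) of an SDDL string.

    Only the standard six-field ACE form is handled; conditional ACEs
    (nested parentheses) are skipped. An absent or empty DACL yields [].
    """
    match = re.search(r"D:[A-Z]*(?=\()", sddl)  # "D:" plus optional flags (P, AI, AR)
    if not match:
        return []
    dacl = sddl[match.end():].split("S:", 1)[0]  # stop at a trailing SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) == 6:
            aces.append(Ace(*fields))
    return aces


def dcsync_grants(sddl: str) -> dict[str, set[str]]:
    """Map each trustee to the replication rights it is granted (triage view)."""
    grants: dict[str, set[str]] = {}
    for ace in parse_dacl(sddl):
        guid = ace.object_guid.lower()
        if ace.ace_type == "OA" and guid in DCSYNC_RIGHTS:  # object-specific allow ACE
            grants.setdefault(ace.trustee, set()).add(guid)
    return grants


def matches_rule(sddl: str) -> bool:
    """Same condition as the rule's three wildcards: every DCSync GUID appears as an
    object GUID followed by an empty inherit field and an S-1-5-21-* trustee."""
    found = set()
    for ace in parse_dacl(sddl):
        guid = ace.object_guid.lower()
        if guid in DCSYNC_RIGHTS and ace.inherit_guid == "" and ace.trustee.startswith("S-1-5-21-"):
            found.add(guid)
    return found == DCSYNC_RIGHTS


def rule_fires(event: dict) -> bool:
    """Apply the rule's event-level filters, then the descriptor check."""
    return (
        event.get("event.code") == "5136"
        and event.get("winlog.event_data.AttributeLDAPDisplayName") == "nTSecurityDescriptor"
        and matches_rule(event.get("winlog.event_data.AttributeValue", ""))
    )


# Constructed sample descriptors; the domain SID below is made up.
DEFAULT_LIKE = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)"
    "(A;;RPLCLORC;;;AU)"
    "S:AI(AU;SA;CR;;;WD)"
)
BACKDOORED = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1000000000-2000000000-3000000000-1104)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1000000000-2000000000-3000000000-1104)"
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-1000000000-2000000000-3000000000-1104)"
    "(A;;RPLCLORC;;;AU)"
    "S:AI(AU;SA;CR;;;WD)"
)

# Constructed 5136 events in the field layout the rule query references.
SAMPLE_EVENTS = [
    {"event.code": "5136", "winlog.event_data.AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "winlog.event_data.AttributeValue": DEFAULT_LIKE},
    {"event.code": "5136", "winlog.event_data.AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "winlog.event_data.AttributeValue": BACKDOORED},
    {"event.code": "5136", "winlog.event_data.AttributeLDAPDisplayName": "member",
     "winlog.event_data.AttributeValue": "CN=someone,CN=Users,DC=example,DC=com"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), dcsync_grants(ev["winlog.event_data.AttributeValue"]))
```

Only the second sample fires: the first grants the same rights to the alias trustees ED, DA and BA, and the third changes a different attribute. When the rule alerts, the per-trustee output of dcsync_grants is the quickest way to see which domain account gained replication rights and whether it is a known replication or synchronization service account.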
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
- Sub-technique:
  - Name: DCSync
  - ID: T1003.006
  - Reference URL: https://attack.mitre.org/techniques/T1003/006/