WRITEDAC Access on Active Directory Object
editWRITEDAC Access on Active Directory Object
editIdentifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Active Directory
- Use Case: Active Directory Monitoring
- Rule Type: BBR
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.action:"Directory Service Access" and event.code:"5136" and winlog.event_data.AccessMask:"0x40000"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: File and Directory Permissions Modification
- ID: T1222
- Reference URL: https://attack.mitre.org/techniques/T1222/
-
Sub-technique:
- Name: Windows File and Directory Permissions Modification
- ID: T1222.001
- Reference URL: https://attack.mitre.org/techniques/T1222/001/