LoFP / new domain controller computer account: check user SIDs within the value attribute of event 5136 and verify whether it is a regular user or a DC computer account.

Techniques

Sample rules

Powerview Add-DomainObjectAcl DCSync AD Extend Right

Description

Backdooring a domain object to grant the rights associated with DCSync to a regular user or machine account, using the PowerView Add-DomainObjectAcl cmdlet with the DCSync extended right, allows an attacker to re-obtain the password hashes of any user or computer.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_dns_object_class:
  ObjectClass:
  - dnsNode
  - dnsZoneScope
  - dnsZone
selection:
  AttributeLDAPDisplayName: ntSecurityDescriptor
  AttributeValue|contains:
  - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2  # DS-Replication-Get-Changes-All
  - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2  # DS-Replication-Get-Changes
  - 89e95b76-444d-4c62-991a-0facbeda640c  # DS-Replication-Get-Changes-In-Filtered-Set
  EventID: 5136  # directory service object modified
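As an added example (not part of this LoFP entry or of the Sigma rule), a Python triage helper that applies the rule's selection and filter and then performs the SID check described in the entry: it parses the SDDL in AttributeValue, collects the trustees that were granted the three replication extended rights, and only alerts when one of them is neither a default rights holder nor a known DC computer account. The domain SID, DC SIDs and sample events are constructed, and the set of default trustees is an assumption to tune for your own forest.

```python
import re
# The three extended-right GUIDs the rule matches in the ntSecurityDescriptor value
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DNS_OBJECT_CLASSES = {"dnsNode", "dnsZoneScope", "dnsZone"}   # the rule's filter_main_*
DEFAULT_TRUSTEES = {"DA", "EA", "BA", "ED", "S-1-5-9"}  # assumed default holders (SDDL aliases / SID)
ACE_RE = re.compile(r"\((\w+);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")  # (type;flags;rights;guid;inh_guid;trustee)

def grants_control_access(rights):
    """True if the rights field carries CR (ADS_RIGHT_DS_CONTROL_ACCESS, 0x100)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & 0x100 != 0
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}  # 2-letter tokens

def dcsync_trustees(sddl):
    """Trustees of object-allow ACEs that grant one of the DCSync extended rights."""
    return {t for typ, _f, rights, guid, _i, t in ACE_RE.findall(sddl)
            if typ == "OA" and grants_control_access(rights) and guid.lower() in DCSYNC_GUIDS}

def matches_rule(event):
    """The Sigma selection minus its filter_main_* exclusions (logic taken from the rule)."""
    return (event.get("EventID") == 5136
            and event.get("AttributeLDAPDisplayName") == "ntSecurityDescriptor"
            and event.get("ObjectClass") not in DNS_OBJECT_CLASSES
            and any(g in event.get("AttributeValue", "").lower() for g in DCSYNC_GUIDS))

def triage(event, dc_sids):
    """False-positive check from the LoFP entry: who actually received the rights?"""
    if not matches_rule(event):
        return "no_match", set()
    trustees = dcsync_trustees(event["AttributeValue"])
    unexpected = trustees - DEFAULT_TRUSTEES - set(dc_sids)
    if unexpected or not trustees:       # unknown principal, or rights we could not attribute
        return "alert", unexpected
    return "expected_dc", trustees       # only known DC computer accounts / default holders

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"    # constructed domain SID
KNOWN_DC_SIDS = {DOMAIN + "-1000", DOMAIN + "-1001"}      # constructed DC computer account SIDs
AA, AD = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
SAMPLE_USER_GRANT = {  # constructed 5136: replication rights added for a regular user (RID 1105)
    "EventID": 5136, "ObjectClass": "domainDNS", "AttributeLDAPDisplayName": "ntSecurityDescriptor",
    "AttributeValue": f"O:DAG:DAD:AI(OA;;CR;{AA};;DA)(OA;;CR;{AA};;{DOMAIN}-1105)(OA;;CR;{AD};;{DOMAIN}-1105)",
}
SAMPLE_NEW_DC = {**SAMPLE_USER_GRANT,  # constructed 5136: same rights granted to a known DC account
    "AttributeValue": f"O:DAG:DAD:AI(OA;;CR;{AA};;ED)(OA;;CR;{AD};;{DOMAIN}-1001)"}
SAMPLE_DNS = {**SAMPLE_USER_GRANT, "ObjectClass": "dnsZone"}  # constructed: excluded by the filter
```

Feed real 5136 events as dicts with the same field names and your DC computer SIDs in `dc_sids`; only the "alert" outcome needs an analyst.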