when there is a change to ntsecuritydescriptor, windows logs the entire acl with the newly added components. if existing accounts are present with this permission, they will raise an alert each time the ntsecuritydescriptor is updated unless whitelisted.

Techniques

T1484

Sample rules

Windows AD Domain Replication ACL Addition

source: splunk
technicques:
- T1484

Description

The following analytic detects the addition of the permissions necessary to perform a DCSync attack. In order to replicate AD objects, the initiating user or computer must have the following permissions on the domain. - DS-Replication-Get-Changes - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.

Detection logic

`wineventlog_security`  
| rex field=AttributeValue max_match=10000 \"OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P<DSRGetChangesFiltered_user_sid>S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3})\)\"
| table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid
| mvexpand DSRGetChanges_user_sid
| eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,\"true\",\"false\"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,\"true\",\"false\")
| where minDCSyncPermissions=\"true\" 
| lookup identity_lookup_expanded  objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user 
| rename DSRGetChanges_user_sid as userSid 
| stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet
| `windows_ad_domain_replication_acl_addition_filter`