valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
48d95f027c
SigmaHQ/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml

29 lines
1.2 KiB
YAML
Raw Normal View History

Create win_account_backdoor_dcsync_rights.yml
2019-04-03 14:16:05 +00:00
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 2c99737c-585d-4431-b61a-c911d86ff32f
description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 14:16:05 +00:00
status: experimental
date: 2019/04/03
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml
2019-10-24 12:34:16 +00:00
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 14:16:05 +00:00
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
tags:
- attack.credential_access
- attack.persistence
logsource:
product: windows
service: security
detection:
selection:
EventID: 5136
LDAPDisplayName: 'ntSecurityDescriptor'
oscd task #6 done. add 25 new rules: - win_ad_replication_non_machine_account.yml - win_dpapi_domain_backupkey_extraction.yml - win_protected_storage_service_access.yml - win_dpapi_domain_masterkey_backup_attempt.yml - win_sam_registry_hive_handle_request.yml - win_sam_registry_hive_dump_via_reg_utility.yml - win_lsass_access_non_system_account.yml - win_ad_object_writedac_access.yml - powershell_alternate_powershell_hosts.yml - sysmon_remote_powershell_session_network.yml - win_remote_powershell_session.yml - win_scm_database_handle_failure.yml - win_scm_database_privileged_operation.yml - sysmon_wmi_module_load.yml - sysmon_remote_powershell_session_process.yml - sysmon_rdp_registry_modification.yml - sysmon_powershell_execution_pipe.yml - sysmon_alternate_powershell_hosts_pipe.yml - sysmon_powershell_execution_moduleload.yml - sysmon_createremotethread_loadlibrary.yml - sysmon_alternate_powershell_hosts_moduleload.yml - powershell_remote_powershell_session.yml - win_non_interactive_powershell.yml - win_syskey_registry_access.yml - win_wmiprvse_spawning_process.yml improve 1 rule: - rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 15:43:41 +00:00
Value|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
Create win_account_backdoor_dcsync_rights.yml
2019-04-03 14:16:05 +00:00
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: critical
Reference in New Issue Copy Permalink