title: AD Object WriteDAC Access id: 028c7842-4243-41cd-be6f-12f3cf1a26c7 description: Detects WRITE_DAC access to a domain object status: experimental date: 2019/09/12 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md tags: - attack.defense_evasion - attack.t1222 logsource: product: windows service: security detection: selection: EventID: 4662 ObjectServer: 'DS' AccessMask: 0x40000 ObjectType: - '19195a5b-6da0-11d0-afd3-00c04fd930c9' - 'domainDNS' condition: selection falsepositives: - Unknown level: critical