SigmaHQ/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml

29 lines
1.2 KiB
YAML

title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
id: 2c99737c-585d-4431-b61a-c911d86ff32f
description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
tags:
- attack.credential_access
- attack.persistence
logsource:
product: windows
service: security
detection:
selection:
EventID: 5136
LDAPDisplayName: 'ntSecurityDescriptor'
Value|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: critical