SigmaHQ/rules/windows/builtin/win_ad_object_writedac_access.yml
2019-12-20 00:11:34 +01:00

24 lines
730 B
YAML

title: T1000 AD Object WriteDAC Access
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
description: Detects WRITE_DAC access to a domain object
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
ObjectServer: 'DS'
AccessMask: 0x40000
ObjectType:
- '19195a5b-6da0-11d0-afd3-00c04fd930c9'
- 'domainDNS'
condition: selection
falsepositives:
- Unknown
level: critical