← Library
splApache-2.0from splunk/security_content

Windows AD Self DACL Assignment

Detect when a user creates a new DACL in AD for their own AD object.

Quality
35
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_self_dacl_assignment.yml
`wineventlog_security`
EventCode=5136
| stats min(_time) as _time
        values(
          eval(
            if(OperationType=="%%14675",AttributeValue,null)
            )
        ) as old_value

        values(
          eval(
            if(OperationType=="%%14674" ,AttributeValue,null)
          )
        ) as new_value

        values(OperationType) as OperationType
by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId dest

| rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
| rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
| mvexpand new_ace
| where NOT new_ace IN (old_values)
| rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);(?P<aceInheritedTypeGuid>.*?);(?P<aceSid>.*?)$"
| rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
| rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"

| lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value as aceType
| lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value
| lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
| lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights

``` Optional SID resolution lookups
| lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
| lookup admon_groups_def objectSid as aceSid OUTPUT cn as group
```

| lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group

| eval aceType = coalesce(ace_type_value, aceType),
       aceInheritance = coalesce(ace_flag_value, "This object only"),
       aceAccessRights = if(
                            aceAccessRights = "CCDCLCSWRPWPDTLOCRSDRCWDWO", "Full control", coalesce(access_rights_value,AccessRights)
                          ),
       aceControlAccessRights = if(
                              (
                                ControlAccessRights = "Write member"
                                OR
                                aceObjectGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
                              ) AND
                              (
                                aceAccessRights = "All validated writes"
                                OR
                                AccessRights = "SW"
                              ),
                              "Add/remove self as member",
                              coalesce(ControlAccessRights,aceObjectGuid)
                            ),
       user=coalesce(user, group, builtin_group, aceSid)

| stats values(aceType) as aceType
        values(aceInheritance) as aceInheritance
        values(aceControlAccessRights) as aceControlAccessRights
        values(aceAccessRights) as aceAccessRights
        values(new_ace) as new_ace
        values(aceInheritedTypeGuid) as aceInheritedTypeGuid

by _time ObjectClass ObjectDN src_user SubjectLogonId user OpCorrelationID dest

| eval aceControlAccessRights = if(
                                  mvcount(aceControlAccessRights) = 1
                                  AND
                                  aceControlAccessRights = "", "All rights", "aceControlAccessRights"
                                )
| rex field=user "\\\\(?P<nt_user>.*?)$"
| where lower(src_user)=lower(nt_user)
| `windows_ad_self_dacl_assignment_filter`