elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Meta] Explore Detection Opportunities on Active Directory Default Groups Abuse #3005

Closed w0rk3r closed 4 months ago

w0rk3r commented 1 year ago

### Summary

Explore how attackers abuse default groups (DnsAdmins, Schema Admins, Server Operators, Backup Operators, etc.) to elevate privileges, maintain persistence, and execute payloads in domain servers and hosts.

### Tasks
- [x] Lab Creation
- [x] Understand default domain groups and their privileges
- [x] Read, read, and read blog posts that explain the abuse of the privileges
- [x] Simulate abuse based on existing research
- [x] Detection Development

### Goals

### Resources

- https://adsecurity.org/?p=3700
- https://cube0x0.github.io/Pocing-Beyond-DA/
- https://adsecurity.org/?p=4064
- https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll

### PRs
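As an added example (not code from this issue or from the detection-rules repository), a minimal detector over Windows Security events that flags membership additions to the default groups named above. Event IDs 4728, 4732 and 4756 are the standard "member added" events for global, local and universal groups; the event records and the CONTOSO names are constructed.

```python
"""Flag additions to sensitive Active Directory default groups in Windows
Security events (added example; event records below are constructed)."""

# Default groups named in the issue, compared case-insensitively.
SENSITIVE_GROUPS = {"dnsadmins", "schema admins", "server operators", "backup operators"}
# Windows logs a member addition as 4728 (global), 4732 (local) or 4756 (universal).
MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}


def detect_sensitive_group_additions(events):
    """Return one alert dict per event that adds a member to a watched group."""
    alerts = []
    for event in events:
        if event.get("event_id") not in MEMBER_ADDED_EVENT_IDS:
            continue
        group = event.get("target_group", "")
        if group.strip().lower() not in SENSITIVE_GROUPS:
            continue
        alerts.append({
            "event_id": event["event_id"],
            "group": group,
            "member": event.get("member", "<unknown>"),
            "actor": event.get("subject_user", "<unknown>"),
            "host": event.get("computer", "<unknown>"),
        })
    return alerts


# Constructed sample events (not real telemetry): two hits, one benign group,
# one removal event (4733) that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 4732, "target_group": "DnsAdmins", "member": "CONTOSO\\svc-web",
     "subject_user": "CONTOSO\\jdoe", "computer": "dc01.contoso.local"},
    {"event_id": 4728, "target_group": "Sales", "member": "CONTOSO\\asmith",
     "subject_user": "CONTOSO\\hr-admin", "computer": "dc01.contoso.local"},
    {"event_id": 4756, "target_group": "Schema Admins", "member": "CONTOSO\\tmp-user",
     "subject_user": "CONTOSO\\jdoe", "computer": "dc01.contoso.local"},
    {"event_id": 4733, "target_group": "Backup Operators", "member": "CONTOSO\\bkp",
     "subject_user": "CONTOSO\\admin", "computer": "dc01.contoso.local"},
]

if __name__ == "__main__":
    for alert in detect_sensitive_group_additions(SAMPLE_EVENTS):
        print(f"[{alert['event_id']}] {alert['actor']} added {alert['member']} "
              f"to {alert['group']} on {alert['host']}")
```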

botelastic[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

w0rk3r commented 4 months ago

Closing this one as the scoped work is completed.