elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html
Other
1.97k stars 505 forks source link

[Meta] Explore Detection Opportunities on Active Directory Object Ownership issues #3522

Open w0rk3r opened 8 months ago

w0rk3r commented 8 months ago

Parent Epic (If Applicable)

https://github.com/elastic/ia-trade-team/issues/276

Summary

Explore how attackers abuse object ownership issues for privilege escalation, lateral movement, and persistence.

### Tasks
- [ ] TBD

Goals

Resources:

https://www.hub.trimarcsecurity.com/post/trimarc-whitepaper-owner-or-pwnd

PRs

w0rk3r commented 4 months ago

DACL Abuse: User-Force-Change-Password

event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
  winlog.event_data.AttributeValue : *00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-*
Mikaayenson commented 1 month ago

Update Oct 22

Pushed to Q3 to support the crowd strike 3rd Party EDR work.