Open w0rk3r opened 7 months ago
DACL Abuse: User-Force-Change-Password
event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
winlog.event_data.AttributeValue : *00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-*
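As an added example (not part of this issue or the project's rule set), the same conditions applied in Python to constructed 5136 events: it parses the SDDL ACEs in the new nTSecurityDescriptor value so that only allow ACEs granting the User-Force-Change-Password right to a domain SID (S-1-5-21-*) are reported, which is one step stricter than the wildcard match. SIDs and field layout are assumptions.

```python
import re

# GUID of the User-Force-Change-Password extended right (the value the query searches for).
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")

ACTIONS = {"Directory Service Changes", "directory-service-object-modified"}


def force_change_password_grants(event):
    """Apply the query's conditions to one event (a flat dict of ECS-style fields) and
    return the allow ACEs that grant User-Force-Change-Password to a domain SID.
    Unlike the wildcard match, this parses the descriptor, so deny ACEs are not reported."""
    if event.get("event.action") not in ACTIONS or str(event.get("event.code")) != "5136":
        return []
    data = event.get("winlog.event_data", {})
    if data.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return []
    grants = []
    for ace in ACE_RE.finditer(data.get("AttributeValue", "")):
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = ace.groups()
        if (ace_type == "OA"  # object-specific allow ACE
                and obj_guid.lower() == USER_FORCE_CHANGE_PASSWORD
                and trustee.startswith("S-1-5-21-")):
            grants.append({"trustee": trustee, "rights": rights})
    return grants


# Constructed sample events with hypothetical SIDs; not real telemetry.
SAMPLE_EVENTS = [
    {   # ACE adds the right for a domain user -> should be reported
        "event.action": "Directory Service Changes", "event.code": "5136",
        "winlog.event_data": {
            "AttributeLDAPDisplayName": "nTSecurityDescriptor",
            "AttributeValue": "O:DAG:DAD:AI(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;"
                              "S-1-5-21-1111-2222-3333-1105)(A;;RPWP;;;S-1-5-21-1111-2222-3333-512)"}},
    {   # same right, but held by a well-known SID, which the S-1-5-21- prefix excludes
        "event.action": "directory-service-object-modified", "event.code": "5136",
        "winlog.event_data": {
            "AttributeLDAPDisplayName": "nTSecurityDescriptor",
            "AttributeValue": "O:DAG:DAD:(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-32-544)"}},
    {   # a different attribute changed -> out of scope for this rule
        "event.action": "Directory Service Changes", "event.code": "5136",
        "winlog.event_data": {"AttributeLDAPDisplayName": "member", "AttributeValue": "CN=x"}},
]


def scan(events):
    """Indices of events with at least one grant; these are what an analyst would triage."""
    return [i for i, e in enumerate(events) if force_change_password_grants(e)]
```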
Pushed to Q3 to support the CrowdStrike third-party EDR work.
Parent Epic (If Applicable)
https://github.com/elastic/ia-trade-team/issues/276
Summary
Explore how attackers abuse object ownership issues for privilege escalation, lateral movement, and persistence.
Goals
Resources:
https://www.hub.trimarcsecurity.com/post/trimarc-whitepaper-owner-or-pwnd
PRs