[Meta] Explore Detection Opportunities on Active Directory Object Ownership and Privilege Assignment

[w0rk3r]

Parent Epic

https://github.com/elastic/ia-trade-team/issues/276

Summary

Explore how attackers abuse object ownership issues for privilege escalation, lateral movement, and persistence.

• Read the whitepaper and decide on scenarios that can be simulated with low to medium effort
• Document and do it
• Ship detections and hunting queries
• STRETCH: Ingest Pipelines to parse basic SDDL

Resources:

• https://www.hub.trimarcsecurity.com/post/trimarc-whitepaper-owner-or-pwnd
• https://happycamper84.medium.com/get-acl-cheatsheet-f7871edf247f
• https://happycamper84.medium.com/dangerous-rights-cheatsheet-33e002660c1d
• https://happycamper84.medium.com/sddl-what-is-it-does-it-matter-2e5aeaa43b91

PRs

• TBD

[w0rk3r]

DACL Abuse: User-Force-Change-Password

event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
  winlog.event_data.AttributeValue : *00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-*

[Mikaayenson]

Update Oct 22

Pushed to Q3 to support the crowd strike 3rd Party EDR work.