Tanaka Zakku
38 lines
1.5 KiB
YAML
38 lines
1.5 KiB
YAML
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
|
|
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
|
|
date: 2019/04/03
|
|
description: backdooring domain object to grant the rights associated with DCSync
|
|
to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
|
|
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 5136
|
|
SELECTION_2:
|
|
AttributeLDAPDisplayName: ntSecurityDescriptor
|
|
SELECTION_3:
|
|
AttributeValue: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
|
|
SELECTION_4:
|
|
AttributeValue: '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
|
|
SELECTION_5:
|
|
AttributeValue: '*89e95b76-444d-4c62-991a-0facbeda640c*'
|
|
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
|
|
falsepositives:
|
|
- New Domain Controller computer account, check user SIDs within the value attribute
|
|
of event 5136 and verify if it's a regular user or DC computer account.
|
|
id: 2c99737c-585d-4431-b61a-c911d86ff32f
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
modified: 2021/07/09
|
|
references:
|
|
- https://twitter.com/menasec1/status/1111556090137903104
|
|
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
|
|
status: experimental
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1098
|
|
yml_filename: win_account_backdoor_dcsync_rights.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
|
|