detection.wiki

Detection rules › Sigma

AdminSDHolder permissions changed for persistence

Status
experimental
Severity
high
Log source
product windows, service security
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where an attacker changes permissions on the AdminSDHolder container to establish persistence.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1546 Event Triggered Execution

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 5136A directory service object was modified.

Rule body yaml

title: AdminSDHolder permissions changed for persistence
description: Detects scenarios where an attacker changes permissions on the AdminSDHolder container to establish persistence.
requirements: auditing SACL "Modify permissions" must be placed on the "AdminSDHolder" container using the Active Directory console (https://www.manageengine.com/products/active-directory-audit/active-directory-auditing-configuration-guide-configure-object-level-auditing-manually.html).
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0003-Persistence/T1546-Event%20Triggered%20Execution
- https://adsecurity.org/?p=1906
- https://stealthbits.com/blog/20170619persistence-using-adminsdholder-and-sdprop/
- https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
- https://adds-security.blogspot.com/2017/08/adminsdholder-backdoor-via-substitution.html
- https://www.netwrix.com/adminsdholder_modification_ad_persistence.html
- https://www.sentinelone.com/blog/protecting-your-active-directory-from-adminsdholder-attacks/
- https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/
tags:
- attack.persistence
- attack.t1546
author: mdecrevoisier
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    OperationType: '%%14674' # Value added
    AttributeLDAPDisplayName: nTSecurityDescriptor
    ObjectDN|startswith: CN=AdminSDHolder,CN=System,*
  condition: selection
falsepositives:
- Unknown
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
  EventID: 5136
  OperationType: '%%14674'
  AttributeLDAPDisplayName: nTSecurityDescriptor
  ObjectDN|startswith: CN=AdminSDHolder,CN=System,*

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AttributeLDAPDisplayNameeq
  • nTSecurityDescriptor corpus 7 (sigma 6, elastic 1)
ObjectDNstarts_with
  • CN=AdminSDHolder,CN=System,*
OperationTypeeq
  • %%14674 corpus 17 (sigma 9, elastic 4, splunk 4)