Detectioncriticaltest

AD Object WriteDAC Access

Detects WRITE_DAC access to a domain object

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g)Created Thu Sep 12Updated Sat Nov 27028c7842-4243-41cd-be6f-12f3cf1a26c7windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4662
        ObjectServer: 'DS'
        AccessMask: '0x40000'
        ObjectType:
            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
            - 'domainDNS'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

threathunterplaybook.com

Resolving title…

threathunterplaybook.com

Resolving title…

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Other

attack.t1222.001

Rule Metadata

Rule ID

028c7842-4243-41cd-be6f-12f3cf1a26c7

Status

test

Level

critical

Type

Detection

Created

Thu Sep 12

Modified

Sat Nov 27

Author

Roberto Rodriguez (Cyb3rWard0g)

Path

rules/windows/builtin/security/win_security_ad_object_writedac_access.yml

Raw Tags

attack.defense-evasionattack.t1222.001

View on GitHub