AdminSDHolder SDProp Exclusion Added

Last updated 9 days ago on 2025-01-22

Created 3 years ago on 2022-02-24

About

Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: PersistenceData Source: Active DirectoryUse Case: Active Directory MonitoringData Source: SystemLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-system.*logs-windows.*

Related Integrations

system(opens in a new tab or window)

windows(opens in a new tab or window)

Query

any where event.code == "5136" and
  winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and
  length(winlog.event_data.AttributeValue) > 15 and
  winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*"

Install detection rules in Elastic Security

Detect AdminSDHolder SDProp Exclusion Added in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).