Elastic Security Detection Rules

AdminSDHolder SDProp Exclusion Added

Last updated 2 months ago on 2025-11-14
Created 4 years ago on 2022-02-24

About

Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: PersistenceData Source: Active DirectoryUse Case: Active Directory MonitoringData Source: Windows Security Event LogsLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Valid Accounts (T1078)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-system.security*logs-windows.forwarded*winlogbeat-*
Related Integrations

system(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query
text code block:
any where host.os.type == "windows" and event.code == "5136" and
  winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and
  length(winlog.event_data.AttributeValue) > 15 and
  winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*"

Install detection rules in Elastic Security

Detect AdminSDHolder SDProp Exclusion Added in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).