@garis
Last active January 7, 2022 08:48
Splunk query to detect when an account adds an extended right that can be leveraged to perform a DCSync attack.
Windows event code monitored: 5136.
Extended rights monitored:
https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes
https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all
https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set
Query:
index=wineventlog EventCode=5136 host="dc.windomain.local" AND (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 OR 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 OR 89e95b76-444d-4c62-991a-0facbeda640c)
| rex field=Message max_match=0 "\((?<Attribute_Permissions>.*?)\)"
| mvexpand Type
| search Type="Value Added" OR Type="Value Deleted"
| mvexpand Attribute_Permissions
| search Attribute_Permissions="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Attribute_Permissions="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Attribute_Permissions="*89e95b76-444d-4c62-991a-0facbeda640c*"
| rex field=Attribute_Permissions max_match=1 "(?<Extended_Rights>[^;]+);;(?<objectSid>[^;]+)$"
| search objectSid!="DD" AND objectSid!="BA" AND objectSid!="ED" AND Attribute_Permissions!="*-498"
| eval Extended_Rights_Description=case(Extended_Rights == "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "DS-Replication-Get-Changes (extended right needed to replicate changes from a given NC, a logical portion of the Microsoft's Active Directory)", Extended_Rights == "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "DS-Replication-Get-Changes-All (control access right that allows the replication of secret domain data)", Extended_Rights == "89e95b76-444d-4c62-991a-0facbeda640c", "DS-Replication-Get-Changes-In-Filtered-Set")
| table _time, Account_Name,DN,Attribute_Permissions,objectSid,Extended_Rights,Extended_Rights_Description,Type,Correlation_ID
| stats values(*) AS *, distinct_count(Type) AS count_actions by objectSid,Extended_Rights,Correlation_ID
| strcat "The account " Account_Name " assigned the new right " Extended_Rights ": " Extended_Rights_Description " to the Object SID " objectSid extra1
| search count_actions=1 AND Type="Value Added"
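The same detection logic as the query above, re-implemented in Python as an added example (not part of the gist) so the ACE parsing and the "Value Added minus Value Deleted" comparison can be tested offline. The two 5136 events, the SDDL strings, the user SID and the field names are constructed assumptions.

```python
import re
from collections import defaultdict

# Extended rights abused for DCSync (GUIDs from the gist) and the trustees the query
# excludes: DD (Domain Controllers), BA (Builtin Administrators), ED (Enterprise DCs), RID -498 (Enterprise RODCs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
EXPECTED_TRUSTEES = {"DD", "BA", "ED"}
ACE_RE = re.compile(r"\(([^)]*)\)")  # one match per ACE, like the query's first rex

def replication_aces(sddl):
    """Return {(right_guid, trustee)} for ACEs granting a monitored right to an unexpected trustee."""
    found = set()
    for ace in ACE_RE.findall(sddl):
        parts = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) < 6 or parts[3].lower() not in REPLICATION_RIGHTS:
            continue
        trustee = parts[5]
        if trustee not in EXPECTED_TRUSTEES and not trustee.endswith("-498"):
            found.add((parts[3].lower(), trustee))
    return found

def new_replication_grants(events):
    """events: dicts with Correlation_ID, Type, Account_Name, Value (the SDDL string). Mirrors the
    query's count_actions step: an ACE only in 'Value Added', not in the paired 'Value Deleted', is new."""
    seen = defaultdict(lambda: {"Value Added": set(), "Value Deleted": set()})
    actor = {}
    for ev in events:
        if ev["Type"] in seen[ev["Correlation_ID"]]:
            seen[ev["Correlation_ID"]][ev["Type"]] |= replication_aces(ev["Value"])
            actor[ev["Correlation_ID"]] = ev["Account_Name"]
    alerts = []
    for corr, types in seen.items():
        for right, sid in sorted(types["Value Added"] - types["Value Deleted"]):
            alerts.append(f"The account {actor[corr]} assigned the new right {right}: "
                          f"{REPLICATION_RIGHTS[right]} to the Object SID {sid}")
    return alerts

# Constructed sample: the 'before' SDDL only grants the rights to DD/ED; the 'after'
# SDDL additionally grants Get-Changes-All to an ordinary (made-up) user SID.
OLD_SDDL = ("O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
            "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)")
NEW_SDDL = OLD_SDDL + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
SAMPLE_EVENTS = [
    {"Correlation_ID": "{c1}", "Type": "Value Deleted", "Account_Name": "jdoe", "Value": OLD_SDDL},
    {"Correlation_ID": "{c1}", "Type": "Value Added", "Account_Name": "jdoe", "Value": NEW_SDDL},
]
```

Running `new_replication_grants(SAMPLE_EVENTS)` yields a single alert for the user SID, while the DD/ED grants present in both SDDL values produce nothing, matching the query's `count_actions=1 AND Type="Value Added"` filter.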