high advisory

Active Directory User ACL Modification with Dangerous Permissions

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

This detection focuses on identifying potentially malicious modifications to Access Control Lists (ACLs) on Active Directory user objects. Attackers may modify user object ACLs to grant themselves or other accounts elevated privileges, enabling them to perform unauthorized actions within the domain. The activity is detected by monitoring Windows Event Log Security event ID 5136, which records changes to Active Directory objects. The detection specifically looks for the addition of dangerous permissions, such as “Full control,” “All extended rights,” “All validated writes,” and rights to create, delete, or modify child objects. Successful exploitation of this technique can lead to complete domain compromise.
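The following Python is an added illustration of that detection logic, not the vendor's Sigma rule: it parses the SDDL value that a 5136 event carries when the nTSecurityDescriptor attribute is written (operation %%14674, "Value Added") and flags access-allowed ACEs granting the dangerous rights listed above. The event record, SIDs and trustee values are constructed for the example; the extended-right GUID on one ACE shows how an object GUID narrows CR/SW to a single right rather than "all".

```python
import re
from typing import Dict, List

# SDDL rights tokens matching the advisory's "dangerous permissions" list.
DANGEROUS_RIGHTS = {
    "GA": "Full control", "WD": "Modify permissions", "WO": "Modify owner",
    "CR": "All extended rights", "SW": "All validated writes",
    "CC": "Create child objects", "DC": "Delete child objects",
}
# Same rights as access-mask bits, for ACEs that use a hex mask instead.
DANGEROUS_BITS = {0x10000000: "Full control", 0x40000: "Modify permissions",
                  0x80000: "Modify owner", 0x100: "All extended rights",
                  0x8: "All validated writes", 0x1: "Create child objects",
                  0x2: "Delete child objects"}
FULL_CONTROL_MASK = 0x000F01FF        # all object-specific + standard rights
SCOPED = ("All extended rights", "All validated writes")  # narrowed by a GUID
ACE_RE = re.compile(r"\(([^)]*)\)")   # one SDDL ACE per parenthesised group

def ace_rights(rights: str) -> List[str]:
    """Map an SDDL rights field (tokens or hex mask) to dangerous right names."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        names = ["Full control"] if (mask & FULL_CONTROL_MASK) == FULL_CONTROL_MASK else []
        return names + [n for bit, n in DANGEROUS_BITS.items() if mask & bit]
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [DANGEROUS_RIGHTS[t] for t in tokens if t in DANGEROUS_RIGHTS]

def dangerous_aces(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return allow-ACEs granting dangerous rights in an added security descriptor."""
    if (event.get("EventID") != "5136"
            or event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
            or event.get("OperationType") != "%%14674"):   # %%14674 = Value Added
        return []
    findings = []
    for ace in ACE_RE.findall(event["AttributeValue"]):
        f = ace.split(";")   # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) < 6 or f[0] not in ("A", "OA"):          # access-allowed only
            continue
        rights = ace_rights(f[2])
        if f[3]:   # object GUID present: CR/SW cover one right, not all rights
            rights = [r for r in rights if r not in SCOPED]
        if rights:
            findings.append({"trustee": f[5], "rights": ", ".join(rights)})
    return findings

# Constructed sample event (not a real capture); SIDs are placeholders.
SAMPLE_EVENT = {
    "EventID": "5136", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "OperationType": "%%14674", "ObjectClass": "user",
    "AttributeValue": "O:DAG:DAD:AI(A;;GA;;;S-1-5-21-1111-2222-3333-1105)"
                      "(A;;RPWP;;;S-1-5-21-1111-2222-3333-1106)"
                      "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1111-2222-3333-1107)"
                      "(A;;CR;;;S-1-5-21-1111-2222-3333-1108)",
}
```

Run against SAMPLE_EVENT it reports two ACEs: full control for the first trustee and all extended rights for the last; the read/write-property ACE and the single scoped extended right (User-Change-Password) are ignored.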

Attack Chain

  1. The attacker gains initial access to a system within the Active Directory environment, potentially through compromised credentials or exploiting a vulnerability.
  2. The attacker uses tools like PowerShell or native Windows utilities (e.g., dsacls.exe) to interact with Active Directory.
  3. The attacker identifies a target Active Directory user object.
  4. The attacker modifies the ACL of the target user object using commands that grant dangerous permissions, such as “Full control,” “Modify permissions,” or “Modify owner.”
  5. The attacker’s actions generate Windows Event Log Security event ID 5136. The event contains information about the object modified, the user who made the change, and the permissions added.
  6. The attacker leverages the newly granted permissions to escalate their privileges within the Active Directory domain.
  7. The attacker performs further malicious activities, such as creating new accounts, modifying group memberships, or exfiltrating sensitive data.
  8. The attacker achieves their final objective, such as complete domain compromise or data theft.

Impact

Successful modification of Active Directory user object ACLs can lead to significant privilege escalation, potentially granting attackers complete control over the Active Directory domain. This can lead to data breaches, service disruption, and significant financial losses. The scope of the impact depends on the permissions granted and the attacker’s objectives.

Recommendation

  • Enable Active Directory auditing to generate Windows Event Log Security events, specifically event ID 5136, to capture ACL modification activity. (Windows Event Log Security 5136)
  • Deploy the Sigma rule “Detect Windows AD Dangerous User ACL Modification” to your SIEM to detect suspicious ACL modifications. (Sigma rule)
  • Investigate any alerts generated by the Sigma rule to determine if the ACL modification was legitimate or malicious. (Sigma rule)
  • Review and restrict the use of command-line tools such as dsacls.exe and PowerShell scripts for managing Active Directory ACLs.
  • Implement the filter from the detection rule windows_ad_dangerous_user_acl_modification_filter to reduce false positives.
  • Ensure that SID resolution lookups are configured correctly for your environment.

Detection coverage (2 rules)

Detect Windows AD Dangerous User ACL Modification

high

Detects modifications to Active Directory user ACLs that grant dangerous permissions, potentially indicating privilege escalation.

Sigma | tactics: privilege_escalation | techniques: T1222.001 | sources: process_creation, windows

Detect Windows AD Dangerous User ACL Modification - Event 5136

high

Detects Event ID 5136 events indicating modifications to Active Directory user ACLs that grant dangerous permissions.

Sigma | tactics: privilege_escalation | techniques: T1222.001 | sources: process_creation, windows
