Windows active directory user backdoors
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects Active Directory user account backdoor configurations through delegation settings and LDAP attribute modifications.
Strategy
This rule monitors Active Directory user account modifications related to delegation permissions and service principal names. The detection tracks user account modifications through event ID 4738 when delegation permissions are modified, and event ID 5136 for LDAP attribute changes including msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity, and servicePrincipalName attributes. These modifications can enable unauthorized access and impersonation capabilities within the Active Directory environment.
Triage & Response
- Examine the modified user account properties and determine if the delegation permissions were authorized by reviewing the
{{@usr.id}} making the changes. - Validate if the service principal name changes on the affected user accounts align with legitimate business requirements.
- Review the delegation targets specified in
AllowedToDelegateTo attributes to ensure they are authorized services. - Analyze authentication patterns for the modified accounts to identify any suspicious delegation or impersonation activity.
- Restrict delegation permissions to only necessary service accounts.
