Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1222-file-and-directory-permissions-modification

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects an instance where a user or process modifies the Discretionary Access Control List (DACL) of an Active Directory (AD) object.

Strategy

This detection monitors Windows Security event logs for occurrences of Event ID 4662 (An operation was performed on an object) with specific indicators of DACL modifications.

DACL modifications in Active Directory can be used to grant specific permissions to accounts, allowing attackers to maintain persistence even after credentials are changed. This technique is particularly concerning when applied to high-value objects like domain controllers or administrative groups.

Triage & Response

• Identify the {{host}} domain controller that recorded the DACL modification event.
• Examine which account performed the WriteDAC operation by reviewing the SubjectUserName field.
• Determine which AD object was modified by reviewing the ObjectName field.
• Check whether the object modified is a high-value target such as a user, group, or critical AD structure.
• Correlate with Event ID 4670 which indicates that permissions on an object were changed.
• Look for new or suspicious security principals added to the DACL using Active Directory tools.
• Review Event ID 4728, 4732, 4756 (Group Membership Changes) to check if the affected object was added to privileged groups.
• Check if the same account recently requested DCSync permissions.
• Determine whether the modification was part of normal administrative activity or unauthorized.
• Disable the account that performed the modification if suspicious activity is confirmed.
• Revert unauthorized ACL modifications using PowerShell or Active Directory tools.