Windows active directory object WriteDAC access
Goal
Detects an instance where a user or process modifies the Discretionary Access Control List (DACL) of an Active Directory (AD) object.
Strategy
This detection monitors Windows Security event logs for occurrences of Event ID 4662 (An operation was performed on an object) with specific indicators of DACL modifications.
DACL modifications in Active Directory can be used to grant specific permissions to accounts, allowing attackers to maintain persistence even after credentials are changed. This technique is particularly concerning when applied to high-value objects like domain controllers or administrative groups.
Triage & Response
- Identify the
{{host}} domain controller that recorded the DACL modification event. - Examine which account performed the WriteDAC operation by reviewing the
SubjectUserName field. - Determine which AD object was modified by reviewing the
ObjectName field. - Check whether the object modified is a high-value target such as a user, group, or critical AD structure.
- Correlate with Event ID 4670 which indicates that permissions on an object were changed.
- Look for new or suspicious security principals added to the DACL using Active Directory tools.
- Review Event ID 4728, 4732, 4756 (Group Membership Changes) to check if the affected object was added to privileged groups.
- Check if the same account recently requested DCSync permissions.
- Determine whether the modification was part of normal administrative activity or unauthorized.
- Disable the account that performed the modification if suspicious activity is confirmed.
- Revert unauthorized ACL modifications using PowerShell or Active Directory tools.
