This note documents detection patterns related to WriteDACL Abuse within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4670 | Permissions on an object were changed | Critical | WriteDACL abuse modifies the Discretionary Access Control List of AD objects. Review ObjectName and SubjectUserName. |
| Security | 5136 | Directory object modified | High | Attribute modifications may follow permission changes enabling privilege escalation. |
| Security | 4662 | An operation was performed on an object | High | Indicates LDAP operations modifying security descriptors or ACL entries. |
| Security | 4728 | Member added to security-enabled global group | Critical | Attacker may grant themselves privileges after modifying ACLs. |
| Security | 4732 | Member added to security-enabled local group | High | Used for privilege escalation after permission modification. |
| Sysmon | 1 | Process creation | Medium | Execution of PowerView, Impacket, or other LDAP manipulation tools. |
| Sysmon | 3 | Network connection | Medium | LDAP communication with domain controllers. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unexpected ACL changes on privileged objects | Changes affecting Domain Admins, Enterprise Admins, or DC objects | Critical | Attacker granting themselves privileges. |
| Addition of new ACE entries | New Access Control Entries granting rights such as GenericAll or WriteDACL | Critical | Indicates attacker privilege escalation. |
| Rapid directory permission modifications | Multiple ACL modifications across objects | Medium | Possible automated attack chain. |
| Group membership changes following ACL modification | Privilege escalation shortly after DACL modification | Critical | Classic attack sequence. |
| LDAP modifications from unusual host | Directory modifications from workstation not normally administering AD | High | Possible attacker-controlled system. |
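The "Addition of new ACE entries" indicator above is easiest to act on by diffing the old and new security descriptors that 4670 carries (the OldSd / NewSd fields, in SDDL form). The following script is an added example, not part of the original note: it parses the DACL portion of both descriptors, isolates ACEs that exist only in the new one, and flags those granting WriteDACL, WriteOwner, GenericAll or GenericWrite, in either two-letter SDDL code or hex access-mask form. The sample event, SIDs and object names are constructed for the example.

```python
import re
from dataclasses import dataclass

# SDDL two-letter right codes that matter for DACL abuse, mapped to the
# names commonly used in LDAP/BloodHound discussions.
DANGEROUS_CODES = {
    "WD": "WriteDACL",    # WRITE_DAC
    "WO": "WriteOwner",   # WRITE_OWNER
    "GA": "GenericAll",
    "GW": "GenericWrite",
}
# The same rights as access-mask bits, for ACEs whose rights are written in hex.
DANGEROUS_BITS = {
    0x00040000: "WriteDACL",
    0x00080000: "WriteOwner",
    0x10000000: "GenericAll",
    0x40000000: "GenericWrite",
}
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str


def dacl_section(sddl: str) -> str:
    """Return the text between 'D:' and the following 'S:' (SACL), if any."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    body = sddl[start + 2:]
    end = body.find("S:")
    return body if end < 0 else body[:end]


def parse_dacl(sddl: str) -> set:
    """Parse every ACE in the DACL into a hashable Ace record."""
    aces = set()
    for raw in ACE_RE.findall(dacl_section(sddl)):
        parts = raw.split(";")
        if len(parts) < 6:
            continue  # malformed ACE; skip rather than guess
        aces.add(Ace(*parts[:6]))
    return aces


def dangerous_rights(rights: str) -> list:
    """Map an ACE rights field (letter codes or hex mask) to flagged right names."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(name for bit, name in DANGEROUS_BITS.items() if mask & bit)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return sorted(DANGEROUS_CODES[c] for c in codes if c in DANGEROUS_CODES)


def new_dangerous_aces(old_sd: str, new_sd: str) -> list:
    """Allow ACEs present in the new descriptor but not the old, carrying flagged rights."""
    findings = []
    added = parse_dacl(new_sd) - parse_dacl(old_sd)
    for ace in sorted(added, key=lambda a: a.trustee):
        names = dangerous_rights(ace.rights)
        if names and ace.ace_type == "A":  # a newly added deny ACE is not an escalation
            findings.append({"trustee": ace.trustee, "rights": names, "ace": ace})
    return findings


def triage_4670(event: dict) -> dict:
    """Summarise a 4670-style event: who changed what, and which new ACEs to escalate."""
    findings = new_dangerous_aces(event["OldSd"], event["NewSd"])
    return {
        "subject": event["SubjectUserName"],
        "object": event["ObjectName"],
        "new_dangerous_aces": findings,
        "escalate": bool(findings),
    }


# Constructed sample event: a WriteDACL ACE (letter form) and a GenericAll ACE
# (hex form) for ordinary domain accounts are added to the Domain Admins group
# object; a harmless read-property ACE is added in the same change.
SAMPLE_EVENT = {
    "SubjectUserName": "svc-backup",
    "ObjectName": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "OldSd": "O:DAG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(A;;RPLCLORC;;;AU)",
    "NewSd": ("O:DAG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(A;;RPLCLORC;;;AU)"
              "(A;;RP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
              "(A;;WD;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
              "(A;;0x10000000;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"),
}

if __name__ == "__main__":
    result = triage_4670(SAMPLE_EVENT)
    for f in result["new_dangerous_aces"]:
        print(f"{result['subject']} granted {','.join(f['rights'])} "
              f"to {f['trustee']} on {result['object']}")
```

Only the ACEs that are new relative to the old descriptor are reported, so the pre-existing GenericAll held by Domain Admins on its own object does not produce noise; the trustee SID is left unresolved so the check can run on exported logs without a directory connection.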
Common Tools
| Tool | Usage |
|---|---|
| PowerView | Modifies object ACLs using WriteDACL privileges. |
| Impacket | LDAP scripts used to modify directory permissions. |
| BloodHound | Identifies attack paths involving WriteDACL rights. |
| SharpHound | Collects privilege relationship data. |
| ADSIEdit | Manual modification of AD object permissions. |
Relevant Artifacts
- Domain controller Security logs (4670, 5136, 4662)
- Active Directory object metadata
- LDAP modification logs
- Sysmon logs (1, 3)
- EDR telemetry identifying AD manipulation tools
- Directory replication metadata
- Prefetch artifacts showing execution of PowerView or Impacket tools
MITRE ATT&CK References
- T1098 Account Manipulation
- T1484 Domain Policy Modification
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify permission modification events (4670).
- What host generated the event?
  - Determine the workstation that performed the LDAP modification.
- Is the account expected to perform this action?
  - Investigate whether the account normally manages directory permissions.
- Pivot:
  - Source host → inspect execution of PowerView or Impacket tools.
  - Account → review privileges and group memberships.
  - Network → analyze LDAP traffic patterns.
- Confirm exploitation
  - Determine whether the attacker modified the DACL to grant themselves privileges.
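The decision tree and the "Group membership changes following ACL modification" and "Rapid directory permission modifications" indicators can be turned into a single scoring pass over normalised 4670/4728/4732 events. The script below is an added example, not part of the original note. The admin-workstation list, the set of accounts expected to manage permissions, the 30-minute follow-on window and the sample events are all constructed assumptions; in a real deployment those baselines come from your asset inventory.

```python
from datetime import datetime, timedelta

# Hypothetical environment baseline (assumed values, not from the note).
ADMIN_WORKSTATIONS = {"ADM-JUMP01", "ADM-JUMP02"}
ACL_ADMINS = {"jdoe.admin"}
SENSITIVE_OBJECT_PREFIXES = (
    "CN=Domain Admins,", "CN=Enterprise Admins,",
    "CN=AdminSDHolder,", "OU=Domain Controllers,",
)
GROUP_CHANGE_EVENTS = {4728, 4732}
WINDOW = timedelta(minutes=30)  # assumed: how soon after 4670 a group change is "follow-on"
RAPID_THRESHOLD = 2             # assumed: 4670s by one account inside WINDOW that count as "rapid"

R_SENSITIVE = "DACL change on privileged object"
R_HOST = "source host is not an admin workstation"
R_ACCOUNT = "account does not normally manage directory permissions"
R_FOLLOW_ON = "follow-on group membership change by same account"
R_RAPID = "multiple DACL modifications in a short window"

# Constructed sample telemetry, normalised from 4670 (ObjectName) and 4728 (group DN).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4670, "subject": "jdoe.admin",
     "host": "ADM-JUMP01", "object": "OU=Workstations,DC=corp,DC=example"},
    {"time": "2024-05-01T10:00:00", "event_id": 4670, "subject": "svc-backup",
     "host": "WS-0421", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
    {"time": "2024-05-01T10:01:00", "event_id": 4670, "subject": "svc-backup",
     "host": "WS-0421", "object": "CN=AdminSDHolder,CN=System,DC=corp,DC=example"},
    {"time": "2024-05-01T10:03:00", "event_id": 4728, "subject": "svc-backup",
     "host": "WS-0421", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
    {"time": "2024-05-01T10:40:00", "event_id": 4728, "subject": "jdoe.admin",
     "host": "ADM-JUMP01", "object": "CN=Helpdesk,OU=Groups,DC=corp,DC=example"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def severity(score):
    """0 reasons: no alert; 1: medium; 2: high; 3 or more: critical."""
    return {0: None, 1: "medium", 2: "high"}.get(score, "critical")


def triage_dacl_events(events):
    """Walk the decision tree for every 4670 and return scored alerts in time order."""
    events = sorted(events, key=_ts)
    alerts = []
    for ev in events:
        if ev["event_id"] != 4670:
            continue
        t0 = _ts(ev)
        reasons = []
        # Step 1/2/3 of the tree: what was changed, from where, by whom.
        if ev["object"].startswith(SENSITIVE_OBJECT_PREFIXES):
            reasons.append(R_SENSITIVE)
        if ev["host"] not in ADMIN_WORKSTATIONS:
            reasons.append(R_HOST)
        if ev["subject"] not in ACL_ADMINS:
            reasons.append(R_ACCOUNT)
        # Confirmation step: did the same account change group membership afterwards?
        same_subject = [e for e in events if e["subject"] == ev["subject"]]
        if any(e["event_id"] in GROUP_CHANGE_EVENTS
               and timedelta(0) <= _ts(e) - t0 <= WINDOW for e in same_subject):
            reasons.append(R_FOLLOW_ON)
        # Automation hint: several DACL changes by one account inside the window.
        recent = [e for e in same_subject
                  if e["event_id"] == 4670 and abs(_ts(e) - t0) <= WINDOW]
        if len(recent) >= RAPID_THRESHOLD:
            reasons.append(R_RAPID)
        sev = severity(len(reasons))
        if sev:
            alerts.append({"time": ev["time"], "subject": ev["subject"], "host": ev["host"],
                           "object": ev["object"], "severity": sev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage_dacl_events(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['subject']}@{a['host']} -> {a['object']}")
        for r in a["reasons"]:
            print(f"    - {r}")
```

The expected admin's change to an OU from a jump host scores zero and produces no alert, while the service account's two changes to tier-0 objects from a workstation, followed three minutes later by a Domain Admins membership change, each accumulate every reason and surface as critical. Scoring rather than hard matching keeps the rule useful when only some telemetry (for example, no host field) is available.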
Example Detection Templates
KQL
```kusto
SecurityEvent
| where EventID == 4670
| project TimeGenerated, SubjectUserName, ObjectName
```
```kusto
SecurityEvent
| where EventID == 5136
| project TimeGenerated, SubjectUserName, ObjectDN
```
EQL
```eql
any where event.code == "4670"
```
Sigma
```yaml
title: Suspicious Active Directory DACL Modification
id: writedacl-abuse-detection
status: experimental
description: Detects modification of AD object DACL potentially indicating WriteDACL abuse
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4670
    condition: selection
fields:
    - SubjectUserName
    - ObjectName
falsepositives:
    - Legitimate administrative permission changes
level: medium
tags:
    - attack.privilege_escalation
    - attack.t1098
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege review | Audit AD ACLs for WriteDACL permissions | Critical | Removes unnecessary rights enabling privilege escalation. |
| Least privilege | Restrict who can modify directory permissions | High | Reduces abuse opportunities. |
| Monitoring | Alert on ACL modifications to sensitive objects | High | Detects privilege escalation attempts. |
| AD security review | Regularly review delegation permissions | High | Identifies risky configurations. |
| Change management | Require approval for permission changes | Medium | Reduces unauthorized modifications. |