[Meta] Explore Detection Opportunities on Active Directory Default Groups Abuse

[w0rk3r]

Summary

Explore how attackers abuse default groups (DnsAdmins, Schema Admins, Server Operators, Backup Operators, etc.) to elevate privileges, maintain persistence, and execute payloads in domain servers and hosts,

### Tasks
- [x] Lab Creation
- [x] Undestand default domain groups and their privileges
- [x] Read, read, and read blog posts that explain the abuse of the privileges
- [x] Simulate abuse based on existing research
- [x] Detection Development

Goals

• Enhance coverage for attacks that target common misconfigurations in active directory environments.

Resources:

https://adsecurity.org/?p=3700
https://cube0x0.github.io/Pocing-Beyond-DA/
https://adsecurity.org/?p=4064
https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll

PRs

• [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717
• [New Rule] DNS Global Query Block List Modified or Disabled #3734
• https://github.com/elastic/endpoint-rules/pull/3540
• [New Rule] Potential WPAD Spoofing via DNS Record Creation #3748
• [New Rule] Potential Privilege Escalation via Service ImagePath Modification #3757
• [New Rule] NTDS Dump via Wbadmin #3758
• [Rule Tuning] User Added to Privileged Group #3763
• [New Rule] AD Group Modification by SYSTEM #3833
• [New Rule] [BBR] Active Directory Object Modification by SYSTEM #3835

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.