title: AD Object WriteDAC Access
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
status: test
description: Detects WRITE_DAC access to a domain object
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1222.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectServer: 'DS'
        AccessMask: '0x40000'
        ObjectType:
            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
            - 'domainDNS'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
    Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
    - https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_proxy:
        # Note: Example command observed:  cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_fsutil_cli:
        CommandLine|contains|all:
            - 'fsutil'
            - 'behavior'
            - 'set'
            - 'SymlinkEvaluation'
    selection_symlink_params:
        CommandLine|contains:
            - 'R2L:1' # Remote to Local
            - 'R2R:1' # Remote to Remote
            - 'L2L:1' # Local to Local
    condition: all of selection_*
falsepositives:
    - Legitimate usage, investigate the parent process and context to determine if benign.
level: medium

title: Suspicious Recursive Takeown
id: 554601fb-9b71-4bcc-abf4-21a611be4fde
status: test
description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
author: frack113
date: 2022-01-30
modified: 2022-11-21
tags:
    - attack.defense-impairment
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\takeown.exe'
        CommandLine|contains|all:
            - '/f '
            - '/r'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium