diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
new file mode 100644
index 0000000000..cda369d9ef
--- /dev/null
+++ b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -0,0 +1,83 @@
+name: Windows AD DCShadow ACL Addition
+id: ae915743-1aa8-4a94-975c-8062ebc8b723
+version: 1
+date: '2023-11-10'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Security 5136
+description: Detect ACL modification event applying the minimum required extended rights to perform a DCShadow attack.
+search: '`wineventlog_security` EventCode=5136 OperationType="%%14674" ObjectClass=domainDNS
+ | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;(?P.*?)\)"
+ | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;(?P.*?)\)"
+ | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;(?P.*?)\)"
+ | mvexpand DSInstallReplica_user
+ | eval DCShadowPermissions=if(DSInstallReplica_user=DSReplSync_user AND DSInstallReplica_user=DSReplManageTopology_user,"true","false"), permissions_applied=mvappend("DS-Install-Replica","DS-Replication-Synchronize","DS-Replication-Manage-Topology")
+ | where DCShadowPermissions="true"
+ | stats min(_time) as _time by src_user DSInstallReplica_user permissions_applied, SubjectLogonId, DSName
+ | rename SubjectLogonId as TargetLogonId, src_user as initiator, DSInstallReplica_user as target_user
+ | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
+ | stats min(_time) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(target_user) as user, values(Computer) as dest, values(permissions_applied) as permissions_applied, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType by TargetLogonId
+ ``` uncomment to enable SID lookups as required
+ | lookup identity_lookup_expanded objectSid as user OUTPUT downLevelDomainName as translated_user
+ | lookup admon_groups_def objectSid as user OUTPUT cn as group_user
+ | eval user=if(match(user, "S-1-[ 
0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}") AND translated_user like "%" OR group_user like "%",coalesce(translated_user,group_user),user)
+ | fields - translated_user group_user
+ ```
+ | eval comment=mvappend(if(isnull(src_ip),"Finding: Rerun search over longer time-range to locate src_ip from the captured TargetLogonId",null),if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}"),"Finding: Captured SID could not be found in A&I lookup, ensure A&I lookup is configured, also check potential group SIDs for a match",null))
+ | `windows_ad_dcshadow_acl_addition_filter`'
+how_to_implement: See link in references for how to configure logging for these eventcodes.
+known_false_positives: Unknown
+references:
+- https://www.labofapenetrationtester.com/2018/04/dcshadow.html
+- https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1
+- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
+tags:
+ analytic_story:
+ - Sneaky Active Directory Persistence Tricks
+ asset_type: Endpoint
+ confidence: 100
+ impact: 100
+ message: $targetDomain$ ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack.
+ mitre_attack_id:
+ - T1484
+ - T1207
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: src_user
+ type: User
+ role:
+ - Victim
+ - name: dest
+ type: Hostname
+ role:
+ - Victim
+ - name: src_ip
+ type: Hostname
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 100
+ required_fields:
+ - _time
+ - OperationType
+ - src_user
+ - AttributeLDAPDisplayName
+ - AttributeValue
+ - ObjectClass
+ - SubjectLogonId
+ - DSName
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
+ source: XmlWinEventLog:Security
+ sourcetype: xmlwineventlog
diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml
new file mode 100644
index 0000000000..7db4848f5c
--- /dev/null
+++ b/detections/application/windows_ad_domain_root_acl_modification.yml
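Review bot: The `appendpipe [| map search=…]` line in windows_ad_dcshadow_privileges_acl_addition.yml runs `map` with its default `maxsearches` of 10, so once more than ten TargetLogonId rows survive the preceding `stats`, the remaining sessions are never enriched and `src_ip`/`dest` stay null for them, which the later `comment` eval then reports as a time-range problem rather than a truncation. Set the ceiling explicitly by adding `maxsearches=100` (or whatever bound fits the environment) before `search=` on that `map` line; the identical line in windows_ad_domain_replication_acl_addition.yml in this commit has the same issue. In `observable`, `src_user` is the account that wrote the ACE yet is tagged `role: - Victim` exactly like `user`; `Attacker` is the role that fits the initiator, unless the analytic story deliberately attributes risk to both. `known_false_positives: Unknown` would be more useful as a sentence naming the administrative changes that legitimately grant these extended rights on the domain root, since that is what analysts will be asked to tune against.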
@@ -0,0 +1,79 @@
+name: Windows AD Domain Root ACL Modification
+id: 4981e2db-1372-440d-816e-3e7e2ed74433
+version: 1
+date: '2023-11-11'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Security 5136
+description: ACL modification performed on the domain root object, significant AD change with high impact. Following MS guidance all changes at this level should be reviewed. Drill into the logonID within EventCode 4624 for information on the source device during triage.
+search: '`wineventlog_security` EventCode=5136 ObjectClass=domainDNS
+ | eval old_value=if(OperationType=="%%14675",AttributeValue,null), new_value=if(OperationType=="%%14674",AttributeValue,null)
+ | stats min(_time) as _time values(old_value) as old_value values(new_value) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId
+ | rex field=old_value max_match=10000 "\((?P.*?)\)"
+ | rex field=new_value max_match=10000 "\((?P.*?)\)"
+ | mvexpand new_ace
+ | where NOT new_ace IN (old_values)
+ | rex field=new_ace "(?P.*?);(?P.*?);(?P.*?);(?P.*?);;(?P.*?)$"
+ | rex max_match=100 field=aceAccessRights "(?P[A-Z]{2})"
+ | rex max_match=100 field=aceFlags "(?P[A-Z]{2})"
+ | lookup ace_control_access_rights_lookup.csv control_access_rights_guid as aceObjectGuid OUTPUT control_access_rights_value as ControlAccessRights
+ | lookup ace_access_rights_lookup.csv access_rights_string as AccessRights OUTPUT access_rights_value
+ | lookup ace_type_lookup.csv ace_type_string as aceType OUTPUT ace_type_value
+ | lookup ace_flag_lookup.csv flag_string as aceFlags OUTPUT flag_value as ace_flag_value
+ ``` Optional SID resolution lookups
+ | lookup identity_lookup_expanded objectSid as aceSid OUTPUT downLevelDomainName as user
+ | lookup admon_groups_def objectSid as aceSid OUTPUT cn as group ```
+ | eval aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",'access_rights_value'), aceType=ace_type_value, 
aceFlags=coalesce(ace_flag_value,"This object only"), aceControlAccessRights=ControlAccessRights, user=coalesce(user, group, aceSid)
+ | stats values(user) as user values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace by _time ObjectClass ObjectDN src_user SubjectLogonId aceSid OpCorrelationID
+ | `windows_ad_domain_root_acl_modification_filter`'
+how_to_implement: See link in references for how to configure logging for these eventcodes. Include lookups for SID resolution if evt_resolve_ad_obj is set to 0.
+known_false_positives: Unknown
+references:
+- https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
+- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
+tags:
+ analytic_story:
+ - Sneaky Active Directory Persistence Tricks
+ asset_type: Endpoint
+ confidence: 100
+ impact: 100
+ message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$
+ mitre_attack_id:
+ - T1484
+ - T1222
+ - T1222.001
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: src_user
+ type: User
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 100
+ required_fields:
+ - _time
+ - OperationType
+ - ObjectDN
+ - OpCorrelationID
+ - src_user
+ - AttributeLDAPDisplayName
+ - AttributeValue
+ - ObjectClass
+ - SubjectLogonId
+ - DSName
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log
+ source: XmlWinEventLog:Security
+ sourcetype: xmlwineventlog
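Review bot: In windows_ad_domain_root_acl_modification.yml the line `| lookup ace_flag_lookup.csv flag_string as aceFlags OUTPUT flag_value as ace_flag_value` keys on `aceFlags`, which the preceding `rex field=new_ace` presumably fills with the whole flags segment of the ACE; a segment carrying more than one flag (constructed example `CIIO`) has no row in ace_flag_lookup.csv, so `ace_flag_value` is null and the following `coalesce(ace_flag_value,"This object only")` labels an inheriting ACE as applying to this object only. The `rex max_match=100 field=aceFlags "…[A-Z]{2}"` line directly above already splits the segment into two-letter tokens (its capture-group name is not legible in this rendering), so the lookup should key on that per-flag field, and the "This object only" default should apply only when the raw `aceFlags` is empty. `known_false_positives: Unknown` at `risk_score: 100` deserves a sentence about the routine delegation changes that also write the domain-root DACL, given that the description itself says every change here will be reviewed.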
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index 91403cb40d..38c06dd848 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -14,17 +14,25 @@ description: - DS-Replication-Get-Changes-All Certain Sync operations may require the additional permission of DS-Replication-Get-Changes-In-Filtered-Set. By default, adding DCSync permissions via the Powerview Add-ObjectACL operation adds all 3. This alert identifies where this trifecta has been met, and also where just the base level requirements have been met.
-search: '`wineventlog_security` EventCode=5136
- | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?PS-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
- | rex field=AttributeValue max_match=10000 "OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?PS-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
- | rex field=AttributeValue max_match=10000 "OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?PS-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3})\)"
- | table _time dest src_user DSRGetChanges_user_sid DSRGetChangesAll_user_sid DSRGetChangesFiltered_user_sid
- | mvexpand DSRGetChanges_user_sid
- | eval minDCSyncPermissions=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid,"true","false"), fullSet=if(DSRGetChanges_user_sid=DSRGetChangesAll_user_sid AND DSRGetChanges_user_sid=DSRGetChangesFiltered_user_sid,"true","false")
- | where minDCSyncPermissions="true"
- | lookup identity_lookup_expanded objectSid as DSRGetChanges_user_sid OUTPUT sAMAccountName as user
- | rename DSRGetChanges_user_sid as userSid
- | stats min(_time) as _time values(user) as user by dest src_user userSid minDCSyncPermissions fullSet
+search: '`wineventlog_security` EventCode=5136 OperationType="%%14674" ObjectClass=domainDNS
+ | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;(?P(S-1-[ 0-59]-|\w+\\\).*?)\)"
+ | rex field=AttributeValue max_match=10000 "OA(;|;CI);CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;(?P(S-1-[ 0-59]-|\w+\\\).*?)\)"
+ | rex field=AttributeValue max_match=10000 
"OA(;|;CI);CR;89e95b76-444d-4c62-991a-0facbeda640c;;(?P(S-1-[ 0-59]-|\w+\\\).*?)\)" + | mvexpand DSRGetChanges_user + | eval minDCSyncPermissions=if(DSRGetChanges_user=DSRGetChangesAll_user,"true","false"), fullSet=if(DSRGetChanges_user=DSRGetChangesAll_user AND DSRGetChanges_user=DSRGetChangesFiltered_user,"true","false") + | where minDCSyncPermissions="true" + | eval permissions_applied=mvappend(if(DSRGetChanges_user like "%","DS-Replication-Get-Changes",null),if(DSRGetChanges_user=DSRGetChangesAll_user,"DS-Replication-Get-Changes-All",null), if(DSRGetChanges_user=DSRGetChangesFiltered_user,"DS-Replication-Get-Changes-In-Filtered-Set",null)) + | stats min(_time) as _time by src_user DSRGetChanges_user permissions_applied, SubjectLogonId, DSName + | rename SubjectLogonId as TargetLogonId, src_user as initiator, DSRGetChanges_user as target_user + | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] + | stats min(_time) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(target_user) as user, values(Computer) as dest, values(permissions_applied) as permissions_applied, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType by TargetLogonId + ``` uncomment to enable SID lookups as required + | lookup identity_lookup_expanded objectSid as user OUTPUT downLevelDomainName as translated_user + | lookup admon_groups_def objectSid as user OUTPUT cn as group_user + | eval user=if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}") AND translated_user like "%" OR group_user like "%",coalesce(translated_user,group_user),user) + | fields - translated_user group_user + ``` + | eval comment=mvappend(if(isnull(src_ip),"Finding: Rerun search over longer time-range to locate src_ip from the captured TargetLogonId",null),if(match(user, "S-1-[ 0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[ 1-9]\d{3}"),"Finding: Captured SID could not be found in A&I 
lookup, ensure A&I lookup is configured, also check potential group SIDs for a match",null))
 | `windows_ad_domain_replication_acl_addition_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties`
@@ -55,21 +63,19 @@ tags:
 type: User
 role:
 - Victim
- - name: dest
- type: Hostname
- role:
- - Victim
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
 required_fields:
 - _time
- - dest
+ - OperationType
 - src_user
 - AttributeLDAPDisplayName
 - AttributeValue
 - ObjectClass
+ - SubjectLogonId
+ - DSName
 risk_score: 80
 security_domain: endpoint
 manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
diff --git a/dist/DA-ESS-ContentUpdate/default/transforms.conf b/dist/DA-ESS-ContentUpdate/default/transforms.conf
index 0a2ceca735..d519127145 100644
--- a/dist/DA-ESS-ContentUpdate/default/transforms.conf
+++ b/dist/DA-ESS-ContentUpdate/default/transforms.conf
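Review bot: `fullSet` on the `| eval minDCSyncPermissions=…, fullSet=…` line of the new search in windows_ad_domain_replication_acl_addition.yml is dead: nothing after the `where` reads it, the next eval's `permissions_applied` mvappend already records whether DS-Replication-Get-Changes-In-Filtered-Set was granted, and the `stats … by src_user DSRGetChanges_user permissions_applied, SubjectLogonId, DSName` drops it. Either delete `fullSet=…` or add `fullSet` to that by-clause so the full trifecta stays a first-class field, as the description promises. The `appendpipe [| map …]` line here shares the `maxsearches` concern raised on windows_ad_dcshadow_privileges_acl_addition.yml. The second hunk of this file removes the `dest` observable although the rewritten search still emits `values(Computer) as dest`, while the DCShadow detection in this commit keeps `dest` and `src_ip` observables over the same enrichment; the two detections should agree, presumably by keeping `dest` here unless `Computer` proved too often null. The leading context of this hunk is the tail of `description`, which begins outside the hunk.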
@@ -47,6 +47,22 @@ case_sensitive_match = false
 # description = An MLTK model for detecting malicious commandlines
 min_matches = 1
+[ace_access_rights_lookup]
+filename = ace_access_rights_lookup.csv
+# description = A lookup file that will contain translations for AD object ace access rights strings
+
+[ace_control_access_rights_lookup]
+filename = ace_control_access_rights_lookup.csv
+# description = A lookup file that will contain translations for AD object ace control access rights guids
+
+[ace_flag_lookup]
+filename = ace_flag_lookup.csv
+# description = A lookup file that will contain translations for AD object ace flags strings
+
+[ace_type_lookup]
+filename = ace_type_lookup.csv
+# description = A lookup file that will contain translations for AD object ace type strings
+
 [advanced_audit_policy_guids]
 filename = advanced_audit_policy_guids.csv
 default_match = false
diff --git a/lookups/ace_access_rights_lookup.csv b/lookups/ace_access_rights_lookup.csv
new file mode 100644
index 0000000000..f99ab07943
--- /dev/null
+++ b/lookups/ace_access_rights_lookup.csv
@@ -0,0 +1,14 @@
+access_rights_string,access_rights_value
+RC,Read permissions
+SD,Delete
+WD,Modify permissions
+WO,Modiy owner
+RP,Read all properties
+WP,Write all properties
+CC,Create all child objects
+DC,Delete all child objects
+LC,List contents
+SW,All validated writes
+LO,List objects
+DT,Delete subtree
+CR,All extended rights
diff --git a/lookups/ace_access_rights_lookup.yml b/lookups/ace_access_rights_lookup.yml
new file mode 100644
index 0000000000..eb19f3befa
--- /dev/null
+++ b/lookups/ace_access_rights_lookup.yml
@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace access rights strings
+filename: ace_access_rights_lookup.csv
+name: ace_access_rights_lookup
\ No newline at end of file
diff --git a/lookups/ace_control_access_rights_lookup.csv b/lookups/ace_control_access_rights_lookup.csv
new file mode 100644
index 0000000000..0abc53ca95
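Review bot: `WO,Modiy owner` in lookups/ace_access_rights_lookup.csv is misspelled, and that string is what windows_ad_domain_root_acl_modification.yml surfaces as `aceAccessRights` in its alert message, so it should read `WO,Modify owner`. The table also has no rows for the SDDL generic rights `GA`, `GR`, `GW` and `GX`; the `[A-Z]{2}` rex in that search extracts them like any other token, and an ACE granting them would then render with an empty `access_rights_value` instead of a readable name, so consider adding four rows for them. transforms.conf registers this file as `[ace_access_rights_lookup]` while the search calls it by filename `ace_access_rights_lookup.csv`; if both resolve in the target app that works, but referencing the stanza name keeps the search and the transforms entry in step if the filename ever changes.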
--- /dev/null
+++ b/lookups/ace_control_access_rights_lookup.csv
@@ -0,0 +1,63 @@
+control_access_rights_value,control_access_rights_guid
+Abandon-Replication,ee914b82-0a98-11d1-adbb-00c04fd8d5cd
+Add-GUID,440820ad-65b4-11d1-a3da-0000f875ae0d
+Allocate-Rids,1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd
+Allowed-To-Authenticate,68b1d179-0d15-4d4f-ab71-46152e79a7bc
+Apply-Group-Policy,edacfd8f-ffb3-11d1-b41d-00a0c968f939
+Certificate-Enrollment,0e10c968-78fb-11d2-90d4-00c04f79dc55
+Certificate-AutoEnrollment,a05b8cc2-17bc-4802-a710-e7c15ab866a2
+Change-Domain-Master,014bf69c-7b3b-11d1-85f6-08002be74fab
+Change-Infrastructure-Master,cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd
+Change-PDC,bae50096-4752-11d1-9052-00c04fc2d4cf
+Change-Rid-Master,d58d5f36-0a98-11d1-adbb-00c04fd8d5cd
+Change-Schema-Master,e12b56b6-0a95-11d1-adbb-00c04fd8d5cd
+Create-Inbound-Forest-Trust,e2a36dc9-ae17-47c3-b58b-be34c55ba633
+Do-Garbage-Collection,fec364e0-0a98-11d1-adbb-00c04fd8d5cd
+Domain-Administer-Server,ab721a52-1e2f-11d0-9819-00aa0040529b
+DS-Check-Stale-Phantoms,69ae6200-7f46-11d2-b9ad-00c04f79f805
+DS-Execute-Intentions-Script,2f16c4a5-b98e-432c-952a-cb388ba33f2e
+DS-Install-Replica,9923a32a-3607-11d2-b9be-0000f87a36b2
+DS-Query-Self-Quota,4ecc03fe-ffc0-4947-b630-eb672a8a9dbc
+DS-Replication-Get-Changes,1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
+DS-Replication-Get-Changes-All,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
+DS-Replication-Get-Changes-In-Filtered-Set,89e95b76-444d-4c62-991a-0facbeda640c
+DS-Replication-Manage-Topology,1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
+DS-Replication-Monitor-Topology,f98340fb-7c5b-4cdb-a00b-2ebdfa115a96
+DS-Replication-Synchronize,1131f6ab-9c07-11d1-f79f-00c04fc2dcd2
+Enable-Per-User-Reversibly-Encrypted-Password,05c74c5e-4deb-43b4-bd9f-86664c2a7fd5
+Generate-RSoP-Logging,b7b1b3de-ab09-4242-9e30-9980e5d322f7
+Generate-RSoP-Planning,b7b1b3dd-ab09-4242-9e30-9980e5d322f7
+Manage-Optional-Features,7c0e2a7c-a419-48e4-a995-10180aad54dd
+Migrate-SID-History,ba33815a-4f93-4c76-87f3-57574bff8109
+msmq-Open-Connector,b4e60130-df3f-11d1-9c86-006008764d0e
+msmq-Peek,06bd3201-df3e-11d1-9c86-006008764d0e
+msmq-Peek-computer-Journal,4b6e08c3-df3c-11d1-9c86-006008764d0e
+msmq-Peek-Dead-Letter,4b6e08c1-df3c-11d1-9c86-006008764d0e
+msmq-Receive,06bd3200-df3e-11d1-9c86-006008764d0e
+msmq-Receive-computer-Journal,4b6e08c2-df3c-11d1-9c86-006008764d0e
+msmq-Receive-Dead-Letter,4b6e08c0-df3c-11d1-9c86-006008764d0e
+msmq-Receive-journal,06bd3203-df3e-11d1-9c86-006008764d0e
+msmq-Send,06bd3202-df3e-11d1-9c86-006008764d0e
+Open-Address-Book,a1990816-4298-11d1-ade2-00c04fd8d5cd
+Read-Only-Replication-Secret-Synchronization,1131f6ae-9c07-11d1-f79f-00c04fc2dcd2
+Reanimate-Tombstones,45ec5156-db7e-47bb-b53f-dbeb2d03c40f
+Recalculate-Hierarchy,0bc1554e-0a99-11d1-adbb-00c04fd8d5cd
+Recalculate-Security-Inheritance,62dd28a8-7f46-11d2-b9ad-00c04f79f805
+Receive-As,ab721a56-1e2f-11d0-9819-00aa0040529b
+Refresh-Group-Cache,9432c620-033c-4db7-8b58-14ef6d0bf477
+Reload-SSL-Certificate,1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8
+Run-Protect_Admin_Groups-Task,7726b9d5-a4b4-4288-a6b2-dce952e80a7f
+SAM-Enumerate-Entire-Domain,91d67418-0135-4acc-8d79-c08e857cfbec
+Send-As,ab721a54-1e2f-11d0-9819-00aa0040529b
+Send-To,ab721a55-1e2f-11d0-9819-00aa0040529b
+Unexpire-Password,ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501
+Update-Password-Not-Required-Bit,280f369c-67c7-438e-ae98-1d46f3c6f541
+Update-Schema-Cache,be2bb760-7f46-11d2-b9ad-00c04f79f805
+User-Change-Password,ab721a53-1e2f-11d0-9819-00aa0040529b
+User-Force-Change-Password,00299570-246d-11d0-a768-00aa006e0529
+DS-Clone-Domain-Controller,3e0f7e18-2c7a-4c10-ba82-4d926db99a3e
+DS-Read-Partition-Secrets,084c93a2-620d-4879-a836-f0ae47de0e89
+DS-Write-Partition-Secrets,94825a8d-b171-4116-8146-1e34d8f54401
+DS-Set-Owner,4125c71f-7fac-4ff0-bcb7-f09a41325286
+DS-Bypass-Quota,88a9933e-e5c8-4f2a-9dd7-2527416b8092
+DS-Validated-Write-Computer,9b026da6-0d3c-465c-8bee-5199d7165cba
diff --git a/lookups/ace_control_access_rights_lookup.yml b/lookups/ace_control_access_rights_lookup.yml
new file mode 100644
index 0000000000..8c41c10729
--- /dev/null
+++ b/lookups/ace_control_access_rights_lookup.yml
@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace control access rights guids
+filename: ace_control_access_rights_lookup.csv
+name: ace_control_access_rights_lookup
\ No newline at end of file
diff --git a/lookups/ace_flag_lookup.csv b/lookups/ace_flag_lookup.csv
new file mode 100644
index 0000000000..d75b504793
--- /dev/null
+++ b/lookups/ace_flag_lookup.csv
@@ -0,0 +1,10 @@
+flag_string,flag_value
+CI,Container inherit
+OI,Object inherit
+NP,No propagate
+IO,Inherit only
+ID,Inherited
+SA,Audit success
+FA,Audit failure
+TP,Trust protected filter
+CR,Critical
diff --git a/lookups/ace_flag_lookup.yml b/lookups/ace_flag_lookup.yml
new file mode 100644
index 0000000000..90a0cacef1
--- /dev/null
+++ b/lookups/ace_flag_lookup.yml
@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace flags strings
+filename: ace_flag_lookup.csv
+name: ace_flag_lookup.yml
\ No newline at end of file
diff --git a/lookups/ace_type_lookup.csv b/lookups/ace_type_lookup.csv
new file mode 100644
index 0000000000..2e90ecca3c
--- /dev/null
+++ b/lookups/ace_type_lookup.csv
@@ -0,0 +1,18 @@
+ace_type_string,ace_type_value
+A,Access allowed
+D,Access denied
+OA,Object access allowed
+OD,Object access denied
+AU,Audit
+AL,Alarm
+OU,Object audit
+OL,Object alarm
+ML,Mandatory label
+XA,Callback access allowed
+XD,Callback access denied
+RA,Resource attribute
+SP,Scoped policy ID
+XU,Callback audit
+ZA,Callback object access allowed
+TL,Process trust label
+FL,Access filter
diff --git a/lookups/ace_type_lookup.yml b/lookups/ace_type_lookup.yml
new file mode 100644
index 0000000000..ce9a833964
--- /dev/null
+++ b/lookups/ace_type_lookup.yml
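Review bot: `name: ace_flag_lookup.yml` in lookups/ace_flag_lookup.yml carries the file extension, unlike the other three descriptors added in this commit (`name: ace_access_rights_lookup`, `name: ace_control_access_rights_lookup`, `name: ace_type_lookup`) and unlike the `[ace_flag_lookup]` stanza added to transforms.conf; it should be `name: ace_flag_lookup`. If the content build derives the transforms stanza from this field, the mismatch would yield a stanza named after the yml that nothing references, so it is worth confirming which of the two files is the hand-written one. All four descriptors end with `\ No newline at end of file`, which is cosmetic but will show up as churn in the next diff that touches them.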
@@ -0,0 +1,3 @@
+description: A lookup file that will contain translations for AD object ace type strings
+filename: ace_type_lookup.csv
+name: ace_type_lookup
\ No newline at end of file