Process.DirectorySdSddl
The event property Process.DirectorySdSddl is a powerful tool: it makes the file system permissions of a process' directory available for regex matching and rule evaluation.
Overview
Whenever an event occurs, uberAgent ESA checks if the event property Process.DirectorySdSddl is configured in at least one Threat Detection rule. If that is the case, uberAgent ESA does the following:
- determine the directory of the process executable
- read the directory’s security descriptor (SD)
- convert the SD to the SDDL string format
- in the SDDL string, replace SIDs with user/group names
- in the SDDL string, replace hex access masks with readable permissions strings
- match the resulting string against the rule’s regex
Security Descriptor Components
Security Descriptors are structures that contain multiple components, some of which are optional:
- Owner
- Primary group (rarely used, if at all)
- DACL (permissions)
- SACL (auditing configuration)
- Attributes (claims)
- Mandatory integrity label
- Scoped policy ID
uberAgent ESA retrieves all of the SD components shown above.
How It Works in Detail
Converting the SD to the SDDL String Format
Security descriptors are binary structures. In order for humans to read or regular expressions to match their contents, SDs must be converted to strings. Microsoft established a common format for that purpose, the Security Descriptor Definition Language.
uberAgent ESA converts all the security descriptor components to SDDL, but it does not stop there because SDDL has shortcomings.
Converting User/Group SIDs to Names
SDDL strings are more or less 1:1 representations of the binary SD structure. This means that, with very few exceptions, users and groups are not shown by their names, but by their SIDs, for example S-1-5-21-3803133166-2955000686-238773884-1029. Such a SID string is not very useful for regex matching, so uberAgent goes ahead and converts it to the well-known domain\user format before performing the regex matching.
Converting Hex Access Masks to Permission Strings
The same is true for access masks, which store the actual permissions in a 32-bit unsigned integer. In a raw SDDL string, an access mask might look like this: 0x1200a9. That is not very useful for regex matching because multiple permissions can be combined in one access mask through bitwise OR. Again, uberAgent does the heavy lifting by converting access masks to a string format that is easy to process: SetACL's. With this conversion, the cryptic access mask 0x1200a9 becomes the easily understandable string read_execute.
If an access mask contains a combination of multiple individual permissions, uberAgent’s SetACL string lists all the individual permission names separated by commas.
Example
SDDL string for C:\Windows\System32 as obtained by the Windows API before uberAgent ESA's simplifications:
O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)S:AINO_ACCESS_CONTROL
The same string after uberAgent ESA replaced SIDs with names:
O:NT SERVICE\TrustedInstallerG:NT SERVICE\TrustedInstallerD:PAI(A;;FA;;;NT SERVICE\TrustedInstaller)(A;CIIO;GA;;;NT SERVICE\TrustedInstaller)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)(A;OICIIO;GXGR;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)S:AINO_ACCESS_CONTROL
The same string after uberAgent ESA additionally replaced hex access masks with permission strings:
O:NT SERVICE\TrustedInstallerG:NT SERVICE\TrustedInstallerD:PAI(A;;full;;;NT SERVICE\TrustedInstaller)(A;CIIO;full;;;NT SERVICE\TrustedInstaller)(A;;change;;;SY)(A;OICIIO;full;;;SY)(A;;change;;;BA)(A;OICIIO;full;;;BA)(A;;read_execute;;;BU)(A;OICIIO;read_execute;;;BU)(A;OICIIO;full;;;CO)(A;;read_execute;;;AC)(A;OICIIO;read_execute;;;AC)(A;;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)(A;OICIIO;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)S:AINO_ACCESS_CONTROL
Deconstructing the SDDL String
Here is a quick explanation of the security descriptor string format. For the full specifications please see Microsoft’s documentation.
Split into the SD’s components, the SDDL string from the example above is already much more readable:
O:NT SERVICE\TrustedInstaller
G:NT SERVICE\TrustedInstaller
D:PAI(A;;full;;;NT SERVICE\TrustedInstaller)(A;CIIO;full;;;NT SERVICE\TrustedInstaller)(A;;change;;;SY)(A;OICIIO;full;;;SY)(A;;change;;;BA)(A;OICIIO;full;;;BA)(A;;read_execute;;;BU)(A;OICIIO;read_execute;;;BU)(A;OICIIO;full;;;CO)(A;;read_execute;;;AC)(A;OICIIO;read_execute;;;AC)(A;;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)(A;OICIIO;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)
S:AINO_ACCESS_CONTROL
As you can see, the four main components of a security descriptor are each prefixed with a letter and a colon:
- O: owner
- G: primary group
- D: DACL
- S: SACL
The DACL part of an SDDL string is a concatenation of access control entries (ACEs), each wrapped in parentheses. In this example, there are 13 ACEs in the ACL:
(A;;full;;;NT SERVICE\TrustedInstaller)
(A;CIIO;full;;;NT SERVICE\TrustedInstaller)
(A;;change;;;SY)
(A;OICIIO;full;;;SY)
(A;;change;;;BA)
(A;OICIIO;full;;;BA)
(A;;read_execute;;;BU)
(A;OICIIO;read_execute;;;BU)
(A;OICIIO;full;;;CO)
(A;;read_execute;;;AC)
(A;OICIIO;read_execute;;;AC)
(A;;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)
(A;OICIIO;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)
Please see Microsoft’s documentation for an explanation of the ACE properties.
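To show the processing steps described above end to end (splitting the SDDL string into its components, resolving the two SIDs from the example, replacing raw rights with SetACL-style names, listing the DACL's ACEs, and running a rule-style regex over the result), here is an added Python example. It is not uberAgent's code. It assumes a constructed SID-to-name table standing in for LookupAccountSid, a constructed second SDDL string for a folder that standard users can modify, and single-bit permission labels that are this example's own rather than SetACL's vocabulary; only plain six-field ACEs are handled, and component values are assumed to contain no colon.

```python
import re

# Raw SDDL of C:\Windows\System32 as printed in the article, before any
# simplification; used here as the sample input.
RAW_SYSTEM32_SDDL = (
    r"O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
    r"G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
    r"D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    r"(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    r"(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)"
    r"(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)"
    r"(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)"
    r"S:AINO_ACCESS_CONTROL"
)

# Constructed SDDL (assumption, not from the article): a folder where
# BUILTIN\Users (BU) hold Modify rights and Everyone (WD) can read and execute.
CONSTRUCTED_TOOLS_DIR_SDDL = r"O:BAG:BAD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)(A;OICI;0x1200a9;;;WD)"

# Constructed SID-to-name table (assumption): a real agent resolves SIDs with
# LookupAccountSid. Two-letter aliases (SY, BA, BU, CO, AC, WD) stay as they
# are, matching the article's output.
SID_NAMES = {
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": r"NT SERVICE\TrustedInstaller",
    "S-1-15-2-2": r"APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES",
}

# SDDL rights tokens as file-system access-mask bits; generic rights are mapped
# the way NTFS maps them (GR -> FILE_GENERIC_READ, GA -> FILE_ALL_ACCESS, ...).
RIGHT_TOKENS = {
    "FA": 0x1F01FF, "GA": 0x1F01FF, "GR": 0x120089, "GW": 0x120116, "GX": 0x1200A0,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
}

# Composite masks carry the names seen in the article's SetACL-style output;
# the single-bit names are this example's own labels, not SetACL's.
COMPOSITE_RIGHTS = [("full", 0x1F01FF), ("change", 0x1301BF), ("read_execute", 0x1200A9),
                    ("read", 0x120089), ("write", 0x120116)]
SINGLE_RIGHTS = [(0x1, "read_data"), (0x2, "write_data"), (0x4, "append_data"),
                 (0x8, "read_ea"), (0x10, "write_ea"), (0x20, "execute"),
                 (0x40, "delete_child"), (0x80, "read_attributes"),
                 (0x100, "write_attributes"), (0x10000, "delete"),
                 (0x20000, "read_control"), (0x40000, "write_dac"),
                 (0x80000, "write_owner"), (0x100000, "synchronize")]


def rights_to_mask(field):
    """Parse an ACE rights field, either hex ("0x1200a9") or letter pairs ("GXGR")."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_TOKENS[field[i:i + 2]]  # KeyError for tokens outside the table
    return mask


def mask_to_string(mask):
    """Render an access mask as comma-separated permission names, composites first."""
    names, remaining = [], mask
    for name, value in COMPOSITE_RIGHTS:
        # A composite must be fully contained in the mask and still contribute bits.
        if mask & value == value and remaining & value:
            names.append(name)
            remaining &= ~value
    for bit, name in SINGLE_RIGHTS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:  # bits unknown to this table stay visible as hex
        names.append(hex(remaining))
    return ",".join(names)


def split_components(sddl):
    """Split an SDDL string into its O:, G:, D: and S: parts (values carry no ':')."""
    keys = list(re.finditer(r"[OGDS]:", sddl))
    parts = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(sddl)
        parts[m.group()[0]] = sddl[m.end():end]
    return parts


def normalize_ace(ace):
    """Replace the rights field with names and the trustee SID with a name."""
    fields = ace[1:-1].split(";")
    if len(fields) != 6:  # object and conditional ACEs are out of scope here
        raise ValueError(f"unsupported ACE: {ace!r}")
    fields[2] = mask_to_string(rights_to_mask(fields[2]))
    fields[5] = SID_NAMES.get(fields[5], fields[5])
    return "(" + ";".join(fields) + ")"


def normalize_sddl(sddl):
    """Apply both simplifications from the article: SIDs -> names, masks -> names."""
    out = []
    for key, value in split_components(sddl).items():
        if key in ("O", "G"):
            out.append(f"{key}:{SID_NAMES.get(value, value)}")
        else:
            acl_flags = value.split("(", 1)[0]       # e.g. "PAI", "AI"
            aces = re.findall(r"\([^()]*\)", value)  # one ACE per parenthesis pair
            out.append(f"{key}:{acl_flags}{''.join(normalize_ace(a) for a in aces)}")
    return "".join(out)


def dacl_aces(normalized):
    """List the ACEs of the DACL in a normalized SDDL string."""
    return re.findall(r"\([^()]*\)", split_components(normalized).get("D", ""))


# The kind of regex a Threat Detection rule could run against the simplified
# string: an allow ACE granting full/change/write-class rights to Users (BU),
# Authenticated Users (AU) or Everyone (WD), i.e. a directory any standard
# user can modify, which is a useful signal for a process running from it.
USER_WRITABLE_ACE = re.compile(
    r"\(A;[^;]*;(?:[^;]*,)?(?:full|change|write(?:_data|_dac|_owner)?|append_data)"
    r"(?:,[^;]*)?;[^;]*;[^;]*;(?:BU|AU|WD)\)"
)


def user_writable_aces(normalized):
    """Return the ACEs that make the directory writable for broad principals."""
    return USER_WRITABLE_ACE.findall(normalized)
```

Run on the article's System32 string, normalize_sddl reproduces the simplified string shown above and user_writable_aces returns nothing, because Users and the package SIDs only hold read_execute; on the constructed folder the Modify ACE for BU is reported. Composites are matched before single bits so that a mask such as Modify renders as the single word change rather than a list of eleven individual rights, which keeps the regex in a rule short.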
Logging
As you saw above, SDDL strings can be complex. When writing regular expressions to match them, you need to know what you are dealing with. In other words, you need log samples.
Tip: while working on a Threat Detection rule involving the security descriptor, set the rule's VerboseLogging config element to true. With verbose logging enabled, uberAgent writes messages like the following to its log file:
GetPermissionsSddl,Read the SD of <\\?\C:\WINDOWS\System32>: