uberAgent

Process.DirectorySdSddl

The event property Process.DirectorySdSddl is a powerful tool: it makes the file system permissions of a process’ directory available for regex matching and rule evaluation.

Overview

Whenever an event occurs, uberAgent ESA checks if the event property Process.DirectorySdSddl is configured in at least one Threat Detection rule. If that is the case, uberAgent ESA does the following:

  1. determine the directory of the process executable
  2. read the directory’s security descriptor (SD)
  3. convert the SD to the SDDL string format
  4. in the SDDL string, replace SIDs with user/group names
  5. in the SDDL string, replace hex access masks with readable permissions strings
  6. match the resulting string against the rule’s regex

Security Descriptor Components

Security Descriptors are structures that contain multiple components, some of which are optional:

  • Owner
  • Primary group (rarely used, if at all)
  • DACL (permissions)
  • SACL (auditing configuration)
  • Attributes (claims)
  • Mandatory integrity label
  • Scoped policy ID

uberAgent ESA retrieves all of the SD components shown above.

How It Works in Detail

Converting the SD to the SDDL String Format

Security descriptors are binary structures. In order for humans to read or regular expressions to match their contents, SDs must be converted to strings. Microsoft established a common format for that purpose, the Security Descriptor Definition Language.

uberAgent ESA converts all the security descriptor components to SDDL, but it does not stop there because SDDL has shortcomings.

Converting User/Group SIDs to Names

SDDL strings are more or less 1:1 representations of the binary SD structure. This means that, with very few exceptions, users and groups are not shown by their names, but by their SIDs, for example S-1-5-21-3803133166-2955000686-238773884-1029. Such a SID string is not very useful for regex matching, so uberAgent goes ahead and converts it to the well-known domain\user format before performing the regex matching.

Converting Hex Access Masks to Permission Strings

The same is true for access masks, which store the actual permissions in a 32-bit unsigned integer. In a raw SDDL string, an access mask might look like this: 0x1200a9. That is not very useful for regex matching because multiple permissions can be combined in one access mask through bitwise OR. Again, uberAgent does the heavy lifting, converting access masks to a string format that is easy to process: the permission names used by SetACL. With this conversion, the cryptic access mask 0x1200a9 becomes the easily understandable string read_execute.

If an access mask contains a combination of multiple individual permissions, uberAgent’s SetACL string lists all the individual permission names separated by commas.

Example

SDDL string for C:\Windows\System32 as obtained by the Windows API before uberAgent ESA’s simplifications:

O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)S:AINO_ACCESS_CONTROL

The same string after uberAgent ESA replaced SIDs with names:

O:NT SERVICE\TrustedInstallerG:NT SERVICE\TrustedInstallerD:PAI(A;;FA;;;NT SERVICE\TrustedInstaller)(A;CIIO;GA;;;NT SERVICE\TrustedInstaller)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)(A;OICIIO;GXGR;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)S:AINO_ACCESS_CONTROL

The same string after uberAgent ESA additionally replaced hex access masks with permission strings:

O:NT SERVICE\TrustedInstallerG:NT SERVICE\TrustedInstallerD:PAI(A;;full;;;NT SERVICE\TrustedInstaller)(A;CIIO;full;;;NT SERVICE\TrustedInstaller)(A;;change;;;SY)(A;OICIIO;full;;;SY)(A;;change;;;BA)(A;OICIIO;full;;;BA)(A;;read_execute;;;BU)(A;OICIIO;read_execute;;;BU)(A;OICIIO;full;;;CO)(A;;read_execute;;;AC)(A;OICIIO;read_execute;;;AC)(A;;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)(A;OICIIO;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)S:AINO_ACCESS_CONTROL

Deconstructing the SDDL String

Here is a quick explanation of the security descriptor string format. For the full specifications please see Microsoft’s documentation.

Split into the SD’s components, the SDDL string from the example above is already much more readable:

O:NT SERVICE\TrustedInstaller
G:NT SERVICE\TrustedInstaller
D:PAI(A;;full;;;NT SERVICE\TrustedInstaller)(A;CIIO;full;;;NT SERVICE\TrustedInstaller)(A;;change;;;SY)(A;OICIIO;full;;;SY)(A;;change;;;BA)(A;OICIIO;full;;;BA)(A;;read_execute;;;BU)(A;OICIIO;read_execute;;;BU)(A;OICIIO;full;;;CO)(A;;read_execute;;;AC)(A;OICIIO;read_execute;;;AC)(A;;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)(A;OICIIO;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)
S:AINO_ACCESS_CONTROL

As you can see, each of the four main components of a security descriptor is introduced by a prefix:

  • O: the owner
  • G: the primary group
  • D: the DACL
  • S: the SACL

The DACL part of an SDDL string is a concatenation of access control entries (ACEs), each wrapped in parentheses. In this example, there are 13 ACEs in the DACL:

(A;;full;;;NT SERVICE\TrustedInstaller)
(A;CIIO;full;;;NT SERVICE\TrustedInstaller)
(A;;change;;;SY)
(A;OICIIO;full;;;SY)
(A;;change;;;BA)
(A;OICIIO;full;;;BA)
(A;;read_execute;;;BU)
(A;OICIIO;read_execute;;;BU)
(A;OICIIO;full;;;CO)
(A;;read_execute;;;AC)
(A;OICIIO;read_execute;;;AC)
(A;;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)
(A;OICIIO;read_execute;;;APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES)

Please see Microsoft’s documentation for an explanation of the ACE properties.
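The following Python script is an added illustration of steps 3 to 6 from the overview and of the ACE deconstruction above; it is not uberAgent's code. It reproduces the simplification on the raw C:\Windows\System32 string from the example (SIDs to names, hex masks and two-letter rights codes to permission names), lists the resulting ACEs, and then runs a hypothetical rule regex over the result. The SID-to-name table, the permission-name table (which covers only the three names shown on this page; any other mask stays hex), the rule regex and the second, constructed directory descriptor are assumptions made for this example.

```python
import re

# SDDL two-letter access-right codes relevant to file objects, mapped to Windows
# access-mask bits. Generic rights (GA/GR/GW/GX) are translated to their
# file-specific equivalents so that "GXGR" and "0x1200a9" name the same permission.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}
GENERIC_TO_FILE = {
    0x10000000: 0x001F01FF,  # GENERIC_ALL     -> FILE_ALL_ACCESS
    0x80000000: 0x00120089,  # GENERIC_READ    -> FILE_GENERIC_READ
    0x40000000: 0x00120116,  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    0x20000000: 0x001200A0,  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
}
# Permission names as shown on this page; any other mask is left as hex (assumption:
# SetACL knows more names than these three).
PERMISSION_NAMES = {0x001F01FF: "full", 0x001301BF: "change", 0x001200A9: "read_execute"}
# Constructed SID -> name table standing in for LookupAccountSid (assumption).
SID_NAMES = {
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": r"NT SERVICE\TrustedInstaller",
    "S-1-15-2-2": r"APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES",
}
# ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;account)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# Top-level components O:, G:, D:, S:; a component runs until the next prefix.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")


def parse_mask(token: str) -> int:
    """Turn an SDDL rights field ('FA', 'GXGR', '0x1200a9') into a 32-bit mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"malformed rights field: {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask


def file_rights(mask: int) -> int:
    """Swap generic rights for the specific rights they map to on file objects."""
    for generic, specific in GENERIC_TO_FILE.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask & 0xFFFFFFFF


def permission_name(token: str) -> str:
    mask = file_rights(parse_mask(token))
    return PERMISSION_NAMES.get(mask, f"0x{mask:x}")


def split_components(sddl: str) -> dict:
    """Split 'O:...G:...D:...S:...' into a dict keyed by component prefix."""
    return {m.group(1): m.group(2) for m in COMPONENT_RE.finditer(sddl)}


def _simplify_ace(m: re.Match) -> str:
    ace_type, flags, rights, obj, inh, account = m.groups()
    return f"({ace_type};{flags};{permission_name(rights)};{obj};{inh};{SID_NAMES.get(account, account)})"


def simplify_sddl(raw: str) -> str:
    """Steps 4 and 5 of the overview: names for SIDs, permission names for masks."""
    comps = split_components(raw)
    out = []
    for key in "OG":
        if key in comps:
            out.append(f"{key}:{SID_NAMES.get(comps[key], comps[key])}")
    for key in "DS":
        if key in comps:
            out.append(f"{key}:{ACE_RE.sub(_simplify_ace, comps[key])}")
    return "".join(out)


def dacl_aces(sddl: str) -> list:
    """One entry per ACE of the DACL, as in the deconstruction above."""
    return [m.group(0) for m in ACE_RE.finditer(split_components(sddl).get("D", ""))]


# Hypothetical rule regex: an allow ACE that applies to the directory itself (no IO
# flag) and grants change or full to Users (BU), Authenticated Users (AU) or Everyone (WD).
WRITABLE_BY_USERS = re.compile(r"\(A;(?![^;]*IO)[^;]*;[^;]*\b(?:change|full)\b[^;]*;;;(?:BU|AU|WD)\)")


def matches_rule(simplified_sddl: str, rule: re.Pattern = WRITABLE_BY_USERS) -> bool:
    return rule.search(simplified_sddl) is not None


# Raw SDDL of C:\Windows\System32 from the example above, and a constructed
# directory where BUILTIN\Users hold "change" (assumption, so the rule fires).
RAW_SYSTEM32 = (
    "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
    "G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
    "D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)"
    "(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)"
    "(A;OICIIO;GXGR;;;AC)(A;;0x1200a9;;;S-1-15-2-2)(A;OICIIO;GXGR;;;S-1-15-2-2)"
    "S:AINO_ACCESS_CONTROL"
)
RAW_USER_WRITABLE = "O:BAG:SYD:AI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)"

if __name__ == "__main__":
    for raw in (RAW_SYSTEM32, RAW_USER_WRITABLE):
        simplified = simplify_sddl(raw)
        print(simplified)
        for ace in dacl_aces(simplified):
            print("   ", ace)
        print("    rule hit:", matches_rule(simplified))
```

The rule regex deliberately skips ACEs carrying the IO (inherit-only) flag: those do not grant anything on the directory itself, only on objects created below it, so matching them would flag directories that are not actually writable. In a real agent the SID table would be replaced by LookupAccountSid and the three-entry name table by SetACL's complete set of permission names.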

Logging

As you saw above, SDDL strings can be complex. When writing regular expressions to match them, you need to know what you are dealing with. In other words, you need log samples.

Tip: while working on a Threat Detection rule involving the security descriptor, set the rule’s VerboseLogging config element to true. With verbose logging enabled, uberAgent writes messages like the following to its log file:

GetPermissionsSddl,Read the SD of <\\?\C:\WINDOWS\System32>:
