Event ID 5136 — A directory service object was modified.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A directory service object was modified.

Message

A directory service object was modified.

Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Directory Service:
	Name: %7
	Type: %8

Object:
	DN: %9
	GUID: %10
	Class: %11

Attribute:
	LDAP Display Name: %12
	Syntax (OID): %13
	Value: %14

Operation:
	Type: %15
	Correlation ID: %1
	Application Correlation ID: %2

Fields

Name                      Type           Description
OpCorrelationID           GUID           [Operation] Correlation ID
AppCorrelationID          UnicodeString  [Operation] Application Correlation ID
SubjectUserSid            SID            [Subject] Security ID
SubjectUserName           UnicodeString  [Subject] Account Name
SubjectDomainName         UnicodeString  [Subject] Account Domain
SubjectLogonId            HexInt64       [Subject] Logon ID
DSName                    UnicodeString  [Directory Service] Name
DSType                    UnicodeString  [Directory Service] Type
                                         Known values:
                                           %%14676  Active Directory Domain Services
                                           %%14677  Active Directory Lightweight Directory Services
ObjectDN                  UnicodeString  [Object] DN
ObjectGUID                GUID           [Object] GUID
ObjectClass               UnicodeString  [Object] Class
AttributeLDAPDisplayName  UnicodeString  [Attribute] LDAP Display Name
AttributeSyntaxOID        UnicodeString  [Attribute] Syntax (OID)
AttributeValue            UnicodeString  [Attribute] Value
OperationType             UnicodeString  [Operation] Type
                                         Known values:
                                           %%1904   New registry value created
                                           %%1905   Existing registry value modified
                                           %%1906   Registry value deleted
                                           %%14674  Value Added
                                           %%14675  Value Deleted
                                           %%14680  Value Added With Expiration Time
                                           %%14681  Value Deleted With Expiration Time
                                           %%14688  Value Auto Deleted With Expiration Time

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5136,
    "version": 0,
    "level": 0,
    "task": 14081,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-03-25T10:33:56.457629Z",
    "event_record_id": 198238043,
    "correlation": {},
    "execution": {
      "process_id": 444,
      "thread_id": 3488
    },
    "channel": "Security",
    "computer": "DC1.insecurebank.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OpCorrelationID": "780EA6E1-6307-48D6-8B0D-8C45CC7534AE",
    "AppCorrelationID": "-",
    "SubjectUserSid": "S-1-5-21-738609754-2819869699-4189121830-1108",
    "SubjectUserName": "bob",
    "SubjectDomainName": "insecurebank",
    "SubjectLogonId": "0x8d7099",
    "DSName": "insecurebank.local",
    "DSType": "%%14676",
    "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=INSECUREBANK,DC=LOCAL",
    "ObjectGUID": "6CDECDB5-7515-4511-8141-C34A7C3D4A0A",
    "ObjectClass": "groupPolicyContainer",
    "AttributeLDAPDisplayName": "versionNumber",
    "AttributeSyntaxOID": "2.5.5.9",
    "AttributeValue": "5",
    "OperationType": "%%14675"
  }
}

Detection Patterns

Defense Evasion: Rogue Domain Controller (1 Sigma rule; authors: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah)

Community Notes

May indicate high-impact changes in AD, such as adding SID history or creating malicious GPOs. A change to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute is usually suspicious and indicates resource-based constrained delegation abuse, such as a Kerberos relay attack.
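As an added example (not code from this page or from any of the rule vendors listed below), a Python triage routine that applies the community note to records in the JSON layout of the example event: it resolves the %%-coded DSType and OperationType strings from the field list, flags the attributes the rules on this page single out (the severity labels are my assumption), and groups the per-value records of one write by OpCorrelationID so the old and new values can be read together. The sample records are constructed.

```python
from collections import defaultdict
# String tables for the %%-coded fields documented in the field list above.
DS_TYPE = {"%%14676": "Active Directory Domain Services",
           "%%14677": "Active Directory Lightweight Directory Services"}
OPERATION_TYPE = {"%%14674": "Value Added", "%%14675": "Value Deleted",
                  "%%14680": "Value Added With Expiration Time",
                  "%%14681": "Value Deleted With Expiration Time",
                  "%%14688": "Value Auto Deleted With Expiration Time"}
# Attributes the community note and the rules on this page single out; the severity
# labels are an assumption made for this example, not taken from the page.
WATCHED_ATTRIBUTES = {
    "msds-allowedtoactonbehalfofotheridentity": "high",  # RBCD / Kerberos relay
    "msds-keycredentiallink": "high",                     # shadow credentials
    "sidhistory": "high",                                 # SID history injection
    "ntsecuritydescriptor": "medium",                     # ACL edits (AdminSDHolder, DCSync rights)
    "serviceprincipalname": "medium"}                     # Kerberoasting exposure

def triage_5136(event):
    """Return a finding for one 5136 record, or None when nothing on it is watched."""
    if event.get("system", {}).get("event_id") != 5136:
        return None
    d = event["event_data"]
    attr = d.get("AttributeLDAPDisplayName", "")
    severity = WATCHED_ATTRIBUTES.get(attr.lower())
    if severity is None and d.get("ObjectClass", "").lower() == "grouppolicycontainer":
        severity = "medium"  # any GPO edit is worth a look (see the GPO rules on this page)
    if severity is None:
        return None
    return {"severity": severity, "attribute": attr, "value": d.get("AttributeValue"),
            "subject": f"{d.get('SubjectDomainName')}\\{d.get('SubjectUserName')}",
            "logon_id": d.get("SubjectLogonId"),  # pivot to 4624 for the source host
            "directory": DS_TYPE.get(d.get("DSType"), d.get("DSType")),
            "operation": OPERATION_TYPE.get(d.get("OperationType"), d.get("OperationType")),
            "object_dn": d.get("ObjectDN"), "correlation": d.get("OpCorrelationID")}

def pair_by_correlation(events):
    """Group the records of one LDAP modify (same OpCorrelationID) into deleted/added value lists."""
    groups = defaultdict(lambda: {"deleted": [], "added": []})
    for ev in events:
        d = ev["event_data"]
        op = OPERATION_TYPE.get(d.get("OperationType"), "")
        groups[d["OpCorrelationID"]]["deleted" if "Deleted" in op else "added"].append(d.get("AttributeValue"))
    return dict(groups)

def _rec(attr, op, value, corr, obj_class="computer"):
    # Constructed sample record in the JSON layout of the example event above (not real data).
    return {"system": {"event_id": 5136}, "event_data": {
        "OpCorrelationID": corr, "SubjectUserName": "bob", "SubjectDomainName": "insecurebank",
        "SubjectLogonId": "0x8d7099", "DSType": "%%14676", "ObjectClass": obj_class,
        "ObjectDN": "CN=SRV01,CN=Computers,DC=insecurebank,DC=local",
        "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}}
# Replacing one attribute logs paired Value Deleted / Value Added records sharing an OpCorrelationID.
SAMPLE = [_rec("msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14675", "O:BAD:(old-sd-constructed)", "CORR-1"),
          _rec("msDS-AllowedToActOnBehalfOfOtherIdentity", "%%14674", "O:BAD:(new-sd-constructed)", "CORR-1"),
          _rec("description", "%%14674", "Print server", "CORR-2")]  # benign change, should not alert
```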

Detection Rules

Sigma

  • Powerview Add-DomainObjectAcl DCSync AD Extend Right (high): Backdooring a domain object to grant the rights associated with DCSync to a regular user or machine account, using the PowerView Add-DomainObjectAcl cmdlet with the DCSync extended rights, allows the password hashes of any user or computer to be re-obtained.
  • Windows Default Domain GPO Modification (medium): Detects modifications to the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
  • Group Policy Abuse for Privilege Addition (medium): Detects the first occurrence of a modification to Group Policy Object attributes to add privileges to user accounts or to use them to add users as local admins.

Elastic

  • Potential Active Directory Replication Account Backdoor (medium): Identifies the modification of the nTSecurityDescriptor attribute of a domain object that grants rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to the hashes of any user/computer.
  • Potential Shadow Credentials added to AD Object (high): Identifies the modification of the msDS-KeyCredentialLink attribute of an Active Directory computer or user object. Attackers can abuse control over the object to create a key pair, append the raw public key to the attribute, and obtain persistent and stealthy access to the target user or computer object.
  • User account exposed to Kerberoasting (medium): Detects when a user account has its servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.
  • AdminSDHolder Backdoor (high): Detects modifications to the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object; if the permissions on any of the protected accounts and groups do not match, they are reset to match those of the domain's AdminSDHolder object, so the attacker regains their administrative privileges.
  • AdminSDHolder SDProp Exclusion Added (high): Identifies a modification of the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object; if the permissions on any of the protected accounts and groups do not match, they are reset to match those of the domain's AdminSDHolder object, while excluded groups remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.
  • Delegated Managed Service Account Modification by an Unusual User (high): Detects modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to take over a target account and inherit its permissions, allowing them to further elevate privileges.
  • Modification of the msPKIAccountCredentials (medium): Identifies the modification of the msPKIAccountCredentials attribute of an Active Directory user object. Attackers can abuse the credential roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the Credential Manager store, private keys, certificates, and certificate requests.

Splunk

  • Windows AD AdminSDHolder ACL Modified: The following analytic detects modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows domain, specifically the addition of new rules. It leverages EventCode 5136 from the Security Event Log, focusing on changes to the nTSecurityDescriptor attribute. This activity is significant because the AdminSDHolder object secures privileged group members, and unauthorized changes can allow attackers to establish persistence and escalate privileges. If confirmed malicious, this could enable an attacker to control domain-level permissions, compromising the entire Active Directory environment.
  • Windows AD Dangerous Deny ACL Modification: This detection identifies an Active Directory access-control list (ACL) modification event which applies permissions that deny the ability to enumerate permissions of the object.
  • Windows AD Dangerous Group ACL Modification: This detection monitors the addition of the following ACLs to an Active Directory group object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify permissions", "Modify owner", and "Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.
  • Windows AD Dangerous User ACL Modification: This detection monitors the addition of the following ACLs to an Active Directory user object: "Full control", "All extended rights", "All validated writes", "Create all child objects", "Delete all child objects", "Delete subtree", "Delete", "Modify permissions", "Modify owner", and "Write all properties". Such modifications can indicate potential privilege escalation or malicious activity. Immediate investigation is recommended upon alert.
  • Windows AD DCShadow Privileges ACL Addition: This detection identifies an Active Directory access-control list (ACL) modification event which applies the minimum extended rights required to perform the DCShadow attack.
  • Windows AD Domain Replication ACL Addition: The following analytic detects the addition of the permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.
  • Windows AD Domain Root ACL Deletion: ACL deletion performed on the domain root object, a significant AD change with high impact. Following Microsoft guidance, all changes at this level should be reviewed. Drill into the Logon ID within EventCode 4624 for information on the source device during triage.
  • Windows AD Domain Root ACL Modification: ACL modification performed on the domain root object, a significant AD change with high impact. Following Microsoft guidance, all changes at this level should be reviewed. Drill into the Logon ID within EventCode 4624 for information on the source device during triage.
  • Windows AD GPO Deleted: This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.
  • Windows AD GPO Disabled: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console.
  • Windows AD GPO New CSE Addition: This detection identifies when a new client-side extension is added to an Active Directory Group Policy using the Group Policy Management Console.
  • Windows AD Hidden OU Creation: This analytic looks for an ACL being applied to an OU which denies listing the objects residing in the OU. This activity, combined with modifying the owner of the OU, will hide AD objects even from domain administrators.
  • Windows AD Object Owner Updated: AD object owner updated. The owner has Full Control privileges over the target AD object. This event has significant impact on its own and is also a precursor to hiding an AD object.
  • Windows AD Self DACL Assignment: Detects when a user creates a new DACL in AD for their own AD object.
  • Windows AD ServicePrincipalName Added To Domain Account: The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.
  • Windows AD Short Lived Domain Account ServicePrincipalName: The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) on a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.
  • Windows AD Short Lived Domain Controller SPN Attribute: The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security. (Also matches Event ID 4624: An account was successfully logged on.)
  • Windows AD SID History Attribute Modified: The following analytic detects modifications to the SID History attribute in Active Directory by leveraging event code 5136. This detection uses logs from the `wineventlog_security` data source to identify changes to the sIDHistory attribute. Monitoring this activity is crucial as the SID History attribute can be exploited by adversaries to inherit permissions from other accounts, potentially granting unauthorized access. If confirmed malicious, this activity could allow attackers to maintain persistent access and escalate privileges within the domain, posing a significant security risk.
  • Windows AD Suspicious Attribute Modification: This detection monitors changes to the following Active Directory attributes: "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink", "scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. Immediate investigation is recommended upon alert.
  • Windows Default Group Policy Object Modified: The following analytic detects modifications to default Group Policy Objects (GPOs) using Event ID 5136. It monitors changes to the `Default Domain Controllers Policy` and `Default Domain Policy`, which are critical for enforcing security settings across domain controllers and all users/computers, respectively. This activity is significant because unauthorized changes to these GPOs can indicate an adversary with privileged access attempting to deploy persistence mechanisms or execute malware across the network. If confirmed malicious, such modifications could lead to widespread compromise, allowing attackers to maintain control and execute arbitrary code on numerous hosts.

Kusto Query Language

  • AdminSDHolder Modifications (high): This query detects modification of the AdminSDHolder object in Active Directory, which could indicate an attempt at persistence. AdminSDHolder modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor. The query searches for event ID 5136 where the Object DN is AdminSDHolder. Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/
  • Possible Resource-Based Constrained Delegation Abuse (medium): This query identifies Active Directory computer object modifications that allow an adversary to abuse resource-based constrained delegation. It checks for event ID 5136 where the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity", which is an indicator of resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
  • Service Principal Name (SPN) Assigned to User Account (medium): This query identifies whether an Active Directory user object was assigned a service principal name, which could indicate that an adversary is preparing to perform Kerberoasting. It checks for event ID 5136 where the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName". Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
  • Exchange OAB Virtual Directory Attribute Containing Potential Webshell (high): This query uses Windows Event ID 5136 to detect potential webshell deployment through exploitation of CVE-2021-27065. It looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new values contain potential webshell content.

References