
Event ID 5137 — A directory service object was created.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Changes
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A directory service object was created.

Message

A directory service object was created.

Subject:
	Security ID: %3
	Account Name: %4
	Account Domain: %5
	Logon ID: %6

Directory Service:
	Name: %7
	Type: %8

Object:
	DN: %9
	GUID: %10
	Class: %11

Operation:
	Correlation ID: %1
	Application Correlation ID: %2

Fields

Name               Type           Description
OpCorrelationID    GUID           [Operation] Correlation ID
AppCorrelationID   UnicodeString  [Operation] Application Correlation ID
SubjectUserSid     SID            [Subject] Security ID
SubjectUserName    UnicodeString  [Subject] Account Name
SubjectDomainName  UnicodeString  [Subject] Account Domain
SubjectLogonId     HexInt64       [Subject] Logon ID
DSName             UnicodeString  [Directory Service] Name
DSType             UnicodeString  [Directory Service] Type
                                  Known values: %%14676 = Active Directory Domain Services;
                                  %%14677 = Active Directory Lightweight Directory Services
ObjectDN           UnicodeString  [Object] DN
ObjectGUID         GUID           [Object] GUID
ObjectClass        UnicodeString  [Object] Class

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5137,
    "version": 0,
    "level": 0,
    "task": 14081,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-04-27T11:04:13.291038Z",
    "event_record_id": 138520223,
    "correlation": {
      "#attributes": {
        "ActivityID": "9816F041-2BBE-0000-53F0-1698BE2BD701"
      }
    },
    "execution": {
      "process_id": 548,
      "thread_id": 4324
    },
    "channel": "Security",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OpCorrelationID": "B960A203-A3DF-4586-A2ED-740024D6C42A",
    "AppCorrelationID": "-",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x31a24611",
    "DSName": "offsec.lan",
    "DSType": "%%14676",
    "ObjectDN": "CN=JUMP01,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan",
    "ObjectGUID": "590B1EF4-6143-4C18-B554-1EE0A59BB7F8",
    "ObjectClass": "server"
  }
}

Detection Patterns

Community Notes

May indicate high-impact changes in AD.

Detection Rules


Elastic

  • Potential ADIDNS Poisoning via Wildcard Record Creation (severity: high): Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
  • Potential WPAD Spoofing via DNS Record Creation (severity: medium): Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.
  • Creation of a DNS-Named Record (severity: low): Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.
  • dMSA Account Creation by an Unusual User (severity: high): Detects the creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse the dMSA account migration feature to elevate privileges by abusing weak permissions allowing users child object rights or msDS-DelegatedManagedServiceAccount rights.
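All four rules above key on the ObjectClass and ObjectDN fields of this event. The following Python is an added example (not part of this page or of Elastic's rule set) that triages a 5137 record in the JSON shape shown in the Example Event; the sample records, the dnsNode DN layout under CN=MicrosoftDNS and the allow-list of expected dMSA creators are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed 5137 records in the shape of the page's example event (not real telemetry).
SAMPLE_EVENTS = [
    # 1. wildcard ADIDNS record (dnsNode named "*") created in the domain DNS zone
    {"event_data": {"SubjectUserName": "jdoe", "ObjectClass": "dnsNode",
                    "ObjectDN": "DC=*,DC=offsec.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=offsec,DC=lan"}},
    # 2. "wpad" record created in the same zone
    {"event_data": {"SubjectUserName": "jdoe", "ObjectClass": "dnsNode",
                    "ObjectDN": "DC=wpad,DC=offsec.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=offsec,DC=lan"}},
    # 3. delegated Managed Service Account object created
    {"event_data": {"SubjectUserName": "jdoe", "ObjectClass": "msDS-DelegatedManagedServiceAccount",
                    "ObjectDN": "CN=svc_new,CN=Managed Service Accounts,DC=offsec,DC=lan"}},
    # 4. benign: the server object from this page's example event
    {"event_data": {"SubjectUserName": "admmig", "ObjectClass": "server",
                    "ObjectDN": "CN=JUMP01,CN=Servers,CN=OFFSEC-PREMISE,CN=Sites,CN=Configuration,DC=offsec,DC=lan"}},
]


def first_rdn(dn: str) -> str:
    """Value of the leftmost RDN, lower-cased ('DC=*,DC=...' -> '*').

    Naive split: the constructed DNs contain no escaped commas or equals signs."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def classify_5137(event: Dict, expected_dmsa_creators: Set[str] = frozenset()) -> List[str]:
    """Return detection labels for one 5137 record; an empty list means nothing matched.

    expected_dmsa_creators is a hypothetical allow-list of accounts that normally create dMSAs."""
    data = event.get("event_data", {})
    obj_class = data.get("ObjectClass", "").lower()
    dn = data.get("ObjectDN", "")
    labels: List[str] = []
    # DNS records live as dnsNode objects under CN=MicrosoftDNS; the leftmost RDN is the record name.
    if obj_class == "dnsnode" and "cn=microsoftdns" in dn.lower():
        name = first_rdn(dn)
        if name == "*":
            labels.append("adidns_wildcard_record")
        elif name == "wpad":
            labels.append("wpad_record")
        else:
            labels.append("dns_record_created")
    # dMSA creation is only interesting when the subject is not a known provisioning account.
    if obj_class == "msds-delegatedmanagedserviceaccount":
        if data.get("SubjectUserName", "") not in expected_dmsa_creators:
            labels.append("dmsa_created_by_unusual_user")
    return labels
```

Running `classify_5137` over SAMPLE_EVENTS yields the wildcard, wpad and dMSA labels for the first three records and nothing for the benign server object.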

References