Microsoft-Windows-Security-Auditing event 5136 (A directory service object was modified)
Logged on domain controllers when the "Audit Directory Service Changes" subcategory is enabled and the modified object carries a matching SACL; each event records one attribute change (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType = Value Added or Value Deleted).
Sigma (10)
- Active Directory User Backdoors
- Group Policy Abuse for Privilege Addition
- Persistence and Execution at Scale via GPO Scheduled Task
- Possible DC Shadow Attack
- Possible Shadow Credentials Added
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Powerview Add-DomainObjectAcl DCSync AD Extend Right
- Startup/Logon Script Added to Group Policy Object
- Suspicious LDAP-Attributes Used
- Windows Default Domain GPO Modification
Elastic (11)
- Account Configured with Never-Expiring Password
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Delegated Managed Service Account Modification by an Unusual User
- Group Policy Abuse for Privilege Addition
- Modification of the msPKIAccountCredentials
- Potential Active Directory Replication Account Backdoor
- Potential Shadow Credentials added to AD Object
- Scheduled Task Execution at Scale via GPO
- Startup/Logon Script added to Group Policy Object
- User account exposed to Kerberoasting
Splunk (23)
- Windows AD AdminSDHolder ACL Modified
- Windows AD Dangerous Deny ACL Modification
- Windows AD Dangerous Group ACL Modification
- Windows AD Dangerous User ACL Modification
- Windows AD DCShadow Privileges ACL Addition
- Windows AD Domain Replication ACL Addition
- Windows AD Domain Root ACL Deletion
- Windows AD Domain Root ACL Modification
- Windows AD GPO Deleted
- Windows AD GPO Disabled
- Windows AD GPO New CSE Addition
- Windows AD Hidden OU Creation
- Windows AD Object Owner Updated
- Windows AD Self DACL Assignment
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD SID History Attribute Modified
- Windows AD Suspicious Attribute Modification
- Windows Default Group Policy Object Modified
- Windows Group Policy Object Created
- Windows Kerberos Coercion via DNS
- Windows Short Lived DNS Record
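The rules above share one shape: watch the AttributeLDAPDisplayName of 5136 events for a short list of sensitive attributes, and for some (the "Short Lived" rules) pair a Value Added with a Value Deleted on the same object within a small window. The following is an added example that sketches that logic over constructed 5136 records; it is not code from Sigma, Elastic or Splunk, and the attribute-to-theme map is an assumption drawn from the rule titles, not any vendor's rule logic.

```python
"""Triage Windows Security event 5136 (A directory service object was
modified) against the attribute themes the rules listed above key on.

Added example; not code from Sigma, Elastic or Splunk. The sample events
are constructed, and the attribute-to-theme map below is an assumption
derived from the rule titles, not any vendor's rule logic."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_ADDED = "%%14674"    # raw OperationType codes in 5136 EventData
VALUE_DELETED = "%%14675"

# Assumed mapping: attribute (lower-case) -> what a write to it suggests.
SENSITIVE_ATTRIBUTES = {
    "msds-keycredentiallink": "shadow credentials",
    "serviceprincipalname": "SPN added to account (Kerberoasting/coercion)",
    "sidhistory": "SID history modified",
    "ntsecuritydescriptor": "ACL or owner modified",
    "gpcmachineextensionnames": "GPO client-side extension changed",
    "gpcuserextensionnames": "GPO client-side extension changed",
    "dnsrecord": "DNS record modified",
}


def _parse_time(s):
    """SystemTime carries 7 fractional digits; datetime accepts 6."""
    s = s.rstrip("Z")
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(s + "+00:00")


def parse_5136(xml_text):
    """Return the EventData fields of one 5136 event, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    ev = {d.get("Name"): (d.text or "")
          for d in root.findall("e:EventData/e:Data", NS)}
    ev["TimeCreated"] = _parse_time(
        root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    return ev


def triage(events, short_lived=timedelta(minutes=5)):
    """Flag writes to sensitive attributes, and a Value Added followed by
    a Value Deleted on the same object/attribute within `short_lived`
    (the pattern behind the 'Short Lived' rules above)."""
    findings, pending_adds = [], {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        attr = ev.get("AttributeLDAPDisplayName", "").lower()
        key = (ev.get("ObjectDN", ""), attr)
        op = ev.get("OperationType")
        theme = SENSITIVE_ATTRIBUTES.get(attr)
        if theme and op == VALUE_ADDED:
            findings.append({"theme": theme, "object": key[0],
                             "by": ev.get("SubjectUserName"),
                             "time": ev["TimeCreated"]})
        if op == VALUE_ADDED:
            pending_adds[key] = ev["TimeCreated"]
        elif op == VALUE_DELETED:
            added = pending_adds.pop(key, None)
            if added is not None and ev["TimeCreated"] - added <= short_lived:
                findings.append({"theme": f"short-lived {attr} value",
                                 "object": key[0],
                                 "by": ev.get("SubjectUserName"),
                                 "time": ev["TimeCreated"]})
    return findings


def make_event(ts, subject, obj_dn, obj_class, attr, value, op):
    """Build a constructed 5136 record in the Security log's XML shape."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5136</EventID><TimeCreated SystemTime="{ts}"/>
    <Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="ObjectDN">{obj_dn}</Data>
    <Data Name="ObjectClass">{obj_class}</Data>
    <Data Name="AttributeLDAPDisplayName">{attr}</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


# Constructed sample: a shadow-credential write, a short-lived SPN on a
# user, a benign description change, and a domain-root ACL change.
SAMPLE_EVENTS = [
    make_event("2024-05-01T10:00:00.1234567Z", "svc_backup",
               "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "computer",
               "msDS-KeyCredentialLink", "B:828:...", VALUE_ADDED),
    make_event("2024-05-01T10:01:00.0000000Z", "jdoe",
               "CN=Alice,OU=Users,DC=corp,DC=example", "user",
               "servicePrincipalName", "HTTP/fake.corp.example", VALUE_ADDED),
    make_event("2024-05-01T10:01:30.0000000Z", "jdoe",
               "CN=Alice,OU=Users,DC=corp,DC=example", "user",
               "servicePrincipalName", "HTTP/fake.corp.example", VALUE_DELETED),
    make_event("2024-05-01T10:05:00.0000000Z", "admin",
               "CN=Bob,OU=Users,DC=corp,DC=example", "user",
               "description", "Finance", VALUE_ADDED),
    make_event("2024-05-01T10:06:00.0000000Z", "jdoe",
               "DC=corp,DC=example", "domainDNS",
               "nTSecurityDescriptor", "O:BAG:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-1104)",
               VALUE_ADDED),
]


def run_sample():
    return triage([parse_5136(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']:%H:%M:%S} {f['theme']:<45} {f['object']} by {f['by']}")
```

The benign description change produces nothing; the SPN write produces two findings (the attribute hit and, once the delete arrives 30 seconds later, the short-lived pair). In production the same checks would run over events pulled from the Security log, and the nTSecurityDescriptor hit would be further qualified by parsing the SDDL for the specific rights the ACL rules above look for.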