Detection rules › Splunk
Windows AD Domain Root ACL Deletion
Detects the deletion of an ACE from the ACL of the domain root object (ObjectClass domainDNS), a rare and high-impact Active Directory change. Following Microsoft guidance, every change at this level should be reviewed. During triage, pivot on the SubjectLogonId into the matching EventCode 4624 logon event to identify the source device.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484 Domain or Tenant Policy Modification |
| Defense Evasion | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification, T1484 Domain or Tenant Policy Modification |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: search
search EventCode=5136 ObjectClass="domainDNS"
Stage 2: stats
stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId
Stage 3: rex
rex field=old_value ...
Stage 4: rex
rex field=new_value ...
Stage 5: mvexpand
mvexpand
Stage 6: where
where NOT old_values="new_values"
Stage 7: rex
rex field=old_values ...
Stage 8: rex
rex field=aceAccessRights ...
Stage 9: rex
rex field=aceFlags ...
Stage 10: lookup
lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid
Stage 11: lookup
lookup <lookup> AccessRights, access_rights_string, access_rights_value
Stage 12: lookup
lookup <lookup> aceType, ace_type_string, ace_type_value
Stage 13: lookup
lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value
Stage 14: lookup
lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string
Stage 15: eval
eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)
Stage 16: stats
stats BY _time, ObjectClass, ObjectDN, src_user, SubjectLogonId, user, OpCorrelationID
Stage 17: eval
eval ...
Stage 18: search
search `macro`
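The pipeline above, reproduced as an added Python example (this is not the rule's SPL and not Splunk's code): correlate the two 5136 events Windows emits for one nTSecurityDescriptor change (OperationType Value Deleted carries the old SDDL, Value Added the new one, both sharing an OpCorrelationID), split each DACL into ACEs, report every ACE present in the old value but absent from the new one, and decode type, flags, access rights, object GUID and SID with small tables standing in for the rule's lookups. The events, the SIDs, the helper names and the decoding tables are constructed for this example; the `%%14674`/`%%14675` OperationType codes are the ones Windows writes into event 5136.

```python
import re
from collections import defaultdict

# OperationType codes Windows writes into event 5136: Value Added / Value Deleted.
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

# Minimal decoding tables standing in for the rule's lookups (subset, constructed for this example).
ACE_TYPE = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "ACCESS_ALLOWED_OBJECT",
            "OD": "ACCESS_DENIED_OBJECT", "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAG = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
            "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
ACCESS_RIGHT = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
                "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
                "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
                "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
                "CR": "CONTROL_ACCESS"}
WELL_KNOWN_SID = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Administrators",
                  "AU": "Authenticated Users", "WD": "Everyone", "SY": "SYSTEM"}
CONTROL_ACCESS_RIGHT = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes"}


def _event(object_class, object_dn, corr, op_type, sddl):
    """Build a constructed 5136 event with the fields the rule keys on (helper for the sample only)."""
    return {"EventCode": 5136, "ObjectClass": object_class, "ObjectDN": object_dn,
            "OpCorrelationID": corr, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
            "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": op_type,
            "AttributeValue": sddl}


# Constructed sample: one nTSecurityDescriptor change on the domain root (two events, one OpCorrelationID)
# that removes the DS-Replication-Get-Changes ACE for Administrators, plus the same edit on a user object,
# which the ObjectClass filter must drop.
OLD_SDDL = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
            "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)")
NEW_SDDL = "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
ROOT_CORR, USER_CORR = "{5a1f0c2e-0000-4000-8000-000000000001}", "{5a1f0c2e-0000-4000-8000-000000000002}"
SAMPLE_EVENTS = [
    _event("domainDNS", "DC=corp,DC=example", ROOT_CORR, VALUE_DELETED, OLD_SDDL),
    _event("domainDNS", "DC=corp,DC=example", ROOT_CORR, VALUE_ADDED, NEW_SDDL),
    _event("user", "CN=svc,CN=Users,DC=corp,DC=example", USER_CORR, VALUE_DELETED, OLD_SDDL),
    _event("user", "CN=svc,CN=Users,DC=corp,DC=example", USER_CORR, VALUE_ADDED, NEW_SDDL),
]


def dacl_aces(sddl):
    """Return the ACE strings of the DACL section of an SDDL descriptor (owner, group and SACL are ignored)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    return re.findall(r"\(([^)]*)\)", m.group(1)) if m else []


def parse_ace(ace_text):
    """Decode one SDDL ACE 'type;flags;rights;object_guid;inherit_guid;sid' (parentheses already stripped)."""
    ace_type, flags, rights, obj_guid, inh_guid, sid = (ace_text.split(";") + [""] * 6)[:6]
    if rights.startswith("0x"):  # SDDL may carry a raw hex access mask instead of two-letter codes
        rights_decoded = [rights]
    else:
        rights_decoded = [ACCESS_RIGHT.get(r, r) for r in re.findall(r"..", rights)]
    return {"raw": ace_text,
            "aceType": ACE_TYPE.get(ace_type, ace_type),
            "aceFlags": [ACE_FLAG.get(f, f) for f in re.findall(r"..", flags)],
            "aceAccessRights": rights_decoded,
            "aceObjectGuid": CONTROL_ACCESS_RIGHT.get(obj_guid.lower(), obj_guid),
            "aceInheritedObjectGuid": inh_guid,
            "aceSid": WELL_KNOWN_SID.get(sid, sid)}


def correlate(events):
    """Stage 1-2: keep domainDNS nTSecurityDescriptor changes and pair old/new values by OpCorrelationID."""
    grouped = defaultdict(dict)
    for e in events:
        if (e["EventCode"] != 5136 or e["ObjectClass"] != "domainDNS"
                or e["AttributeLDAPDisplayName"] != "nTSecurityDescriptor"):
            continue
        g = grouped[e["OpCorrelationID"]]
        g["old_value" if e["OperationType"] == VALUE_DELETED else "new_value"] = e["AttributeValue"]
        g.setdefault("meta", {k: e[k] for k in ("ObjectDN", "SubjectUserName", "SubjectLogonId", "OpCorrelationID")})
    return grouped


def find_deleted_aces(events):
    """Stages 3-16: one finding per ACE present in the old DACL but missing from the new one."""
    findings = []
    for g in correlate(events).values():
        if "old_value" not in g or "new_value" not in g:
            continue  # unpaired event: cannot diff, leave it to the broader rules
        removed = set(dacl_aces(g["old_value"])) - set(dacl_aces(g["new_value"]))
        for ace in sorted(removed):
            findings.append({**g["meta"], **parse_ace(ace)})
    return findings


if __name__ == "__main__":
    for f in find_deleted_aces(SAMPLE_EVENTS):
        print(f"{f['SubjectUserName']} (logon {f['SubjectLogonId']}) removed from {f['ObjectDN']}: "
              f"{f['aceType']} for {f['aceSid']}: {','.join(f['aceAccessRights'])} {f['aceObjectGuid']}")
```

The set difference deliberately compares ACE strings rather than positions, so a DACL that was merely re-ordered produces no finding; only an ACE that no longer exists in the new value does. The SubjectLogonId carried into each finding is the value to match against the logon ID in the corresponding EventCode 4624 event when identifying the source device.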
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 6 | old_values | eq | new_values |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 5136 |
| ObjectClass | eq | domainDNS |
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Windows AD Dangerous Deny ACL Modification (drops 1 filter this rule applies)
- Windows AD Object Owner Updated (drops 1 filter this rule applies)
- Windows AD Self DACL Assignment (drops 1 filter this rule applies)