Detection rules › Splunk

Windows AD Hidden OU Creation

Author: Dean Luxton
Source: upstream

This analytic looks for an ACL change on an organizational unit (OU) that adds a deny ACE for listing the objects residing in the OU. Combined with changing the owner of the OU, this hides the AD objects inside it even from domain administrators.

MITRE ATT&CK coverage

Tactic               | Techniques
Privilege Escalation | T1484 Domain or Tenant Policy Modification
Defense Evasion      | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification; T1484 Domain or Tenant Policy Modification

Event coverage

Provider          | Event ID | Title
Security-Auditing | 5136     | A directory service object was modified.

Stages and Predicates

Stage 1: search

search EventCode=5136 ObjectClass="organizationalUnit"

Stage 2: stats

stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId

Stage 3: rex

rex field=old_value ...

Stage 4: rex

rex field=new_value ...

Stage 5: mvexpand

mvexpand

Stage 6: where

where NOT new_ace="old_values"

Stage 7: rex

rex field=new_ace ...

Stage 8: rex

rex field=aceAccessRights ...

Stage 9: rex

rex field=aceFlags ...

Stage 10: lookup

lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid

Stage 11: lookup

lookup <lookup> AccessRights, access_rights_string, access_rights_value

Stage 12: lookup

lookup <lookup> aceType, ace_type_string, ace_type_value

Stage 13: lookup

lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value

Stage 14: lookup

lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string

Stage 15: eval

eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)

Stage 16: stats

stats BY _time, ObjectClass, ObjectDN, src_user, SubjectLogonId, user, OpCorrelationID

Stage 17: eval

eval ...

Stage 18: search

search aceAccessRights IN ("List contents", "List objects", "LC", "LO") aceType IN ("Access denied", "D")

Stage 19: search

search `macro`
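The stages above are the rule's SPL pipeline with the regexes and lookups elided. The following is an added example, not the rule's own code: a Python re-implementation of stages 1 to 18 run over constructed Event ID 5136 records, so the ACE diff (stages 3 to 6), the SDDL ACE parsing and lookups (stages 7 to 14) and the final deny-LC/LO predicate (stage 18) can be executed offline. It assumes that an nTSecurityDescriptor change is logged as a "Value Deleted" 5136 event (OperationType %%14675, the old SDDL) and a "Value Added" event (%%14674, the new SDDL) sharing one OpCorrelationID, which is how the rule's stats stage pairs old_value and new_value; the DNs, SIDs, logon IDs and user names are made up, and the lookup tables are a small subset of the real ones.

```python
"""Added example: the Hidden OU detection re-implemented over constructed
5136 events. Not the Splunk rule itself; the event layout, the %%14675 /
%%14674 pairing by OpCorrelationID, and the lookup subsets are assumptions."""
import re
from collections import defaultdict

ACE_RE = re.compile(r"\(([^()]*)\)")  # stages 3-4: each "(...)" is one ACE

# Stand-ins for the rule's lookup stages (subsets only).
ACE_TYPES = {"A": "Access allowed", "D": "Access denied",
             "OA": "Object access allowed", "OD": "Object access denied"}
# SDDL code, ADS_RIGHT bit, display string (stage 8 handles both forms).
ACCESS_RIGHTS = [
    ("CC", 0x00001, "Create child"),   ("DC", 0x00002, "Delete child"),
    ("LC", 0x00004, "List contents"),  ("SW", 0x00008, "Self write"),
    ("RP", 0x00010, "Read property"),  ("WP", 0x00020, "Write property"),
    ("DT", 0x00040, "Delete tree"),    ("LO", 0x00080, "List objects"),
    ("CR", 0x00100, "Control access"), ("SD", 0x10000, "Delete"),
    ("RC", 0x20000, "Read control"),   ("WD", 0x40000, "Write DAC"),
    ("WO", 0x80000, "Write owner"),
]
RIGHT_BY_CODE = {code: name for code, _, name in ACCESS_RIGHTS}
WELL_KNOWN_SIDS = {"DA": "Domain Admins", "AU": "Authenticated Users",
                   "WD": "Everyone", "BA": "Administrators", "SY": "SYSTEM"}
LISTING_RIGHTS = {"List contents", "List objects"}


def decode_rights(rights):
    """Stage 8: expand the rights field (two-letter codes or a hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for _, bit, name in ACCESS_RIGHTS if mask & bit]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [RIGHT_BY_CODE.get(c, c) for c in codes]


def parse_ace(ace):
    """Stages 7-14: split 'type;flags;rights;objguid;inhguid;sid' and resolve."""
    parts = ace.split(";")
    if len(parts) < 6:
        raise ValueError(f"not an SDDL ACE: {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = parts[:6]
    return {
        "aceType": ACE_TYPES.get(ace_type, ace_type),
        "aceFlags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
        "aceAccessRights": decode_rights(rights),
        "aceObjectGuid": obj_guid,
        "aceInheritedObjectGuid": inh_guid,
        "aceSid": WELL_KNOWN_SIDS.get(sid, sid),
    }


def correlate(events):
    """Stages 1-2: keep 5136 on OUs, pair old/new values by OpCorrelationID."""
    groups = defaultdict(dict)
    for ev in events:
        if ev["EventCode"] != 5136 or ev["ObjectClass"] != "organizationalUnit":
            continue
        # Extra check not in the rule: only the security descriptor carries ACEs.
        if ev["AttributeLDAPDisplayName"] != "nTSecurityDescriptor":
            continue
        g = groups[ev["OpCorrelationID"]]
        g.update({k: ev[k] for k in ("ObjectDN", "src_user", "SubjectLogonId")})
        if ev["OperationType"] == "%%14675":    # Value Deleted -> old_value
            g["old_value"] = ev["AttributeValue"]
        elif ev["OperationType"] == "%%14674":  # Value Added   -> new_value
            g["new_value"] = ev["AttributeValue"]
    return groups


def find_hidden_ou_aces(events):
    """Stages 3-18: diff the ACE lists and keep deny ACEs carrying LC or LO."""
    findings = []
    for corr_id, g in correlate(events).items():
        if "new_value" not in g:
            continue
        old_aces = set(ACE_RE.findall(g.get("old_value", "")))
        for raw in ACE_RE.findall(g["new_value"]):
            if raw in old_aces:                 # stage 6: ACE already present
                continue
            ace = parse_ace(raw)
            if ace["aceType"] == "Access denied" and LISTING_RIGHTS & set(ace["aceAccessRights"]):
                meta = {k: g[k] for k in ("ObjectDN", "src_user", "SubjectLogonId")}
                findings.append({"OpCorrelationID": corr_id, "new_ace": raw, **meta, **ace})
    return findings


def _ev(corr, dn, op, value, obj_class="organizationalUnit"):
    """Constructed 5136 record (field names follow the Splunk extraction)."""
    return {"EventCode": 5136, "ObjectClass": obj_class, "ObjectDN": dn,
            "OpCorrelationID": corr, "src_user": "CORP\\jdoe",
            "SubjectLogonId": "0x3E7A1", "OperationType": op,
            "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": value}


BASE_SD = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;LCRPLORC;;;AU)"
SAMPLE_EVENTS = [  # constructed, not real logs
    # {1}: deny Everyone LC+LO on an OU -> should alert
    _ev("{1}", "OU=Hidden,DC=corp,DC=local", "%%14675", BASE_SD),
    _ev("{1}", "OU=Hidden,DC=corp,DC=local", "%%14674", BASE_SD + "(D;;LCLO;;;WD)"),
    # {2}: a new allow ACE on another OU -> no alert
    _ev("{2}", "OU=Sales,DC=corp,DC=local", "%%14675", BASE_SD),
    _ev("{2}", "OU=Sales,DC=corp,DC=local", "%%14674",
        BASE_SD + "(A;;LCLORC;;;S-1-5-21-1111-2222-3333-1103)"),
    # {3}: the same deny ACE on a user object -> dropped at stage 1
    _ev("{3}", "CN=svc,OU=Sales,DC=corp,DC=local", "%%14675", BASE_SD, "user"),
    _ev("{3}", "CN=svc,OU=Sales,DC=corp,DC=local", "%%14674", BASE_SD + "(D;;LCLO;;;WD)", "user"),
]

if __name__ == "__main__":
    for f in find_hidden_ou_aces(SAMPLE_EVENTS):
        print(f"{f['ObjectDN']}: {f['aceType']} {f['aceAccessRights']} "
              f"for {f['aceSid']} by {f['src_user']} ({f['OpCorrelationID']})")
```

Only the first correlation ID produces a finding: the allow ACE on OU=Sales fails the stage 18 type predicate and the user object never passes stage 1. Note that stage 18 matches aceType "Access denied"/"D" only, so an object-specific deny ("OD") that carries LC or LO would not match the rule as written; if that matters in your environment, widen the predicate.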

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field   | Kind | Excluded values
1     | new_ace | eq   | old_values

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: EventCode (kind: eq)
  • 5136 corpus 22 (splunk 22)
Field: ObjectClass (kind: eq)
  • organizationalUnit
Field: aceAccessRights (kind: in)
  • "List contents"
  • "List objects"
  • LC
  • LO
Field: aceType (kind: in)
  • "Access denied" corpus 2 (splunk 2)
  • D corpus 2 (splunk 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.