Detection rules › Splunk
Windows AD Object Owner Updated
AD Object Owner Updated. The owner provides Full control level privileges over the target AD Object. This event has significant impact alone and is also a precursor activity for hiding an AD object.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484 Domain or Tenant Policy Modification |
| Defense Evasion | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification, T1484 Domain or Tenant Policy Modification |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: search
search EventCode=5136
Stage 2: stats
stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId, DSName
Stage 3: rex
rex field=old_value ...
Stage 4: rex
rex field=new_value ...
Stage 5: where
where old_owner!=
Stage 6: lookup
lookup <lookup> builtin_group_name, builtin_group_string, new_owner_group, new_owner_group_builtin_group
Stage 7: lookup
lookup <lookup> builtin_group_name, builtin_group_string, old_owner, old_owner_group_builtin_group
Stage 8: eval
eval ... using (new_owner, new_owner_group, new_owner_group_builtin_group, new_owner_user, old_owner, old_owner_group, old_owner_group_builtin_group, old_owner_user)
Stage 9: stats
stats BY _time, ObjectClass, ObjectDN, src_user, OpCorrelationID, DSName
Stage 10: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows AD GPO Disabled (adds 3 filters)
- Windows AD ServicePrincipalName Added To Domain Account (adds 3 filters)
- Windows Default Group Policy Object Modified (adds 3 filters)
- Windows AD AdminSDHolder ACL Modified (adds 2 filters)
- Windows AD GPO New CSE Addition (adds 2 filters)
- Windows AD SID History Attribute Modified (adds 2 filters)
- Windows AD Suspicious Attribute Modification (adds 2 filters)
- Windows AD Dangerous Group ACL Modification (adds 1 filter)
- Windows AD Dangerous User ACL Modification (adds 1 filter)
- Windows AD DCShadow Privileges ACL Addition (adds 1 filter)
- Windows AD Domain Replication ACL Addition (adds 1 filter)
- Windows AD Domain Root ACL Deletion (adds 1 filter)
- Windows AD Domain Root ACL Modification (adds 1 filter)
- Windows AD GPO Deleted (adds 1 filter)
- Windows AD Hidden OU Creation (adds 1 filter)
- Windows AD Short Lived Domain Account ServicePrincipalName (adds 1 filter)