Active Directory Object Modification

Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:

  • User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts).
  • Group Membership: Adding/removing members.
  • OU: Changing properties/permissions (e.g., delegation).
  • Service Account: Modifying SPNs or other attributes.
  • Object Attributes: Changes to passwords, logon hours, or control flags.

Data Collection Measures:

  • Audit Policy:
    • Enable "Audit Directory Service Changes" (Success and Failure).
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.
    • Key Events: 5136 (modifications), 5163 (attribute changes).
  • Log Forwarding:
    • Use WEF to centralize logs for SIEM.
    • Parse logs to extract: Object Name, Attribute Changed, Initiator Account Name.
  • Enable EDR Monitoring:
    • Detect changes to critical attributes (e.g., memberOf, logonHours).
    • Track processes modifying directory service objects (e.g., Set-ADUser or dsmod).
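
The parsing and critical-attribute checks described above, as an added example that is not part of the original page: it reads Event ID 5136 records in the Windows event XML layout (as delivered by WEF or Get-WinEvent), extracts Object Name, Attribute Changed and Initiator Account Name, and flags changes to the attributes this page lists. The sample events and the "CORP" domain are constructed; the EventData field names (ObjectDN, AttributeLDAPDisplayName, SubjectUserName, OperationType) are the standard 5136 fields.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Attributes this page calls out: group membership, logon hours, SPNs and control
# flags. 5136 logs a membership change as "member" on the group object itself.
CRITICAL_ATTRIBUTES = {"member", "memberOf", "logonHours",
                       "servicePrincipalName", "userAccountControl"}
# Windows renders these OperationType resource codes in the event text.
OPERATION = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

def parse_5136(xml_text):
    """Pull Object Name, Attribute Changed and Initiator from one 5136 record."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None  # other Security events (4739, 4663, ...) are ignored here
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    attribute = data.get("AttributeLDAPDisplayName", "")
    return {
        "object_name": data.get("ObjectDN"),
        "object_class": data.get("ObjectClass"),
        "attribute": attribute,
        "value": data.get("AttributeValue"),
        "operation": OPERATION.get(data.get("OperationType"), data.get("OperationType")),
        "initiator": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        "critical": attribute in CRITICAL_ATTRIBUTES,
    }

def critical_changes(events):
    """Return the parsed 5136 records that touch a critical attribute."""
    parsed = (parse_5136(e) for e in events)
    return [p for p in parsed if p and p["critical"]]

def make_event(event_id, **fields):
    # Constructed sample in the Windows event XML layout that WEF delivers.
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed, not real domain data
    make_event(5136, SubjectUserName="jdoe", SubjectDomainName="CORP", ObjectClass="group",
               ObjectDN="CN=Domain Admins,CN=Users,DC=corp,DC=example", OperationType="%%14674",
               AttributeLDAPDisplayName="member", AttributeValue="CN=svc-backup,DC=corp,DC=example"),
    make_event(5136, SubjectUserName="helpdesk1", SubjectDomainName="CORP", ObjectClass="user",
               ObjectDN="CN=Alice,OU=Staff,DC=corp,DC=example", OperationType="%%14674",
               AttributeLDAPDisplayName="description", AttributeValue="Sales team"),
    make_event(4739, SubjectUserName="helpdesk1", SubjectDomainName="CORP"),
]
```

Only the first sample event (a member added to Domain Admins) is returned by critical_changes; the description edit and the 4739 event are parsed but not flagged.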
ID: DC0066
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 22 October 2025

Log Sources

Name                          | Channel
azure:activity                | Update conditionalAccessPolicy
azure:SigninLogs              | Add certificate credential, Update certificate credential
esxi:vpxa                     | vim.SessionManager.login / vim.AccountManager.createUser
esxi:vpxd                     | permission change operations on datastores or VMs
m365:dirsync                  | Replication cookie changes involving Configuration partition with new server/nTDSDSA objects.
m365:unified                  | Set-Mailbox, Set-AppPassword, Add-MailboxPermission
m365:unified                  | Add app role assignment grant to user: Consent to application by privileged or unexpected accounts
WinEventLog:DirectoryService  | EventCode=5136
WinEventLog:Security          | EventCode=5136
WinEventLog:Security          | EventCode=4739
WinEventLog:Security          | EventCode=4663
WinEventLog:Security          | EventCode=4670

Detection Strategy

ID      | Name                                                                                     | Technique Detected
DET0096 | Account Manipulation Behavior Chain Detection                                            | T1098
DET0283 | Behavior-chain detection for T1134 Access Token Manipulation on Windows                  | T1134
DET0456 | Behavior-chain detection for T1134.002 Create Process with Token (Windows)               | T1134.002
DET0136 | Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows) | T1134.005
DET0030 | Detect Conditional Access Policy Modification in Identity and Cloud Platforms            | T1556.009
DET0293 | Detect Hybrid Identity Authentication Process Modification                               | T1556.007
DET0190 | Detect MFA Modification or Disabling Across Platforms                                    | T1556.006
DET0589 | Detect Modification of Authentication Process via Reversible Encryption                  | T1556.005
DET0270 | Detection of Domain or Tenant Policy Modifications via AD and Identity Provider          | T1484
DET0305 | Detection of Group Policy Modifications via AD Object Changes and File Activity          | T1484.001
DET0458 | Detection of Trust Relationship Modifications in Domain or Tenant Policies               | T1484.002
DET0531 | Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS                     | T1098.001
DET0539 | Detection Strategy for Cloud Application Integration                                     | T1671
DET0276 | Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse | T1207
DET0240 | Detection Strategy for Steal or Forge Authentication Certificates                        | T1649
DET0299 | Multi-Platform File and Directory Permissions Modification Detection Strategy            | T1222
DET0418 | Windows DACL Manipulation Behavioral Chain Detection Strategy                            | T1222.001