Active Directory Object Creation

The creation of new objects in Active Directory (AD), such as user accounts, groups, organizational units (OUs), or trust relationships. On a domain controller this is logged as Event ID 5137 once Directory Service Changes auditing is enabled. Examples:

  • User Account Creation: New user account.
  • Group Creation: New security/distribution group.
  • OU Creation: New organizational unit.
  • Service Account Creation: New service account for automation or malicious tasks.
  • Trust Object Creation: Trust relationship with another domain.

Data Collection Measures:

  • Audit Policy:
    • Enable "Audit Directory Service Changes" (Success and Failure).
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.
    • Key Event: Event ID 5137 (object creation).
  • Log Forwarding: Use Windows Event Forwarding (WEF) to centralize logs for SIEM tools (e.g., Splunk).
  • Enable EDR Monitoring:
    • Track processes that create new accounts or modify AD objects.
    • Correlate object creation with suspicious commands (e.g., net user /add).
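
The following PowerShell is an added example, not code from the ATT&CK page or from MITRE. It enables the "Directory Service Changes" subcategory referred to above, pulls Event ID 5137 records from the last 24 hours, extracts the fields needed for triage (subject, object class, object DN), and flags creations of the object classes listed on the page that were performed by someone other than an expected provisioning identity. The `$expectedCreators` values are placeholders to be replaced with the accounts that legitimately create objects in your domain; it must run in an elevated session on a domain controller.

```powershell
# Added example (not part of the ATT&CK data component page): enable the
# "Directory Service Changes" subcategory on a domain controller, then pull
# Event ID 5137 records and summarise which objects were created and by whom.
# The creator watch-list below is an assumed placeholder, not a value from the page.

# 1. Enable Success and Failure auditing for the subcategory (equivalent to the
#    GPO path quoted above) and confirm the current setting.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Directory Service Changes"

# 2. Collect 5137 events from the last 24 hours. Note that the SACL on the
#    container must also audit "Create all child objects" for 5137 to be written.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5137
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# 3. Parse the EventData fields that matter for triage.
$creations = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ObjectClass = $d.ObjectClass
        ObjectDN    = $d.ObjectDN
        LogonId     = $d.SubjectLogonId   # join key for correlating with 4624/4688 in the SIEM
    }
}

# 4. Flag creations of the object classes named on the page that were not
#    performed by an expected provisioning identity (assumed placeholder list).
$expectedCreators = @('CONTOSO\svc-provisioning', 'CONTOSO\Administrator')   # placeholder
$ofInterest       = @('user', 'group', 'organizationalUnit', 'computer', 'trustedDomain')

$creations |
    Where-Object { $_.ObjectClass -in $ofInterest -and $_.Subject -notin $expectedCreators } |
    Sort-Object Time |
    Format-Table Time, Subject, ObjectClass, ObjectDN -AutoSize
```

The `LogonId` column is kept because it is the value that lets a SIEM join the 5137 record to the 4624 logon and any 4688 process-creation events (e.g., net user /add) from the same session, which is the correlation the EDR bullet above describes.
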
ID: DC0087
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                   Channel
AWS:CloudTrail         CreateAccessKey, ImportKeyPair, CreateLoginProfile, CreateKeyPair
azure:audit            New device object creation
WinEventLog:Security   Device Object Creation
WinEventLog:Security   EventCode=4928

Detection Strategy