Active Directory Object Modification (5b8b466b-2c81-4fe7-946f-d677a74ae3db)
Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:
- User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts).
- Group Membership: Adding/removing members.
- OU: Changing properties/permissions (e.g., delegation).
- Service Account: Modifying SPNs or other attributes.
- Object Attributes: Changes to passwords, logon hours, or control flags.
Data Collection Measures:
- Audit Policy:
  - Enable "Audit Directory Service Changes" (Success and Failure).
  - Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.
  - Key Events: 5136 (modifications), 5163 (attribute changes).
- Log Forwarding:
  - Use WEF to centralize logs for SIEM.
  - Parse logs to extract: Object Name, Attribute Changed, Initiator Account Name.
- Enable EDR Monitoring:
  - Detect changes to critical attributes (e.g., memberOf, logonHours).
  - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod).
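As an added example (not part of this data component description), the following Python parser takes forwarded Event ID 5136 records in Windows event XML form, extracts the fields named under Log Forwarding (object, attribute, initiator), pairs the Value Deleted and Value Added halves of an attribute replace by their shared OpCorrelationID, and flags the attributes a SIEM rule would watch. The `Data Name` fields and the `%%14674`/`%%14675` operation codes are those Windows writes for 5136; the sample events, the `CRITICAL_ATTRIBUTES` watch list and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace of Windows event XML as delivered by WEF or Get-WinEvent's ToXml()
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType codes written by Event ID 5136
OPERATION = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Assumed watch list: the page's memberOf/logonHours plus the attributes behind
# SPN, UAC and delegation changes. Group membership changes are audited on the
# group's forward link "member"; memberOf is the computed back-link.
CRITICAL_ATTRIBUTES = {
    "member", "memberOf", "logonHours", "servicePrincipalName",
    "userAccountControl", "msDS-AllowedToDelegateTo",
}


def parse_5136(xml_text):
    """Extract the fields worth indexing from one 5136 event record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    attribute = data.get("AttributeLDAPDisplayName", "")
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "initiator": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        "object_dn": data.get("ObjectDN"),
        "object_class": data.get("ObjectClass"),
        "attribute": attribute,
        "value": data.get("AttributeValue"),
        "operation": OPERATION.get(data.get("OperationType"), data.get("OperationType")),
        "correlation_id": data.get("OpCorrelationID"),
        "critical": attribute in CRITICAL_ATTRIBUTES,
    }


def correlate(parsed_events):
    """Merge the events that belong to one LDAP modify of one attribute.

    A replace is logged as a Value Deleted event plus a Value Added event that
    share OpCorrelationID, so grouping on (correlation id, object, attribute)
    yields old/new pairs instead of two disconnected records."""
    groups = defaultdict(list)
    for ev in parsed_events:
        if ev["event_id"] != 5136:
            continue
        groups[(ev["correlation_id"], ev["object_dn"], ev["attribute"])].append(ev)
    changes = []
    for (_, object_dn, attribute), evs in groups.items():
        changes.append({
            "initiator": evs[0]["initiator"],
            "object_dn": object_dn,
            "object_class": evs[0]["object_class"],
            "attribute": attribute,
            "old": [e["value"] for e in evs if e["operation"] == "Value Deleted"],
            "new": [e["value"] for e in evs if e["operation"] == "Value Added"],
            "critical": evs[0]["critical"],
        })
    return changes


def critical_changes(xml_events):
    """Return only the merged changes that touch a watched attribute."""
    return [c for c in correlate(parse_5136(x) for x in xml_events) if c["critical"]]


def build_event(fields):
    """Constructed sample: a minimal 5136 record in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID>'
            f'<Computer>DC01.corp.example</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed initiator fields shared by every sample event
COMMON = {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1"}
SVC_DN = "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"

SAMPLE_EVENTS = [
    # 1. member added to Domain Admins (single Value Added event)
    build_event({**COMMON, "OpCorrelationID": "{a1b2c3d4-0000-4000-8000-000000000001}",
                 "ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
                 "ObjectClass": "group", "AttributeLDAPDisplayName": "member",
                 "AttributeValue": SVC_DN, "OperationType": "%%14674"}),
    # 2+3. userAccountControl replaced on a service account: old value deleted,
    #      new value added, both carrying the same OpCorrelationID
    build_event({**COMMON, "OpCorrelationID": "{a1b2c3d4-0000-4000-8000-000000000002}",
                 "ObjectDN": SVC_DN, "ObjectClass": "user",
                 "AttributeLDAPDisplayName": "userAccountControl",
                 "AttributeValue": "512", "OperationType": "%%14675"}),
    build_event({**COMMON, "OpCorrelationID": "{a1b2c3d4-0000-4000-8000-000000000002}",
                 "ObjectDN": SVC_DN, "ObjectClass": "user",
                 "AttributeLDAPDisplayName": "userAccountControl",
                 "AttributeValue": "66048", "OperationType": "%%14674"}),
    # 4. benign description edit: parsed and correlated, but not flagged
    build_event({**COMMON, "OpCorrelationID": "{a1b2c3d4-0000-4000-8000-000000000003}",
                 "ObjectDN": SVC_DN, "ObjectClass": "user",
                 "AttributeLDAPDisplayName": "description",
                 "AttributeValue": "Backup service account", "OperationType": "%%14674"}),
]

if __name__ == "__main__":
    for change in critical_changes(SAMPLE_EVENTS):
        print(f"{change['initiator']} changed {change['attribute']} on {change['object_dn']}: "
              f"{change['old'] or '-'} -> {change['new'] or '-'}")
```

Two points matter when wiring this into a SIEM: 5136 is only generated for objects whose SACL requests auditing of the write, so enabling the Directory Service Changes subcategory alone produces no events for objects without an auditing entry, and a single LDAP modify can touch several attributes under one OpCorrelationID, which is why the grouping key includes the object DN and attribute rather than the correlation ID alone.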