
Active Directory Object Deletion (9085a576-636a-455b-91d2-c2921bbe6d1d)

Deletion of an Active Directory object (a user account, group, OU, service account or trust object) is recorded by the domain controller that processed it as Event ID 5141, "A directory service object was deleted". The event carries the subject (who performed the deletion), the object's DN, GUID and class, and whether it was a tree delete. Examples of deletions worth alerting on:

  • User Account: a user object deleted, removing that identity's access (and, if done by an attacker, a foothold's evidence).
  • Group: a security or distribution group deleted, silently stripping every membership and the access those memberships granted.
  • Organizational Unit (OU): an OU deleted, taking its child objects and the Group Policy links applied to it with it.
  • Service Account: a service account deleted to disrupt the service that depends on it or to cover tracks.
  • Trust Object: a trustedDomain object deleted, breaking authentication across that domain trust.

Data Collection Measures:

  • Audit Policy:
    • Enable "Audit Directory Service Changes" (Success and Failure) on domain controllers.
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit Directory Service Changes.
    • Key Event: Event ID 5141.
    • Caveat: Directory Service Changes events are only emitted for objects whose SACL audits the operation (Delete / Delete Subtree) for the caller, so confirm the SACL on the domain root and any OUs you care about covers deletions, not just the audit policy.
  • Log Forwarding: use Windows Event Forwarding (WEF) to centralize domain controller Security logs in a SIEM (e.g., Splunk).
  • Enable EDR Monitoring:
    • Detect processes or users that initiate unauthorized object deletions.
    • Monitor tools and scripts (ADSI Edit, ldifde, Remove-ADObject / Remove-ADUser / Remove-ADGroup, LDAP clients) that can delete key directory objects.
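The collection steps above, worked through end to end as an added example; this is not code from the MISP galaxy page or from MITRE. It assumes it is run elevated on a domain controller (or a host with the RSAT ActiveDirectory module and log-read rights against one), that `auditpol` is acceptable for a single-DC test where the GPO path in the text is what you would deploy fleet-wide, and that the `$highRisk` class list is the editor's own choice, not a page-defined set.

```powershell
# Added example (not from the MISP galaxy page). Enable the audit subcategory,
# check the SACL prerequisite, then pull and triage recent 5141 events.
# Assumptions: run elevated on a DC; ActiveDirectory module available.

# 1. Enable "Audit Directory Service Changes" for success and failure on this DC.
#    Equivalent to the GPO path in the text, but per-host; use the GPO for all DCs.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Prerequisite check: 5141 is only generated if the object's SACL audits
#    Delete / Delete Subtree. List audit ACEs on the domain root that cover deletes.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$deleteAudit = (Get-Acl -Path "AD:\$domainDn" -Audit).Audit |
    Where-Object { $_.ActiveDirectoryRights -match 'Delete' }
if (-not $deleteAudit) {
    Write-Warning "No audit ACE covering Delete on $domainDn; 5141 will not fire for objects under it."
}
$deleteAudit | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType | Format-Table -AutoSize

# 3. Collect 5141 events from the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $since } -ErrorAction SilentlyContinue

# 4. Parse the EventData block of each event into named fields.
#    5141 fields: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId,
#    DSName, DSType, ObjectDN, ObjectGUID, ObjectClass, TreeDelete, OpCorrelationID.
$deletions = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject][ordered]@{
        Time          = $e.TimeCreated
        DC            = $e.MachineName
        Subject       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId       = $d['SubjectLogonId']
        ObjectClass   = $d['ObjectClass']
        ObjectDN      = $d['ObjectDN']
        # Raw TreeDelete is a resource-string id; the rendered Message shows it as yes/no.
        TreeDelete    = $d['TreeDelete']
        CorrelationId = $d['OpCorrelationID']   # same id across 5136/5137/5141 of one LDAP op
    }
}

# 5. Triage: the classes the text calls out as high impact (editor's list).
$highRisk = 'organizationalUnit', 'group', 'trustedDomain', 'groupPolicyContainer'
$deletions |
    Sort-Object Time |
    Select-Object Time, DC, Subject, ObjectClass, ObjectDN, TreeDelete,
        @{ n = 'HighRisk'; e = { $_.ObjectClass -in $highRisk } } |
    Format-Table -AutoSize
```

The `OpCorrelationID` column is what lets you stitch a deletion back to the 5136/5137 events of the same LDAP operation once the logs are in the SIEM; the `Subject`/`LogonId` pair is what you pivot on to find the 4624 logon and the host the deletion came from.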
Cluster A                                                                  | Galaxy A             | Cluster B                                                                  | Galaxy B             | Level
---------------------------------------------------------------------------|----------------------|----------------------------------------------------------------------------|----------------------|------
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) | Attack Pattern       | Active Directory Object Deletion (9085a576-636a-455b-91d2-c2921bbe6d1d)    | mitre-data-component | 1
Active Directory Object Deletion (9085a576-636a-455b-91d2-c2921bbe6d1d)    | mitre-data-component | Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) | Attack Pattern       | 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) | Attack Pattern       | Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) | Attack Pattern       | 2