Microsoft-Windows-Security-Auditing Event ID 5136 (A directory service object was modified)
Sigma (20)
- Active Directory User Backdoors
- AdminSDHolder permissions changed for persistence
- Computer account manipulation for delegation (RBCD)
- Computer account modifying Active Directory permissions
- Computer account modifying Active Directory permissions (PrivExchange)
- Extended rights backdoor obfuscation (via localizationDisplayId attribute)
- Group Policy Abuse for Privilege Addition
- Permissions changed on a Group Policy (GPO)
- Persistence and Execution at Scale via GPO Scheduled Task
- Possible DC Shadow Attack
- Possible Shadow Credentials Added
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Powerview Add-DomainObjectAcl DCSync AD Extend Right
- Replication privileges granted to perform DCSync attack
- Startup/Logon Script Added to Group Policy Object
- Suspicious LDAP-Attributes Used
- Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services)
- Suspicious modification of a sensitive Group Policy (GPO)
- Suspicious modification of a user account SPN to enable Kerberoast attack
- Windows Default Domain GPO Modification
Elastic (11)
- Account Configured with Never-Expiring Password
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Delegated Managed Service Account Modification by an Unusual User
- Group Policy Abuse for Privilege Addition
- Modification of the msPKIAccountCredentials
- Potential Active Directory Replication Account Backdoor
- Potential Shadow Credentials added to AD Object
- Scheduled Task Execution at Scale via GPO
- Startup/Logon Script added to Group Policy Object
- User account exposed to Kerberoasting
Splunk (24)
- Modify Group Policy (Windows Event Log)
- Windows AD AdminSDHolder ACL Modified
- Windows AD Dangerous Deny ACL Modification
- Windows AD Dangerous Group ACL Modification
- Windows AD Dangerous User ACL Modification
- Windows AD DCShadow Privileges ACL Addition
- Windows AD Domain Replication ACL Addition
- Windows AD Domain Root ACL Deletion
- Windows AD Domain Root ACL Modification
- Windows AD GPO Deleted
- Windows AD GPO Disabled
- Windows AD GPO New CSE Addition
- Windows AD Hidden OU Creation
- Windows AD Object Owner Updated
- Windows AD Self DACL Assignment
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD SID History Attribute Modified
- Windows AD Suspicious Attribute Modification
- Windows Default Group Policy Object Modified
- Windows Group Policy Object Created
- Windows Kerberos Coercion via DNS
- Windows Short Lived DNS Record
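Every rule in the three lists keys on the same handful of EventData fields that 5136 carries: ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue and OperationType. The block below is an added example, not rule code from Sigma, Elastic or Splunk, that expresses four of the listed detections as plain Python over constructed sample events: Shadow Credentials (msDS-KeyCredentialLink value added), a servicePrincipalName added to a user object (Kerberoast exposure), an ACL change on AdminSDHolder, and replication extended rights granted on the domain root (DCSync). The event XML, subject names, DNs and descriptor strings are made up; the OperationType codes and the two replication-right GUIDs are the real values.

```python
"""Minimal rule engine over Windows Security Event ID 5136
(A directory service object was modified). Added example with constructed
sample events; it is not Sigma, Elastic or Splunk rule code."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Raw OperationType codes as they appear in the event XML
# (Event Viewer renders them as "Value Added" / "Value Deleted").
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Extended-right GUIDs that allow directory replication; an ACE granting
# either one on the domain root is what a DCSync backdoor needs.
REPLICATION_RIGHTS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)


def make_event(**fields):
    """Build a constructed 5136 event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


def parse_5136(xml_text):
    """Return the EventData fields of a 5136 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    return {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}


def evaluate(ev):
    """Return the names of the listed detections that one event matches."""
    attr = ev.get("AttributeLDAPDisplayName", "")
    value = ev.get("AttributeValue", "").lower()
    dn = ev.get("ObjectDN", "").lower()
    hits = []
    if attr == "msDS-KeyCredentialLink" and ev.get("OperationType") == VALUE_ADDED:
        hits.append("Shadow Credentials added")
    # Computer objects register their own SPNs routinely, so only user objects count.
    if (attr == "servicePrincipalName" and ev.get("ObjectClass") == "user"
            and ev.get("OperationType") == VALUE_ADDED):
        hits.append("SPN added to user account (Kerberoast exposure)")
    if attr == "nTSecurityDescriptor" and dn.startswith("cn=adminsdholder,cn=system,"):
        hits.append("AdminSDHolder ACL modified")
    # nTSecurityDescriptor is logged as SDDL, so the ACE GUIDs are searchable text.
    if (attr == "nTSecurityDescriptor" and dn.startswith("dc=")
            and any(guid in value for guid in REPLICATION_RIGHTS)):
        hits.append("Replication rights granted on domain root (DCSync)")
    return hits


def run(events):
    """Evaluate every event; return one (subject, ObjectDN, rule) tuple per match."""
    findings = []
    for xml_text in events:
        ev = parse_5136(xml_text)
        if ev is None:
            continue
        for rule in evaluate(ev):
            findings.append((ev.get("SubjectUserName", ""), ev.get("ObjectDN", ""), rule))
    return findings


DOMAIN = "DC=corp,DC=example"
SAMPLE_EVENTS = [  # constructed; subjects, DNs and descriptor text are made up
    make_event(SubjectUserName="jdoe", ObjectClass="user",
               ObjectDN=f"CN=svc-backup,OU=Service,{DOMAIN}",
               AttributeLDAPDisplayName="msDS-KeyCredentialLink",
               AttributeValue=f"B:8:00020000:CN=svc-backup,OU=Service,{DOMAIN}",
               OperationType=VALUE_ADDED),
    make_event(SubjectUserName="jdoe", ObjectClass="user",
               ObjectDN=f"CN=alice,OU=Staff,{DOMAIN}",
               AttributeLDAPDisplayName="servicePrincipalName",
               AttributeValue="HTTP/alice.corp.example", OperationType=VALUE_ADDED),
    make_event(SubjectUserName="jdoe", ObjectClass="container",
               ObjectDN=f"CN=AdminSDHolder,CN=System,{DOMAIN}",
               AttributeLDAPDisplayName="nTSecurityDescriptor",
               AttributeValue="O:DAG:DAD:(A;;GA;;;S-1-5-21-1-2-3-1105)",
               OperationType=VALUE_ADDED),
    make_event(SubjectUserName="jdoe", ObjectClass="domainDNS", ObjectDN=DOMAIN,
               AttributeLDAPDisplayName="nTSecurityDescriptor",
               AttributeValue="O:DAG:DAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)",
               OperationType=VALUE_ADDED),
    make_event(SubjectUserName="helpdesk", ObjectClass="user",  # benign change
               ObjectDN=f"CN=bob,OU=Staff,{DOMAIN}", AttributeLDAPDisplayName="description",
               AttributeValue="Moved to Finance", OperationType=VALUE_ADDED),
    make_event(SubjectUserName="SRV01$", ObjectClass="computer",  # host's own SPN
               ObjectDN=f"CN=SRV01,OU=Servers,{DOMAIN}",
               AttributeLDAPDisplayName="servicePrincipalName",
               AttributeValue="HOST/srv01.corp.example", OperationType=VALUE_ADDED),
]

if __name__ == "__main__":
    for subject, dn, rule in run(SAMPLE_EVENTS):
        print(f"{rule:55} {subject:10} {dn}")
```

Two caveats that apply to every rule in the lists above: 5136 is only written when "Audit Directory Service Changes" is enabled and the modified object's SACL contains an audit entry covering the write, so a domain without that SACL coverage produces none of these events; and a single LDAP modify that replaces a value yields a Value Deleted event followed by a Value Added event, which is why the checks above key on the added value rather than on the bare attribute name.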