Skip to content

DC0066 Active Directory Object Modification

Item Value
ID DC0066
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
azure:activity Update conditionalAccessPolicy
azure:signinlogs Add certificate credential, Update certificate credential
esxi:vpxa vim.SessionManager.login / vim.AccountManager.createUser
esxi:vpxd permission change operations on datastores or VMs
m365:dirsync Replication cookie changes involving Configuration partition with new server/nTDSDSA objects.
m365:unified Set-Mailbox, Set-AppPassword, Add-MailboxPermission
m365:unified Add app role assignment grant to user: Consent to application by privileged or unexpected accounts
WinEventLog:Security EventCode=5163
WinEventLog:Security EventCode=4739
WinEventLog:Security EventCode=5136
WinEventLog:Security EventCode=4663, 4670, 4656

Detection Strategy

ID Name Technique Detected
DET0096 Account Manipulation Behavior Chain Detection T1098
DET0283 Behavior-chain detection for T1134 Access Token Manipulation on Windows T1134
DET0456 Behavior-chain detection for T1134.002 Create Process with Token (Windows) T1134.002
DET0136 Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows) T1134.005
DET0030 Detect Conditional Access Policy Modification in Identity and Cloud Platforms T1556.009
DET0293 Detect Hybrid Identity Authentication Process Modification T1556.007
DET0190 Detect MFA Modification or Disabling Across Platforms T1556.006
DET0589 Detect Modification of Authentication Process via Reversible Encryption T1556.005
DET0270 Detection of Domain or Tenant Policy Modifications via AD and Identity Provider T1484
DET0305 Detection of Group Policy Modifications via AD Object Changes and File Activity T1484.001
DET0458 Detection of Trust Relationship Modifications in Domain or Tenant Policies T1484.002
DET0531 Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS T1098.001
DET0539 Detection Strategy for Cloud Application Integration T1671
DET0276 Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse T1207
DET0240 Detection Strategy for Steal or Forge Authentication Certificates T1649
DET0299 Multi-Platform File and Directory Permissions Modification Detection Strategy T1222
DET0418 Windows DACL Manipulation Behavioral Chain Detection Strategy T1222.001