DC0087 Active Directory Object Creation
| Item | Value |
|---|---|
| ID | DC0087 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |
Log Sources
| Name | Channel |
|---|---|
| AWS:CloudTrail | CreateAccessKey, ImportKeyPair, CreateLoginProfile, CreateKeyPair |
| azure:audit | New device object creation |
| WinEventLog:Security | Device Object Creation |
| WinEventLog:Security | EventCode=4928 |
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0531 | Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS | T1098.001 |
| DET0276 | Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse | T1207 |
| DET0036 | Suspicious Device Registration via Entra ID or MFA Platform | T1098.005 |