DS0026 Active Directory

A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (users, groups, applications, or devices) [1]

ID: DS0026
Platforms: Azure AD, Windows
Collection Layers: Cloud Control Plane, Host
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Active Directory Credential Request

A user requested Active Directory credentials, such as a ticket or token (ex: Windows EID 4769)

Active Directory Object Access

Opening of an Active Directory object, typically to collect/read its value (ex: Windows EID 4661)

Domain      ID         Name
enterprise  T1615      Group Policy Discovery
enterprise  T1003      OS Credential Dumping
enterprise  T1003.006  DCSync
enterprise  T1033      System Owner/User Discovery

Active Directory Object Creation

Initial construction of a new Active Directory object (ex: Windows EID 5137)

Active Directory Object Deletion

Removal of an Active Directory object (ex: Windows EID 5141)

Active Directory Object Modification

Changes made to an Active Directory object (ex: Windows EID 5163 or 5136)

References

  1. Foulds, I. et al. (2018, August 7). AD DS Getting Started. Retrieved September 23, 2021.
  2. Delpy, B. & Le Toux, V. (n.d.). DCShadow. Retrieved March 20, 2018.
  3. Microsoft. (2020, September 16). Azure Active Directory security operations for devices. Retrieved February 21, 2023.
  4. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
  5. Abolins, D., Boldea, C., Socha, K. & Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
  6. Warren, J. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.
  7. Metcalf, S. (2015, May 3). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
  8. Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.
  9. Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.
  10. Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.
  11. Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018.
  12. Lucand, G. (2018, February 18). Detect DCShadow, impossible? Retrieved March 30, 2018.
  13. Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.
  14. Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.
  15. SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
  16. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.
  17. Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
  18. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.