
DS0026 Active Directory

A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices) [1]

ID: DS0026
Platforms: Azure AD, Windows
Collection Layers: Cloud Control Plane, Host
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Active Directory Credential Request

A user requested Active Directory credentials, such as a ticket or token (ex: Windows EID 4769, a Kerberos service ticket was requested)

Domain ID Name
enterprise T1649 Steal or Forge Authentication Certificates
enterprise T1558 Steal or Forge Kerberos Tickets
enterprise T1558.001 Golden Ticket
enterprise T1558.003 Kerberoasting
enterprise T1558.004 AS-REP Roasting
enterprise T1550 Use Alternate Authentication Material
enterprise T1550.002 Pass the Hash
enterprise T1550.003 Pass the Ticket
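The two roasting techniques in the table above leave a characteristic shape in ticket-request events: Kerberoasting shows as one requester pulling RC4 (etype 0x17) service tickets for many SPN-bearing user accounts in a short burst (EID 4769), and AS-REP roasting shows as a TGT issued to an account with pre-authentication disabled (EID 4768, PreAuthType 0). The following is an added example, not MITRE's code. The records are constructed to mirror the EventData field names of the real events; the time window, the distinct-service threshold and the "skip machine accounts and krbtgt" heuristic are assumptions to tune per environment.

```python
"""Triage Kerberos ticket-request events (Windows EID 4768 and 4769) for
roasting patterns.  Added example for the Active Directory Credential Request
data component; not MITRE's code.  Records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # TicketEncryptionType: RC4-HMAC (AES128/AES256 are 0x11/0x12)
NO_PREAUTH = 0       # 4768 PreAuthType 0 = "logon without pre-authentication"

# Constructed sample records (not real telemetry).
EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.0.5"},
    # One account pulling RC4 service tickets for several SPN-bearing users within seconds
    {"EventID": 4769, "Time": "2024-05-01T09:10:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "Time": "2024-05-01T09:10:03", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "Time": "2024-05-01T09:10:07", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.0.0.9"},
    # A single RC4 ticket for a legacy service: noisy, but below threshold on its own
    {"EventID": 4769, "Time": "2024-05-01T09:12:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.0.0.12"},
    # TGT requests: one without pre-authentication (AS-REP roastable), one normal
    {"EventID": 4768, "Time": "2024-05-01T09:15:00", "TargetUserName": "legacy_app",
     "PreAuthType": NO_PREAUTH, "TicketEncryptionType": RC4_HMAC, "Status": 0x0, "IpAddress": "10.0.0.9"},
    {"EventID": 4768, "Time": "2024-05-01T09:15:30", "TargetUserName": "alice",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.0.5"},
]


def is_roastable_service(service_name):
    """Tickets worth cracking are for user accounts with SPNs (human-chosen
    passwords), not machine accounts (random long passwords) or krbtgt."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """One alert per requester that obtained successful RC4 service tickets for
    at least `min_services` distinct roastable services inside `window`."""
    requests = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["Status"] == 0
                and e["TicketEncryptionType"] == RC4_HMAC
                and is_roastable_service(e["ServiceName"])):
            requests[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["Time"]), e["ServiceName"], e["IpAddress"]))
    alerts = []
    for user, reqs in requests.items():
        reqs.sort()
        for i, (start, _, ip) in enumerate(reqs):
            services = {svc for t, svc, _ in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "start": start.isoformat(),
                               "services": sorted(services)})
                break   # one alert per requester is enough for triage
    return alerts


def detect_asrep_roasting(events):
    """TGTs issued without pre-authentication: the AS-REP is crackable offline."""
    return [{"user": e["TargetUserName"], "ip": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4768 and e["Status"] == 0
            and e.get("PreAuthType") == NO_PREAUTH]


if __name__ == "__main__":
    for a in detect_kerberoasting(EVENTS):
        print("Kerberoasting candidate:", a)
    for a in detect_asrep_roasting(EVENTS):
        print("AS-REP roasting candidate:", a)
```

The RC4 filter is what keeps this rule quiet: a DC that has AES enabled issues RC4 tickets only when the client asks for them, which is what Rubeus and similar tools do to obtain a cheaper hash to crack. Environments that still run RC4 by default will need the distinct-service threshold raised, and the 4768 check assumes pre-authentication is normally required for every account.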

Active Directory Object Access

Opening of an Active Directory object, typically to collect/read its value (ex: Windows EID 4661, a handle to an object was requested)

Domain ID Name
enterprise T1615 Group Policy Discovery
enterprise T1003 OS Credential Dumping
enterprise T1003.006 DCSync
enterprise T1033 System Owner/User Discovery
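DCSync (T1003.006) is the object-access case practitioners most often hunt for. The page cites EID 4661 (handle requested) for this component; the Metcalf DCSync reference in the list below keys on EID 4662, where a Control Access (0x100) operation on the domain naming context carries the replication extended-right GUIDs. The following detection over constructed 4662 records is an added example, not MITRE's code; the replication-right GUIDs are the well-known schema values, while the sample events and the allowlist of accounts permitted to replicate are assumptions.

```python
"""Flag DCSync-style replication requests in Windows EID 4662.  Added example
for the Active Directory Object Access data component; not MITRE's code."""
import re

# Extended rights that let a principal call DRSGetNCChanges (well-known GUIDs)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100                       # AccessMask bit for extended rights
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Assumption: only domain-controller machine accounts replicate here.  Real
# forests must also list Azure AD Connect and similar tools that replicate.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}

# Constructed sample records.  The real Properties field also carries resolved
# access-type tokens; only the brace-delimited GUIDs matter for this check.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectName": "DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectName": "DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary property read by the same user: placeholder GUID, no control access
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=local", "AccessMask": "0x20",
     "Properties": "{deadbeef-0000-0000-0000-000000000000}"},
]


def replication_rights(properties):
    """Return the subset of replication-right GUIDs present in a Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & set(REPLICATION_RIGHTS)


def detect_dcsync(events, allowlist=REPLICATION_ALLOWLIST):
    """Alert on control-access operations that exercise replication rights
    from any principal not expected to replicate."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or not int(e["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights(e["Properties"])
        if rights and e["SubjectUserName"] not in allowlist:
            alerts.append({"user": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
                           "object": e["ObjectName"],
                           "rights": sorted(REPLICATION_RIGHTS[g] for g in rights)})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(EVENTS):
        print("DCSync candidate:", a)
```

EID 4662 only fires if the domain object's SACL audits Control Access for the relevant principals and Directory Service Access auditing is enabled; without that, the replication request is invisible in the security log and only network telemetry (DRSUAPI from a non-DC host) remains.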

Active Directory Object Creation

Initial construction of a new Active Directory object (ex: Windows EID 5137, a directory service object was created)

Domain ID Name
enterprise T1098 Account Manipulation
enterprise T1098.005 Device Registration
enterprise T1484 Domain Policy Modification
enterprise T1484.001 Group Policy Modification
enterprise T1484.002 Domain Trust Modification
enterprise T1207 Rogue Domain Controller

Active Directory Object Deletion

Removal of an Active Directory object (ex: Windows EID 5141, a directory service object was deleted)

Domain ID Name
enterprise T1484 Domain Policy Modification
enterprise T1484.001 Group Policy Modification

Active Directory Object Modification

Changes made to an Active Directory object (ex: Windows EID 5136, a directory service object was modified, or 5163)

Domain ID Name
enterprise T1134 Access Token Manipulation
enterprise T1134.005 SID-History Injection
enterprise T1531 Account Access Removal
enterprise T1098 Account Manipulation
enterprise T1037 Boot or Logon Initialization Scripts
enterprise T1037.003 Network Logon Script
enterprise T1484 Domain Policy Modification
enterprise T1484.001 Group Policy Modification
enterprise T1484.002 Domain Trust Modification
enterprise T1222 File and Directory Permissions Modification
enterprise T1222.001 Windows File and Directory Permissions Modification
enterprise T1556 Modify Authentication Process
enterprise T1556.005 Reversible Encryption
enterprise T1556.006 Multi-Factor Authentication
enterprise T1207 Rogue Domain Controller
enterprise T1649 Steal or Forge Authentication Certificates
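The creation, deletion and modification components above share one record shape: a subject, an object DN and class, and (for 5136) the attribute and value that changed, with the old value logged as "Value Deleted" and the new one as "Value Added". The following rule set over constructed 5136/5137/5141 records maps those fields onto several techniques in the three tables (SID-History Injection, Account Manipulation, Network Logon Script, Reversible Encryption, Group Policy Modification, Rogue Domain Controller). It is an added example, not MITRE's code; the privileged-group list, the technique mapping and the sample records are assumptions to tune per forest.

```python
"""Map directory-change events (Windows EID 5136 modified, 5137 created,
5141 deleted) onto techniques listed under the Active Directory Object
Creation, Deletion and Modification data components.  Added example; not
MITRE's code.  Records are constructed with the real EventData field names."""

VALUE_ADDED = "%%14674"     # 5136 OperationType token rendered as "Value Added"
VALUE_DELETED = "%%14675"   # "Value Deleted" (old value is logged first)
UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x80   # userAccountControl: store password reversibly

PRIVILEGED_GROUPS = {"CN=Domain Admins", "CN=Enterprise Admins",
                     "CN=Schema Admins", "CN=Administrators"}   # assumption


def _mod(attr, value, dn, cls="user", who="helpdesk1", op=VALUE_ADDED):
    """Build a constructed 5136 record."""
    return {"EventID": 5136, "SubjectUserName": who, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}


USER_DN = "CN=jdoe,OU=Users,DC=corp,DC=local"
EVENTS = [  # constructed sample records
    _mod("sIDHistory", "S-1-5-21-111-222-333-512", USER_DN),
    _mod("member", USER_DN, "CN=Domain Admins,CN=Users,DC=corp,DC=local", cls="group"),
    _mod("scriptPath", r"\\fs01\netlogon\update.bat", USER_DN),
    # 66048 -> 66176 = 0x10280: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ENCRYPTED_TEXT_PWD_ALLOWED
    _mod("userAccountControl", "66048", USER_DN, op=VALUE_DELETED),
    _mod("userAccountControl", "66176", USER_DN),
    _mod("gPLink", "[LDAP://cn={0D4A9F1B-3C2E-4B5A-9C8D-7E6F5A4B3C2D},cn=policies,cn=system,DC=corp,DC=local;0]",
         "OU=Workstations,DC=corp,DC=local", cls="organizationalUnit"),
    _mod("description", "Moved to finance", USER_DN),   # benign: no rule fires
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "server",
     "ObjectDN": "CN=ROGUEDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 5141, "SubjectUserName": "jdoe", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"},
]


def triage(events):
    """Return (technique_id, description) pairs for records that match a rule."""
    findings = []
    for e in events:
        eid, dn, who = e["EventID"], e["ObjectDN"], e["SubjectUserName"]
        rdn = dn.split(",")[0]
        if eid == 5136 and e["OperationType"] == VALUE_ADDED:
            attr, value = e["AttributeLDAPDisplayName"], e["AttributeValue"]
            if attr == "sIDHistory":
                findings.append(("T1134.005", f"{who} added SID {value} to sIDHistory of {dn}"))
            elif attr == "member" and rdn in PRIVILEGED_GROUPS:
                findings.append(("T1098", f"{who} added {value} to {rdn}"))
            elif attr == "scriptPath":
                findings.append(("T1037.003", f"{who} set logon script {value} on {dn}"))
            elif attr == "userAccountControl" and int(value) & UF_ENCRYPTED_TEXT_PWD_ALLOWED:
                findings.append(("T1556.005", f"{who} enabled reversible encryption on {dn}"))
            elif attr == "gPLink":
                findings.append(("T1484.001", f"{who} changed GPO links on {dn}"))
        elif (eid == 5137 and e["ObjectClass"] in ("server", "nTDSDSA")
              and ",CN=Sites,CN=Configuration," in dn):
            findings.append(("T1207", f"{who} registered {rdn} as a replication server"))
        elif eid == 5141 and e["ObjectClass"] == "groupPolicyContainer":
            findings.append(("T1484.001", f"{who} deleted GPO {rdn}"))
    return findings


def techniques(events):
    """Just the technique IDs, in event order."""
    return [t for t, _ in triage(events)]


if __name__ == "__main__":
    for tid, text in triage(EVENTS):
        print(tid, text)
```

Two caveats apply. These events exist only where "Audit Directory Service Changes" is enabled and the object's SACL audits writes, so the Configuration naming context (where DCShadow registers its server and nTDSDSA objects) and the Policies container must be covered explicitly, not just user and group objects. The rules also key on Value Added; a DCShadow actor removes its server object again within seconds, so the matching 5141 for the same RDN is as interesting as the 5137.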

References

  1. Foulds, I. et al. (2018, August 7). AD DS Getting Started. Retrieved September 23, 2021.

  2. Delpy, B. & Le Toux, V. (n.d.). DCShadow. Retrieved March 20, 2018.

  3. Microsoft. (2020, September 16). Azure Active Directory security operations for devices. Retrieved February 21, 2023.

  4. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.

  5. Abolins, D., Boldea, C., Socha, K., & Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.

  6. Warren, J. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.

  7. Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.

  8. Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.

  9. Metcalf, S. (2015, September 19). Sneaky Active Directory Persistence #14: SID History. Retrieved November 30, 2017.

  10. Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November 30, 2017.

  11. Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018.

  12. Lucand, G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018.

  13. Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.

  14. Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.

  15. SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.

  16. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.

  17. Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.

  18. Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.