
Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a)

Creation of new objects in Active Directory, such as user accounts, groups, organizational units (OUs), or trust relationships. Each creation is logged on the domain controller that performed the write as Event ID 5137 ("A directory service object was created"). The event records the subject who created the object, the object's distinguished name (ObjectDN) and its LDAP class (ObjectClass), which is what lets a detection tell a new trust from a new user. Examples:

  • User Account Creation: new user object.
  • Group Creation: new security or distribution group object.
  • OU Creation: new organizationalUnit object.
  • Service Account Creation: new user or group managed service account object, created for automation or by an attacker as a persistent foothold.
  • Trust Object Creation: new trustedDomain object (under CN=System) representing a trust relationship with another domain or forest.

Data Collection Measures:

  • Audit Policy:
    • Enable "Audit Directory Service Changes" for Success (this subcategory generates no Failure events, so Failure auditing adds nothing). Apply the setting to domain controllers, e.g. through the Default Domain Controllers Policy; the subcategory only logs on DCs.
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit Directory Service Changes.
    • Key Event: Event ID 5137 (object creation). The same subcategory produces 5136 (modification), 5138 (undelete), 5139 (move) and 5141 (delete).
    • Caveat: events are written only for objects whose SACL (own or inherited) requests auditing of the operation. Verify end to end by creating a test object and confirming that 5137 appears; auditpol /get /subcategory:"Directory Service Changes" shows the effective setting on a DC.
  • Log Forwarding: Use Windows Event Forwarding (WEF) or the SIEM agent to collect the Security log from every domain controller, since each DC logs only the changes it processed, and forward it to the SIEM (e.g., Splunk).
  • Enable EDR Monitoring:
    • Track processes that create new accounts or modify AD objects.
    • Correlate object creation with suspicious commands (e.g., net user /add, New-ADUser). The 5137 Subject Logon ID matches the 4624 network logon on the DC, which gives the source workstation; from there, pivot to process creation (4688 or EDR telemetry) on that host.
Related clusters (MISP galaxy relationships; Level 1 is a direct link to this data component, Level 2 is one hop further):

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) | Attack Pattern | Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a) | mitre-data-component | 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) | Attack Pattern | Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a) | mitre-data-component | 1
Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215) | Attack Pattern | Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a) | mitre-data-component | 1
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) | Attack Pattern | Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a) | mitre-data-component | 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) | Attack Pattern | Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a) | mitre-data-component | 1
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) | Attack Pattern | Active Directory Object Creation (18b236d8-7224-488f-9d2f-50076a0f653a) | mitre-data-component | 1
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) | Attack Pattern | Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) | Attack Pattern | 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2
Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) | Attack Pattern | Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) | Attack Pattern | 2
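The following is an added example, not part of the MISP galaxy page or of MITRE's data component definition. It ties the collection guidance above to the technique table: it parses Event ID 5137 records in the Windows event XML format (the EventData field names are the real ones from the 5137 schema), then classifies each creation by ObjectClass. The mapping of trustedDomain to T1484.002, groupPolicyContainer to T1484.001, and nTDSDSA/server objects under CN=Sites,CN=Configuration (the objects a DCShadow-style DC registration writes) to T1207 is the editor's own triage rule, and the four event records are constructed sample data, not real logs. Domain, host and user names are made up.

```python
"""Triage Windows Event ID 5137 records by the class of the created object.

Added example (editor's code, not from the galaxy page). The sample events
below are constructed; field names follow the real 5137 EventData schema.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Windows event XML namespace (real, used by every exported Security event).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Editor's triage rule: object classes whose creation maps directly onto a
# technique from this data component's relationship table.
CLASS_TO_TECHNIQUE = {
    "trustedDomain": "T1484.002 Trust Modification",
    "groupPolicyContainer": "T1484.001 Group Policy Modification",
    "nTDSDSA": "T1207 Rogue Domain Controller",
    "server": "T1207 Rogue Domain Controller",  # only inside CN=Sites, see classify()
}
# New security principals: not a technique by themselves, but worth correlating
# with "net user /add" style activity on the source host.
PRINCIPAL_CLASSES = {"user", "computer", "group", "inetOrgPerson",
                     "msDS-GroupManagedServiceAccount"}


def parse_5137(xml_text: str) -> Dict[str, str]:
    """Pull the fields a detection needs out of one 5137 event XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "5137":
        raise ValueError(f"expected Event ID 5137, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "dc": root.findtext("e:System/e:Computer", namespaces=NS) or "",
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "logon_id": data.get("SubjectLogonId", ""),   # join key to 4624 on the same DC
        "object_dn": data.get("ObjectDN", ""),
        "object_class": data.get("ObjectClass", ""),
        "correlation_id": data.get("OpCorrelationID", ""),
    }


def classify(ev: Dict[str, str]) -> Dict[str, str]:
    """Attach a technique (or None) and a severity to a parsed 5137 event."""
    cls, dn = ev["object_class"], ev["object_dn"].lower()
    technique, severity = None, "info"
    if cls in CLASS_TO_TECHNIQUE:
        # A "server" object is a DC registration only under the Sites container;
        # elsewhere it is an ordinary object and is not escalated.
        if cls != "server" or "cn=sites,cn=configuration" in dn:
            technique, severity = CLASS_TO_TECHNIQUE[cls], "high"
    elif cls in PRINCIPAL_CLASSES:
        severity = "medium"
    return {**ev, "technique": technique, "severity": severity}


def triage(records: List[str]) -> List[Dict[str, str]]:
    """Parse and classify a batch of 5137 XML records."""
    return [classify(parse_5137(r)) for r in records]


def _sample(dc: str, user: str, domain: str, logon_id: str, dn: str, cls: str) -> str:
    """Build a constructed 5137 record with the real EventData field names."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>5137</EventID>
<Channel>Security</Channel><Computer>{dc}</Computer></System>
<EventData>
<Data Name="OpCorrelationID">{{11111111-2222-3333-4444-555555555555}}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-1-2-3-500</Data>
<Data Name="SubjectUserName">{user}</Data>
<Data Name="SubjectDomainName">{domain}</Data>
<Data Name="SubjectLogonId">{logon_id}</Data>
<Data Name="DSName">corp.example</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">{dn}</Data>
<Data Name="ObjectGUID">{{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}}</Data>
<Data Name="ObjectClass">{cls}</Data>
</EventData></Event>"""


# Constructed sample events: a routine user creation, a new trust, a DC
# registration object in the Sites container, and a new OU.
SAMPLE_EVENTS = [
    _sample("DC01.corp.example", "svc_hr", "CORP", "0x5a3f21",
            "CN=jdoe,OU=Staff,DC=corp,DC=example", "user"),
    _sample("DC01.corp.example", "Administrator", "CORP", "0x3e7",
            "CN=partner.example,CN=System,DC=corp,DC=example", "trustedDomain"),
    _sample("DC01.corp.example", "jdoe", "CORP", "0x7b2c10",
            "CN=NTDS Settings,CN=FAKEDC,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,DC=corp,DC=example", "nTDSDSA"),
    _sample("DC02.corp.example", "svc_hr", "CORP", "0x5a3f21",
            "OU=Contractors,DC=corp,DC=example", "organizationalUnit"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"[{r['severity']:6}] {r['dc']} {r['subject']} created {r['object_class']} "
              f"{r['object_dn']} -> {r['technique'] or 'no direct technique'}")
```

On a real DC the records can be exported with PowerShell, for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137} | ForEach-Object { $_.ToXml() }`, and fed to `triage()` one record per string. The `logon_id` field is kept because it is the join key to the 4624 network logon on that DC, which in turn carries the source workstation for the EDR correlation step above.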