medium advisory

Detecting Spikes in Active Directory Object Modifications

This detection identifies a spike in Active Directory group or object modifications, potentially indicating unauthorized access, defense impairment, or persistence establishment by threat actors.

This detection focuses on identifying unusual patterns of Active Directory (AD) object and group modifications, which can signify malicious activity. Attackers may modify AD objects to gain unauthorized access, impair defenses, or establish persistent footholds within the network. The detection leverages Windows Event Log Security events related to object modifications (Event Codes 4670, 4727, 4731, 4734, 4735, 4764). By monitoring these events and identifying statistically significant increases in modification activity for specific users, security teams can detect potential compromise early in the attack lifecycle. This analysis helps identify suspicious behavior within the AD environment, safeguarding its integrity and security.

Attack Chain

  1. Initial Compromise: An attacker gains initial access to a user account, possibly through phishing or credential theft.
  2. Privilege Escalation: The attacker attempts to elevate privileges using exploits or misconfigurations.
  3. Discovery: The attacker performs reconnaissance to identify valuable AD groups and objects.
  4. Object Modification: The attacker modifies group memberships to grant themselves access to sensitive resources. They could also modify object attributes to hide their activity or weaken security controls. Specific event codes triggered include 4670 (Permissions on an object were changed), 4727 (A security-enabled global group’s membership was changed), 4731 (A security-enabled local group’s membership was changed), 4734 (A security-enabled global group was modified), 4735 (A security-enabled local group was modified), and 4764 (A group’s type was changed).
  5. Lateral Movement: The attacker uses newly acquired privileges to move laterally within the network.
  6. Persistence: The attacker creates or modifies AD objects to maintain long-term access to the environment, such as adding themselves to highly privileged groups.
  7. Data Exfiltration / Ransomware Deployment: With elevated privileges and persistent access, the attacker exfiltrates sensitive data or deploys ransomware across the network.

Impact

Compromise of Active Directory can have severe consequences. Successful attacks can lead to widespread data breaches, system outages, and financial losses. The impact can range from unauthorized access to sensitive information to complete disruption of business operations. This detection helps to identify malicious activity early, reducing the potential for significant damage.

Recommendation

  • Deploy the provided Sigma rules to your SIEM to detect anomalous AD object modification activity and tune the threshold (objectCount > 10) for your environment.
  • Investigate any alerts generated by these rules by examining the source user (src_user) and the objects being modified.
  • Enable Windows Event Log Security auditing with the proper SACLs to capture the necessary Event Codes (4670, 4727, 4731, 4734, 4735, 4764) on critical AD objects.
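As an added example (not the advisory's own detection logic), the following Python aggregates the Event Codes listed above per src_user and hour and flags users that exceed the objectCount > 10 threshold; it also goes one step beyond the text by comparing each hour against the user's own baseline so that steadily busy accounts are not flagged. The field names (_time, EventCode, src_user), the hourly window, the 3-sigma baseline rule and the sample events are all assumptions constructed for this example.

```python
# Added example (not the advisory's own rule): aggregate the advisory's AD modification
# Event Codes per src_user and hour, then flag hours above the fixed objectCount threshold
# that also stand out against the user's own baseline. Field names (_time, EventCode,
# src_user), the hourly window and the 3-sigma baseline rule are assumptions; the sample
# events below are constructed, not real telemetry.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

AD_MOD_EVENT_IDS = {4670, 4727, 4731, 4734, 4735, 4764}  # Event Codes named in the advisory
OBJECT_COUNT_THRESHOLD = 10  # the advisory's objectCount > 10; tune per environment

def count_per_user_hour(events):
    """Count matching events per (src_user, hour); other Event Codes are ignored."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] in AD_MOD_EVENT_IDS:
            hour = datetime.fromisoformat(ev["_time"]).replace(minute=0, second=0, microsecond=0)
            counts[(ev["src_user"], hour)] += 1
    return counts

def find_spikes(events, threshold=OBJECT_COUNT_THRESHOLD, sigma=3.0):
    """Return {src_user: (hour, count)} for the latest hour in which a user's count exceeds
    `threshold` and is more than `sigma` standard deviations above that user's other
    hours. With fewer than two other hours of history the threshold alone decides."""
    per_user = defaultdict(dict)
    for (user, hour), n in count_per_user_hour(events).items():
        per_user[user][hour] = n
    spikes = {}
    for user, hours in per_user.items():
        for hour, n in sorted(hours.items()):
            if n <= threshold:
                continue
            baseline = [m for h, m in hours.items() if h != hour]
            if len(baseline) >= 2 and n <= mean(baseline) + sigma * max(pstdev(baseline), 1.0):
                continue  # busy but steady (e.g. a sync account): high volume, not a spike
            spikes[user] = (hour, n)
    return spikes

def _ev(user, code, when):
    return {"_time": when.isoformat(), "EventCode": code, "src_user": user}

T0 = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = []  # constructed: three quiet hours for admin_jdoe, then a 14-event hour
for h in range(4):
    SAMPLE_EVENTS += [_ev("admin_jdoe", 4670, T0 + timedelta(hours=h, minutes=m)) for m in range(2)]
    SAMPLE_EVENTS += [_ev("svc_sync", 4735, T0 + timedelta(hours=h, minutes=m)) for m in range(12)]
SAMPLE_EVENTS += [_ev("admin_jdoe", 4727, T0 + timedelta(hours=3, minutes=10 + m)) for m in range(12)]
SAMPLE_EVENTS += [_ev("helpdesk1", 4731, T0 + timedelta(minutes=m)) for m in range(3)]
SAMPLE_EVENTS += [_ev("admin_jdoe", 4624, T0 + timedelta(hours=3, minutes=30 + m)) for m in range(20)]  # logons, ignored
```

Running `find_spikes(SAMPLE_EVENTS)` flags only admin_jdoe for the 11:00 hour (14 modifications), while svc_sync, which modifies 12 objects every hour, stays below its own baseline and helpdesk1 never exceeds the threshold.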

Detection coverage (2 rules)

Suspicious Increase in AD Group or Object Modifications

medium

Detects an increase in AD group or object modifications based on Windows Event Logs. This could indicate potential unauthorized access attempts or persistence mechanisms.

Format: sigma | Tactics: defense_evasion, persistence | Techniques: T1098 | Sources: process_creation, windows

Windows Event ID 4670 Permissions Changed on Object

low

Detects Event ID 4670 showing an increase in access permissions that have been modified on objects.

Format: sigma | Tactics: defense_evasion, persistence | Techniques: T1098 | Sources: file_event, windows

Detection queries are kept inside the platform.