Active Directory

A critical improper authentication vulnerability, CVE-2026-45480, in Microsoft Azure Active Directory allows an unauthorized attacker to bypass authentication mechanisms and elevate privileges over a network, potentially leading to full administrative control of Azure AD and associated resources.

The analytic detects ACL deletion on the domain root object in Active Directory by monitoring Windows Event Log Security event ID 5136, identifying significant AD changes with potentially high impact.

This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.

This Splunk search detects when the owner of an Active Directory object is updated, potentially granting full control privileges and enabling object hiding, focusing on Windows Event Log ID 5136, and includes lookups for SID resolution.

This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.

Modification of Access Control Lists (ACLs) on the Active Directory domain root object can grant attackers persistent and escalated privileges.

This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

This correlation analytic identifies potential privilege escalation activities within an organization's Active Directory (AD) environment by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame, helping identify coordinated attempts to gain elevated privileges which could lead to unauthorized access to sensitive systems and data.

This correlation identifies potential lateral movement activities within an Active Directory environment by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame, potentially leading to privilege escalation, access to sensitive information, and persistence within the environment.

This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.

Detection of modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account (dMSA) by an unusual subject account, which attackers can abuse to inherit permissions and elevate privileges in Active Directory.

Modification of the dsHeuristics attribute to exclude groups from SDProp in Active Directory can allow attackers to maintain persistent access to privileged accounts.

Attackers can modify the msDS-AllowedToDelegateTo attribute to KRBTGT, enabling persistent domain access by requesting Kerberos tickets for the KRBTGT service.

Detects modifications to the AdminSDHolder object in Active Directory, which attackers can abuse via the SDProp process to implement a persistent backdoor by manipulating permissions on protected accounts and groups to regain administrative privileges.

Attackers can modify Active Directory object security descriptors to grant DCSync rights to unauthorized accounts, creating a backdoor to extract credential data.

An improper input validation vulnerability (CVE-2026-33826) in Windows Active Directory could allow an authenticated attacker on an adjacent network to execute code.

Detection of PowerShell scripts modifying the msDS-ManagedAccountPrecededByLink attribute, potentially indicating exploitation of the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.

Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.

Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.

Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.

Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.

Attackers can modify the msPKIAccountCredentials attribute in Active Directory user objects to abuse credential roaming, potentially overwriting files for privilege escalation, by injecting malicious credential objects.

Detection of a user account initiating the Active Directory replication process for the first time, potentially indicating a DCSync attack for credential theft and domain compromise.

Detection of the assignment of the SeEnableDelegationPrivilege user right to a principal can indicate potential Active Directory compromise and privilege elevation by attackers.

Detects modifications to a Windows computer account's User Account Control flags, specifically the `SERVER_TRUST_ACCOUNT` flag, potentially indicating unauthorized domain controller promotion or privilege escalation within Active Directory.

The threat brief details the detection of NetExec (formerly CrackMapExec), a post-exploitation tool used for Active Directory penetration testing and network enumeration, often employed by threat actors for lateral movement and credential harvesting.

This detection identifies a spike in Active Directory group or object modifications, potentially indicating unauthorized access, defense impairment, or persistence establishment by threat actors.

Detection of Active Directory Group Policy deletion using event ID 5136, indicating potential malicious activity or misconfiguration.

Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.

This rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.

The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.