{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1484/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["active-directory","persistence","privilege-escalation","windows","t1222.001","t1484"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying attempts to hide Active Directory objects by manipulating organizational unit (OU) permissions. Attackers may modify the Access Control Lists (ACLs) of OUs to deny listing the objects residing within them. This technique, often coupled with changes to the OU\u0026rsquo;s owner, effectively conceals AD objects from standard discovery methods, even for domain administrators. The detection leverages Windows Event Log Security event ID 5136 to monitor for these permission modifications on organizationalUnit objects. 
This is a post-exploitation technique used to maintain persistence or evade detection in a compromised Active Directory environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with sufficient privileges to modify Active Directory objects.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Organizational Unit (OU) to hide.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ACL of the target OU using tools like PowerShell or built-in Windows utilities.\u003c/li\u003e\n\u003cli\u003eThe modification involves adding an Access Control Entry (ACE) that denies \u0026ldquo;List contents\u0026rdquo; or \u0026ldquo;List objects\u0026rdquo; permissions to a specific user or group.\u003c/li\u003e\n\u003cli\u003eWindows Event Log Security generates event ID 5136 when the OU\u0026rsquo;s ACL is modified.\u003c/li\u003e\n\u003cli\u003eThe attacker may also change the owner of the OU to further obscure their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hidden OU to store malicious objects (e.g., user accounts, group policy objects) for persistence or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains a foothold in the Active Directory environment, evading standard enumeration techniques.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this technique allows attackers to maintain a persistent presence within the Active Directory environment, bypassing normal enumeration and auditing processes. This can lead to prolonged periods of undetected activity, enabling lateral movement, data exfiltration, or the deployment of ransomware. 
The hiding of OUs also complicates incident response efforts, potentially allowing the attackers to regain access after remediation attempts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Event Log Security, specifically event ID 5136, to capture Active Directory object modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect suspicious ACL modifications on Organizational Units (OUs).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of event ID 5136 where the OperationType indicates modifications to permissions (\u0026ldquo;%%14674\u0026rdquo;, \u0026ldquo;%%14675\u0026rdquo;) and the ObjectClass is organizationalUnit.\u003c/li\u003e\n\u003cli\u003eImplement regular reviews of Active Directory object permissions, focusing on OUs with restricted visibility, to uncover hidden objects.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional monitoring and alerting for changes to OU ownership.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:59:26Z","date_published":"2026-05-28T17:59:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windows-ad-hidden-ou/","summary":"This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.","title":"Windows AD Hidden Organizational Unit Creation","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-ad-hidden-ou/"}],"language":"en","title":"CraftedSignal Threat Feed — T1484","version":"https://jsonfeed.org/version/1.1"}