T1484 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/t1484/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 28 May 2026 17:59:26 +0000Windows AD Hidden Organizational Unit Creationhttps://feed.craftedsignal.io/briefs/2026-05-windows-ad-hidden-ou/Thu, 28 May 2026 17:59:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-windows-ad-hidden-ou/This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.This detection focuses on identifying attempts to hide Active Directory objects by manipulating organizational unit (OU) permissions. Attackers may modify the Access Control Lists (ACLs) of OUs to deny listing the objects residing within them. This technique, often coupled with changes to the OU’s owner, effectively conceals AD objects from standard discovery methods, even for domain administrators. The detection leverages Windows Event Log Security event ID 5136 to monitor for these permission modifications on organizationalUnit objects. This is a post-exploitation technique used to maintain persistence or evade detection in a compromised Active Directory environment.

Attack Chain

  1. An attacker gains initial access to a system with sufficient privileges to modify Active Directory objects.
  2. The attacker identifies a target Organizational Unit (OU) to hide.
  3. The attacker modifies the ACL of the target OU using tools like PowerShell or built-in Windows utilities.
  4. The modification involves adding an Access Control Entry (ACE) that denies “List contents” or “List objects” permissions to a specific user or group.
  5. Windows Event Log Security generates event ID 5136 when the OU’s ACL is modified.
  6. The attacker may also change the owner of the OU to further obscure their activity.
  7. The attacker leverages the hidden OU to store malicious objects (e.g., user accounts, group policy objects) for persistence or lateral movement.
  8. The attacker maintains a foothold in the Active Directory environment, evading standard enumeration techniques.

Impact

Successful execution of this technique allows attackers to maintain a persistent presence within the Active Directory environment, bypassing normal enumeration and auditing processes. This can lead to prolonged periods of undetected activity, enabling lateral movement, data exfiltration, or the deployment of ransomware. The hiding of OUs also complicates incident response efforts, potentially allowing the attackers to regain access after remediation attempts.

Recommendation

  • Enable and monitor Windows Event Log Security, specifically event ID 5136, to capture Active Directory object modifications.
  • Deploy the Sigma rules provided to detect suspicious ACL modifications on Organizational Units (OUs).
  • Investigate any instances of event ID 5136 where the OperationType indicates modifications to permissions ("%%14674", “%%14675”) and the ObjectClass is organizationalUnit.
  • Implement regular reviews of Active Directory object permissions, focusing on OUs with restricted visibility, to uncover hidden objects.
  • Consider implementing additional monitoring and alerting for changes to OU ownership.
]]>highadvisoryactive-directorypersistenceprivilege-escalationwindowst1222.001t1484