
5136 A directory service object was modified

Written when an Active Directory object's attributes are modified. It is a top-tier event for catching AD persistence and privilege-escalation tampering with GPOs, delegation settings, and AdminSDHolder.

Overview

Subcategory: Audit Directory Service Changes. The event is generated when an AD object's attributes are modified, and its strength is that it records the before/after values (Old Value / New Value) together with the operation type. It is only generated when change auditing is set in the target object's SACL, and it is recorded on domain controllers.

How it is triggered

  • When an AD object’s (user, computer, GPO, OU, group, etc.) attributes are added, changed, or deleted.
  • Because the before and after values are retained, you can read directly from the log what changed and how.

Security review points

Many attacks against AD leave traces in this event.

  • GPO tampering: changes to a Group Policy container / gPCFileSysPath are a technique to distribute malicious scripts and settings to subordinate machines. Confirm changes to GPO objects at top priority.
  • AdminSDHolder ACL change: a change to the nTSecurityDescriptor of the AdminSDHolder object is persistence that propagates to all privileged accounts (see 4780).
  • Delegation settings: changes to msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) or servicePrincipalName are preparation for impersonation or Kerberoasting.
  • Also notable: dNSHostName spoofing (noPac), dangerous changes to userAccountControl flags, and rewriting scriptPath (logon script).
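The review points above come down to reading 5136 for a short list of sensitive attributes and looking at the old and new values side by side. The following PowerShell script is an added example (not code from the original page) that does exactly that against a domain controller's Security log. It assumes it is run on a DC (or against one via -ComputerName) with permission to read the Security log; the attribute watch-list is this example's own choice and should be tuned to the environment. Note that a single attribute modification is logged as two 5136 events, one with OperationType "Value Deleted" (the old value) and one with "Value Added" (the new value), sharing the same OpCorrelationID, so the script folds each pair into one row.

```powershell
# Added example: pull 5136 events, keep changes to watched attributes, and pair the
# Value Deleted / Value Added halves of each modification into one old/new row.
# Assumptions: run on a DC with Security log read rights; watch-list is illustrative.

$WatchedAttributes = @(
    'gPCFileSysPath', 'gPCMachineExtensionNames', 'gPCUserExtensionNames',  # GPO tampering
    'nTSecurityDescriptor',                                                 # ACL changes (AdminSDHolder etc.)
    'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName',     # RBCD / SPN changes
    'dNSHostName', 'userAccountControl', 'scriptPath'                       # noPac, UAC flags, logon script
)

# OperationType codes exactly as they appear in the event XML
$OpValueAdded   = '%%14674'
$OpValueDeleted = '%%14675'

function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $attr = Get-EventDataValue $x 'AttributeLDAPDisplayName'
    if ($WatchedAttributes -notcontains $attr) { continue }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        CorrelationId = Get-EventDataValue $x 'OpCorrelationID'
        Subject       = (Get-EventDataValue $x 'SubjectDomainName') + '\' + (Get-EventDataValue $x 'SubjectUserName')
        ObjectDN      = Get-EventDataValue $x 'ObjectDN'
        ObjectClass   = Get-EventDataValue $x 'ObjectClass'
        Attribute     = $attr
        Operation     = Get-EventDataValue $x 'OperationType'
        Value         = Get-EventDataValue $x 'AttributeValue'
    }
}

# Fold the Value Deleted (old) and Value Added (new) events of one modification into a single row
$changes = $records | Group-Object CorrelationId, ObjectDN, Attribute | ForEach-Object {
    $first = $_.Group | Sort-Object Time | Select-Object -First 1
    [pscustomobject]@{
        Time        = $first.Time
        Subject     = $first.Subject
        ObjectDN    = $first.ObjectDN
        ObjectClass = $first.ObjectClass
        Attribute   = $first.Attribute
        OldValue    = ($_.Group | Where-Object Operation -eq $OpValueDeleted | Select-Object -First 1).Value
        NewValue    = ($_.Group | Where-Object Operation -eq $OpValueAdded   | Select-Object -First 1).Value
    }
}

$changes | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A row whose OldValue is empty is a pure addition (for example a new servicePrincipalName value); an empty NewValue is a pure removal. The Subject column is the place to apply the "does this account normally manage this object" test.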

Notes for log review

  • It is generated in volume even during legitimate administration. Narrow the review to monitored attributes (GPO-related, security descriptor, delegation, SPN, UAC flags, etc.) and evaluate each change by its before/after values.
  • It is not recorded unless a SACL is set on the important attributes. The prerequisite is enabling change auditing for sensitive objects/attributes as part of the AD audit design.
  • Treat the change as highly suspicious when the modifying subject (Subject) is an account that does not normally manage that object.
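Because the event only exists where a SACL asks for it, the audit design step is worth showing concretely. The following PowerShell is an added example (not from the original page) that turns on the subcategory and adds Success audit entries to the SACL of the domain naming context, inherited by every object beneath it: a WriteProperty audit scoped to each selected attribute's schemaIDGUID, plus WriteDacl/WriteOwner audits so security descriptor (ACL) changes such as AdminSDHolder are caught. It assumes it is run as a Domain Admin on a DC with the ActiveDirectory module available; the attribute list is this example's own choice.

```powershell
# Added example: enable Directory Service Changes auditing and set attribute-scoped
# Success audit ACEs on the domain root SACL so 5136 is generated for sensitive changes.
# Assumptions: Domain Admin on a DC, ActiveDirectory module present; attribute list illustrative.

Import-Module ActiveDirectory

# 1. The subcategory must be enabled, otherwise no SACL produces 5136 at all
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # audit changes by anyone

# -Audit is required to read (and later write back) the SACL part of the descriptor
$acl = Get-Acl -Path "AD:\$domainDN" -Audit

$AttributesToAudit = @('gPCFileSysPath', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
    'servicePrincipalName', 'dNSHostName', 'userAccountControl', 'scriptPath')

foreach ($name in $AttributesToAudit) {
    # 2. Resolve the attribute's schemaIDGUID so the audit ACE covers only that attribute
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $schemaObj) { Write-Warning "attribute $name not found in schema"; continue }
    $attrGuid = [guid]$schemaObj.schemaIDGUID

    # 3. Success audit on WriteProperty for this attribute, inherited by all child objects
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
}

# 4. ACL (nTSecurityDescriptor) changes are WriteDacl / WriteOwner operations, not a
#    property write, so they get their own unscoped audit entry
$aclRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    ([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner),
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($aclRule)

Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 5. Check: list the audit entries now present on the domain root
(Get-Acl -Path "AD:\$domainDN" -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType, InheritanceType -AutoSize
```

Scoping each ACE to a schemaIDGUID rather than auditing all property writes keeps 5136 volume manageable; inheriting from the domain root means newly created users, computers and GPOs are covered without further work. After applying it, make a harmless change to a test object's scriptPath and confirm the Value Deleted / Value Added pair of 5136 events appears.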

Key fields

Field | Meaning
Object DN / Class | The changed object and its class
Attribute | The changed attribute name
Old Value / New Value | The values before and after the change
Subject\Account Name | The subject that made the change

References