5138 A directory service object was undeleted
Logged when a deleted Active Directory object is undeleted. It captures object revival from the AD Recycle Bin or a similar mechanism.
Overview
This event belongs to the Audit Directory Service Changes subcategory. It is generated when a deleted AD object is restored, which indicates a revival operation through the AD Recycle Bin feature or a similar mechanism.
How it is triggered
- Restoring a deleted object via the AD Recycle Bin or a tool.
Security review points
- An attacker may revive a previously disabled/deleted privileged account or object to abuse it. Check the restored object (especially privileged accounts) and the restoring subject.
- Pair this event with the deletion event 5141 to track the delete-then-restore flow. Investigate unexpected restores.
Notes for log review
- This is a rare operation. If the restored target is an important object (such as a privileged account), review it at high priority.
- Use the target and the subject to distinguish legitimate recovery of an accidental deletion from an illicit revival.
Key fields
| Field | Meaning |
|---|---|
| Object DN / Class | The restored object |
| Subject\Account Name | The subject that performed the restore |
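
The review points above (pair 5138 with 5141, then judge by target and subject) can be expressed as a small triage routine. This is an added example, not part of the original page; the record keys, the GUID-based pairing, the sample events and both watchlists are constructed assumptions.

```python
from datetime import datetime

# Constructed, pre-normalized records; key names are assumptions for this
# example, not the raw Windows event schema.
EVENTS = [
    {"id": 5141, "time": "2024-02-10T02:00:00", "guid": "g-2",
     "dn": "CN=old-admin,OU=Admins,DC=example,DC=test", "subject": "EXAMPLE\\dadmin"},
    {"id": 5141, "time": "2024-03-01T09:00:00", "guid": "g-1",
     "dn": "CN=svc-backup,OU=Service,DC=example,DC=test", "subject": "EXAMPLE\\helpdesk1"},
    {"id": 5138, "time": "2024-03-01T09:20:00", "guid": "g-1",
     "dn": "CN=svc-backup,OU=Service,DC=example,DC=test", "subject": "EXAMPLE\\helpdesk1"},
    {"id": 5138, "time": "2024-03-02T03:15:00", "guid": "g-2",
     "dn": "CN=old-admin,OU=Admins,DC=example,DC=test", "subject": "EXAMPLE\\jdoe"},
    {"id": 5138, "time": "2024-03-03T11:00:00", "guid": "g-3",
     "dn": "CN=printers,OU=Groups,DC=example,DC=test", "subject": "EXAMPLE\\dadmin"},
]
# Assumed local watchlists (lower-cased): important objects and the accounts
# that are expected to perform restores.
PRIVILEGED_DNS = {"cn=old-admin,ou=admins,dc=example,dc=test"}
EXPECTED_RESTORERS = {"example\\helpdesk1", "example\\dadmin"}


def triage_restores(events, privileged=PRIVILEGED_DNS, restorers=EXPECTED_RESTORERS):
    """Pair each 5138 with the latest earlier 5141 for the same object and rate it."""
    last_delete = {}  # object GUID -> most recent 5141 record
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["id"] == 5141:
            last_delete[ev["guid"]] = ev
        elif ev["id"] == 5138:
            deleted = last_delete.pop(ev["guid"], None)
            reasons = []
            if ev["dn"].lower() in privileged:
                reasons.append("privileged target")
            if ev["subject"].lower() not in restorers:
                reasons.append("unexpected subject")
            if deleted is None:
                reasons.append("no matching 5141")
            # Target or subject concerns outrank a merely unpaired restore.
            flagged = [r for r in reasons if r != "no matching 5141"]
            priority = "high" if flagged else ("review" if reasons else "low")
            findings.append({"dn": ev["dn"], "restored_by": ev["subject"],
                             "deleted_by": deleted["subject"] if deleted else None,
                             "reasons": reasons, "priority": priority})
    return findings
```

A restore with no matching 5141 usually means the deletion fell outside the collected log window, so it is rated for review rather than treated as benign.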