Active Directory

A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (users, groups, applications, or devices)[1]

ID: DS0026
Platforms: Azure AD, Windows
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Active Directory: Active Directory Credential Request

A user requested Active Directory credentials, such as a ticket or token (e.g. Windows EID 4769)

Domain      ID         Name
Enterprise  T1558      Steal or Forge Kerberos Tickets
Enterprise  T1558.001  Golden Ticket
Enterprise  T1558.003  Kerberoasting
Enterprise  T1558.004  AS-REP Roasting
Enterprise  T1550      Use Alternate Authentication Material
Enterprise  T1550.002  Pass the Hash
Enterprise  T1550.003  Pass the Ticket
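The Kerberoasting row above is the clearest case of what this data component gives a defender: a service ticket request (EID 4769) carries the requested encryption type and the target SPN, so a burst of RC4 (0x17) tickets for non-machine service accounts from one principal is the signal to alert on. The following detection logic is an added example, not code from the ATT&CK page or from MITRE; the events are constructed, their field names are assumed to mirror the EventData of a real 4769 record, and the burst threshold and time window are tunable assumptions.

```python
"""Kerberoasting detection over Windows EID 4769 (Kerberos service ticket requested).

Added example, not code from the ATT&CK page. The events are constructed:
field names follow the EventData of a real 4769 record (assumption), while
users, SPNs, timestamps and addresses are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the type roasting tools ask for


def _ev(ts, user, svc, etype, status, ip):
    """Build one constructed 4769 event with the fields the detector reads."""
    return {"TimeCreated": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status,
            "IpAddress": ip}


# Constructed sample log (not real telemetry).
SAMPLE_4769 = [
    # Ordinary AES tickets for krbtgt and a workstation account: benign.
    _ev("2021-11-10T09:00:01", "alice@CORP.LOCAL", "krbtgt", "0x12", "0x0", "10.0.0.5"),
    _ev("2021-11-10T09:00:02", "alice@CORP.LOCAL", "WS01$", "0x12", "0x0", "10.0.0.5"),
    # One host pulling RC4 tickets for several service accounts within seconds.
    _ev("2021-11-10T09:05:10", "bob@CORP.LOCAL", "svc_sql", RC4_HMAC, "0x0", "10.0.0.77"),
    _ev("2021-11-10T09:05:11", "bob@CORP.LOCAL", "svc_web", RC4_HMAC, "0x0", "10.0.0.77"),
    _ev("2021-11-10T09:05:12", "bob@CORP.LOCAL", "svc_backup", RC4_HMAC, "0x0", "10.0.0.77"),
    # Failed request (non-zero Status): no ticket was issued, nothing to crack.
    _ev("2021-11-10T09:05:13", "bob@CORP.LOCAL", "svc_old", RC4_HMAC, "0x1b", "10.0.0.77"),
    # A lone RC4 ticket from another host hours later: below the burst threshold.
    _ev("2021-11-10T14:30:00", "carol@CORP.LOCAL", "svc_legacy", RC4_HMAC, "0x0", "10.0.0.9"),
]


def is_roastable_request(ev):
    """True for a successful RC4 TGS request against a user (non-machine) SPN.

    krbtgt and machine accounts (trailing '$') are excluded: their keys are
    long random values, so their tickets are not worth offline cracking.
    """
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Group roastable requests by (requesting user, source IP) and flag any
    source that requested `threshold` or more distinct tickets inside `window`.

    Returns {(user, ip): sorted list of SPNs in the offending burst}.
    """
    by_source = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    hits = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            # Extend a window starting at event i as far as it reaches.
            j = i
            while j < len(evs) and evs[j]["TimeCreated"] - first["TimeCreated"] <= window:
                j += 1
            if j - i >= threshold:
                hits[src] = sorted({e["ServiceName"] for e in evs[i:j]})
                break
    return hits


if __name__ == "__main__":
    for (user, ip), spns in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(spns)}")
```

Two caveats when turning this into a production rule. First, a domain whose service accounts still only support RC4 will generate legitimate 0x17 tickets, so the burst logic (many distinct SPNs in a short window) matters more than the encryption type alone; conversely, an attacker can request AES tickets and crack them more slowly, so an unusually broad set of SPNs requested by one user is still worth flagging. Second, the AS-REP Roasting row in the table is not a 4769 case at all: it produces EID 4768 (TGT request) with Pre-Authentication Type 0, and needs its own rule.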

Active Directory: Active Directory Object Access

Opening of an Active Directory object, typically to collect/read its value (e.g. Windows EID 4661)

Domain      ID         Name
Enterprise  T1615      Group Policy Discovery
Enterprise  T1003      OS Credential Dumping
Enterprise  T1003.006  DCSync
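For the DCSync row, the object access that matters is an attacker exercising the directory replication extended rights on the domain object. That surfaces as EID 4662 (an operation was performed on a directory service object) whose Properties field lists the replication control-access GUIDs. The detector below is an added example, not code from the ATT&CK page or from MITRE; the events are constructed, their fields are assumed to mirror the EventData of a real 4662 record, and the machine-account and allowlist filters are assumptions an analyst would replace with the real list of domain controllers and sync accounts.

```python
"""DCSync detection over Windows EID 4662 (operation performed on a directory object).

Added example, not code from the ATT&CK page. Events are constructed: field
names follow the EventData of a real 4662 record (assumption), account names
are made up.
"""
import re

# Extended-right GUIDs that appear in the 4662 "Properties" field when a caller
# uses directory replication rights (the rights DCSync needs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for "control access" (an extended right)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def _ev(user, access_mask, properties):
    """Build one constructed 4662 event; ObjectType is the domainDNS class GUID."""
    return {"SubjectUserName": user, "SubjectDomainName": "CORP",
            "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
            "AccessMask": access_mask, "Properties": properties}


# Constructed sample log (not real telemetry). "%%7688" is the resource string
# Windows logs for "Control Access" ahead of the right GUIDs.
SAMPLE_4662 = [
    # DC-to-DC replication by a domain controller's machine account: expected.
    _ev("DC02$", "0x100",
        "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Property read with an unrelated schema GUID: no replication right involved.
    _ev("alice", "0x10", "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"),
    # A plain user account exercising replication rights: DCSync indicator.
    _ev("mallory", "0x100",
        "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # A directory sync service account that legitimately replicates (allowlist it).
    _ev("MSOL_sync", "0x100",
        "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
        "{89e95b76-444d-4c62-991a-0facbeda640c}"),
]


def replication_rights_used(ev):
    """Sorted names of replication extended rights referenced by one 4662 event."""
    if int(ev["AccessMask"], 16) & CONTROL_ACCESS == 0:
        return []
    return sorted({REPLICATION_RIGHTS[g.lower()]
                   for g in GUID_RE.findall(ev["Properties"])
                   if g.lower() in REPLICATION_RIGHTS})


def find_dcsync(events, allowlist=frozenset()):
    """Return [(account, rights)] for callers that used replication rights and are
    neither machine accounts (trailing '$') nor on the analyst's allowlist."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for ev in events:
        user = ev["SubjectUserName"]
        if user.endswith("$") or user.lower() in allowed:
            continue
        rights = replication_rights_used(ev)
        if rights:
            hits.append((user, rights))
    return hits


if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_4662, allowlist={"MSOL_sync"}):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

The trailing-`$` check is a stand-in for a real list of domain controller accounts: an attacker who has taken over a DC's machine account will look like normal replication under this rule, and a non-DC server's machine account would be wrongly excluded, so compare SubjectUserName against the actual DC set rather than the suffix. Note also that 4662 is only emitted when a SACL on the domain object audits control-access operations, so the audit policy has to be in place before this rule can fire.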

Active Directory: Active Directory Object Creation

Initial construction of a new Active Directory object (e.g. Windows EID 5137)

Domain      ID         Name
Enterprise  T1484      Domain Policy Modification
Enterprise  T1484.001  Group Policy Modification
Enterprise  T1484.002  Domain Trust Modification
Enterprise  T1207      Rogue Domain Controller

Active Directory: Active Directory Object Deletion

Removal of an Active Directory object (e.g. Windows EID 5141)

Domain      ID         Name
Enterprise  T1484      Domain Policy Modification
Enterprise  T1484.001  Group Policy Modification

Active Directory: Active Directory Object Modification

Changes made to an Active Directory object (e.g. Windows EID 5163 or 5136)

Domain      ID         Name
Enterprise  T1134      Access Token Manipulation
Enterprise  T1134.005  SID-History Injection
Enterprise  T1531      Account Access Removal
Enterprise  T1098      Account Manipulation
Enterprise  T1098.001  Additional Cloud Credentials
Enterprise  T1037      Boot or Logon Initialization Scripts
Enterprise  T1037.003  Network Logon Script
Enterprise  T1484      Domain Policy Modification
Enterprise  T1484.001  Group Policy Modification
Enterprise  T1484.002  Domain Trust Modification
Enterprise  T1222      File and Directory Permissions Modification
Enterprise  T1222.001  Windows File and Directory Permissions Modification
Enterprise  T1207      Rogue Domain Controller

References