Name:Windows AD Suspicious Attribute Modification id:5682052e-ce55-4f9f-8d28-59191420b7e0 version:8 date:2026-03-10 author:Dean Luxton status:production type:TTP Description:This detection monitors changes to the following Active Directory attributes: "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-KeyCredentialLink", "scriptPath", and "msTSInitialProgram". Modifications to these attributes can indicate potential malicious activity or privilege escalation attempts. Immediate investigation is recommended upon alert. Data_source:
-Windows Event Log Security 5136
search:`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName IN ("msDS-AllowedToDelegateTo","msDS-AllowedToActOnBehalfOfOtherIdentity","scriptPath","msTSInitialProgram") OperationType=%%14674 ```Changes to the attribute "msDS-KeyCredentialLink" are also worth moniroting, however tuning will need to be applied```
| stats min(eventTime) as _time values(initiator) as src_user, values(DSName) as targetDomain, values(ObjectDN) as ObjectDN, values(ObjectClass) as ObjectClass, values(src_category) as src_category, values(src_ip) as src_ip values(LogonType) as LogonType values(AttributeValue) as AttributeValue values(AttributeLDAPDisplayName) as AttributeLDAPDisplayName BY TargetLogonId
how_to_implement:Ensure you are ingesting Active Directory audit logs - specifically event 5136. See lantern article in references for further on how to onboard AD audit data. Ensure the wineventlog_security macro is configured with the correct indexes. known_false_positives:If key credentials are regularly assigned to users, these events will need to be tuned out. References: -https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a -https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory drilldown_searches: name:'View the detection results for - "$src_user$" and "$dest$"' search:'%original_detection_search% | search src_user = "$src_user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint mitre_attack_id: - 'T1222.001' - 'T1550' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
