Data Source: Windows Event Log Security 5136

Description

Logs modifications made to an Active Directory object, including details about the object name, type, and the changes applied.

Details

Property     Value
Source       XmlWinEventLog:Security
Sourcetype   XmlWinEventLog
Separator    EventCode
Name | Technique | Type
Windows AD AdminSDHolder ACL Modified | Event Triggered Execution | TTP
Windows AD Dangerous Deny ACL Modification | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD Dangerous Group ACL Modification | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD Dangerous User ACL Modification | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD DCShadow Privileges ACL Addition | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP
Windows AD Domain Replication ACL Addition | Domain or Tenant Policy Modification | TTP
Windows AD Domain Root ACL Deletion | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD Domain Root ACL Modification | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD GPO Deleted | Disable or Modify Tools, Group Policy Modification | TTP
Windows AD GPO Disabled | Disable or Modify Tools, Group Policy Modification | TTP
Windows AD GPO New CSE Addition | Windows File and Directory Permissions Modification, Group Policy Modification | TTP
Windows AD Hidden OU Creation | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD Object Owner Updated | Windows File and Directory Permissions Modification, Domain or Tenant Policy Modification | TTP
Windows AD Self DACL Assignment | Domain or Tenant Policy Modification, Account Manipulation | TTP
Windows AD ServicePrincipalName Added To Domain Account | Account Manipulation | TTP
Windows AD Short Lived Domain Account ServicePrincipalName | Account Manipulation | TTP
Windows AD Short Lived Domain Controller SPN Attribute | Rogue Domain Controller | TTP
Windows AD SID History Attribute Modified | SID-History Injection | TTP
Windows AD Suspicious Attribute Modification | Windows File and Directory Permissions Modification, Use Alternate Authentication Material | TTP
Windows Default Group Policy Object Modified | Group Policy Modification | TTP
Windows Group Policy Object Created | Domain Accounts, Group Policy Modification | TTP
Windows Kerberos Coercion via DNS | DNS, LLMNR/NBT-NS Poisoning and SMB Relay, Forced Authentication | TTP
Windows Short Lived DNS Record | DNS, LLMNR/NBT-NS Poisoning and SMB Relay, Forced Authentication | TTP

Supported Apps

Event Fields

  • _time
  • ActivityID
  • AppCorrelationID
  • AttributeLDAPDisplayName
  • AttributeSyntaxOID
  • AttributeValue
  • Caller_Domain
  • Caller_User_Name
  • Channel
  • Computer
  • DSName
  • DSType
  • Error_Code
  • EventCode
  • EventData_Xml
  • EventID
  • EventRecordID
  • Guid
  • Keywords
  • Level
  • Logon_ID
  • Name
  • ObjectClass
  • ObjectDN
  • ObjectGUID
  • OpCorrelationID
  • Opcode
  • OperationType
  • ProcessID
  • RecordNumber
  • SubjectDomainName
  • SubjectLogonId
  • SubjectUserName
  • SubjectUserSid
  • SystemTime
  • System_Props_Xml
  • Task
  • ThreadID
  • Version
  • action
  • app
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc
  • dvc_nt_host
  • event_id
  • eventtype
  • host
  • id
  • index
  • linecount
  • name
  • product
  • punct
  • session_id
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • src_nt_domain
  • src_user
  • status
  • subject
  • ta_windows_action
  • tag
  • tag::action
  • tag::eventtype
  • timeendpos
  • timestartpos
  • vendor
  • vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
    <EventID>5136</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2022-11-17T20:51:01.321860300Z'/>
    <EventRecordID>1997365</EventRecordID>
    <Correlation ActivityID='{F8EE8E31-F924-0000-3E8E-EEF824F9D801}'/>
    <Execution ProcessID='652' ThreadID='5112'/>
    <Channel>Security</Channel>
    <Computer>win-dc-mvelazco-02713-392.attackrange.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='OpCorrelationID'>{73C96723-504B-4F15-830A-F4DDB1C48F2E}</Data>
    <Data Name='AppCorrelationID'>-</Data>
    <Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data>
    <Data Name='SubjectUserName'>Administrator</Data>
    <Data Name='SubjectDomainName'>ATTACKRANGE</Data>
    <Data Name='SubjectLogonId'>0x95675</Data>
    <Data Name='DSName'>attackrange.local</Data>
    <Data Name='DSType'>%%14676</Data>
    <Data Name='ObjectDN'>CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local</Data>
    <Data Name='ObjectGUID'>{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}</Data>
    <Data Name='ObjectClass'>user</Data>
    <Data Name='AttributeLDAPDisplayName'>servicePrincipalName</Data>
    <Data Name='AttributeSyntaxOID'>2.5.5.12</Data>
    <Data Name='AttributeValue'>adm/srv1.attackrange.local</Data>
    <Data Name='OperationType'>%%14674</Data>
  </EventData>
</Event>
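The example event above, parsed into the fields the listed detections key on, as an added example that is not code from this page or from the Splunk project. The OperationType and DSType code translations are Microsoft's documented message-resource values; the triage keys at the end are illustrative assumptions drawn from two detection titles above, not Splunk's own SPL.

```python
# Added example, not the Splunk data source page's own code: parse one Security
# 5136 event in XmlWinEventLog form into the fields the detections above use.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Message-resource codes Event 5136 uses; translated so rules match readable values.
OPERATION_TYPE = {"%%14674": "Value Added", "%%14675": "Value Deleted"}
DS_TYPE = {"%%14676": "Active Directory Domain Services", "%%14677": "Active Directory Lightweight Directory Services"}

# The page's example log, cut down to the elements this parser reads.
SAMPLE_5136 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>5136</EventID>"
    "<TimeCreated SystemTime='2022-11-17T20:51:01.321860300Z'/>"
    "<Computer>win-dc-mvelazco-02713-392.attackrange.local</Computer></System>"
    "<EventData><Data Name='SubjectUserName'>Administrator</Data>"
    "<Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='DSType'>%%14676</Data>"
    "<Data Name='ObjectDN'>CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,"
    "DC=attackrange,DC=local</Data><Data Name='ObjectClass'>user</Data>"
    "<Data Name='AttributeLDAPDisplayName'>servicePrincipalName</Data>"
    "<Data Name='AttributeValue'>adm/srv1.attackrange.local</Data>"
    "<Data Name='OperationType'>%%14674</Data></EventData></Event>"
)

def parse_5136(xml_text):
    """Flatten the System and EventData parts of a 5136 event into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if event_id != 5136:
        raise ValueError(f"not a 5136 event: EventID={event_id}")
    ev = {"EventCode": event_id,
          "Computer": system.findtext("e:Computer", namespaces=NS),
          "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime")}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    ev["OperationType"] = OPERATION_TYPE.get(ev.get("OperationType"), ev.get("OperationType"))
    ev["DSType"] = DS_TYPE.get(ev.get("DSType"), ev.get("DSType"))
    return ev

# Illustrative triage keys (attribute, object class, operation). These mirror
# the titles of two detections above; they are assumptions, not Splunk's SPL.
WATCHED = {
    ("servicePrincipalName", "user", "Value Added"): "ServicePrincipalName Added To Domain Account",
    ("sIDHistory", "user", "Value Added"): "SID History Attribute Modified",
}

def triage(ev):
    # Return the name of the detection this event corresponds to, or None.
    return WATCHED.get((ev.get("AttributeLDAPDisplayName"), ev.get("ObjectClass"), ev.get("OperationType")))
```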

Required Output Fields

  • dest

Source: GitHub | Version: 3