This note documents detection patterns for GenericAll abuse in Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | GenericAll allows full control over an AD object. Look for attribute modifications such as member, servicePrincipalName, or userAccountControl. |
| Security | 4728 | Member added to security-enabled global group | Critical | Attacker may add themselves to privileged groups like Domain Admins. |
| Security | 4732 | Member added to security-enabled local group | High | Used for privilege escalation through local group membership. |
| Security | 4742 | Computer account changed | High | Attackers may modify computer objects for delegation abuse. |
| Security | 4724 | Password reset attempt | High | GenericAll allows password reset for user objects. |
| Sysmon | 1 | Process creation | Medium | Execution of tools such as PowerView, BloodHound, or Impacket performing AD modifications. |
| Sysmon | 3 | Network connection | Medium | Connections to domain controllers performing LDAP modifications. |
| Security | 4738 | A user account was changed | High | Primary indicator of user account changes. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unexpected privilege escalation | Account added to administrative group unexpectedly | Critical | Classic outcome of GenericAll abuse. |
| Attribute modification on sensitive objects | Changes to admin accounts, service accounts, or DC objects | High | Indicates potential takeover attempt. |
| Password reset events without helpdesk activity | Unexpected password reset on privileged account | Critical | GenericAll allows resetting passwords directly. |
| Delegation changes on computer objects | Modification of SPNs or delegation attributes | High | May lead to Kerberos abuse attacks. |
| Multiple AD object modifications in short time | Rapid changes across directory objects | Medium | Indicates attacker performing privilege escalation chain. |
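The following is an added example, not part of the original note, that turns the direct and indirect indicators in the two tables above into triage logic and runs it over constructed Security event records. Field names follow the real event schemas (5136 carries `AttributeLDAPDisplayName` and `ObjectDN`; 4728/4732 carry `TargetUserName` for the group and `MemberName` for the added account; 4724 carries `TargetUserName` for the reset account). Note that 5136 is only written when Directory Service Changes auditing is enabled and the object has a SACL. The privileged-group list, the helpdesk account, the burst thresholds and the two delegation attribute names added to the sensitive list are assumptions for this example.

```python
# Added example (not from the original note): triage logic for the direct and
# indirect GenericAll indicators, run over constructed Security event records.
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes from the table above plus the two Kerberos delegation attributes.
SENSITIVE_ATTRIBUTES = {
    "member", "servicePrincipalName", "userAccountControl",
    "msDS-AllowedToDelegateTo", "msDS-AllowedToActOnBehalfOfOtherIdentity",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
HELPDESK_ACCOUNTS = {"svc-helpdesk"}                    # constructed: routine reset accounts
BURST_COUNT, BURST_WINDOW = 4, timedelta(seconds=60)    # constructed thresholds


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def analyze(events):
    """Return a list of (severity, rule, detail) findings for a list of event dicts."""
    findings = []
    changes_by_subject = defaultdict(list)      # 5136 timestamps per acting account
    for e in events:
        subj, eid = e["SubjectUserName"], e["EventID"]
        if eid == 5136:
            changes_by_subject[subj].append(_ts(e["Time"]))
            attr = e.get("AttributeLDAPDisplayName")
            if attr in SENSITIVE_ATTRIBUTES:
                findings.append(("high", "sensitive-attribute-modified",
                                 f"{subj} changed {attr} on {e['ObjectDN']}"))
        elif eid in (4728, 4732) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            findings.append(("critical", "privileged-group-member-added",
                             f"{subj} added {e['MemberName']} to {e['TargetUserName']}"))
        elif eid == 4724 and subj not in HELPDESK_ACCOUNTS:
            findings.append(("critical", "password-reset-outside-helpdesk",
                             f"{subj} reset the password of {e['TargetUserName']}"))
    # Indirect indicator: many object modifications by one actor in a short window.
    for subj, times in changes_by_subject.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if in_window >= BURST_COUNT:
                findings.append(("medium", "rapid-object-modifications",
                                 f"{subj}: {in_window} changes within {BURST_WINDOW.seconds}s"))
                break
    return findings


# Constructed sample: one actor chains a group, SPN and UAC change with a reset.
DOM = "DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"Time": "2024-05-01 09:00:01", "EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": f"CN=Domain Admins,CN=Users,{DOM}", "AttributeLDAPDisplayName": "member"},
    {"Time": "2024-05-01 09:00:02", "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "Domain Admins", "MemberName": f"CN=jdoe,CN=Users,{DOM}"},
    {"Time": "2024-05-01 09:00:10", "EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": f"CN=SQL01,CN=Computers,{DOM}", "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"Time": "2024-05-01 09:00:15", "EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": f"CN=svc-backup,CN=Users,{DOM}", "AttributeLDAPDisplayName": "userAccountControl"},
    {"Time": "2024-05-01 09:00:20", "EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": f"CN=svc-backup,CN=Users,{DOM}", "AttributeLDAPDisplayName": "description"},
    {"Time": "2024-05-01 09:00:25", "EventID": 4724, "SubjectUserName": "jdoe",
     "TargetUserName": "svc-backup"},
    # Routine helpdesk reset and an isolated benign edit: no findings expected.
    {"Time": "2024-05-01 09:05:00", "EventID": 4724, "SubjectUserName": "svc-helpdesk",
     "TargetUserName": "bsmith"},
    {"Time": "2024-05-01 10:00:00", "EventID": 5136, "SubjectUserName": "admin-ops",
     "ObjectDN": f"OU=Printers,{DOM}", "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for severity, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity:8}] {rule}: {detail}")
```

On the sample, the actor `jdoe` produces three sensitive-attribute findings, one privileged-group finding, one out-of-helpdesk reset and one burst finding; the helpdesk reset and the single `description` edit by `admin-ops` produce nothing, which is the separation between routine administration and a takeover chain that the tables describe.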
Common Tools
| Tool | Usage |
|---|---|
| PowerView | Modifies AD objects using GenericAll permissions. |
| BloodHound | Identifies attack paths including GenericAll privileges. |
| Impacket | LDAP modification modules used for privilege escalation. |
| SharpHound | Collects AD relationship data for privilege path discovery. |
| ADSIEdit / LDAP tools | Used to modify directory objects directly. |
Relevant Artifacts
- Domain controller Security logs (5136, 4728, 4732, 4724)
- LDAP modification logs
- Active Directory object metadata
- Sysmon logs (1, 3)
- EDR telemetry identifying AD manipulation tools
- Directory replication metadata
- Prefetch artifacts showing execution of PowerView or Impacket tools
MITRE ATT&CK References
- T1098 Account Manipulation
- T1484 Domain Policy Modification
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify a directory object modification (5136) or a group membership change.
- What host generated the event?
  - Determine the workstation performing the LDAP modifications.
- Is the account expected to perform this action?
  - Investigate whether the account normally manages directory objects.
- Pivot:
  - Source host → inspect execution of PowerView or Impacket tools.
  - Account → review privileges and group memberships.
  - Network → analyze LDAP traffic patterns.
- Confirm exploitation
  - Determine whether the attacker used the GenericAll permission to escalate privileges.
Example Detection Templates
KQL

```kql
// Members added to security-enabled global (4728) or local (4732) groups.
// TargetUserName is the group; MemberName is the account that was added.
SecurityEvent
| where EventID == 4728 or EventID == 4732
| project TimeGenerated, TargetUserName, MemberName, SubjectUserName
```

```kql
// Directory object modified. 5136 is only logged when Directory Service Changes
// auditing is enabled and the object carries a SACL.
SecurityEvent
| where EventID == 5136
| project TimeGenerated, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue
```

EQL

```eql
any where event.code == "5136"
```

Sigma

```yaml
title: Suspicious Active Directory Object Modification
id: genericall-abuse-detection
status: experimental
description: Detects directory object modifications potentially indicating GenericAll abuse
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
falsepositives:
  - Legitimate administrative directory modifications
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1098
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege review | Audit AD ACLs for GenericAll permissions | Critical | Removes unnecessary full control rights. |
| Least privilege | Restrict directory modification privileges | High | Reduces escalation opportunities. |
| Monitoring | Alert on group membership changes | High | Detects privilege escalation attempts. |
| AD security review | Regularly review delegation permissions | High | Identifies risky configurations. |
| Change management | Require approval for sensitive directory changes | Medium | Reduces unauthorized modifications. |
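The "Privilege review" control above asks for an audit of AD ACLs for GenericAll grants. The following is an added example, not part of the original note, that checks a DACL exported in SDDL form for allow ACEs granting full control to a principal not on an expected list. The SDDL ACE grammar, the `GA` code, the `0x10000000` GENERIC_ALL mask and the spelled-out DS rights string are standard; the expected-principal list, the sample DACL and the SIDs in it are constructed for the example.

```python
# Added example (not from the original note): audit an SDDL DACL for ACEs that
# grant GenericAll to principals that are not expected to hold full control.
import re

GENERIC_ALL_MASK = 0x10000000
# Every DS-specific right at once is operationally the same as GenericAll.
FULL_DS_RIGHTS = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "SD", "RC", "WD", "WO"}
# Constructed: SDDL aliases for principals that legitimately hold full control.
EXPECTED_FULL_CONTROL = {"DA", "EA", "SY", "BA"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def rights_codes(field):
    """Split an SDDL rights or flags string such as 'RPLCLORC' into two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def grants_generic_all(rights):
    """True if the rights field means full control, in any of its three spellings."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        return int(rights, 16) & GENERIC_ALL_MASK == GENERIC_ALL_MASK
    codes = rights_codes(rights)
    return "GA" in codes or FULL_DS_RIGHTS <= codes


def audit_full_control(object_dn, sddl, expected=EXPECTED_FULL_CONTROL):
    """Return the unexpected full-control grants found in an object's SDDL."""
    findings = []
    for ace_type, flags, rights, object_guid, _inherit_guid, sid in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA"):      # only access-allowed ACEs grant anything
            continue
        if object_guid:                      # scoped to one attribute or right: not full control
            continue
        if grants_generic_all(rights) and sid not in expected:
            findings.append({"object": object_dn, "trustee": sid, "rights": rights,
                             "inherited": "ID" in rights_codes(flags)})
    return findings


# Constructed DACL for a privileged group object (domain SID is a placeholder).
SID_BASE = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"                                           # Domain Admins: expected
    "(A;;GA;;;SY)"                                           # SYSTEM: expected
    "(A;;RPLCLORC;;;AU)"                                     # Authenticated Users read: harmless
    f"(A;;GA;;;{SID_BASE}-1105)"                             # explicit GA to an ordinary user
    f"(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{SID_BASE}-1106)"   # inherited, spelled out
    f"(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;{SID_BASE}-1107)"  # WriteProperty on member only
    f"(A;;0x10000000;;;{SID_BASE}-1108)"                     # GA written as a hex mask
)

if __name__ == "__main__":
    for finding in audit_full_control("CN=Domain Admins,CN=Users,DC=corp,DC=local", SAMPLE_SDDL):
        print(finding)
```

The three spellings matter in practice: exports from different tools render the same grant as `GA`, as the full two-letter list, or as a hex mask, and an audit that only string-matches `GA` misses two of them. The attribute-scoped `OA` entry is deliberately not reported here; it is a narrower write right that belongs in a separate delegation review, which is the "AD security review" row above.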