This note documents detection patterns for GenericWrite abuse in Active Directory. GenericWrite is an access-control right (ADS_RIGHT_GENERIC_WRITE) on a directory object that grants write access to all of the object's attributes that are not guarded by a separate control-access right, plus validated writes. A principal holding it on a user, computer or group can therefore rewrite attributes such as servicePrincipalName, msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity, userAccountControl or member and escalate without resetting a password (password reset is a separate control-access right and is not covered by GenericWrite).
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | Primary record of the write. Only generated when the "Audit Directory Service Changes" subcategory is enabled and the target object carries a SACL for the write; verify both before relying on it. Key fields: SubjectUserName, SubjectLogonId, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue and OperationType (%%14674 = value added, %%14675 = value deleted). Watch servicePrincipalName, msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity, userAccountControl, member and scriptPath. |
| Security | 4728 | Member added to security-enabled global group | Critical | GenericWrite on a group object permits writing its member attribute. 4728 covers global groups (e.g. Domain Admins); the same write to a domain-local group (e.g. Administrators) is 4732 and to a universal group (e.g. Enterprise Admins, Schema Admins) is 4756. |
| Security | 4738 | User account changed | High | Records userAccountControl changes (OldUacValue / NewUacValue), AllowedToDelegateTo, ScriptPath, ProfilePath, SidHistory and similar. servicePrincipalName writes to user objects are not reflected in 4738; use 5136 for those. |
| Security | 4742 | Computer account changed | High | Includes ServicePrincipalNames, AllowedToDelegateTo and UAC changes on computer objects. The interesting case is a change made by a subject other than the computer account itself, which normally maintains its own SPNs. |
| Security | 4662 | An operation was performed on an object | High | Logged for SACL-audited access to an object under "Audit Directory Service Access". Filter Accesses for Write Property (AccessMask 0x20, rendered as %%7685). High volume, and the Properties field carries schema GUIDs rather than the written value, so prefer 5136 where both exist and use 4662 as the fallback when change auditing is not configured. |
| Sysmon | 1 | Process creation | Medium | Execution of PowerView (Set-DomainObject, Add-DomainGroupMember) or Impacket scripts such as rbcd.py on a monitored host. Only visible when the attacker operates from an instrumented machine; Impacket run from an unmanaged Linux host leaves no Sysmon trail, so pair with the DC-side events above. SharpHound and BloodHound only enumerate and do not write. |
| Sysmon | 3 | Network connection | Medium | LDAP/LDAPS connections (389/636, global catalog 3268/3269) to domain controllers from hosts or processes that do not normally manage the directory, for example powershell.exe on a standard user workstation. |
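The 4738 and 4742 rows above point at the OldUacValue / NewUacValue pair as the place to catch flag flips. The following is an added Python example, not part of the original note, that decodes those two hex fields, diffs them and flags the transitions an analyst cares about. One caveat it encodes: these two event fields use the SAM USER_* bit layout (ACCOUNTDISABLE = 0x1, NORMAL_ACCOUNT = 0x10), not the LDAP userAccountControl layout (ACCOUNTDISABLE = 0x2, NORMAL_ACCOUNT = 0x200), so reusing an LDAP flag table here misreads every event. The sample events are constructed and the account names are illustrative.

```python
# Bit layout of OldUacValue / NewUacValue in Security 4738 and 4742.
# These fields use the SAM USER_* encoding, not the LDAP userAccountControl encoding.
EVENT_UAC_FLAGS = {
    0x00000001: "ACCOUNTDISABLE",
    0x00000002: "HOMEDIR_REQUIRED",
    0x00000004: "PASSWD_NOTREQD",
    0x00000008: "TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000020: "MNS_LOGON_ACCOUNT",
    0x00000040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "SERVER_TRUST_ACCOUNT",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "LOCKOUT",
    0x00000800: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQ_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQUIRED",
    0x00100000: "PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USE_AES_KEYS",
}

# Flags whose transition to "set" is a known abuse primitive.
RISKY_SET = {
    "DONT_REQ_PREAUTH": "AS-REP roasting",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "protocol transition (S4U2Self)",
    "PASSWD_NOTREQD": "blank password allowed",
    "USE_DES_KEY_ONLY": "weak Kerberos encryption",
}
# Flags whose clearing removes a protection.
RISKY_CLEAR = {
    "SMARTCARD_REQUIRED": "smartcard requirement removed",
    "NOT_DELEGATED": "sensitive-account delegation protection removed",
}

def decode_uac(value):
    """Turn a hex string such as '0x10210' (or an int) into the set of flag names."""
    v = int(value, 16) if isinstance(value, str) else value
    return {name for bit, name in EVENT_UAC_FLAGS.items() if v & bit}

def diff_uac(old, new):
    """Return (flags newly set, flags newly cleared) between two event UAC values."""
    before, after = decode_uac(old), decode_uac(new)
    return sorted(after - before), sorted(before - after)

def triage_uac_change(event):
    """Evaluate one 4738/4742 event and list the transitions worth an alert."""
    set_flags, cleared_flags = diff_uac(event["OldUacValue"], event["NewUacValue"])
    findings = [f"{f} set ({RISKY_SET[f]})" for f in set_flags if f in RISKY_SET]
    findings += [f"{f} cleared ({RISKY_CLEAR[f]})" for f in cleared_flags if f in RISKY_CLEAR]
    return {
        "event_id": event["EventID"],
        "subject": event["SubjectUserName"],
        "target": event["TargetUserName"],
        "set": set_flags,
        "cleared": cleared_flags,
        "findings": findings,
    }

# Constructed sample events (not real telemetry), reduced to the fields used above.
SAMPLE_EVENTS = [
    # jdoe sets DONT_REQ_PREAUTH on a service account: 0x210 -> 0x10210
    {"EventID": 4738, "SubjectUserName": "jdoe", "TargetUserName": "svc-sql",
     "OldUacValue": "0x210", "NewUacValue": "0x10210"},
    # jdoe marks a server as trusted for delegation: 0x80 -> 0x2080
    {"EventID": 4742, "SubjectUserName": "jdoe", "TargetUserName": "WEB01$",
     "OldUacValue": "0x80", "NewUacValue": "0x2080"},
    # help desk re-enables a user: 0x11 -> 0x10, no risky transition
    {"EventID": 4738, "SubjectUserName": "helpdesk1", "TargetUserName": "bob",
     "OldUacValue": "0x11", "NewUacValue": "0x10"},
]

if __name__ == "__main__":
    for result in (triage_uac_change(e) for e in SAMPLE_EVENTS):
        status = "; ".join(result["findings"]) or "no risky transition"
        print(f'{result["event_id"]} {result["subject"]} -> {result["target"]}: '
              f'set={result["set"]} cleared={result["cleared"]} :: {status}')
```

Note that the TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION bits additionally require the SeEnableDelegationPrivilege on the DC, so a 4742 showing them set by an ordinary user is evidence of more than GenericWrite alone; DONT_REQ_PREAUTH and PASSWD_NOTREQD need only the attribute write.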
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| SPN attribute modification | servicePrincipalName written on a user object, especially an SPN added to an account that previously had none and removed again minutes later | Critical | Targeted Kerberoasting: the attacker requests a TGS for the new SPN (4769, typically with RC4 encryption type 0x17), cracks the service account's password offline, then deletes the SPN to cover the change. |
| Key credential modification | msDS-KeyCredentialLink written on a user or computer by a subject other than the object itself | Critical | Shadow credentials: the attacker adds their own public key and authenticates as the target with PKINIT, obtaining a TGT and the NT hash without touching the password. |
| Unexpected group membership changes | member written on a privileged group (4728/4732/4756) by a subject outside the normal admin population | Critical | Direct privilege escalation through the group's ACL rather than through a credential. |
| Delegation attribute modification | msDS-AllowedToActOnBehalfOfOtherIdentity written on a computer object | High | Resource-based constrained delegation: only GenericWrite on the target computer is needed, unlike msDS-AllowedToDelegateTo or the TRUSTED_FOR_DELEGATION flag, which also require SeEnableDelegationPrivilege. Follow-on is an S4U2Self/S4U2Proxy ticket request (4769) from an attacker-controlled account. |
| UserAccountControl modifications | DONT_REQ_PREAUTH or PASSWD_NOTREQD set, ACCOUNTDISABLE cleared on a dormant account, SMARTCARD_REQUIRED cleared | High | DONT_REQ_PREAUTH enables AS-REP roasting of the target; the others weaken or bypass authentication controls on it. |
| Rapid LDAP attribute changes | Several sensitive attributes written by one subject within minutes, or a value added and then deleted on the same object | Medium | Characteristic of scripted abuse chains (for example SPN add, TGS request, SPN delete) rather than hand-driven administration. |
Common Tools
| Tool | Usage |
|---|---|
| PowerView | Set-DomainObject writes arbitrary attributes (SPN, scriptPath, msDS-KeyCredentialLink via raw byte values); Add-DomainGroupMember writes member. |
| BloodHound | Displays GenericWrite edges and, in the edge help, the exact attribute writes that abuse them. |
| Impacket | rbcd.py writes msDS-AllowedToActOnBehalfOfOtherIdentity; other Impacket-based scripts perform SPN and group writes over LDAP. |
| Whisker / pywhisker | Write msDS-KeyCredentialLink to plant shadow credentials. |
| SharpHound | Collects ACL edges, including GenericWrite, for BloodHound. Read-only, but its LDAP enumeration typically precedes the write. |
| ADSIEdit / LDAP tools | ADSIEdit, ldp.exe, ldapmodify and Set-ADUser / Set-ADComputer can all perform the same writes; because built-in tooling is indistinguishable from administration, the attribute write itself, not the process, is the reliable signal. |
Relevant Artifacts
- Domain controller Security logs (5136, 4662, 4728/4732/4756, 4738, 4742), plus 4624 on the same DC to map SubjectLogonId to a client IpAddress
- Active Directory replication metadata (repadmin /showobjmeta, or Get-ADReplicationAttributeMetadata), which records the originating DC, timestamp and version for each attribute write and survives even when change auditing was not enabled
- Sysmon logs (1, 3) and PowerShell Script Block Logging (4104) on the source host
- EDR telemetry identifying AD manipulation tooling and LDAP write activity
- Prefetch and Amcache artifacts showing execution of PowerView, Impacket or similar tooling on the source host
MITRE ATT&CK References
- T1098 Account Manipulation (attribute and group membership writes)
- T1484 Domain Policy Modification (when the GenericWrite target is a GPO object)
- T1078 Valid Accounts (use of the accounts obtained)
- T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting (follow-on to SPN writes)
Decision Tree
- Is the suspicious event present?
  - Identify the directory object modification (5136) and record the attribute written (AttributeLDAPDisplayName), the value (AttributeValue) and whether it was added or removed (OperationType).
- What host generated the event?
  - 5136 is logged by the DC, not by the client. Take SubjectLogonId from the 5136, find the 4624 on the same DC whose TargetLogonId matches, and use its IpAddress to identify the workstation that performed the LDAP write.
- Is the account expected to perform this action?
  - Does the subject normally manage this OU or object class? Is there a change record? If the subject is a service account, does its role cover this attribute? Membership in an admin group alone does not make the write expected.
- Pivot:
  - Source host → Sysmon 1, 4104 script blocks, Prefetch and EDR for PowerView, Impacket or similar tooling around the event time.
  - Account → current group memberships, and the ACE that granted GenericWrite on the target (Get-Acl on the AD path or dsacls); check whether that ACE was itself added recently (5136 on nTSecurityDescriptor).
  - Network → LDAP/LDAPS sessions from the source host, and subsequent Kerberos activity tied to the written attribute (4769 TGS requests for a newly added SPN, S4U2Proxy requests from an RBCD-enabled computer, PKINIT logons after a key credential write).
- Confirm exploitation
  - Look for the follow-on step the write enables: a TGS for the new SPN, a ticket issued to the target via delegation, a logon as the target account, or administrative actions by the newly added group member. A write with no follow-on is still a finding, but a write plus follow-on confirms the GenericWrite path was used for escalation.
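The indicator tables and the decision tree above describe a triage flow: keep only writes to sensitive attributes, drop machine-account self-maintenance, enrich with the source IP by joining the 5136 SubjectLogonId to a 4624 on the same DC, and rate the result by attribute impact, subject expectations and burst behaviour. The following is an added Python example of that flow, not code from the original note. Event records are constructed dicts shaped like the Security log fields; the domain, DC name, IP addresses and the expected-writer list (svc-adsync) are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes whose write via GenericWrite is a known escalation primitive.
SENSITIVE_ATTRIBUTES = {
    "servicePrincipalName": "targeted Kerberoasting",
    "msDS-KeyCredentialLink": "shadow credentials",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation",
    "member": "privileged group membership",
    "userAccountControl": "account flag change",
    "scriptPath": "logon script hijack",
}
# Writes that hand the attacker a credential or group access are critical outright.
HIGH_IMPACT = {"msDS-KeyCredentialLink", "msDS-AllowedToActOnBehalfOfOtherIdentity", "member"}

VALUE_ADDED = "%%14674"      # 5136 OperationType for "value added" (%%14675 = value deleted)
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3          # sensitive writes by one subject inside the window

# Assumption for this example: accounts whose job is to write these attributes.
EXPECTED_WRITERS = {"CORP\\svc-adsync"}

def find_logon_source(event, logon_events):
    """5136 names the DC, not the client. Match SubjectLogonId against the
    TargetLogonId of a 4624 on the same DC to recover the client IpAddress."""
    for logon in logon_events:
        if logon["Computer"] == event["Computer"] and logon["TargetLogonId"] == event["SubjectLogonId"]:
            return logon["IpAddress"]
    return None

def severity(alert):
    if alert["expected_writer"]:
        return "low"
    if alert["burst"] or alert["attribute"] in HIGH_IMPACT:
        return "critical"
    return "high"

def triage_5136(events, logon_events):
    """Return one alert per sensitive attribute write, enriched with source IP and burst flag."""
    alerts = []
    writes_by_subject = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        attr = e["AttributeLDAPDisplayName"]
        subject = f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}'
        # Machine accounts maintain their own SPNs and dNSHostName; exclude them.
        if subject.endswith("$") or attr not in SENSITIVE_ATTRIBUTES:
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        writes_by_subject[subject].append(ts)
        in_window = [t for t in writes_by_subject[subject] if ts - t <= BURST_WINDOW]
        alert = {
            "time": e["TimeCreated"],
            "subject": subject,
            "source_ip": find_logon_source(e, logon_events),
            "object": e["ObjectDN"],
            "attribute": attr,
            "technique": SENSITIVE_ATTRIBUTES[attr],
            "value": e["AttributeValue"],
            "added": e["OperationType"] == VALUE_ADDED,
            "expected_writer": subject in EXPECTED_WRITERS,
            "burst": len(in_window) >= BURST_THRESHOLD,
        }
        alert["severity"] = severity(alert)
        alerts.append(alert)
    return alerts

def ev(ts, user, logon_id, dn, attr, value, op=VALUE_ADDED):
    """Build a constructed 5136-shaped record for the sample below."""
    return dict(TimeCreated=ts, Computer="DC01.corp.local", SubjectUserName=user, SubjectDomainName="CORP",
                SubjectLogonId=logon_id, ObjectDN=dn, AttributeLDAPDisplayName=attr,
                AttributeValue=value, OperationType=op)

# Constructed sample telemetry: one attacker chain, one sync account, one machine account, one benign edit.
SAMPLE_5136 = [
    ev("2024-05-01T10:00:00", "jdoe", "0x3e7a1", "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
       "servicePrincipalName", "HTTP/bogus.corp.local"),
    ev("2024-05-01T10:00:30", "jdoe", "0x3e7a1", "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
       "msDS-KeyCredentialLink", "B:828:<constructed-blob>:CN=svc-backup,OU=Service Accounts,DC=corp,DC=local"),
    ev("2024-05-01T10:01:00", "jdoe", "0x3e7a1", "CN=Domain Admins,CN=Users,DC=corp,DC=local",
       "member", "CN=jdoe,OU=Staff,DC=corp,DC=local"),
    ev("2024-05-01T10:05:00", "svc-adsync", "0x5a100", "CN=bob,OU=Staff,DC=corp,DC=local",
       "userAccountControl", "512"),
    ev("2024-05-01T10:06:00", "WS01$", "0x60001", "CN=WS01,CN=Computers,DC=corp,DC=local",
       "servicePrincipalName", "HOST/WS01.corp.local"),
    ev("2024-05-01T10:07:00", "jdoe", "0x3e7a1", "CN=bob,OU=Staff,DC=corp,DC=local",
       "description", "Updated by help desk"),
]
SAMPLE_4624 = [  # constructed network logons (LogonType 3) recorded on the same DC
    dict(Computer="DC01.corp.local", TargetLogonId="0x3e7a1", TargetUserName="jdoe", LogonType="3", IpAddress="10.20.30.40"),
    dict(Computer="DC01.corp.local", TargetLogonId="0x5a100", TargetUserName="svc-adsync", LogonType="3", IpAddress="10.0.0.15"),
]

if __name__ == "__main__":
    for a in triage_5136(SAMPLE_5136, SAMPLE_4624):
        print(f'{a["time"]} [{a["severity"]}] {a["subject"]} from {a["source_ip"]} wrote {a["attribute"]} '
              f'on {a["object"]} ({a["technique"]}){" BURST" if a["burst"] else ""}')
```

On the sample, the SPN write alone rates high, the key credential and group writes rate critical (the third also trips the burst threshold), the sync account's UAC write drops to low, and the machine account's own SPN maintenance and the description edit produce nothing. In production the 4624 join should be bounded in time (the same LogonId is reused after a reboot) and EXPECTED_WRITERS should be scoped per attribute rather than global.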
Example Detection Templates
KQL

The 5136-specific fields (ObjectDN, AttributeLDAPDisplayName, AttributeValue) are not promoted to columns in the Sentinel SecurityEvent schema, so they are parsed out of the EventData XML here.

```kql
SecurityEvent
| where EventID == 5136
| parse EventData with * '<Data Name="ObjectDN">' TargetDN '</Data>' *
| parse EventData with * '<Data Name="AttributeLDAPDisplayName">' AttributeName '</Data>' *
| parse EventData with * '<Data Name="AttributeValue">' AttrValue '</Data>' *
| where AttributeName in~ ("servicePrincipalName", "msDS-KeyCredentialLink",
    "msDS-AllowedToActOnBehalfOfOtherIdentity", "userAccountControl", "member", "scriptPath")
| where not(SubjectUserName endswith "$")   // machine accounts maintaining their own attributes
| project TimeGenerated, Computer, SubjectUserName, SubjectLogonId, TargetDN, AttributeName, AttrValue, OperationType
```

```kql
SecurityEvent
| where EventID == 4662
| where AccessMask == "0x20"                // Write Property
| where not(SubjectUserName endswith "$")
| project TimeGenerated, Computer, SubjectUserName, SubjectLogonId, ObjectName, ObjectType, Properties
```

EQL

```eql
any where event.code == "5136" and
  winlog.event_data.AttributeLDAPDisplayName in ("servicePrincipalName", "msDS-KeyCredentialLink",
    "msDS-AllowedToActOnBehalfOfOtherIdentity", "userAccountControl", "member", "scriptPath") and
  not endsWith(winlog.event_data.SubjectUserName, "$")
```

Sigma

```yaml
title: Suspicious Active Directory Attribute Modification
id: genericwrite-abuse-detection
status: experimental
description: Detects writes to directory attributes commonly abused via GenericWrite (SPN, key credentials, RBCD, UAC, group membership, logon script)
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeLDAPDisplayName:
      - servicePrincipalName
      - msDS-KeyCredentialLink
      - msDS-AllowedToActOnBehalfOfOtherIdentity
      - userAccountControl
      - member
      - scriptPath
  filter_machine_accounts:
    SubjectUserName|endswith: '$'
  condition: selection and not filter_machine_accounts
fields:
  - SubjectUserName
  - SubjectLogonId
  - ObjectDN
  - AttributeLDAPDisplayName
  - AttributeValue
  - OperationType
falsepositives:
  - Legitimate administrative directory modifications
  - Provisioning and identity-sync service accounts; add them to a dedicated filter rather than widening the machine-account filter
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1098
```

All three templates depend on "Audit Directory Service Changes" being enabled and a SACL covering the watched objects; without those, 5136 is never written and the rules match nothing.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Audit configuration | Enable "Audit Directory Service Changes" and "Audit Directory Service Access" and apply a SACL for Write Property / Write All Properties on the domain head, privileged groups, service accounts and tier-0 servers | Critical | Prerequisite for every detection on this page; without it neither 5136 nor 4662 is generated. |
| Privilege review | Enumerate GenericWrite (and the broader WriteProperty and GenericAll) ACEs granted to non-administrative principals with BloodHound or Get-Acl / dsacls, and remove those without a documented owner | Critical | AdminSDHolder/SDProp resets the ACLs of protected-group members hourly, so the exposure concentrates on service accounts, servers and other objects SDProp does not cover. |
| Least privilege | Replace GenericWrite with the specific property rights a role needs (for example only the attributes a provisioning system sets) | High | Removes the SPN, key-credential, RBCD and membership write paths while keeping the delegated task working. |
| Monitoring | Alert on writes to servicePrincipalName, msDS-KeyCredentialLink, msDS-AllowedToActOnBehalfOfOtherIdentity, userAccountControl and member by subjects outside an allow-list | High | Covers the attribute writes that turn GenericWrite into a credential or a group membership. |
| AD security review | Re-run the ACL enumeration on a schedule and diff against the previous result, and review delegation settings (RBCD, constrained and unconstrained) for drift | High | A newly appeared GenericWrite ACE is itself an indicator of compromise or of an unapproved change. |
| Change management | Require approval for writes to sensitive attributes on tier-0 objects and reconcile approved changes against 5136 | Medium | Turns every unreconciled write into an investigation rather than an accepted false positive. |