This note documents detection patterns related to WriteOwner Abuse within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | Ownership changes on Active Directory objects can indicate WriteOwner abuse; owner and DACL changes surface as a modification of the nTSecurityDescriptor attribute. Review ObjectDN and the attribute changed. Requires the Directory Service Changes audit subcategory and a SACL on the object. |
| Security | 4662 | An operation was performed on an object | Critical | Access operations modifying object ownership or security descriptors. |
| Security | 4670 | Permissions on an object were changed | High | Ownership change often followed by permission modification. |
| Security | 4728 | Member added to security-enabled global group | High | Privilege escalation may follow ownership takeover. |
| Security | 4732 | Member added to security-enabled local group | High | Used for privilege escalation after gaining object control. |
| Sysmon | 1 | Process creation | Medium | Execution of PowerView, Impacket, or other LDAP modification tools. |
| Sysmon | 3 | Network connection | Medium | LDAP connections to domain controllers. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Ownership change on privileged object | Owner attribute modified on admin accounts or groups | Critical | Attackers gain full control after becoming owner. |
| Permission changes after ownership takeover | ACL modifications following owner change | Critical | Ownership allows attacker to modify permissions. |
| Unexpected administrative group membership changes | Account added to privileged groups | High | Privilege escalation following ACL abuse. |
| Rapid AD object modifications | Multiple attribute changes across objects | Medium | May indicate automated attack chain. |
| LDAP modifications from unusual host | Directory modifications from workstation not normally administering AD | High | Possible attacker-controlled system. |
## Common Tools
| Tool | Usage |
|---|---|
| PowerView | Changes object ownership using WriteOwner permission. |
| Impacket | LDAP scripts used to modify object ownership. |
| BloodHound | Identifies attack paths involving WriteOwner privileges. |
| SharpHound | Collects AD relationship data. |
| ADSIEdit | Manual modification of directory object ownership. |
## Relevant Artifacts
- Domain controller Security logs (5136, 4662, 4670)
- Active Directory object metadata
- LDAP modification logs
- Sysmon logs (1, 3)
- EDR telemetry identifying AD manipulation tools
- Directory replication metadata
- Prefetch artifacts showing execution of PowerView or Impacket tools
## MITRE ATT&CK References
- T1098 Account Manipulation
- T1484 Domain Policy Modification
- T1078 Valid Accounts
## Decision Tree
- Is the suspicious event present?
  - Identify ownership modification events (5136 / 4670).
- What host generated the event?
  - Determine the workstation performing the LDAP modification.
- Is the account expected to perform this action?
  - Investigate whether the account normally administers AD objects.
- Pivot:
  - Source host → inspect execution of PowerView or Impacket tools.
  - Account → review privileges and group memberships.
  - Network → analyze LDAP traffic patterns.
- Confirm exploitation
  - Determine whether the attacker changed object ownership and escalated privileges.
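The indicator tables and the decision tree above describe a correlation: a security descriptor change (5136 on nTSecurityDescriptor, or 4670) on a sensitive object, followed within a short window by a permission change or a privileged group addition (4728 / 4732), from an account or host that does not normally administer AD. The following Python is an added example, not part of the original note, that scores such chains over a handful of constructed events. The event layout, the sensitive-object list, and the expected admin accounts and hosts are assumptions for this example; in practice they come from your SIEM export and your environment's baseline.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Keys mirror the Security log
# fields: SubjectUserName -> subject, Computer -> host, ObjectDN/ObjectName -> object.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "event_id": 5136, "subject": "CORP\\jdoe",
     "host": "WS-117", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=local",
     "attribute": "nTSecurityDescriptor"},
    {"time": "2024-05-01T10:00:04", "event_id": 4670, "subject": "CORP\\jdoe",
     "host": "WS-117", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=local"},
    {"time": "2024-05-01T10:00:20", "event_id": 4728, "subject": "CORP\\jdoe",
     "host": "WS-117", "object": "CN=Domain Admins,CN=Users,DC=corp,DC=local"},
    # Routine descriptor change by a known AD admin account from an admin host.
    {"time": "2024-05-01T11:30:00", "event_id": 5136, "subject": "CORP\\svc-adadmin",
     "host": "ADMIN-JUMP01", "object": "CN=Bob Smith,OU=Staff,DC=corp,DC=local",
     "attribute": "nTSecurityDescriptor"},
]

# Assumed environment baseline (hypothetical values for this example).
SENSITIVE_OBJECTS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=local",
    "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
}
EXPECTED_ADMIN_ACCOUNTS = {"CORP\\svc-adadmin"}
EXPECTED_ADMIN_HOSTS = {"ADMIN-JUMP01", "DC01"}
ESCALATION_EVENTS = {4728, 4732}  # member added to global / local security group


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_descriptor_change(event):
    """4670 is always a permission change; 5136 only counts when the attribute
    written is nTSecurityDescriptor, which carries both the owner and the DACL."""
    if event["event_id"] == 4670:
        return True
    return event["event_id"] == 5136 and event.get("attribute") == "nTSecurityDescriptor"


def find_writeowner_chains(events, window=timedelta(minutes=10)):
    """Return one finding per (actor, object) whose first descriptor change is
    followed, within `window`, by further descriptor or group-membership events."""
    by_key = {}
    for ev in sorted(events, key=_ts):
        by_key.setdefault((ev["subject"], ev["object"]), []).append(ev)

    findings = []
    for (subject, obj), evs in by_key.items():
        starts = [e for e in evs if is_descriptor_change(e)]
        if not starts:
            continue
        first = starts[0]
        deadline = _ts(first) + window
        chain = [e for e in evs if _ts(first) <= _ts(e) <= deadline]
        ids = {e["event_id"] for e in chain}

        reasons = []
        if obj in SENSITIVE_OBJECTS:
            reasons.append("descriptor change on sensitive object")
        if {5136, 4670} <= ids:
            reasons.append("ownership/descriptor change followed by permission change")
        if ids & ESCALATION_EVENTS:
            reasons.append("privileged group membership added after descriptor change")
        if subject not in EXPECTED_ADMIN_ACCOUNTS:
            reasons.append("account does not normally administer AD objects")
        if first["host"] not in EXPECTED_ADMIN_HOSTS:
            reasons.append("modification from non-admin host " + first["host"])

        escalated = bool(ids & ESCALATION_EVENTS) or {5136, 4670} <= ids
        if obj in SENSITIVE_OBJECTS and escalated:
            severity = "critical"
        elif obj in SENSITIVE_OBJECTS or escalated:
            severity = "high"
        elif subject not in EXPECTED_ADMIN_ACCOUNTS or first["host"] not in EXPECTED_ADMIN_HOSTS:
            severity = "medium"
        else:
            continue  # expected admin, expected host, ordinary object: no alert

        findings.append({
            "subject": subject, "object": obj, "host": first["host"],
            "event_ids": sorted(ids), "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_writeowner_chains(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["subject"], f["object"], f["event_ids"])
        for r in f["reasons"]:
            print("  -", r)
```

Run as-is, the constructed data yields a single critical finding for `CORP\jdoe` against `Domain Admins` with all three stages present, and the routine change by the expected admin account produces no alert. The `window` argument is the knob worth tuning: too short and the escalation stage falls outside the chain (the sample then drops to high, on the sensitive-object criterion alone), too long and unrelated administrative activity gets bundled together.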
## Example Detection Templates
### KQL
```kql
SecurityEvent
| where EventID == 4670
| project TimeGenerated, SubjectUserName, ObjectName
```
```kql
SecurityEvent
| where EventID == 5136
| project TimeGenerated, SubjectUserName, ObjectDN
```
### EQL
```eql
any where event.code == "4670"
```
### Sigma
```yaml
title: Suspicious Active Directory Ownership Modification
id: writeowner-abuse-detection
status: experimental
description: Detects modification of AD object ownership potentially indicating WriteOwner abuse
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4670
  condition: selection
fields:
  - SubjectUserName
  - ObjectName
falsepositives:
  - Legitimate administrative modifications
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1098
```
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege review | Audit AD ACLs for WriteOwner permissions | Critical | Removes unnecessary ownership privileges. |
| Least privilege | Restrict directory ownership modification rights | High | Reduces privilege escalation paths. |
| Monitoring | Alert on ownership changes for sensitive objects | High | Detects early abuse attempts. |
| AD security review | Regularly review delegation permissions | High | Identifies risky configurations. |
| Change management | Require approval for ownership changes | Medium | Reduces unauthorized modifications. |
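The "Privilege review" row above calls for auditing AD ACLs for WriteOwner. The Python below is an added example (not the note's own tooling) that does that audit offline on an object's security descriptor in SDDL form, the string you get from, for instance, `(Get-Acl "AD:\<distinguished name>").Sddl` with the ActiveDirectory PowerShell module. It flags allow ACEs that grant WRITE_OWNER directly, or GENERIC_ALL (which includes it), to any principal outside a trusted set. The sample descriptor, the SIDs in it, and the trusted-principal set are constructed assumptions for this example; the access-mask constants and two-letter rights codes are the standard Windows SDDL values.

```python
import re

# Access mask bits from the Windows security descriptor definition.
WRITE_OWNER = 0x00080000
WRITE_DAC = 0x00040000
GENERIC_ALL = 0x10000000

# Subset of the two-letter SDDL rights codes needed for this audit; other
# codes (LC, RP, CC, ...) are ignored because they cannot confer WriteOwner.
RIGHTS = {
    "WO": WRITE_OWNER, "WD": WRITE_DAC, "GA": GENERIC_ALL,
    "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}

# SDDL aliases for principals expected to hold WriteOwner on sensitive objects
# (assumed baseline: Domain Admins, Enterprise Admins, Builtin Administrators, SYSTEM).
TRUSTED_PRINCIPALS = {"DA", "EA", "BA", "SY"}

# Constructed sample descriptor for a hypothetical group; the SIDs are made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)"               # full control for Domain Admins
    "(A;;WO;;;S-1-5-21-1111-2222-3333-1105)"          # WriteOwner for an ordinary user
    "(A;;LCRPLORC;;;AU)"                              # read-only for Authenticated Users
    "(A;;GA;;;SY)"                                    # GenericAll for SYSTEM
    "(OA;CI;0x80000;;;S-1-5-21-1111-2222-3333-1210)"  # same right, hex mask form
    "(D;;WO;;;S-1-5-21-1111-2222-3333-9999)"          # a deny ACE, not a grant
)


def parse_rights(field):
    """Turn an SDDL rights field (two-letter codes or a 0x mask) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS.get(field[i:i + 2], 0)
    return mask


def find_writeowner_grants(object_dn, sddl, trusted=TRUSTED_PRINCIPALS):
    """List allow ACEs in the DACL that give WriteOwner (directly or via
    GenericAll) to a principal outside the trusted set."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, _obj_guid, _inherit_guid, trustee = parts[:6]
        if ace_type not in ("A", "OA"):  # only allow / object-allow ACEs grant access
            continue
        mask = parse_rights(rights)
        if not mask & (WRITE_OWNER | GENERIC_ALL) or trustee in trusted:
            continue
        findings.append({
            "object": object_dn,
            "trustee": trustee,
            "via": "GENERIC_ALL" if mask & GENERIC_ALL else "WRITE_OWNER",
            "ace": ace,
        })
    return findings


if __name__ == "__main__":
    for hit in find_writeowner_grants("CN=Example Group,OU=Groups,DC=corp,DC=local", SAMPLE_SDDL):
        print(hit["trustee"], "has", hit["via"], "on", hit["object"], "->", hit["ace"])
```

On the sample descriptor this reports the two non-trusted SIDs and nothing else: the Domain Admins and SYSTEM entries are in the trusted set, the Authenticated Users entry carries no WriteOwner bit, and the deny ACE is skipped. Running it across every object returned by a directory export gives the list of grants to remove, or to add to the trusted set after a documented review.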