MITRE ATT&CK® Data Component

DC0066: Active Directory Object Modification

Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:

- User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts).
- Group Membership: Adding/removing members.
- OU: Changing properties/permissions (e.g., delegation).
- Service Account: Modifying SPNs or other attributes.
- Object Attributes: Changes to passwords, logon hours, or control flags.

Enterprise | DC0066 | Data Component | Object v2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Active Directory object modification matters because changes to users, groups, OUs, service accounts, and object attributes can directly affect who has access, how privileges are delegated, and whether accounts are usable. For leaders, this data component is a practical evidence source for identity governance, incident response scoping, and audit readiness: if the organization cannot reliably see these changes, it may struggle to explain how access changed during an incident or control review.

Executive priority

Prioritize validating whether Active Directory object changes are logged, retained, and reviewable. These records support business decisions around privileged access oversight, account lifecycle control, delegation governance, and incident response timelines. They are also useful evidence for compliance and control assurance because they show when identity objects and permissions were changed, but the ATT&CK object does not provide a specific threat relationship or tactic context, so local risk should be based on how critical Active Directory is to business operations.

Technical view

SOC, detection engineering, and IR teams should confirm collection and parsing of Active Directory object modification events identified by MITRE: Event ID 5136 for object modification and Event ID 5163 for attribute changes. Validation should focus on users, groups, OUs, service accounts, SPNs, group membership, account enablement/disablement, delegation-related permissions, passwords, logon hours, and control flags. Because ATT&CK provides no detection logic or relationship context for this data component, teams should tune locally around authorized administration patterns, change windows, and high-value identity objects.

Likely telemetry

  • Windows security event logs containing Active Directory object modification events
  • Event ID 5136 Object Modification records
  • Event ID 5163 Attribute Changes records
  • Directory object identifiers and attributes changed
  • Actor/account that performed the change, where available in collected logs

Detection direction

  • Validate that Event IDs 5136 and 5163 are generated, collected, normalized, and retained for relevant Active Directory environments.
  • Create review logic for sensitive object classes and attributes, including group membership, service account SPNs, delegation-related OU permissions, account status, passwords, logon hours, and control flags.
  • Establish baselines for legitimate administrative changes to reduce false positives from normal help desk, IAM, and directory administration activity.
  • Correlate object modifications with approved change records when available, especially for privileged groups, service accounts, and delegated administration paths.
  • Check blind spots caused by incomplete audit policy, limited domain controller log collection, short retention, missing attribute detail, or poor parsing of changed values.
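The review logic described above, as an added example that is not part of the MITRE object or Glexia's analysis: it triages constructed Event ID 5136 records against the sensitive attributes listed for DC0066 (group membership, SPNs, control flags, logon hours, permissions) and a local baseline of authorized administrators and approved change records. Field names follow the 5136 event schema; the DNs, account names, ticket id and sample records are constructed.

```python
# Added example (not MITRE's or Glexia's code): triage of constructed 5136 records.
# Field names follow the Event ID 5136 schema; baselines, DNs and accounts are constructed.
# Attributes whose modification maps to the DC0066 examples.
SENSITIVE_ATTRIBUTES = {
    "member": "group membership",
    "servicePrincipalName": "service account SPN",
    "userAccountControl": "account control flags",
    "logonHours": "logon hours",
    "nTSecurityDescriptor": "object permissions/delegation",
}
# Constructed local baseline: high-value objects, authorized admins, approved changes.
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
PRIVILEGED_OBJECTS = {DA}
AUTHORIZED_ADMINS = {"adadmin", "iam-svc"}
APPROVED_CHANGES = {(DA, "member"): "CHG-1042"}  # (object DN, attribute) -> ticket id
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}  # 5136 OperationType

def triage(event):
    """Return a finding for one 5136 record, or None when the change is routine."""
    attr = event["AttributeLDAPDisplayName"]
    if attr not in SENSITIVE_ATTRIBUTES:
        return None
    dn, actor = event["ObjectDN"], event["SubjectUserName"]
    reasons = []
    if actor not in AUTHORIZED_ADMINS:
        reasons.append("actor outside administration baseline")
    if (dn, attr) not in APPROVED_CHANGES:
        reasons.append("no approved change record")
    if not reasons:
        return None  # authorized actor with an approved change: baseline activity
    op = OPERATION.get(event["OperationType"], "unknown operation")
    return {
        "severity": "high" if dn in PRIVILEGED_OBJECTS else "medium",
        "object": dn, "actor": actor, "reasons": reasons,
        "change": f"{SENSITIVE_ATTRIBUTES[attr]}: {op} {event['AttributeValue']}",
    }

def make_event(actor, dn, attr, value, op="%%14674"):
    return {"SubjectUserName": actor, "ObjectDN": dn, "OperationType": op,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value}

SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    make_event("adadmin", DA, "member", "CN=j.doe,OU=Staff,DC=corp,DC=example"),
    make_event("h.desk", DA, "member", "CN=tmp,OU=Staff,DC=corp,DC=example"),
    make_event("adadmin", "CN=svc-sql,OU=Svc,DC=corp,DC=example",
               "servicePrincipalName", "MSSQLSvc/db01.corp.example:1433"),
    make_event("h.desk", "CN=j.doe,OU=Staff,DC=corp,DC=example", "description", "moved"),
]

def run_sample():
    return [f for f in map(triage, SAMPLE_EVENTS) if f]
```

Of the four constructed records, only the unauthorized membership change to Domain Admins (high) and the SPN change without a change record (medium) surface; the approved membership change and the description edit are dropped.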

Mitigation priorities

  • Ensure auditing is configured to produce the relevant Active Directory object modification and attribute change events identified by MITRE.
  • Prioritize monitoring for high-impact identity objects such as privileged groups, service accounts, OUs with delegated permissions, and critical user attributes.
  • Define an operational review process that distinguishes approved identity administration from unexpected or poorly documented changes.
  • Align retention and access to these logs with incident response and compliance evidence needs.
  • Use findings from monitoring gaps to inform identity governance, privileged access management, and change-control improvements.

Analyst notes and limits

This object is a data component, not a technique. Its value is evidentiary: it tells defenders what class of data can help observe changes to Active Directory objects. No tactics, platforms, aliases, labels, or relationship context were supplied, and MITRE did not provide detection analytics beyond the event IDs and example object/attribute changes.

Assessment is limited to the supplied ATT&CK fields and external reference for DC0066. The object does not specify tactics, platforms, related techniques, procedures, threat actors, or official detection logic. Local audit policy, domain controller coverage, parsing quality, and retention determine whether this data component is usable in practice.

Official MITRE ATT&CK definition

Active Directory Object Modification

Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:

- User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts).
- Group Membership: Adding/removing members.
- OU: Changing properties/permissions (e.g., delegation).
- Service Account: Modifying SPNs or other attributes.
- Object Attributes: Changes to passwords, logon hours, or control flags.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 8b7c3a25d5f15687...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 2.0
Modified:
Status: Current bundle
Raw hash: 8b7c3a25d5f1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DC0066 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.