Posts tagged "{tag}": #active-directory

Detecting AD persistence and credential-replication attacks in the directory-service logs — 5136 object modifications (ACLs, AdminSDHolder, GPO), the 5137/5141 lifecycle, and using 4662 to catch DCSync.