立即与支持人员聊天
与支持团队交流

Change Auditor for Active Directory 7.4 - Event Reference Guide

NTDS Service

NTDS Default TTL Changed

Created whenever the default TTL is changed.

Low

NTDS Garbage Collection Period Changed

Created whenever the garbage collection period is changed.

Low

NTDS Minimum TTL Changed

Created whenever the minimum TTL is changed.

Low

NTDS TCP/IP Port Assignment Changed

Created when the NTDS RPC TCP/IP port assignment is changed.

Low

NTDS Tombstone Lifetime Setting Changed

Created whenever the tombstone lifetime is altered.

Low

Organizational Unit (OU)

Alternate UPN Suffix Added to OU

Created when an entry is added to the list of alternate user principal name (UPN) suffixes available for user names.

Medium

Alternate UPN Suffix Removed from OU

Created when an entry is removed from the list of alternate user principal name (UPN) suffixes available for user names.

Medium

DACL Changed on OU Object

Created when the DACL is changed on an OU object.

High

Domain Controller Added to OU

Created when a domain controller is added to an OU.

High

Domain Controller Removed from OU

Created when a domain controller is removed from an OU.

High

OU Group Policy Order Changed

Created when the list of group policies linked to an organizational unit is re-ordered.

Medium

Inheritance Setting Changed on OU Object

Created when the inheritance setting of a OU object is changed.

High

Subordinate OU Added

Created when an OU is added to another OU.

Medium

Subordinate OU Removed

Created when an OU is removed from another OU.

Medium

Subordinate OU Renamed

Created when a subordinate OU is renamed.

Medium

Replication Transport

Bridge All Site Links Option Changed

Created when the Bridge all site links check box on the replication transport property page is changed.

Medium

Ignore Link Schedules Option Changed

Created when the Ignore schedules check box on the replication transport property page is changed.

Medium

Irregular domain replication activity detected

This event identifies replication behavior that may indicate that DCSync is being used to retrieve password data through domain replication.

Irregular requests can include:

DCSync is a command within Mimikatz that can simulate the behaviour of a Domain Controller and make replication requests. This activity can result in someone gaining unauthorized access to user credentials. The stolen credentials can then be used to create a golden ticket or silver ticket and can be used for pass-the-hash and overpass-the-hash scenarios.

This event identifies replication behavior that may indicate that DCSync is being used to compromise the security of your network.

High

Schema Configuration

Attribute Added to Optional Attributes

Created when a new attribute is added to the optional attributes for a class object in the schema.

High

Attribute Removed from Optional Attributes

Created when an attribute is removed from the Optional Attributes for a class object in the schema.

High

Class Removed from Auxiliary Classes in Schema

Created when a class is removed from auxiliaryClass.

High

Class Removed from Possible Superiors in Schema

Created when a class is removed from possSuperiors.

High

New Class Added to Auxiliary Classes in Schema

Created when a new class is added to auxiliaryClass.

High

New Class Added to Possible Superiors in Schema

Created when a new class is added to possSuperiors.

High

Schema Attribute Added

Created when a new attribute is added to the schema.

High

Schema Attribute Confidential flag changed

Created when an Attribute Confidential flag is changed.

High

Schema Attribute defaultHidingValue Changed

Created when the defaultHidingValue is changed.

High

Schema Attribute GC Flag Changed

Created when the GC flag for an attribute is changed.

High

Schema Attribute Indexing Flag Changed

Created when the indexing flag for an attribute is changed.

High

Schema Attribute RODC Filtered flag changed

Created when an Attribute RODC Replication flag is changed.

High

Schema Class Added

Created when a new class is added to the schema.

High

Schema Class Default Security Descriptor Changed

Created when the default security descriptor for a class is changed.

High

Schema Object Disabled

Created when a schema object is marked disabled.

High

Schema Object Enabled

Created when a schema object is marked enabled.

High

Schema Version Changed

Created when the schema version number changes.

High

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级