Event ID 5136 - NT Authority/SYSTEM modified the default domain policy

Ace B 0 Reputation points
2023-05-23T18:19:06.6666667+00:00

Hello

I have auditing of GPO changes turned on. While we have password complexity enabled, during an audit it was found to be disabled.

After searching the logs from the GPO modified date, we found that it was SYSTEM that made the changes, leaving two entries: one for Value Deleted and one for Value Added.

This happened one year ago and I thought maybe a team member had changed it, but they all denied this. So I turned on the auditing, and one year later I see the same thing, but now with some evidence.

{"timestamp":"2023-04-19T08:48:24.000Z","hostname":"XXXXX-DC02.xxxxx.int","event_code":"5136","description":"A directory service object was modified.","subject_user_sid":"S-1-5-18","subject_user_name":"SYSTEM","subject_domain_name":"NT AUTHORITY","subject_logon_id":"0x140F99821","ds_name":"akigroup.int","ds_type":"Active Directory Domain Services","object_dn":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxxx,DC=int","object_guid":"{b3e150ae-0756-4e1d-b6e6-6161742c686b}","object_class":"groupPolicyContainer","attribute_ldap_display_name":"versionNumber","attribute_syntax_oid":"2.5.5.9","attribute_value":"1704322","operation_type":"Value Deleted","op_correlation_id":"{7ce28b12-4e95-4aaa-9001-bcb8f34edc0f}","app_correlation_id":"","source_data":"<14>Apr 19 12:48:24 XXXXXX-DC02.xxxxx.int MSWinEventLog\t1\tSecurity\t26311529\tWed Apr 19 12:48:24 2023\t5136\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tXXXXXXX.XXXXX.int\tDirectory Service Changes\t\tA directory service object was modified. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x140F99821 Directory Service: Name: xxxxx.int Type: Active Directory Domain Services Object: DN: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxxx,DC=int GUID: {b3e150ae-0756-4e1d-b6e6-6161742c686b} Class: groupPolicyContainer Attribute: LDAP Display Name: versionNumber Syntax (OID): 2.5.5.9 Value: 1704322 Operation: Type: Value Deleted Correlation ID: {7ce28b12-4e95-4aaa-9001-bcb8f34edc0f} Application Correlation ID: -\t942257166"}


1 answer

  1. Limitless Technology 43,966 Reputation points
    2023-05-24T10:52:23.1433333+00:00

    Hello there,

    I suggest you audit it more deeply with Procmon to see what is causing these changes.

    For a change operation, you'll typically see two 5136 events for one action, with different Operation\Type fields: “Value Deleted” and then “Value Added”. The “Value Deleted” event typically contains the previous value and the “Value Added” event contains the new value.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. You can get the tool from here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. You can get the tool from here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

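The answer above describes how a single attribute change shows up as a “Value Deleted” / “Value Added” pair of 5136 events. The script below is an added example (not code from the question, the answer, or Microsoft) that folds such pairs back into one before/after change record using the Operation Correlation ID, working on the same JSON field names as the SIEM export in the question. The sample records are constructed for illustration (placeholder domain, GUIDs and timestamps); only the Default Domain Policy GUID and the `versionNumber` encoding (high 16 bits = user-settings version, low 16 bits = computer-settings version) are real, which lets you tell from the old and new values whether the Computer or User half of the GPO was edited. Password policy lives under Computer Configuration, so an edit to it should bump the low word.

```python
"""Pair Event ID 5136 'Value Deleted'/'Value Added' records into before/after changes."""
import json
from collections import OrderedDict

# Well-known GUID of the Default Domain Policy GPO (matches the object_dn in the question).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


def _sample(ts, op_type, attribute, value, corr_id):
    """Build one CONSTRUCTED 5136 record in the SIEM's JSON shape (trimmed to the fields used here)."""
    return json.dumps({
        "timestamp": ts,
        "event_code": "5136",
        "subject_user_sid": "S-1-5-18",
        "subject_user_name": "SYSTEM",
        "subject_domain_name": "NT AUTHORITY",
        "object_dn": "CN=%s,CN=Policies,CN=System,DC=example,DC=test" % DEFAULT_DOMAIN_POLICY_GUID,
        "object_guid": "{00000000-0000-0000-0000-000000000001}",  # placeholder, not a real object GUID
        "object_class": "groupPolicyContainer",
        "attribute_ldap_display_name": attribute,
        "attribute_value": value,
        "operation_type": op_type,
        "op_correlation_id": corr_id,
    })


# Constructed sample export: one paired versionNumber change, plus an attribute that was set
# for the first time and therefore only has a 'Value Added' half.
SAMPLE_EVENTS = [
    _sample("2023-04-19T08:48:24.000Z", "Value Deleted", "versionNumber", "1704322",
            "{c0000000-0000-0000-0000-000000000001}"),
    _sample("2023-04-19T08:48:24.000Z", "Value Added", "versionNumber", "1704323",
            "{c0000000-0000-0000-0000-000000000001}"),
    _sample("2023-04-19T08:48:25.000Z", "Value Added", "gPCMachineExtensionNames",
            "[{00000000-0000-0000-0000-0000000000AA}{00000000-0000-0000-0000-0000000000BB}]",
            "{c0000000-0000-0000-0000-000000000002}"),
]


def parse_events(lines):
    """Parse JSON lines, keeping only 5136 (directory service object modified) records."""
    return [r for r in (json.loads(line) for line in lines) if r.get("event_code") == "5136"]


def pair_changes(records):
    """Fold records sharing (correlation id, object, attribute) into one change with old/new values.
    A missing half is left as None (e.g. an attribute set for the first time has no 'Value Deleted')."""
    changes = OrderedDict()
    for r in records:
        key = (r["op_correlation_id"], r["object_guid"], r["attribute_ldap_display_name"])
        change = changes.setdefault(key, {
            "timestamp": r["timestamp"],
            "subject": "%s\\%s (%s)" % (r["subject_domain_name"], r["subject_user_name"], r["subject_user_sid"]),
            "object_dn": r["object_dn"],
            "object_class": r["object_class"],
            "attribute": r["attribute_ldap_display_name"],
            "old": None,
            "new": None,
        })
        if r["operation_type"] == "Value Deleted":
            change["old"] = r["attribute_value"]
        elif r["operation_type"] == "Value Added":
            change["new"] = r["attribute_value"]
    return list(changes.values())


def decode_gpo_version(version):
    """Split a groupPolicyContainer versionNumber into (user_version, computer_version)."""
    v = int(version)
    return (v >> 16) & 0xFFFF, v & 0xFFFF


def version_side_changed(old, new):
    """Return which half of the GPO changed between two versionNumber values: computer, user, both or none."""
    old_user, old_comp = decode_gpo_version(old)
    new_user, new_comp = decode_gpo_version(new)
    user_changed, comp_changed = old_user != new_user, old_comp != new_comp
    if user_changed and comp_changed:
        return "both"
    if comp_changed:
        return "computer"
    if user_changed:
        return "user"
    return "none"


def report(changes):
    """One human-readable line per paired change, annotating versionNumber edits with the side touched."""
    lines = []
    for c in changes:
        line = "%s %s modified %s on %s: %r -> %r" % (
            c["timestamp"], c["subject"], c["attribute"], c["object_dn"], c["old"], c["new"])
        if c["attribute"] == "versionNumber" and c["old"] is not None and c["new"] is not None:
            line += " [%s settings edited; user/computer version %s -> %s]" % (
                version_side_changed(c["old"], c["new"]), decode_gpo_version(c["old"]), decode_gpo_version(c["new"]))
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(pair_changes(parse_events(SAMPLE_EVENTS))):
        print(line)
```

To use it against a real export, feed the SIEM's JSON lines to `parse_events` instead of `SAMPLE_EVENTS`; the Operation Correlation ID is what ties the two halves of one change together, so filter on it rather than on timestamps, which can collide across unrelated edits.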