Dynamic Objects Misconfiguration and Usage

medium

Description

Detects dynamic objects and insecure Time-To-Live (TTL) configurations that allow attackers to create stealthy, self-destructing backdoors to evade standard auditing and forensic analysis.

Solution

Manually delete suspicious dynamic objects immediately to prevent forensic evasion, and restore the msDS-Other-Settings TTL values to their secure defaults (900 and 86400 seconds) to block ephemeral attacks.
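
An added read-only audit script for the two checks this indicator describes (not Tenable's own code): it compares the TTL entries in msDS-Other-Settings with the defaults above and lists the dynamic objects in the current domain so they can be reviewed before deletion. It assumes the RSAT ActiveDirectory module and that the two entries are named DynamicObjectMinTTL (900) and DynamicObjectDefaultTTL (86400); those entry names do not appear on this page.

```powershell
# Read-only audit; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Secure defaults from the Solution text, in seconds.
# Assumption: the entry names below are the standard AD names for these TTLs.
$expected = @{ DynamicObjectMinTTL = 900; DynamicObjectDefaultTTL = 86400 }

# msDS-Other-Settings is a multi-valued "Name=Value" attribute on the
# forest-wide Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-Other-Settings'

# Parse the Name=Value pairs into a lookup table.
$current = @{}
foreach ($entry in $dsObject.'msDS-Other-Settings') {
    if ($entry -notmatch '=') { continue }
    $name, $value = $entry -split '=', 2
    $current[$name.Trim()] = $value.Trim()
}

# Check 1: TTL settings that differ from the expected defaults.
$ttlReport = foreach ($name in $expected.Keys) {
    $isSet = $current.ContainsKey($name)
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Current   = if ($isSet) { $current[$name] } else { '<not set>' }
        Compliant = $isSet -and ([int64]$current[$name] -eq $expected[$name])
    }
}

# Check 2: dynamic objects in the current domain partition.
# entryTTL (seconds remaining) is constructed, so it must be requested by name;
# msDS-Entry-Time-To-Die is the stored expiry time.
$dynamicObjects = Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' `
    -Properties entryTTL, 'msDS-Entry-Time-To-Die', whenCreated |
    Select-Object DistinguishedName, ObjectClass, whenCreated, entryTTL,
        'msDS-Entry-Time-To-Die'

$ttlReport | Format-Table -AutoSize
$dynamicObjects | Sort-Object whenCreated | Format-Table -AutoSize
```

Run it once per domain in the forest; the TTL settings are forest-wide, but the object search only covers the domain the session is connected to.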

See Also

Dynamic Objects

AD Object Detection: Detecting the undetectable (dynamicObject)

fun with dynamic Objects in AD: Part 1

Indicator Details

Name: Dynamic Objects Misconfiguration and Usage

Codename: C-DYNAMIC-OBJECTS

Severity: Medium

Type: Active Directory Indicator of Exposure

Family: Hygiene and Lifecycle

MITRE ATT&CK Information: