
How to Detect and Mitigate MachineAccountQuota Attacks in Active Directory

MachineAccountQuota abuse leverages a default Active Directory setting that allows user accounts to create up to ten computer objects within a domain. These computer objects inherit the privileges of the Domain Computers group, potentially allowing attackers to escalate privileges if the group has elevated permissions. By mimicking domain naming conventions, attackers can blend their rogue computer objects into the environment, making detection harder. Once authenticated as the malicious computer object, attackers can act like legitimate users and access various domain resources.

This attack can also serve as a stepping stone for more advanced compromises such as KrbRelayUp, especially in environments where LDAP signing is not enforced. Since LDAP signing is off by default, attackers can exploit this weakness to gain local administrator access on target machines.

Mitigation involves preventing unprivileged users from creating computer objects by setting the ms-DS-MachineAccountQuota attribute to zero and tightening the Domain Computers group membership and permissions. Enabling LDAP signing on domain controllers further fortifies defenses against related attacks like KrbRelayUp.

Mitigation Steps for MachineAccountQuota Exploits

  • Set ms-DS-MachineAccountQuota to 0: Only trusted admins should be able to create computer accounts.
  • Review Domain Computers Group Membership: Make sure it’s not part of privileged groups.
  • Restrict Write Permissions: Domain Computers should not have write access to other AD objects.
  • Enable LDAP Signing: Protects authentication and communication with domain controllers, mitigating KrbRelayUp attacks.

Key Events to Identify MachineAccountQuota Abuse

Event ID | Source | Description
4741 | Domain Controllers | Logged when a computer object is created in Active Directory. Unusual creators of computer objects might signal compromise.
4724 | Domain Controllers | Triggered when a password reset attempt occurs. Attackers setting passwords on new computer objects generate this event.
4624 | Domain Controllers | Successful logon event. Correlate with 4741 to check if a new computer object has authenticated to the domain.

Monitoring these events in combination helps spot unauthorized computer account creations and suspicious authentications linked to MachineAccountQuota abuse.
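The correlation described above, as an added example that is not part of the original article: it links each 4741 to later 4724 and 4624 events for the same new computer account, flags creators outside an assumed authorized set, and counts creations per user. The event records and the AUTHORIZED_CREATORS set are constructed for illustration.

```python
from collections import Counter

# Constructed sample events (not real log data). Each record carries the fields
# the article's events need: for 4741 "subject" is the creator and "account" the
# new computer object; for 4724 "account" is the account whose password was set;
# for 4624 "account" is the account that logged on (TargetUserName).
SAMPLE_EVENTS = [
    {"id": 4741, "subject": "CORP\\svc-deploy", "account": "WKS-BLD-042$"},
    {"id": 4624, "subject": None, "account": "WKS-BLD-042$"},
    {"id": 4741, "subject": "CORP\\jdoe", "account": "WKS-ACCT-17$"},
    {"id": 4724, "subject": "CORP\\jdoe", "account": "WKS-ACCT-17$"},
    {"id": 4624, "subject": None, "account": "WKS-ACCT-17$"},
    {"id": 4741, "subject": "CORP\\jdoe", "account": "WKS-ACCT-18$"},
]

# Assumption: accounts that legitimately join machines (deployment service
# accounts, domain-join admins). Anyone else is relying on the default MAQ.
AUTHORIZED_CREATORS = {"CORP\\svc-deploy"}


def correlate(events, authorized=AUTHORIZED_CREATORS):
    """Link each 4741 to subsequent 4724/4624 events for the new computer account.

    Returns {account: {"creator", "authorized", "password_set", "logged_on"}}.
    Only events seen after the creation are attributed, so a 4624 really is the
    new object authenticating rather than an earlier logon of a same-named host.
    """
    new_accounts = {}
    for ev in events:
        if ev["id"] == 4741:
            new_accounts[ev["account"]] = {
                "creator": ev["subject"],
                "authorized": ev["subject"] in authorized,
                "password_set": False,
                "logged_on": False,
            }
        elif ev["id"] == 4724 and ev["account"] in new_accounts:
            new_accounts[ev["account"]]["password_set"] = True
        elif ev["id"] == 4624 and ev["account"] in new_accounts:
            new_accounts[ev["account"]]["logged_on"] = True
    return new_accounts


def suspicious(events, authorized=AUTHORIZED_CREATORS):
    """Names of new computer accounts created by someone outside the authorized set."""
    return sorted(a for a, f in correlate(events, authorized).items() if not f["authorized"])


def creations_per_user(events):
    """4741 count per creator; a non-admin approaching the default quota of 10 is a signal."""
    return Counter(ev["subject"] for ev in events if ev["id"] == 4741)
```

Feed real records by mapping the SubjectUserName/TargetUserName fields of exported Security log events onto the same "subject"/"account" keys.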
