What This Script Detects
MachineAccountQuota (MAQ) exploitation (MITRE ATT&CK T1136.002) lets an attacker who holds any ordinary domain user account create rogue computer accounts, which are then used for privilege escalation via resource-based constrained delegation (RBCD) attacks. The default value of 10 allows unauthorized computer creation by non-administrators.
Critical Recommendation
Set MachineAccountQuota to 0 immediately. Run:
Set-ADDomain -Identity (Get-ADDomain) -Replace @{'ms-DS-MachineAccountQuota' = 0}
Detection Focus
- Current MAQ value (should be 0)
- Computer accounts created by non-admin users (Event ID 4741)
- Rogue computer objects in unexpected OUs
- Computers with no corresponding DNS/DHCP entries
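The four checks listed above, written out as an added PowerShell example (this is not the script the page describes and not vendor code). It assumes the RSAT ActiveDirectory and DnsClient modules, permission to read the Security log on the domain controller queried, and two placeholders you must replace: $ExpectedOUs (where joined computers are supposed to live) and $AllowedCreators (provisioning accounts that legitimately join machines). It goes one step beyond the page's list by also reading mS-DS-CreatorSID, an attribute Active Directory stamps on a computer object only when a non-administrator created it under MAQ.

```powershell
# Added example, not the page's own script. Assumptions are marked with PLACEHOLDER.
Import-Module ActiveDirectory

function Get-MaqStatus {
    # Check 1: read ms-DS-MachineAccountQuota from the domain naming context; 0 is compliant.
    $domain = Get-ADDomain
    $obj = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        MachineAccountQuota = $obj.'ms-DS-MachineAccountQuota'
        Compliant           = ($obj.'ms-DS-MachineAccountQuota' -eq 0)
    }
}

function Get-NonAdminComputerCreations {
    param(
        [string]$ComputerName = (Get-ADDomain).PDCEmulator,   # DC whose Security log is read
        [int]$Days = 30,
        [string[]]$AllowedCreators = @('svc-provisioning')    # PLACEHOLDER: legitimate join accounts
    )
    # Check 2: Event ID 4741 (computer account created) where the subject is not a privileged user.
    $adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
    $adminUsers = foreach ($g in $adminGroups) {
        try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SamAccountName } catch { }
    }
    $trusted = @($adminUsers) + $AllowedCreators | Sort-Object -Unique

    $filter = @{ LogName = 'Security'; Id = 4741; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Creator        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                NewComputer    = $data['TargetUserName']
                CreatorTrusted = ($trusted -contains $data['SubjectUserName'])
            }
        } | Where-Object { -not $_.CreatorTrusted }
}

function Find-SuspiciousComputers {
    param(
        # PLACEHOLDER: containers where domain-joined computers are expected to live.
        [string[]]$ExpectedOUs = @('OU=Workstations,DC=example,DC=com', 'OU=Servers,DC=example,DC=com'),
        [int]$Days = 30
    )
    # Checks 3 and 4: recently created computer objects outside the expected OUs, with a
    # non-admin creator SID, or with no resolvable DNS A record.
    $since = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { whenCreated -ge $since } -Properties whenCreated, 'mS-DS-CreatorSID', DNSHostName |
        ForEach-Object {
            $c = $_
            $parent = ($c.DistinguishedName -split ',', 2)[1]
            $inExpectedOU = $false
            foreach ($ou in $ExpectedOUs) { if ($parent -like "*$ou") { $inExpectedOU = $true } }

            # mS-DS-CreatorSID is a raw SID byte array; it is only present on MAQ-created objects.
            $creatorSid = $null
            if ($c.'mS-DS-CreatorSID') {
                $creatorSid = (New-Object System.Security.Principal.SecurityIdentifier($c.'mS-DS-CreatorSID', 0)).Value
            }

            $hasDns = $false
            if ($c.DNSHostName) {
                $hasDns = [bool](Resolve-DnsName -Name $c.DNSHostName -Type A -ErrorAction SilentlyContinue)
            }

            [pscustomobject]@{
                Name         = $c.Name
                Created      = $c.whenCreated
                Container    = $parent
                InExpectedOU = $inExpectedOU
                CreatorSid   = $creatorSid
                HasDns       = $hasDns
            }
        } | Where-Object { -not $_.InExpectedOU -or $_.CreatorSid -or -not $_.HasDns }
}

# Run all checks and print the findings.
Get-MaqStatus | Format-List
Get-NonAdminComputerCreations | Format-Table -AutoSize
Find-SuspiciousComputers | Format-Table -AutoSize
```

A computer object that appears in both the second and third result sets (created by a non-admin, carrying a creator SID, and sitting outside the expected OUs) is the pattern to triage first; once MAQ is set to 0 as recommended above, new entries in the second set should stop appearing and any that still do indicate a creator with explicit create-child rights.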