Windows Domain Admin group changed


Goal

Detect when the Domain Administrator group is modified.

Strategy

Monitor Windows Security event logs for events where @evt.id is 4737 (a security-enabled global group was changed) and @Event.EventData.Data.TargetUserName is "Domain Admins".

Triage & Response

Verify that {{@Event.EventData.Data.SubjectUserName}} had a legitimate reason to change the Domain Admins group.
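The following is an added example, not the page's or Datadog's own rule code. It applies the Strategy predicate above (@evt.id equals 4737 and @Event.EventData.Data.TargetUserName equals "Domain Admins") to a few constructed Windows Security events normalized into the nested JSON shape those dotted attribute paths refer to, and pulls out the SubjectUserName that the Triage & Response step asks about. The sample events, the attribute-path resolver, and the extra fields SubjectDomainName, TargetDomainName and Event.System.Computer (standard Windows event fields, but not named on the page) are assumptions of this example.

```python
"""Added example (not the page's or Datadog's own code): run the page's
detection predicate over constructed Windows Security events and return
the triage context for each match."""
import json
from typing import Any, Dict, List, Optional

# Event ID 4737 in the Windows Security log: "A security-enabled global group was changed".
GROUP_CHANGED_EVENT_ID = "4737"
MONITORED_GROUP = "Domain Admins"

# Constructed sample events (not real log data), in the nested JSON layout
# that paths such as @Event.EventData.Data.TargetUserName resolve against.
SAMPLE_EVENTS: List[str] = [
    # 1: Domain Admins changed by jdoe -> should match
    json.dumps({
        "evt": {"id": 4737},
        "Event": {"System": {"Computer": "DC01.example.local"},  # assumed field
                  "EventData": {"Data": {"TargetUserName": "Domain Admins",
                                         "TargetDomainName": "EXAMPLE",
                                         "SubjectUserName": "jdoe",
                                         "SubjectDomainName": "EXAMPLE"}}},
    }),
    # 2: same event ID, but a different group -> no match
    json.dumps({
        "evt": {"id": "4737"},
        "Event": {"EventData": {"Data": {"TargetUserName": "Sales Managers",
                                         "SubjectUserName": "asmith"}}},
    }),
    # 3: Domain Admins touched, but event ID 4728 (member added) -> outside this rule
    json.dumps({
        "evt": {"id": 4728},
        "Event": {"EventData": {"Data": {"TargetUserName": "Domain Admins",
                                         "SubjectUserName": "svc_deploy",
                                         "MemberName": "CN=newadmin,OU=Users,DC=example,DC=local"}}},
    }),
    # 4: truncated event with no EventData -> no match, and no crash
    json.dumps({"evt": {"id": 4737}}),
]


def get_attribute(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a Datadog-style '@a.b.c' attribute path against a nested dict.

    Returns None when any segment of the path is missing, so callers never
    have to guard against partially populated events.
    """
    node: Any = event
    for key in path.lstrip("@").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_rule(event: Dict[str, Any]) -> bool:
    """The page's Strategy: @evt.id is 4737 and the target group is Domain Admins."""
    event_id = get_attribute(event, "@evt.id")
    target = get_attribute(event, "@Event.EventData.Data.TargetUserName")
    # Event IDs arrive as int or string depending on the log shipper; compare as strings.
    return str(event_id) == GROUP_CHANGED_EVENT_ID and target == MONITORED_GROUP


def triage_context(event: Dict[str, Any]) -> Dict[str, Optional[Any]]:
    """Fields a responder needs to verify whether the change was legitimate."""
    return {
        "subject": get_attribute(event, "@Event.EventData.Data.SubjectUserName"),
        "subject_domain": get_attribute(event, "@Event.EventData.Data.SubjectDomainName"),
        "target_group": get_attribute(event, "@Event.EventData.Data.TargetUserName"),
        "computer": get_attribute(event, "@Event.System.Computer"),
    }


def run_detection(raw_events: List[str]) -> List[Dict[str, Optional[Any]]]:
    """Parse each raw JSON event and return the triage context for every match."""
    signals: List[Dict[str, Optional[Any]]] = []
    for raw in raw_events:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # unparsable line: skip rather than abort the whole batch
        if isinstance(event, dict) and matches_rule(event):
            signals.append(triage_context(event))
    return signals


if __name__ == "__main__":
    for signal in run_detection(SAMPLE_EVENTS):
        print(f"Verify that {signal['subject_domain']}\\{signal['subject']} had a "
              f"legitimate reason to change {signal['target_group']} "
              f"(logged on {signal['computer']})")
```

Only the first sample event produces a signal. The third sample is the caveat worth keeping in mind when tuning this rule: membership additions to a global group are logged as event ID 4728, not 4737, so a rule scoped to 4737 alone covers changes to the group object itself and would need a companion rule to cover member additions.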