Windows user added to Domain Admin group


Goal

Detect when a user is added to the Domain Admins group. A rogue Active Directory account can be added to the Domain Admins group to obtain full control of the domain, so every addition should be verified.

Strategy

Monitor Windows Security event logs where @evt.id is 4728 ("A member was added to a security-enabled global group") and @Event.EventData.Data.TargetUserName is "Domain Admins".

Triage & Response

Verify whether {{@Event.EventData.Data.TargetUserName}} should have been added to the Domain Admins group, and confirm the change with the account that performed it.
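
The following is an added example, not part of the rule page, that runs the Strategy section's match logic over constructed Windows Security events and pulls out the fields an analyst would look at during triage. The event ID and TargetUserName attribute follow the page; the MemberName and SubjectUserName attributes are the standard fields of a 4728 event, and the host field and sample values are assumed for illustration.

```python
# Added example: evaluate the "user added to Domain Admins" rule over
# constructed event records shaped like the page's @evt.id and
# @Event.EventData.Data attributes. Sample data is constructed, not real telemetry.

TARGET_GROUP = "Domain Admins"
# 4728 = "A member was added to a security-enabled global group" (Domain Admins is a global group).
EVENT_ID_GLOBAL_GROUP_MEMBER_ADDED = 4728


def matches_rule(event: dict) -> bool:
    """True when the record is a 4728 whose target group is Domain Admins."""
    if event.get("evt", {}).get("id") != EVENT_ID_GLOBAL_GROUP_MEMBER_ADDED:
        return False
    data = event.get("Event", {}).get("EventData", {}).get("Data", {})
    return data.get("TargetUserName") == TARGET_GROUP


def triage_summary(event: dict) -> dict:
    """Collect what an analyst needs to verify the change: group, member, actor, host."""
    data = event["Event"]["EventData"]["Data"]
    return {
        "group": data.get("TargetUserName"),
        "member_added": data.get("MemberName"),   # standard 4728 field (assumed present)
        "added_by": data.get("SubjectUserName"),  # standard 4728 field (assumed present)
        "host": event.get("host"),                # assumed attribute name
    }


def find_domain_admin_additions(events: list) -> list:
    """Return a triage summary for every event that matches the rule."""
    return [triage_summary(e) for e in events if matches_rule(e)]


# Constructed sample events: one true hit, one other global group, one local-group 4732.
SAMPLE_EVENTS = [
    {"host": "dc01", "evt": {"id": 4728}, "Event": {"EventData": {"Data": {
        "TargetUserName": "Domain Admins",
        "MemberName": "CN=jdoe,CN=Users,DC=example,DC=local",
        "SubjectUserName": "admin.svc"}}}},
    {"host": "dc01", "evt": {"id": 4728}, "Event": {"EventData": {"Data": {
        "TargetUserName": "Sales",
        "MemberName": "CN=asmith,CN=Users,DC=example,DC=local",
        "SubjectUserName": "helpdesk1"}}}},
    {"host": "dc01", "evt": {"id": 4732}, "Event": {"EventData": {"Data": {
        "TargetUserName": "Administrators",
        "MemberName": "CN=jdoe,CN=Users,DC=example,DC=local",
        "SubjectUserName": "admin.svc"}}}},
]

if __name__ == "__main__":
    for hit in find_domain_admin_additions(SAMPLE_EVENTS):
        print(hit)
```

The 4732 (local group) record is deliberately left unmatched: this rule only covers the global Domain Admins group, so local Administrators changes need their own detection.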