API

Windows user added to Domain Admin group

Docs > Datadog Security > OOTB Rules > Windows user added to Domain Admin group

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.

Strategy

Monitoring of Windows event logs where @evt.id is 4728 and the @Event.EventData.Data.TargetUserName:"Domain Admins"

Triage & Response

Verify if {{@Event.EventData.Data.TargetUserName}} should be added to the Domain Admins group