Windows user added to Domain Admin group

Goal

Detect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.

Strategy

Monitoring of Windows event logs where @evt.id is 4728 and the @Event.EventData.Data.TargetUserName:"Domain Admins"

Triage & Response

Verify if {{@Event.EventData.Data.TargetUserName}} should be added to the Domain Admins group