Windows user added to Domain Admin group

Classification:

attack

Tactic:

Technique:

Goal

Detect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.

Monitoring of Windows event logs where @evt.id is 4728 and the @Event.EventData.Data.TargetUserName:"Domain Admins"

Verify if {{@Event.EventData.Data.TargetUserName}} should be added to the Domain Admins group