Techniques
Sample rules
Windows DnsAdmins New Member Added
- source: splunk
- techniques:
- T1098
Description
The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732 ("A member was added to a security-enabled local group"). DnsAdmins is a domain local group, so membership changes are logged as 4732 rather than as the global (4728) or universal (4756) group events; the detection reads these records from the Windows Security event log on the domain controller where the change was made. Monitoring this activity is crucial because members of DnsAdmins can administer the DNS Server service, which usually runs as SYSTEM on domain controllers, and the group's right to reconfigure that service (for example, pointing it at an attacker-supplied plugin DLL) has been used to execute code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk. Legitimate additions by a change-management process should be excluded through the rule's filter macro rather than by loosening the search.
Detection logic
`wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins
| stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user by dest src_user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_dnsadmins_new_member_added_filter`
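The search above is Splunk SPL, which cannot be run outside Splunk. The following added example (written for this page, not part of the original rule or of the Splunk security content project) reproduces the same logic in Python over a handful of constructed 4732/4728 records so the grouping, first/last-seen times and filter step can be inspected offline. It assumes the field names the Splunk add-on for Windows extracts: `TargetUserName` is the group name, `user` is assumed to carry the added member (MemberName in the raw event), `src_user` the account that made the change, and `dest` the logging domain controller. The `APPROVED_CHANGES` allow-list is a hypothetical stand-in for the `windows_dnsadmins_new_member_added_filter` macro.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real log data). Field names follow the
# Splunk add-on for Windows: "user" is assumed to be the member added,
# "src_user" the operator, "dest" the domain controller that logged it.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:12:03Z", "EventCode": "4732", "TargetUserName": "DnsAdmins",
     "user": "svc_backup", "src_user": "jdoe", "dest": "dc01.corp.local"},
    {"_time": "2024-05-01T09:15:47Z", "EventCode": "4732", "TargetUserName": "DnsAdmins",
     "user": "tmp_admin", "src_user": "jdoe", "dest": "dc01.corp.local"},
    # Same group, different DC and operator: lands in its own row.
    {"_time": "2024-05-01T10:02:11Z", "EventCode": "4732", "TargetUserName": "DnsAdmins",
     "user": "helpdesk3", "src_user": "Administrator", "dest": "dc02.corp.local"},
    # Noise that must not match: a different domain local group ...
    {"_time": "2024-05-01T10:05:00Z", "EventCode": "4732", "TargetUserName": "Remote Desktop Users",
     "user": "helpdesk3", "src_user": "Administrator", "dest": "dc02.corp.local"},
    # ... and a global-group change (4728), which the rule deliberately ignores.
    {"_time": "2024-05-01T10:06:30Z", "EventCode": "4728", "TargetUserName": "DnsUpdateProxy",
     "user": "dhcp01$", "src_user": "Administrator", "dest": "dc02.corp.local"},
]

# Hypothetical allow-list standing in for the rule's filter macro:
# (src_user, user) pairs approved through change management.
APPROVED_CHANGES = {("Administrator", "helpdesk3")}


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _fmt(dt):
    # Equivalent of `security_content_ctime`: epoch -> readable timestamp.
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def detect_dnsadmins_additions(events, approved=APPROVED_CHANGES):
    """EventCode=4732 TargetUserName=DnsAdmins
    | stats min(_time) max(_time) values(TargetUserName) values(user) by dest src_user
    | filter macro"""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != "4732":
            continue
        # Splunk field matching is case-insensitive; mirror that here.
        if ev.get("TargetUserName", "").lower() != "dnsadmins":
            continue
        groups[(ev["dest"], ev["src_user"])].append(ev)

    results = []
    for (dest, src_user), evs in sorted(groups.items()):
        times = [_parse_time(e["_time"]) for e in evs]
        row = {
            "dest": dest,
            "src_user": src_user,
            "firstTime": _fmt(min(times)),
            "lastTime": _fmt(max(times)),
            # Always "DnsAdmins" after the where clause; kept to match the SPL.
            "target_users_added": sorted({e["TargetUserName"] for e in evs}),
            "user": sorted({e["user"] for e in evs}),
        }
        # Filter step: drop the row only if every member it added was approved,
        # so an approved and an unapproved addition by the same operator still alert.
        if all((src_user, u) in approved for u in row["user"]):
            continue
        results.append(row)
    return results


if __name__ == "__main__":
    for r in detect_dnsadmins_additions(SAMPLE_EVENTS):
        print(r)
```

Running it yields one row: `jdoe` on `dc01.corp.local` added `svc_backup` and `tmp_admin` within four minutes, while the approved `helpdesk3` addition on `dc02.corp.local` is suppressed and the unrelated 4732 and 4728 records never reach the aggregation. Note that because the SPL groups by `dest` and `src_user`, one operator adding members on two domain controllers produces two rows, which is worth keeping in mind when tuning the allow-list.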