LoFP

Some legitimate administrative activities during domain controller promotions or system updates may trigger this rule. Filter alerts originating from authorized IT personnel or approved change management processes.

Sample rules

Windows Computer Account Changed to Domain Controller

Description

Detects a modification to the User Account Control flags for a computer account where the SERVER_TRUST_ACCOUNT flag is set. This flag is normally associated with domain controller computer accounts. This activity may indicate a legitimate domain controller promotion or, if unexpected, an attempt to grant a computer account domain controller-like trust within Active Directory.

Detection logic

`wineventlog_security` EventID=4742 UserAccountControl="*%%2088*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer TargetUserName UserAccountControl EventID
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_changed_to_domain_controller_filter`
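The same selection and aggregation as the SPL above, re-implemented in Python over constructed 4742 events so the logic and the LoFP tuning can be exercised offline (an added example, not the rule's own code). It assumes an allowlist keyed on SubjectUserName as one way to realise the opaque `_filter` macro, and therefore groups on SubjectUserName in addition to the rule's own fields; the sample records and the `svc_adpromo` account are invented.

```python
from collections import defaultdict

# Event 4742 renders the SERVER_TRUST_ACCOUNT UAC flag as the token %%2088.
SERVER_TRUST_ACCOUNT = "%%2088"

# Constructed sample events standing in for wineventlog_security records.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "EventID": 4742, "Computer": "dc01.corp.example",
     "TargetUserName": "DC02$", "SubjectUserName": "svc_adpromo",
     "UserAccountControl": "%%2080 %%2088"},
    {"_time": "2024-05-01T09:00:05", "EventID": 4742, "Computer": "dc01.corp.example",
     "TargetUserName": "DC02$", "SubjectUserName": "svc_adpromo",
     "UserAccountControl": "%%2088"},
    {"_time": "2024-05-01T13:42:10", "EventID": 4742, "Computer": "dc01.corp.example",
     "TargetUserName": "WKSTN-17$", "SubjectUserName": "jdoe",
     "UserAccountControl": "%%2080 %%2088"},
    {"_time": "2024-05-01T14:00:00", "EventID": 4742, "Computer": "dc01.corp.example",
     "TargetUserName": "WKSTN-18$", "SubjectUserName": "jdoe",
     "UserAccountControl": "%%2087"},  # WORKSTATION_TRUST_ACCOUNT only: must not match
    {"_time": "2024-05-01T14:01:00", "EventID": 4720, "Computer": "dc01.corp.example",
     "TargetUserName": "tempuser", "SubjectUserName": "jdoe",
     "UserAccountControl": "%%2080 %%2084"},  # wrong EventID: must not match
]

# Hypothetical stand-in for the rule's `..._filter` macro (its contents are not on the page):
# accounts used by the approved change-management process for DC promotions.
AUTHORIZED_SUBJECTS = {"svc_adpromo"}

def detect(events, authorized=AUTHORIZED_SUBJECTS):
    """Mirror the SPL: keep 4742 events carrying %%2088, aggregate count/firstTime/
    lastTime per (dest, TargetUserName, SubjectUserName), then apply the allowlist."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4742:
            continue
        # Token match rather than the SPL's "*%%2088*" wildcard so a flag can never
        # match as a substring of another rendered token.
        if SERVER_TRUST_ACCOUNT not in e.get("UserAccountControl", "").split():
            continue
        key = (e["Computer"], e["TargetUserName"], e["SubjectUserName"])
        groups[key].append(e["_time"])
    rows = []
    for (dest, target, subject), times in groups.items():
        if subject in authorized:  # LoFP guidance: drop approved-process activity
            continue
        rows.append({"dest": dest, "TargetUserName": target, "SubjectUserName": subject,
                     "count": len(times), "firstTime": min(times), "lastTime": max(times)})
    return rows
```

With the allowlist applied only the unexpected `WKSTN-17$` change survives; with an empty allowlist the `DC02$` promotion also appears, aggregated into one row with count 2.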