Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Sigma rule (View on GitHub)
1title: Add or Remove Computer from DC
2id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
3status: test
4description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
5references:
6 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
7 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
8 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
9author: frack113
10date: 2022/10/14
11tags:
12 - attack.defense_evasion
13 - attack.t1207
14logsource:
15 service: security
16 product: windows
17detection:
18 selection:
19 EventID:
20 - 4741
21 - 4743
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
-
Documentation and scripts to properly enable Windows event logs. - Yamato-Security/EnableWindowsLogSettings
Read More -
Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
Read More -
Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons