Add or Remove Computer from DC

Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Sigma rule (View on GitHub)

 1title: Add or Remove Computer from DC
 2id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
 3status: test
 4description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
 5references:
 6    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 7    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
 9author: frack113
10date: 2022-10-14
11tags:
12    - attack.defense-evasion
13    - attack.t1207
14logsource:
15    service: security
16    product: windows
17detection:
18    selection:
19        EventID:
20            - 4741
21            - 4743
22    condition: selection
23falsepositives:
24    - Unknown
25level: low

References

Related rules

to-top