Add or Remove Computer from DC
Detects the creation or deletion of a computer account (Security events 4741 and 4743). Can be used to detect attacks such as DCShadow, which registers a rogue domain controller by creating a computer object that carries a new SPN.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1207 Rogue Domain Controller |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4741 | A computer account was created. |
| Security-Auditing | 4743 | A computer account was deleted. |
Stages and Predicates
Stage 1: selection
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They match adjacent steps of the same TTP, so an alert from this rule is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- User Added to Privileged Group in Active Directory
- A Member Was Added to a Security-Enabled Global Group
- Addition of SID History to Active Directory Object
- Detect New Local Admin account
- Windows AD Cross Domain SID History Addition
- Windows AD Privileged Account SID History Addition
- Windows AD Same Domain SID History Addition
- Windows Increase in User Modification Activity