Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Windows DnsAdmins New Member Added

The following analytic detects the addition of a new member to the DnsAdmins group in Active Directory by leveraging Event ID 4732 (a member was added to a security-enabled local group; DnsAdmins is a domain local group, so this is the relevant event rather than the global- or universal-group variants). The detection uses Windows Security event logs to identify changes to this high-privilege group. Monitoring this activity is crucial because members of the DnsAdmins group can manage the DNS service, which typically runs on Domain Controllers, and could potentially execute code with SYSTEM privileges. If confirmed malicious, this activity could allow an attacker to escalate privileges and gain control over critical domain services, posing a significant security risk.

Quality: 67
FP risk: (not shown)
Rule source: detections/endpoint/windows_dnsadmins_new_member_added.yml
`wineventlog_security` EventCode=4732 TargetUserName=DnsAdmins
  | stats min(_time) as firstTime max(_time) as lastTime values(TargetUserName) as target_users_added values(user) as user
    BY dest src_user
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_dnsadmins_new_member_added_filter`
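To check the search logic offline before deploying it, the following is an added example (not part of splunk/security_content) that re-implements the search above in Python over constructed Event ID 4732 records: the filter step (EventCode=4732, TargetUserName=DnsAdmins), the stats aggregation by dest and src_user, a stand-in for the `security_content_ctime` macro, and an assumed allowlist in place of the `windows_dnsadmins_new_member_added_filter` macro. The field names mirror the Splunk search; the sample records, host names and account names are constructed.

```python
"""
Added example, not code from splunk/security_content: a Python
re-implementation of the DnsAdmins detection search, run over constructed
Event ID 4732 records so the aggregation can be exercised offline.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape the Splunk search expects.
# Only EventCode=4732 with TargetUserName=DnsAdmins should alert; the
# 4728 record (global-group event) and the Backup Operators record must not.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4732, "TargetUserName": "DnsAdmins",
     "user": "jdoe", "src_user": "admin01", "dest": "DC01"},
    {"_time": 1700000600, "EventCode": 4732, "TargetUserName": "DnsAdmins",
     "user": "svc_backup", "src_user": "admin01", "dest": "DC01"},
    {"_time": 1700000900, "EventCode": 4732, "TargetUserName": "Backup Operators",
     "user": "jdoe", "src_user": "admin01", "dest": "DC01"},
    {"_time": 1700001200, "EventCode": 4728, "TargetUserName": "DnsAdmins",
     "user": "jdoe", "src_user": "admin02", "dest": "DC02"},
    {"_time": 1700001500, "EventCode": 4732, "TargetUserName": "DnsAdmins",
     "user": "contractor7", "src_user": "helpdesk3", "dest": "DC02"},
]


def matches(event):
    """Equivalent of the search filter: EventCode=4732 TargetUserName=DnsAdmins."""
    return event.get("EventCode") == 4732 and event.get("TargetUserName") == "DnsAdmins"


def detect(events):
    """Equivalent of the stats clause: group by (dest, src_user), keep
    min/max _time and the distinct values of TargetUserName and user.
    Returns one row per group, sorted by key for deterministic output."""
    groups = defaultdict(lambda: {"times": [], "target_users_added": set(), "user": set()})
    for ev in events:
        if not matches(ev):
            continue
        g = groups[(ev["dest"], ev["src_user"])]
        g["times"].append(ev["_time"])
        g["target_users_added"].add(ev["TargetUserName"])
        g["user"].add(ev["user"])
    rows = []
    for (dest, src_user), g in sorted(groups.items()):
        rows.append({
            "dest": dest,
            "src_user": src_user,
            "firstTime": min(g["times"]),
            "lastTime": max(g["times"]),
            "target_users_added": sorted(g["target_users_added"]),
            "user": sorted(g["user"]),
        })
    return rows


def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch seconds to UTC text."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def apply_filter(rows, allowlisted_src_users=()):
    """Stand-in for the `windows_dnsadmins_new_member_added_filter` macro.
    The allowlist of approved change-management accounts is an assumption
    for this example; the real macro is a hook for local tuning."""
    return [r for r in rows if r["src_user"] not in allowlisted_src_users]


if __name__ == "__main__":
    for row in apply_filter(detect(SAMPLE_EVENTS)):
        print(f"{row['dest']:6} {row['src_user']:10} "
              f"{ctime(row['firstTime'])} .. {ctime(row['lastTime'])} added {row['user']}")
```

Each output row corresponds to one row the Splunk search would return: one line per (dest, src_user) pair with the distinct member names added, which is the unit an analyst triages against change records.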