security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
889efd1663f0781e110f32e8e81e88a311e6c500
blue-team-tools/rules/windows/builtin/security/win_security_add_remove_computer.yml
T
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status 
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00

26 lines
872 B
YAML
Raw Blame History

title: Add or Remove Computer from DC
id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
status: test
description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743
author: frack113
date: 2022/10/14
tags:
- attack.defense_evasion
- attack.t1207
logsource:
service: security
product: windows
detection:
selection:
EventID:
- 4741
- 4743
condition: selection
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink