Windows Domain Admin group changed

Classification:

attack

Tactic:

Technique:

Goal

Detect when the Domain Administrator group is modified.

Monitoring of Windows event logs where @evt.id is 4737 and the @Event.EventData.Data.TargetUserName:"Domain Admins"

Verify if {{@Event.EventData.Data.SubjectUserName}} has a legitimate reason for changing the Domain Admins group