Add or Remove Computer from DC (20d96d95-5a20-4cf1-a483-f3bda8a7c037)
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Add or Remove Computer from DC (20d96d95-5a20-4cf1-a483-f3bda8a7c037) | Sigma-Rules | Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) | Attack Pattern | 1 |