After an attacker gains access to a network through a compromised asset or credential, the attacker will move laterally in the network to target critical infrastructure. Domain controllers provide the physical storage for the Active Directory Domain Services (AD DS) database. In addition, they provide the services and data that allow enterprises to effectively manage endpoints such as servers and workstations, users, and applications. If a malicious user obtains privileged access to a domain controller, they can modify, corrupt, or destroy the AD DS database and all systems and accounts managed by Active Directory. Monitor both successful and unsuccessful authentication attempts against domain controllers to detect anomalies such as unusual time of day, unusual frequency, and other suspicious patterns that might indicate compromised assets or credentials.
index=* source=win*security 4776 EventCode=4776
| rename ComputerName as DomainControllerName
| table _time DomainControllerName user
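As an added example, not part of this use case's own content, the Python below runs the same kind of behavioural review over a few constructed Event 4776 records: the first occurrence of each account against a domain controller (what the search above surfaces), plus the time-of-day and failure-frequency checks the description mentions. The one-line log format, the 07:00-19:00 working window and the three-failures-in-five-minutes threshold are assumptions; the field names are those of the 4776 event text.

```python
"""Added example: behavioural review of Windows Event 4776 (NTLM credential
validation on a DC). Constructed sample data; the single-line format is an
assumption, the field names come from the 4776 event text."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, DC, account, workstation, status
SAMPLE_4776 = """\
2024-03-04T09:02:11 DC01 EventCode=4776 Logon_Account=alice Source_Workstation=WKS01 Error_Code=0x0
2024-03-04T09:40:02 DC01 EventCode=4776 Logon_Account=alice Source_Workstation=WKS01 Error_Code=0x0
2024-03-04T02:13:00 DC02 EventCode=4776 Logon_Account=svc-backup Source_Workstation=WKS17 Error_Code=0xC000006A
2024-03-04T02:13:04 DC02 EventCode=4776 Logon_Account=svc-backup Source_Workstation=WKS17 Error_Code=0xC000006A
2024-03-04T02:13:09 DC02 EventCode=4776 Logon_Account=svc-backup Source_Workstation=WKS17 Error_Code=0xC000006A
2024-03-04T02:13:15 DC02 EventCode=4776 Logon_Account=svc-backup Source_Workstation=WKS17 Error_Code=0x0
2024-03-04T11:30:00 DC01 EventCode=4776 Logon_Account=bob Source_Workstation=WKS05 Error_Code=0xC0000064
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dc>\S+) EventCode=4776 Logon_Account=(?P<user>\S+) "
    r"Source_Workstation=(?P<src>\S+) Error_Code=(?P<code>\S+)$")

def parse_4776(text):
    """Parse the constructed log text into event dicts, oldest first; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def analyze(events, work_hours=(7, 19), burst=3, burst_window=timedelta(minutes=5)):
    """Return first-seen (account, DC) pairs, off-hours events and failure bursts."""
    first_seen, off_hours, bursts = {}, [], []
    failures = defaultdict(list)  # account -> recent failed-validation timestamps
    for e in events:
        # First occurrence of the pair in the window: the same thing the SPL search surfaces
        first_seen.setdefault((e["user"], e["dc"]), e["ts"])
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):  # time-of-day check
            off_hours.append((e["ts"], e["user"], e["dc"]))
        if e["code"] != "0x0":  # any non-zero NTSTATUS is a failed validation
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= burst_window]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            if len(recent) == burst:  # report once, when the threshold is first reached
                bursts.append((e["user"], e["dc"], e["ts"]))
    return {"first_seen": first_seen, "off_hours": off_hours, "bursts": bursts}
```

Calling `analyze(parse_4776(SAMPLE_4776))` flags the 02:13 activity twice: as off-hours and as a password-guessing burst that ends in a successful validation, which is exactly the pattern worth handing to the response steps below.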
Known false positives: This is a behavioral search, so the definition of a false positive is slightly different from that of traditional searches. Every time this fires, it reflects the first occurrence of that account on that domain controller in the time period you're currently searching. While there are no false positives in the traditional sense, there can be a lot of noise.
How to respond: When this search returns values, initiate the incident response process and identify the user account accessing the specific domain controller. Contact the user and system owner about the action. If the access is authorized, document that this is authorized and by whom. If not, it's possible that another person used the user credentials and more investigation is warranted to determine that lateral movement is not occurring.