“...All warfare is based on deception. Hence, when we are able to attack,
we must seem unable; when using our forces, we must appear inactive;
when we are near, we must make the enemy believe we are far away; when
far away, we must make him believe we are near...”
The Art of War
Monitoring Active Directory OU and group membership changes is a Category One [HIGHEST] risk mitigation strategy, absolutely... however...
Are you monitoring [with REAL TIME ALERTING?] all of the Domain Admin "...equivalent..." OUs and
If you're looking for a spot near and dear to your CISO's heart, couple this with the one-two punch of some top-shelf DNS security monitoring like "Digital Defense Cloud" from the great folks at ThreatSTOP in Carlsbad, California. You can thank me later...
As Will Smith would say, "...get jiggy wit it!..." and REALLY shrink your attack surface and improve your risk posture by getting this set up today!
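Here is what "monitoring with real-time alerting" for the Domain Admin equivalent groups and protected OUs looks like in practice. This is an added example written for this page; it is not code from the original post, from ThreatSTOP, or from Microsoft. It assumes it runs on a domain controller (or on a collector that receives the DCs' Security logs), that the "Security Group Management" and "Directory Service Changes" audit subcategories are enabled and a SACL is set on each protected OU, and that the group list, the OU distinguished names and the alert webhook are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Assumes a DC (or a collector holding the
# DCs' Security logs) with these audit subcategories enabled:
#   auditpol /set /subcategory:"Security Group Management" /success:enable
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# plus an auditing (SACL) entry on each protected OU, or 5136-5141 are never logged.

# Domain Admin "equivalent" groups: membership here is effectively DA. Starting list only.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'Group Policy Creator Owners', 'DnsAdmins'
)
# Hypothetical protected OUs (placeholder DNs; replace with your own).
$ProtectedOUs = @(
    'OU=Tier0,DC=corp,DC=example',
    'OU=Domain Controllers,DC=corp,DC=example'
)

# 4728/4732/4756: member added to a security-enabled global/local/universal group.
# 4729/4733/4757: member removed. 5136/5137/5139/5141: object modified/created/moved/deleted.
$GroupAddIds    = 4728, 4732, 4756
$GroupRemoveIds = 4729, 4733, 4757
$OuEventIds     = 5136, 5137, 5139, 5141

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of one event into a hashtable.
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-PrivilegedChange {
    # Return one object per privileged-group or protected-OU change logged since $Since.
    param([datetime]$Since)
    $ids    = $GroupAddIds + $GroupRemoveIds + $OuEventIds
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d   = ConvertFrom-EventData $e
        $who = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        if ($e.Id -in $GroupAddIds -or $e.Id -in $GroupRemoveIds) {
            # TargetUserName is the group; MemberName is the DN of the account that changed.
            if ($PrivilegedGroups -notcontains $d['TargetUserName']) { continue }
            $action = if ($e.Id -in $GroupAddIds) { 'ADDED TO' } else { 'REMOVED FROM' }
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Kind = 'Group'
                               Detail = "$($d['MemberName']) $action '$($d['TargetUserName'])'"; By = $who; DC = $e.MachineName }
        }
        else {
            # 5139 (move) carries OldObjectDN/NewObjectDN; the others carry ObjectDN.
            $dn = if ($e.Id -eq 5139) { "$($d['OldObjectDN']) -> $($d['NewObjectDN'])" } else { $d['ObjectDN'] }
            if (-not ($ProtectedOUs | Where-Object { $dn -like "*$_*" })) { continue }
            $attr = if ($d['AttributeLDAPDisplayName']) { " attr=$($d['AttributeLDAPDisplayName'])" } else { '' }
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Kind = 'OU'
                               Detail = "$dn (class $($d['ObjectClass']))$attr"; By = $who; DC = $e.MachineName }
        }
    }
}

function Send-Alert {
    param([string]$Message)
    Write-Warning $Message
    # Hypothetical webhook: point this at your SIEM, chat or pager instead of Write-Warning.
    # Invoke-RestMethod -Uri $AlertWebhook -Method Post -ContentType 'application/json' -Body (@{ text = $Message } | ConvertTo-Json)
}

# Poll every 30 s; each pass looks only at events newer than the previous pass.
$last = (Get-Date).AddMinutes(-5)
while ($true) {
    $now = Get-Date
    foreach ($c in Get-PrivilegedChange -Since $last) {
        Send-Alert "[$($c.Time)] $($c.Kind) change on $($c.DC): $($c.Detail) by $($c.By) (Event $($c.EventId))"
    }
    $last = $now
    Start-Sleep -Seconds 30
}
```

Two caveats a practitioner will hit: without the audit subcategories and the OU SACLs, Get-WinEvent returns nothing and the loop silently reports a clean bill of health, so verify the policy with `auditpol /get /category:*` before trusting it; and a polling loop on a single DC is only near real-time and only sees that DC's log, so in production forward the Security logs from every DC (Windows Event Forwarding or your SIEM agent) and run the same event ID and group name filter there, which also catches an attacker who makes the change on whichever DC you are not watching.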
See the attached articles and, if you really want the inside scoop, check out the excellent companion article at ADSECURITY.ORG for more on this topic.
SOME EXCELLENT REFERENCES on AD GROUP and OU monitoring, not for the faint of heart...
Microsoft Guidance