id: 8d69a665-074a-443b-aae6-5dd9bdd5cfb1
name: User Account added to Built in Domain Local or Global Group
description: |
'User account was added to a privileged built-in domain local or global group, such as Enterprise Admins, Cert Publishers or DnsAdmins.
Be sure to verify this is an expected addition.'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1098
- T1078
query: |
let timeframe = 10d;
// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$";
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where AccountType == "User"
// 4728 - A member was added to a security-enabled global group
// 4732 - A member was added to a security-enabled local group
// 4756 - A member was added to a security-enabled universal group
| where EventID in ("4728", "4732", "4756")
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
// Exclude Remote Desktop Users group: S-1-5-32-555
| where TargetSid !in ("S-1-5-32-555")
| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid
| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName