Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

36 lines (36 sloc) 1.69 KB
// Name: User Account added to Built in Domain Local or Global Group
// Description: User account was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins
// Be sure to verify this is an expected addition
//
// Id: a35f2c18-1b97-458f-ad26-e033af18eb99
//
// Severity: Low
//
// QueryFrequency: 1h
//
// QueryPeriod: 1h
//
// AlertTriggerOperator: gt
//
// AlertTriggerThreshold: 0
//
// DataSource: #SecurityEvent
//
// Tactics: #Persistence, #Discovery, #LateralMovement, #Collection, #PrivilegeEscalation
//
let timeframe = 1h;
// For AD SID mappings - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]";
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103";
SecurityEvent
| where TimeGenerated > ago(timeframe)
// When MemberName contains '-' this indicates addition of a group to a group
| where AccountType == "User" and MemberName != "-"
// 4728 - A member was added to a security-enabled global group
// 4732 - A member was added to a security-enabled local group
// 4756 - A member was added to a security-enabled universal group
| where EventID in ("4728", "4732", "4756")
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
// Exclude Remote Desktop Users group: S-1-5-32-555
| where TargetSid !in ("S-1-5-32-555")
| project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid
You can’t perform that action at this time.