detection.wiki

Detection rules › Sigma

Medium risk Active Directory group membership change

Status
experimental
Severity
medium
Log source
product windows, service security
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where a suspicious group membership is changed.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1098 Account Manipulation

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4728A member was added to a security-enabled global group.
Security-AuditingEvent ID 4756A member was added to a security-enabled universal group.

Rule body yaml

title: Medium risk Active Directory group membership change
description: Detects scenarios where a suspicious group membership is changed.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0003-Persistence/T1098.xxx-Account%20manipulation
- https://ss64.com/nt/syntax-groups.html
- https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers
tags:
- attack.persistence
- attack.t1098
author: mdecrevoisier
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4728 # security global group member added
      - 4756 # universal group member added
      #- 4732 # local and domain local group are covered in another rule
    TargetSid|startswith: 'S-1-5-21-'
    TargetSid|endswith:
      - '-514' # Domain Guests
      - '-517' # Cert Publishers
      - '-520' # Group Policy Creator Owners
  condition: selection
falsepositives:
- Administrator activity
level: medium

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
  EventID:
    - 4728
    - 4756
  TargetSid|startswith: 'S-1-5-21-'
  TargetSid|endswith:
    - '-514'
    - '-517'
    - '-520'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
TargetSidends_with
  • -514
  • -517
  • -520 corpus 2 (sigma 2)
TargetSidstarts_with
  • S-1-5-21- corpus 4 (sigma 4)