Name:Windows AD Privileged Group Modification id:187bf937-c436-4c65-bbcb-7539ffe02da1 version:4 date:2025-01-21 author:Dean Luxton status:experimental type:TTP Description:Detect users added to privileged AD Groups. Data_source:
-Windows Event Log Security 4728
search:`wineventlog_security` EventCode IN (4728) | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name,src_user | lookup admon_groups_def cn as Group_Name OUTPUT category | where category="privileged" | `windows_ad_privileged_group_modification_filter`
how_to_implement:This analytic requires eventCode 4728 to be ingested along with the admon_groups_def lookup being configured to include a list of AD groups along with a category to identify privileged groups. See splunkbase app listed in the references for further details. known_false_positives:None References: -https://splunkbase.splunk.com/app/6853 drilldown_searches:
: tags: analytic_story: - 'Active Directory Privilege Escalation' - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint mitre_attack_id: - 'T1098' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity manual_test:This search uses a lookup provided by Enterprise Security and needs to be manually tested.
