name: Windows AD Privileged Group Modification
id: 187bf937-c436-4c65-bbcb-7539ffe02da1
version: 3
date: '2024-10-17'
author: Dean Luxton
status: experimental
type: TTP
description: Detect users added to privileged AD Groups.
data_source:
- Windows Event Log Security 4728
search: '`wineventlog_security` EventCode IN (4728) | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name,src_user | lookup admon_groups_def cn as Group_Name OUTPUT category | where category="privileged" | `windows_ad_privileged_group_modification_filter`'
how_to_implement: This analytic requires EventCode 4728 to be ingested along with the admon_groups_def lookup being configured to include a list of AD groups along with a category to identify privileged groups. See the Splunkbase app listed in the references for further details.
known_false_positives: None
references:
- https://splunkbase.splunk.com/app/6853
drilldown_searches:
tags:
  analytic_story:
  - Active Directory Privilege Escalation
  - Sneaky Active Directory Persistence Tricks
  asset_type: Endpoint
  confidence: 100
  impact: 50
  message: $user$ was added to privileged AD Group $Group_Name$ by $src_user$
  mitre_attack_id:
  - T1098
  observable:
  - name: user
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 50
  required_fields:
  - EventCode
  - user
  - src_user
  - signature
  - Group_Name
  - dest
  security_domain: identity
  manual_test: This search uses a lookup provided by Enterprise Security and needs to be manually tested.
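The following is an added example, not part of the detection above or of the Splunkbase app: it replays the search's stats/lookup/where logic in plain Python over constructed 4728 events, so the aggregation and the effect of an incomplete lookup can be checked offline. GROUP_CATEGORY is a constructed stand-in for the admon_groups_def lookup, and the sample events and hostnames are made up.

```python
from collections import defaultdict

# Constructed stand-in for the admon_groups_def lookup (cn -> category).
GROUP_CATEGORY = {
    "Domain Admins": "privileged",
    "Enterprise Admins": "privileged",
    "Helpdesk": "standard",
}

SIG = "A member was added to a security-enabled global group"

# Constructed sample events in the shape the search expects after field extraction.
SAMPLE_EVENTS = [
    {"_time": 1729130000, "EventCode": 4728, "signature": SIG, "user": "jdoe",
     "src_user": "svc-admin", "Group_Name": "Domain Admins", "dvc": "dc01"},
    {"_time": 1729130060, "EventCode": 4728, "signature": SIG, "user": "asmith",
     "src_user": "svc-admin", "Group_Name": "Domain Admins", "dvc": "dc01"},
    {"_time": 1729130120, "EventCode": 4728, "signature": SIG, "user": "bjones",
     "src_user": "hd-op", "Group_Name": "Helpdesk", "dvc": "dc02"},
    # 4729 (member removed) is outside EventCode IN (4728) and must be ignored.
    {"_time": 1729130180, "EventCode": 4729, "signature": "removed", "user": "cwhite",
     "src_user": "svc-admin", "Group_Name": "Domain Admins", "dvc": "dc01"},
]

def privileged_group_additions(events, group_category):
    """Filter to 4728, stats by (signature, Group_Name, src_user), join the
    group category, keep only privileged groups. Returns one row per bucket."""
    buckets = defaultdict(lambda: {"_time": None, "users": set(), "dvc": set()})
    for ev in events:
        if ev.get("EventCode") != 4728:
            continue
        b = buckets[(ev["signature"], ev["Group_Name"], ev["src_user"])]
        b["_time"] = ev["_time"] if b["_time"] is None else min(b["_time"], ev["_time"])
        b["users"].add(ev["user"])          # values(user) / dc(user)
        b["dvc"].add(ev["dvc"])             # values(dvc)
    rows = []
    for (signature, group, src_user), b in buckets.items():
        # lookup admon_groups_def cn as Group_Name OUTPUT category: a group
        # missing from the lookup yields None and is silently dropped by the
        # where clause, so an incomplete lookup means missed detections.
        if group_category.get(group) != "privileged":
            continue
        users = sorted(b["users"])
        rows.append({"_time": b["_time"], "signature": signature, "Group_Name": group,
                     "src_user": src_user, "usercount": len(users), "user": users,
                     "dvc": sorted(b["dvc"]),
                     "message": f"{', '.join(users)} was added to privileged AD Group {group} by {src_user}"})
    return rows

if __name__ == "__main__":
    for row in privileged_group_additions(SAMPLE_EVENTS, GROUP_CATEGORY):
        print(row["message"])
```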