Active Directory Group Modification by SYSTEM

Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/06/26"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
13that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
14vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Active Directory Group Modification by SYSTEM"
21risk_score = 47
22rule_id = "6f024bde-7085-489b-8250-5957efdf1caf"
23severity = "medium"
24tags = [
25    "Domain: Endpoint",
26    "OS: Windows",
27    "Use Case: Threat Detection",
28    "Tactic: Persistence",
29    "Use Case: Active Directory Monitoring",
30    "Data Source: Active Directory",
31    "Data Source: System",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37iam where winlog.api == "wineventlog" and event.code == "4728" and
38winlog.event_data.SubjectUserSid : "S-1-5-18" and
39
40/* DOMAIN_USERS and local groups */
41not group.id : "S-1-5-21-*-513"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1098"
49name = "Account Manipulation"
50reference = "https://attack.mitre.org/techniques/T1098/"
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1098"
62name = "Account Manipulation"
63reference = "https://attack.mitre.org/techniques/T1098/"
64
65
66[rule.threat.tactic]
67id = "TA0004"
68name = "Privilege Escalation"
69reference = "https://attack.mitre.org/tactics/TA0004/"

Related rules

to-top