Standard User In High Privileged Group
Detects logons by standard users (accounts under an S-1-5-21-... domain or machine SID) whose token lists membership in a highly privileged group such as the Administrators group.
Sigma rule

title: Standard User In High Privileged Group
id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
status: test
description: Detect standard users login that are part of high privileged groups such as the Administrator group
references:
    - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
    - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
author: frack113
date: 2023/01/13
modified: 2023/05/05
tags:
    - attack.credential_access
    - attack.privilege_escalation
logsource:
    product: windows
    service: lsa-server
    definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
detection:
    selection:
        EventID: 300
        TargetUserSid|startswith: 'S-1-5-21-' # Standard user
        SidList|contains:
            - 'S-1-5-32-544' # Local admin
            - '-500}' # Domain admin
            - '-518}' # Schema admin
            - '-519}' # Enterprise admin
    filter_main_admin:
        TargetUserSid|endswith:
            - '-500' # Domain admin
            - '-518' # Schema admin
            - '-519' # Enterprise admin
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Standard domain users who are part of the administrator group.
      These users shouldn't have these rights. But in the case where it's necessary, they should be filtered out using the "TargetUserName" field
level: medium
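To show how the selection and the filter_main_admin exclusion combine on real-looking data, here is an added example (not part of the Sigma rule or the Sigma project) that re-implements the rule's logic in plain Python and runs it over a few constructed LSA event 300 records. Field names (EventID, TargetUserSid, SidList, TargetUserName) follow the rule; the domain SID and user names are made up, and the optional allowlist argument is an assumption that models the TargetUserName tuning the falsepositives note recommends.

```python
# Added example: plain-Python matcher for the "Standard User In High Privileged
# Group" Sigma logic, run over constructed LSA event 300 records.
# Not part of the Sigma project; sample SIDs and names are invented.
from typing import Collection, Iterable, List, Mapping

# Same values the Sigma rule inspects.
STANDARD_USER_SID_PREFIX = "S-1-5-21-"   # domain and local machine accounts
PRIVILEGED_SID_FRAGMENTS = (
    "S-1-5-32-544",   # BUILTIN\Administrators
    "-500}",          # RID 500: built-in Administrator account
    "-518}",          # RID 518: Schema Admins
    "-519}",          # RID 519: Enterprise Admins
)
WELL_KNOWN_ADMIN_RID_SUFFIXES = ("-500", "-518", "-519")


def matches_rule(event: Mapping[str, object]) -> bool:
    """True when the event satisfies `selection and not 1 of filter_main_*`."""
    if event.get("EventID") != 300:
        return False
    target_sid = str(event.get("TargetUserSid", ""))
    sid_list = str(event.get("SidList", ""))

    # selection: an S-1-5-21-... account whose token SID list names a privileged group.
    selection = target_sid.startswith(STANDARD_USER_SID_PREFIX) and any(
        fragment in sid_list for fragment in PRIVILEGED_SID_FRAGMENTS
    )
    # filter_main_admin: the well-known admin accounts themselves are expected to be privileged.
    filter_main_admin = target_sid.endswith(WELL_KNOWN_ADMIN_RID_SUFFIXES)
    return selection and not filter_main_admin


def alert_users(events: Iterable[Mapping[str, object]],
                allowlist: Collection[str] = frozenset()) -> List[str]:
    """TargetUserName of each alerting event, minus an optional allowlist
    (hypothetical tuning knob modelling the rule's falsepositives advice)."""
    return [
        str(e["TargetUserName"])
        for e in events
        if matches_rule(e) and str(e["TargetUserName"]) not in allowlist
    ]


# Constructed sample data. SidList is rendered as the rule expects: each SID in braces.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # made-up domain SID

SAMPLE_EVENTS = [
    # 1. Standard domain user whose token carries BUILTIN\Administrators -> alert
    {"EventID": 300, "TargetUserName": "jdoe",
     "TargetUserSid": f"{DOMAIN}-1105",
     "SidList": f"{{{DOMAIN}-1105}}{{S-1-5-32-544}}{{S-1-5-32-545}}"},
    # 2. Built-in Administrator (RID 500) -> matched by selection, removed by filter_main_admin
    {"EventID": 300, "TargetUserName": "Administrator",
     "TargetUserSid": f"{DOMAIN}-500",
     "SidList": f"{{{DOMAIN}-500}}{{S-1-5-32-544}}"},
    # 3. Standard user with only Domain Users (RID 513) and BUILTIN\Users -> no alert
    {"EventID": 300, "TargetUserName": "svc_backup",
     "TargetUserSid": f"{DOMAIN}-1203",
     "SidList": f"{{{DOMAIN}-1203}}{{{DOMAIN}-513}}{{S-1-5-32-545}}"},
    # 4. LocalSystem is not an S-1-5-21 account, so the prefix test excludes it
    {"EventID": 300, "TargetUserName": "SYSTEM",
     "TargetUserSid": "S-1-5-18",
     "SidList": "{S-1-5-18}{S-1-5-32-544}"},
    # 5. Standard user holding Enterprise Admins (RID 519) -> alert;
    #    RID 1500 does not end in "-500", so the filter does not swallow it
    {"EventID": 300, "TargetUserName": "eve",
     "TargetUserSid": f"{DOMAIN}-1500",
     "SidList": f"{{{DOMAIN}-1500}}{{{DOMAIN}-519}}{{{DOMAIN}-513}}"},
    # 6. Another event ID from the same provider -> ignored
    {"EventID": 301, "TargetUserName": "jdoe",
     "TargetUserSid": f"{DOMAIN}-1105",
     "SidList": f"{{{DOMAIN}-1105}}{{S-1-5-32-544}}"},
]


if __name__ == "__main__":
    print("alerts:", alert_users(SAMPLE_EVENTS))                      # ['jdoe', 'eve']
    print("after allowlisting jdoe:", alert_users(SAMPLE_EVENTS, {"jdoe"}))  # ['eve']
```

Two properties of the rule are visible in the samples. The `'-500}'`, `'-518}'` and `'-519}'` fragments only work because SidList renders every SID inside braces; a collector that strips them would lose the RID-based matches while the `S-1-5-32-544` match would still hold. And because the `S-1-5-21-` prefix covers local machine accounts as well as domain accounts, a local standard user placed in the local Administrators group alerts too, which is usually desirable but worth knowing when tuning with TargetUserName.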
Related rules
- Suspicious NTLM Authentication on the Printer Spooler Service
- Suspicious SYSTEM User Process Creation
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Cisco BGP Authentication Failures