Standard User In High Privileged Group

Detect standard users login that are part of high privileged groups such as the Administrator group

Sigma rule (View on GitHub)

 1title: Standard User In High Privileged Group
 2id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
 3status: experimental
 4description: Detect standard users login that are part of high privileged groups such as the Administrator group
 5references:
 6    - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
 7    - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
 8    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
 9author: frack113
10date: 2023/01/13
11modified: 2023/05/05
12tags:
13    - attack.credential_access
14    - attack.privilege_escalation
15logsource:
16    product: windows
17    service: lsa-server
18    definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
19detection:
20    selection:
21        EventID: 300
22        TargetUserSid|startswith: 'S-1-5-21-' # Standard user
23        SidList|contains:
24            - 'S-1-5-32-544'    # Local admin
25            - '-500}'           # Domain admin
26            - '-518}'           # Schema admin
27            - '-519}'           # Enterprise admin
28    filter_main_admin:
29        TargetUserSid|endswith:
30            - '-500'           # Domain admin
31            - '-518'           # Schema admin
32            - '-519'           # Enterprise admin
33    condition: selection and not 1 of filter_main_*
34falsepositives:
35    - Standard domain users who are part of the administrator group.
36      These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field
37level: medium

References

Related rules

to-top