Standard User In High Privileged Group

 1title: Standard User In High Privileged Group
 2id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
 3status: test
 4description: Detect standard users login that are part of high privileged groups such as the Administrator group
 5references:
 6    - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
 7    - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
 8    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
 9author: frack113
10date: 2023/01/13
11modified: 2023/05/05
12tags:
13    - attack.credential_access
14    - attack.privilege_escalation
15logsource:
16    product: windows
17    service: lsa-server
18    definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
19detection:
20    selection:
21        EventID: 300
22        TargetUserSid|startswith: 'S-1-5-21-' # Standard user
23        SidList|contains:
24            - 'S-1-5-32-544'    # Local admin
25            - '-500}'           # Domain admin
26            - '-518}'           # Schema admin
27            - '-519}'           # Enterprise admin
28    filter_main_admin:
29        TargetUserSid|endswith:
30            - '-500'           # Domain admin
31            - '-518'           # Schema admin
32            - '-519'           # Enterprise admin
33    condition: selection and not 1 of filter_main_*
34falsepositives:
35    - Standard domain users who are part of the administrator group.
36      These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field
37level: medium

References

• Security identifiers

  

  This article discusses security identifiers (SIDs) for Windows Server accounts and groups and unique identifiers.

  
  Read More

• Configure added LSA protection

  

  Learn how to configure added protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

  
  Read More

• EVTX-ETW-Resources/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml at 7a806a148b3d9d381193d4a80356016e6e8b1ee8 · nasbench/EVTX-ETW-Resources

  

  Event Tracing For Windows (ETW) Resources. Contribute to nasbench/EVTX-ETW-Resources development by creating an account on GitHub.

  
  Read More

Related rules

• Suspicious NTLM Authentication on the Printer Spooler Service
• Suspicious SYSTEM User Process Creation
• HackTool - WinPwn Execution
• HackTool - WinPwn Execution - ScriptBlock
• Cisco BGP Authentication Failures