Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Sigma rule

```yaml
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Remove-ADGroupMember'
            - '-Identity '
            - '-Members '
    condition: selection
falsepositives:
    - Unknown
level: medium
```
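The rule's `contains|all` selection evaluated against a few constructed Script Block Logging (Event ID 4104) records, as an added example that is not part of the Sigma rule or the Sigma project; the event shapes, host names and script text are all constructed, and the matching treats Sigma string values as case-insensitive substrings, as the Sigma specification does.

```python
"""Evaluate the Sigma selection above on constructed PowerShell 4104 records."""

# Sigma 'contains|all' on string values: every listed value must occur as a
# case-insensitive substring. Note the trailing spaces in the rule's patterns.
PATTERNS = ["Remove-ADGroupMember", "-Identity ", "-Members "]


def matches_rule(script_block_text: str) -> bool:
    """True when every pattern occurs (case-insensitively) in the script block."""
    haystack = script_block_text.lower()
    return all(p.lower() in haystack for p in PATTERNS)


# Constructed sample records shaped like the ScriptBlockText field of 4104 events.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "DC01.example.local",
     "ScriptBlockText": 'Remove-ADGroupMember -Identity "Domain Admins" -Members jdoe -Confirm:$false'},
    {"EventID": 4104, "Computer": "WS07.example.local",
     "ScriptBlockText": 'Get-ADGroupMember -Identity "Domain Admins" | Select-Object Name'},
    {"EventID": 4104, "Computer": "DC01.example.local",
     "ScriptBlockText": 'remove-adgroupmember -identity "Domain Admins" -members svc_backup'},
    # Coverage gap worth knowing when tuning: parameters written with ':' have no
    # trailing space, so '-Identity ' and '-Members ' do not match this form.
    {"EventID": 4104, "Computer": "DC01.example.local",
     "ScriptBlockText": 'Remove-ADGroupMember -Identity:"Domain Admins" -Members:jdoe'},
]


def alerts(events):
    """Return (Computer, ScriptBlockText) pairs for 4104 events that fire the rule."""
    return [(e["Computer"], e["ScriptBlockText"])
            for e in events
            if e.get("EventID") == 4104 and matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for computer, text in alerts(SAMPLE_EVENTS):
        print(f"ALERT [{computer}]: {text}")
```

The third record fires only because the match is case-insensitive; the fourth shows why the trailing spaces in the rule's values are a tuning decision, not an accident.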
Related rules
- AWS ElastiCache Security Group Modified or Deleted
- Azure Kubernetes Service Account Modified or Deleted
- Google Cloud Service Account Disabled or Deleted
- Group Has Been Deleted Via Groupdel
- Okta User Account Locked Out