Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Sigma rule

```yaml
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
  Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
  Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021/12/26
tags:
  - attack.impact
  - attack.t1531
logsource:
  product: windows
  category: ps_script
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection:
    ScriptBlockText|contains|all:
      - 'Remove-ADGroupMember'
      - '-Identity '
      - '-Members '
  condition: selection
falsepositives:
  - Unknown
level: medium
```
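As an added example (not code from the Sigma rule or the Sigma project), the following Python implements the rule's `ScriptBlockText|contains|all` selection and runs it over a few constructed PowerShell script block events, so you can see which script blocks the rule fires on. The event dictionaries, their `RecordId` values and the script text are all made up for this illustration; the matcher follows Sigma's default case-insensitive string comparison.

```python
"""Evaluate the Sigma selection above against sample script block events."""
from typing import Dict, List

# The rule's selection, transcribed from the YAML: "field|modifiers" -> values.
SELECTION: Dict[str, List[str]] = {
    "ScriptBlockText|contains|all": [
        "Remove-ADGroupMember",
        "-Identity ",
        "-Members ",
    ]
}


def field_matches(event: Dict[str, str], key: str, values: List[str]) -> bool:
    """Apply one Sigma field test (supports the contains and all modifiers)."""
    field, *modifiers = key.split("|")
    # Sigma string matching is case-insensitive by default.
    haystack = str(event.get(field, "")).lower()
    if "contains" in modifiers:
        hits = [v.lower() in haystack for v in values]
    else:
        hits = [haystack == v.lower() for v in values]
    # 'all' requires every listed value; otherwise any single value matches.
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    """A selection is an AND over all of its field tests."""
    return all(field_matches(event, key, vals) for key, vals in selection.items())


def find_alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the RecordIds of events on which the rule would fire."""
    return [int(e["RecordId"]) for e in events if selection_matches(e, SELECTION)]


# Constructed sample events shaped like PowerShell script block log records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Named parameters exactly as the rule expects: fires.
    {"RecordId": "1", "ScriptBlockText":
        'Remove-ADGroupMember -Identity "Domain Admins" -Members jdoe -Confirm:$false'},
    # Read-only enumeration of the group: does not fire.
    {"RecordId": "2", "ScriptBlockText":
        'Get-ADGroupMember -Identity "Domain Admins"'},
    # Different casing of the same command: still fires (case-insensitive).
    {"RecordId": "3", "ScriptBlockText":
        'remove-adgroupmember -identity "Domain Admins" -members jdoe'},
    # Group passed positionally, so the literal "-Identity " never appears:
    # the rule as written does not fire here, a coverage gap worth knowing about.
    {"RecordId": "4", "ScriptBlockText":
        'Get-ADUser jdoe | ForEach-Object { Remove-ADGroupMember "Domain Admins" -Members $_ }'},
]


if __name__ == "__main__":
    print("Alerting RecordIds:", find_alerts(SAMPLE_EVENTS))
```

Event 4 shows why the rule's `falsepositives` and coverage should be reviewed in your own environment: the selection keys on the literal parameter names, so a removal that names the group positionally is not matched by this rule alone.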
Related rules
- Okta User Account Locked Out
- Replace Desktop Wallpaper by Powershell
- Suspicious Creation TXT File in User Desktop
- Cisco Denial of Service
- Cisco File Deletion