User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
Sigma rule (View on GitHub)
1title: User Added to Local Administrators Group
2id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
3related:
4 - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
5 type: similar
6 - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
7 type: similar
8status: test
9description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
10references:
11 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
12author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
13date: 2022-08-12
14modified: 2023-03-02
15tags:
16 - attack.privilege-escalation
17 - attack.persistence
18 - attack.t1098
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_main:
24 - CommandLine|contains|all:
25 # net.exe
26 - 'localgroup '
27 - ' /add'
28 - CommandLine|contains|all:
29 # powershell.exe
30 - 'Add-LocalGroupMember '
31 - ' -Group '
32 selection_group:
33 CommandLine|contains:
34 - ' administrators '
35 - ' administrateur' # Typo without an 'S' so we catch both
36 condition: all of selection_*
37falsepositives:
38 - Administrative activity
39level: medium
References
-
Update History Aug. 10, 2022 Adding clarifying details on activity involving active directory. Aug. 10, 2022 Update made to the Cisco Response and Recommendations section related to MFA.
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys