User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
Sigma rule (View on GitHub)
1title: User Added to Local Administrators Group
2id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
3related:
4 - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
5 type: similar
6 - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
7 type: similar
8status: test
9description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
10references:
11 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
12author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
13date: 2022-08-12
14modified: 2023-03-02
15tags:
16 - attack.persistence
17 - attack.t1098
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_main:
23 - CommandLine|contains|all:
24 # net.exe
25 - 'localgroup '
26 - ' /add'
27 - CommandLine|contains|all:
28 # powershell.exe
29 - 'Add-LocalGroupMember '
30 - ' -Group '
31 selection_group:
32 CommandLine|contains:
33 - ' administrators '
34 - ' administrateur' # Typo without an 'S' so we catch both
35 condition: all of selection_*
36falsepositives:
37 - Administrative activity
38level: medium
References
-
Update History Aug. 10, 2022 Adding clarifying details on activity involving active directory. Aug. 10, 2022 Update made to the Cisco Response and Recommendations section related to MFA.
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys