User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
Sigma rule
title: User Added to Local Administrators Group
id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
related:
    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-03-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              # net.exe
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              # powershell.exe
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - ' administrators '
            - ' administrateur' # Typo without an 'S' so we catch both
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
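As an added example (not code from the Sigma project or the rule's authors), the Python below re-implements this rule's detection logic by hand and runs it over a few constructed process-creation events. It mirrors the three pieces of the rule: the two `contains|all` maps under selection_main (which Sigma ORs together because they form a list), the `contains` list under selection_group (ORed), and the `all of selection_*` condition (AND). Sigma string matching is case-insensitive by default, so both sides are lowercased; the sample command lines and image paths are invented for the demonstration.

```python
# Hand-written evaluator for the "User Added to Local Administrators Group"
# rule. Added example; not the Sigma project's own code. The sample events
# below are constructed, not real telemetry.

NET_TERMS = ("localgroup ", " /add")                  # selection_main, net.exe variant
PS_TERMS = ("add-localgroupmember ", " -group ")      # selection_main, PowerShell variant
GROUP_TERMS = (" administrators ", " administrateur")  # selection_group (FR prefix without 's')


def contains_all(cmdline: str, terms) -> bool:
    """Sigma `contains|all`: every term must appear (case-insensitive)."""
    low = cmdline.lower()
    return all(t in low for t in terms)


def contains_any(cmdline: str, terms) -> bool:
    """Sigma `contains` with a list of values: any one term suffices."""
    low = cmdline.lower()
    return any(t in low for t in terms)


def selection_main(cmdline: str) -> bool:
    # A list of maps under one selection is ORed in Sigma.
    return contains_all(cmdline, NET_TERMS) or contains_all(cmdline, PS_TERMS)


def selection_group(cmdline: str) -> bool:
    return contains_any(cmdline, GROUP_TERMS)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    cmd = event.get("CommandLine", "")
    return selection_main(cmd) and selection_group(cmd)


# Constructed sample process_creation events (hypothetical paths and accounts).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators backupsvc /add"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Add-LocalGroupMember -Group Administrators -Member helpdesk"'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" jdoe /add'},   # other group: no match
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators"},                     # enumeration only: no match
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrateurs svc_backup /add"},    # French locale: match
]


def evaluate(events):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the script reports the first, second and fifth sample command lines and ignores the Remote Desktop Users addition (covered by the related rule ffa28e60-…) and the bare enumeration, which shows why the rule insists on both a group token and the `/add` or `-Group` token rather than on `localgroup` alone.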
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys