User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
Sigma rule
title: User Added To Highly Privileged Group
id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
related:
    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
      type: similar
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
status: test
description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              # net.exe
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              # powershell.exe
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Group Policy Creator Owners'
            - 'Schema Admins'
    condition: all of selection_*
falsepositives:
    - Administrative activity that must be investigated
level: high
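To see how the two selections combine, the following added example (not part of the Sigma project or this rule's author) re-implements the detection logic in Python and runs it over constructed process_creation events: selection_main is a list, so its two `contains|all` maps are OR-ed, and `all of selection_*` then requires the privileged group name as well. Sigma `contains` is case-insensitive by default, which the helpers reproduce.

```python
"""Evaluate the 'User Added To Highly Privileged Group' Sigma logic over sample
process_creation events. Added example, not part of the Sigma project."""

# Sigma 'contains' is case-insensitive by default, so compare lowercased strings.
SELECTION_MAIN = [
    # net.exe: CommandLine|contains|all
    ["localgroup ", " /add"],
    # powershell.exe: CommandLine|contains|all
    ["Add-LocalGroupMember ", " -Group "],
]
SELECTION_GROUP = ["Group Policy Creator Owners", "Schema Admins"]


def contains_all(value, needles):
    """contains|all: every substring must appear in the field."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def contains_any(value, needles):
    """contains with a list of values: any one substring suffices."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_matches(event):
    """condition: all of selection_*; selection_main's two maps are OR-ed."""
    cmd = event.get("CommandLine", "")
    selection_main = any(contains_all(cmd, needles) for needles in SELECTION_MAIN)
    selection_group = contains_any(cmd, SELECTION_GROUP)
    return selection_main and selection_group


# Constructed sample process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"CommandLine": 'net localgroup "Schema Admins" CORP\\svc-backup /add'},
    {"CommandLine": 'powershell Add-LocalGroupMember -Group "Group Policy Creator Owners" -Member jdoe'},
    # Admin groups are covered by the related rule, not this one: no match
    {"CommandLine": "net localgroup Administrators jdoe /add"},
    # Enumeration only, no /add: no match
    {"CommandLine": 'net localgroup "Schema Admins"'},
]


def matching_command_lines(events):
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for line in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```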
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys