User Added To Highly Privileged Group

Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".

Sigma rule

title: User Added To Highly Privileged Group
id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
related:
    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
      type: similar
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
status: test
description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              # net.exe
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              # powershell.exe
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Group Policy Creator Owners'
            - 'Schema Admins'
    condition: all of selection_*
falsepositives:
    - Administrative activity that must be investigated
level: high
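To make the condition concrete, here is an added Python sketch (not part of the Sigma project or of this rule) that re-implements the rule's `contains` / `contains|all` matching, case-insensitively as Sigma's default string matching is, and runs it over a handful of constructed process_creation command lines.

```python
# Added example: re-implements the matching logic of the Sigma rule above so
# the two selections can be exercised against constructed command lines.
# Not part of Sigma or of the rule itself.

# selection_main is a list of two maps, i.e. net.exe pattern OR PowerShell
# pattern; each map's substrings must all be present (contains|all).
SELECTION_MAIN = [
    ["localgroup ", " /add"],                # net.exe
    ["Add-LocalGroupMember ", " -Group "],   # powershell.exe
]

# selection_group: any one of these substrings (contains).
SELECTION_GROUP = ["Group Policy Creator Owners", "Schema Admins"]


def _contains_all(haystack: str, needles: list[str]) -> bool:
    return all(n.lower() in haystack for n in needles)


def _contains_any(haystack: str, needles: list[str]) -> bool:
    return any(n.lower() in haystack for n in needles)


def matches_rule(command_line: str) -> bool:
    """condition: all of selection_* -> both selections must hit."""
    cl = command_line.lower()  # Sigma matching is case-insensitive by default
    main_hit = any(_contains_all(cl, group) for group in SELECTION_MAIN)
    return main_hit and _contains_any(cl, SELECTION_GROUP)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    'net localgroup "Schema Admins" jdoe /add',
    'powershell -c Add-LocalGroupMember -Group "Group Policy Creator Owners" -Member svc01',
    'net localgroup Administrators jdoe /add',   # not in selection_group; see related "Admin groups" rule
    'net localgroup "Schema Admins"',             # enumeration only, no /add
    'Add-LocalGroupMember -Group "Schema Admins" -Member x',
]


def evaluate(events: list[str]) -> list[str]:
    """Return the command lines from `events` that trigger the rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the third sample shows the rule's scope: adding to Administrators is left to the related rule, so this one only fires on the two groups listed in selection_group.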
