User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Sigma rule
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.lateral-movement
    - attack.t1133
    - attack.t1136.001
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high
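The following is an added example, not part of the rule or of the Sigma project: it re-implements the rule's two selections and its `all of selection_*` condition in Python and runs them over constructed process-creation command lines, so you can see which variants fire and which do not (enumeration without `/add`, a different group). It assumes Sigma's default case-insensitive `contains` matching on the `CommandLine` field.

```python
# Re-implementation of the rule's detection block for testing, not Sigma's
# own engine. Sigma string modifiers match case-insensitively by default.
GROUP_NAMES = (
    "Remote Desktop Users",
    "Utilisateurs du Bureau à distance",  # French
    "Usuarios de escritorio remoto",      # Spanish
)


def _contains_all(cmdline: str, needles) -> bool:
    """CommandLine|contains|all: every needle must appear (case-insensitive)."""
    lowered = cmdline.lower()
    return all(n.lower() in lowered for n in needles)


def matches_selection_main(cmdline: str) -> bool:
    """selection_main is a list, so it is an OR of the two |contains|all maps."""
    net_form = _contains_all(cmdline, ("localgroup ", " /add"))
    ps_form = _contains_all(cmdline, ("Add-LocalGroupMember ", " -Group "))
    return net_form or ps_form


def matches_selection_group(cmdline: str) -> bool:
    """selection_group: CommandLine contains any of the localized group names."""
    lowered = cmdline.lower()
    return any(g.lower() in lowered for g in GROUP_NAMES)


def rule_matches(cmdline: str) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return matches_selection_main(cmdline) and matches_selection_group(cmdline)


# Constructed sample command lines (not real telemetry) with the expected verdict.
SAMPLE_EVENTS = [
    ('net localgroup "Remote Desktop Users" backupsvc /add', True),
    ('NET LOCALGROUP "Remote Desktop Users" /add jdoe', True),          # case-insensitive
    ('powershell Add-LocalGroupMember -Group "Remote Desktop Users" -Member jdoe', True),
    ('net localgroup "Utilisateurs du Bureau à distance" jdoe /add', True),
    ('net localgroup "Remote Desktop Users"', False),                  # enumeration only
    ('net localgroup Administrators jdoe /add', False),                # other group, see related rules
]


def evaluate(events=SAMPLE_EVENTS):
    """Return [(cmdline, matched)] so results can be checked, not just printed."""
    return [(cmd, rule_matches(cmd)) for cmd, _expected in events]


if __name__ == "__main__":
    for cmd, matched in evaluate():
        print(f"{'ALERT ' if matched else 'ignore'}  {cmd}")
```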