User Added to Remote Desktop Users Group

Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".

Sigma rule

title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021/12/06
modified: 2022/09/09
tags:
    - attack.persistence
    - attack.lateral_movement
    - attack.t1133
    - attack.t1136.001
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high
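The rule's two selections joined by "all of selection_*", replayed over a few constructed process-creation events so the match logic can be checked offline. This is an added example, not part of the SigmaHQ rule or of any Sigma backend; the event dictionaries are constructed and assume a process_creation log that exposes a CommandLine field.

```python
# Sigma's "contains" modifier is case-insensitive on the usual backends,
# so every comparison below is done on lower-cased text.
NET_ADD = ("localgroup ", " /add")                    # net/net1 localgroup ... /add
PS_ADD = ("add-localgroupmember ", " -group ")        # Add-LocalGroupMember -Group ...
GROUP_NAMES = (
    "remote desktop users",
    "utilisateurs du bureau à distance",               # French
    "usuarios de escritorio remoto",                   # Spanish
)

def matches_rule(command_line: str) -> bool:
    """Return True when a single CommandLine satisfies 'all of selection_*'."""
    cl = command_line.lower()
    # selection_main: either contains|all list may match (list items are OR'ed)
    selection_main = all(t in cl for t in NET_ADD) or all(t in cl for t in PS_ADD)
    # selection_group: any one of the localized group names
    selection_group = any(g in cl for g in GROUP_NAMES)
    return selection_main and selection_group

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" svc_backup /add'},
    {"Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": 'net1 localgroup "Utilisateurs du Bureau à distance" helpdesk /add'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Add-LocalGroupMember -Group 'Remote Desktop Users' -Member contractor"},
    # Same verb against another group: selection_group fails, no alert.
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net localgroup Administrators jdoe /add"},
    # Enumeration only: no ' /add' and no 'Add-LocalGroupMember ', no alert.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Get-LocalGroupMember -Group 'Remote Desktop Users'"},
]

def run_detection(events):
    """Apply the rule to each event and return the matching command lines."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT: User Added to Remote Desktop Users Group ::", hit)
```

Running the block alerts on the first three events and stays silent on the Administrators change and the Get-LocalGroupMember enumeration, which is the split the rule's condition is built to make.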
