Remove Account From Domain Admin Group

Sigma Rules

Summary
This rule detects the removal of accounts from the Domain Admins group, an action an adversary can use to lock legitimate administrators out of the domain (ATT&CK T1531, Account Access Removal). It works on PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) and fires when a logged script block invokes the Remove-ADGroupMember cmdlet together with the parameters that name the target group (Domain Admins) and the members being removed. Membership changes to a group this privileged should be rare, tightly controlled and logged, so every hit warrants a check of who ran the command, from which host, and whether a matching change request exists. Removals performed by legitimate administrators match as well, so the rule is a prompt for investigation rather than a verdict on its own, and Script Block Logging must be enabled on the endpoints or the rule has no data to inspect.
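The following is an added example, not the Sigma rule's own selection strings or any code from the rule author: it approximates the logic described above (cmdlet name plus the group-identity and members parameters, applied to 4104 script block text) and runs it over a handful of constructed event records so the match and non-match cases can be seen side by side. The field names EventID and ScriptBlockText are assumed to mirror the 4104 event; the sample payloads are invented for illustration.

```python
import re

# Constructed sample records shaped like Microsoft-Windows-PowerShell/Operational
# 4104 events (ScriptBlockText is the logged script block). These are not real captures.
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": 'Remove-ADGroupMember -Identity "Domain Admins" -Members jdoe -Confirm:$false'},
    {"EventID": 4104,
     "ScriptBlockText": "Add-ADGroupMember -Identity 'Domain Admins' -Members svc_backup"},
    {"EventID": 4104,
     "ScriptBlockText": 'remove-adgroupmember -identity "Domain Admins" -members @("alice","bob")'},
    {"EventID": 4104,
     "ScriptBlockText": 'Remove-ADGroupMember -Identity "Helpdesk" -Members jdoe'},
    {"EventID": 4103,   # pipeline execution event, not a script block: out of scope
     "ScriptBlockText": 'Remove-ADGroupMember -Identity "Domain Admins" -Members jdoe'},
]

# Approximation of the rule's selection: all three conditions must hold.
# PowerShell cmdlet and parameter names are case-insensitive, so the patterns are too.
CMDLET = re.compile(r"\bRemove-ADGroupMember\b", re.IGNORECASE)
GROUP = re.compile(r"-Identity\s+['\"]?Domain Admins['\"]?", re.IGNORECASE)
MEMBERS = re.compile(r"-Members\b", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """Return True when a 4104 script block removes members from Domain Admins."""
    if event.get("EventID") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    return bool(CMDLET.search(text) and GROUP.search(text) and MEMBERS.search(text))


def run_detection(events: list) -> list:
    """Apply the rule to a batch of events and return the matching script blocks."""
    return [e["ScriptBlockText"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two of the five constructed records match: the quoted-identity form and the lower-case form with an array of members. Note the limitation of any literal-string selection on this cmdlet: PowerShell binds unambiguous parameter prefixes, so `Remove-ADGroupMember -Id "Domain Admins" -Mem jdoe` is a valid, equivalent command that the patterns above (and a rule keyed on the full parameter names) will not match. Tuning the selection to tolerate prefixes, or pairing this rule with directory-side auditing of group membership changes, closes that gap.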
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
ATT&CK Techniques
  • T1531
Created: 2021-12-26