User Added To Highly Privileged Group

Sigma Rules

Summary
This detection rule identifies when a user is added to a highly privileged group in a Windows environment through the 'localgroup' command or the 'Add-LocalGroupMember' PowerShell cmdlet. It monitors process creation events and inspects the command line for two patterns: a 'localgroup' invocation combined with the '/add' parameter, and a call to 'Add-LocalGroupMember' that adds a user to a specified group. The rule then restricts matches to additions that name highly sensitive groups such as 'Group Policy Creator Owners' or 'Schema Admins', both of which are critical to the security and configuration of the environment. Detecting such additions matters because they can indicate unauthorized privilege elevation, whether from malicious intent or post-exploitation activity. Every match must be investigated: the action may be legitimate administrative work, but it may equally signify a compromise. The rule is assigned a high reliability level because of the serious consequences of unauthorized membership in privileged groups.
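The selection logic described above, as an added Python example (not the rule's own Sigma YAML) run over a handful of constructed process-creation events; it assumes case-insensitive substring matching and uses only the two group names the summary lists, so the real rule may cover more groups:

```python
"""Re-implementation of the described detection logic, for illustration only.
Assumptions: case-insensitive substring matching; only the two groups named on
the page; the sample events below are constructed, not real telemetry."""
from dataclasses import dataclass

# Groups named on the page; extend this tuple to mirror the full rule (assumption).
PRIVILEGED_GROUPS = ("Group Policy Creator Owners", "Schema Admins")


def adds_group_member(cmdline: str) -> bool:
    """Pattern 1: 'localgroup' together with '/add'; pattern 2: Add-LocalGroupMember."""
    c = cmdline.lower()
    net_add = "localgroup" in c and "/add" in c
    ps_add = "add-localgroupmember" in c
    return net_add or ps_add


def targets_privileged_group(cmdline: str) -> bool:
    """True when the command line names one of the sensitive groups."""
    c = cmdline.lower()
    return any(group.lower() in c for group in PRIVILEGED_GROUPS)


def matches_rule(cmdline: str) -> bool:
    """Both selections must hold, mirroring the rule's 'all of' condition."""
    return adds_group_member(cmdline) and targets_privileged_group(cmdline)


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-creation record (image path plus command line)."""
    image: str
    command_line: str


# Constructed sample events: three should alert, two should not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe", 'net localgroup "Schema Admins" CORP\\jdoe /add'),
    ProcessEvent(r"C:\Windows\System32\net1.exe", 'net1 localgroup "Group Policy Creator Owners" svc-backup /add'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c \"Add-LocalGroupMember -Group 'Schema Admins' -Member tmp01\""),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net localgroup Administrators helpdesk /add"),  # group not in the list
    ProcessEvent(r"C:\Windows\System32\net.exe", 'net localgroup "Schema Admins"'),  # enumeration only, no /add
]


def triage(events):
    """Return the command lines the rule would alert on, in event order."""
    return [e.command_line for e in events if matches_rule(e.command_line)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the fourth event adds a user to the local Administrators group and is deliberately not matched, which shows the rule's scope is limited to the groups it lists rather than to privileged groups in general.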
Categories
  • Windows
  • Cloud
  • Infrastructure
Data Sources
  • Process
Created: 2024-02-23