Detection rules › Kusto

Account added and removed from privileged groups

Severity
low
Time window
1d
Group by
AccountAdded_GroupAddedTo_AddingAccount, AccountRemoved_GroupRemovedFrom_RemovingAccount
Author
Microsoft Security Research
Source
github.com/Azure/Azure-Sentinel

Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.

MITRE ATT&CK coverage

Event coverage

Rule body kusto

id: 7efc75ce-e2a4-400f-a8b1-283d3b0f2c60
name: Account added and removed from privileged groups
description: |
  'Identifies accounts that are added to a privileged group and then quickly removed, which could be a sign of compromise.'
severity: Low
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
  - T1078
query: |
  let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
  let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
  let AC_Add =
  (union isfuzzy=true
  (SecurityEvent
  // Event ID related to member addition.
  | where EventID in (4728, 4732,4756)
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
  | parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *
  | where isnotempty(AccountAdded)
  | extend GroupAddedTo = TargetUserName, AddingAccount = Account
  | extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
  | project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated
  ),
  (WindowsEvent
  // Event ID related to member addition.
  | where EventID in (4728, 4732,4756)
  | extend TargetSid = tostring(EventData.TargetSid)
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
  | parse EventData.MemberName with * '"MemberName">' * '=' AccountAdded ",OU" *
  | where isnotempty(AccountAdded)
  | extend TargetUserName = tostring(EventData.TargetUserName)
  | extend AddingAccount =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend GroupAddedTo = TargetUserName
  | extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
  | project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated
  )
  );
  let AC_Remove =
  ( union isfuzzy=true
  (SecurityEvent
  // Event IDs related to member removal.
  | where EventID in (4729,4733,4757)
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
  | parse EventData with * '"MemberName">' * '=' AccountRemoved ",OU" *
  | where isnotempty(AccountRemoved)
  | extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account
  | extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
  | project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
  RemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
  ),
  (WindowsEvent
  // Event IDs related to member removal.
  | where EventID in (4729,4733,4757)
  | extend TargetSid = tostring(EventData.TargetSid)
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
  | parse EventData.MemberName with * '"MemberName">' * '=' AccountRemoved ",OU" *
  | where isnotempty(AccountRemoved)
  | extend TargetUserName = tostring(EventData.TargetUserName)
  | extend RemovingAccount =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend GroupRemovedFrom = TargetUserName
  | extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
  | extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)
  | extend TargetDomainName = tostring(EventData.TargetDomainName)
  | project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
  RemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
  ));
  AC_Add
  | join kind = inner AC_Remove 
  on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount
  | extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)
  | where DurationinSecondAfter_Removed > 0
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend RemovedAccountName = tostring(split(AccountRemoved, @"\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @"\")[0])
  | extend RemovingAccountName = tostring(split(RemovingAccount, @"\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @"\")[0])
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountRemoved
      - identifier: Name
        columnName: RemovedAccountName
      - identifier: NTDomain
        columnName: RemovedAccountNTDomain
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: RemovingAccount
      - identifier: Name
        columnName: RemovingAccountName
      - identifier: NTDomain
        columnName: RemovingAccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
version: 1.1.5
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Others", "Identity" ]

Stages and Predicates

Stage 0: let

let WellKnownLocalSID = "S-1-5-32-5[0-9][0-9]$";
let WellKnownGroupSID = "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$";
let AC_Add = (union <inlined as stages below>;
let AC_Remove =
( union isfuzzy=true
(SecurityEvent
| where EventID in (4729,4733,4757)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData with * '"MemberName">' * '=' AccountRemoved ",OU" *
| where isnotempty(AccountRemoved)
| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account
| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
RemovingAccount, RemovingAccountLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
),
(WindowsEvent
| where EventID in (4729,4733,4757)
| extend TargetSid = tostring(EventData.TargetSid)
| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
| parse EventData.MemberName with * '"MemberName">' * '=' AccountRemoved ",OU" *
| where isnotempty(AccountRemoved)
| extend TargetUserName = tostring(EventData.TargetUserName)
| extend RemovingAccount =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend GroupRemovedFrom = TargetUserName
| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
| extend RemovedAccountLogonId= tostring(EventData.SubjectLogonId)
| extend TargetDomainName = tostring(EventData.TargetDomainName)
| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, AccountRemoved = tolower(AccountRemoved),
RemovingAccount, RemovedAccountLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName
));

Stage 1: source

let AC_Add

Stage 2: source

let AC_Remove

Stage 3: union

union isfuzzy=true

Stage 4: source time_window=86400s

SecurityEvent

Stage 5: where

| where EventID in (4728, 4732,4756)

Stage 6: where

| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID

Stage 7: parse

| parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *

Stage 8: where

| where isnotempty(AccountAdded)

Stage 9: extend

| extend GroupAddedTo = TargetUserName, AddingAccount = Account

Stage 10: extend

| extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )

Stage 11: project

| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated

Stage 12: source

WindowsEvent

Stage 13: where

| where EventID in (4728, 4732,4756)

Stage 14: extend

| extend TargetSid = tostring(EventData.TargetSid)

Stage 15: where

| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID

Stage 16: parse

| parse EventData.MemberName with * '"MemberName">' * '=' AccountAdded ",OU" *

Stage 17: where

| where isnotempty(AccountAdded)

Stage 18: extend

| extend TargetUserName = tostring(EventData.TargetUserName)

Stage 19: extend

| extend AddingAccount =  strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))

Stage 20: extend

| extend GroupAddedTo = TargetUserName

Stage 21: extend

| extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )

Stage 22: project

| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated

Stage 23: join

| join kind = inner AC_Remove 
on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount

Stage 24: extend

| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)

Stage 25: where

| where DurationinSecondAfter_Removed > 0

Stage 26: extend

| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))

Stage 27: extend

| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)

Stage 28: extend

| extend RemovedAccountName = tostring(split(AccountRemoved, @"\")[1]), RemovedAccountNTDomain = tostring(split(AccountRemoved, @"\")[0])

Stage 29: extend

| extend RemovingAccountName = tostring(split(RemovingAccount, @"\")[1]), RemovingAccountNTDomain = tostring(split(RemovingAccount, @"\")[0])

Stage 30: project-away

| project-away DomainIndex

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AccountAddedis_not_null
  • (no value, null check)
AccountRemovedis_not_null
  • (no value, null check)
DurationinSecondAfter_Removedgt
  • 0 transforms: cased
EventIDin
  • 4728 corpus 3 (splunk 3)
  • 4729
  • 4732 corpus 4 (splunk 3, kusto 1)
  • 4733
  • 4756
  • 4757
TargetSidregex_match
    • S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$
    • S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$
    • S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$
    • S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$
    • S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$
    corpus 3 (kusto 3)
  • S-1-5-32-5[0-9][0-9]$ corpus 3 (kusto 3)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
AccountAddedTimeproject
AccountAdded_GroupAddedTo_AddingAccountproject
DurationinSecondAfter_Removedextend
HostNameextend
HostNameDomainextend
RemovedAccountNTDomainextend
RemovedAccountNameextend
RemovingAccountNTDomainextend
RemovingAccountNameextend