Detection rules › Kusto Query Language

User account added to built in domain local or global group

Author: Microsoft Security Research
Source: upstream

'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.'

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts
Persistence	`T1078` Valid Accounts, `T1098` Account Manipulation
Privilege Escalation	`T1078` Valid Accounts, `T1098` Account Manipulation
Defense Evasion	`T1078` Valid Accounts

Event coverage

Provider	Event ID	Title
Security-Auditing	4728	A member was added to a security-enabled global group.
Security-Auditing	4732	A member was added to a security-enabled local group.
Security-Auditing	4756	A member was added to a security-enabled universal group.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches

User account added to built in domain local or global group

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`

Stage 6: `project-away`

Keyboard Shortcuts

User account added to built in domain local or global group

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: extend

Stage 4: extend

Stage 5: extend

Stage 6: project-away

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`

Stage 6: `project-away`