Detection rules › Kusto Query Language

New user created and added to the built-in administrators group

Author: Microsoft Security Research
Source: upstream

'Identifies when a user account was created and then added to the builtin Administrators group in the same day. This should be monitored closely and all additions reviewed.'

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts
Persistence	`T1078` Valid Accounts, `T1098` Account Manipulation
Privilege Escalation	`T1078` Valid Accounts, `T1098` Account Manipulation
Defense Evasion	`T1078` Valid Accounts

Event coverage

Provider	Event ID	Title
Security-Auditing	4720	A user account was created.
Security-Auditing	4732	A member was added to a security-enabled local group.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches

New user created and added to the built-in administrators group

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `join`

Stage 4: `project`

Stage 5: `extend`

Stage 6: `extend`

Stage 7: `project-away`

Keyboard Shortcuts

New user created and added to the built-in administrators group

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: join

Stage 4: project

Stage 5: extend

Stage 6: extend

Stage 7: project-away

Stage 1: `source`

Stage 2: `union`

Stage 3: `join`

Stage 4: `project`

Stage 5: `extend`

Stage 6: `extend`

Stage 7: `project-away`