Standard User In High Privileged Group

Severity: medium
Author: frack113
Source: upstream

Detect standard users login that are part of high privileged groups such as the Administrator group

Event coverage

Provider	Event ID	Title
LsaSrv	300	Groups assigned to a new logon.

Stages and Predicates

Stage 1: `selection`

or:
SidList|contains: '-500}'
SidList|contains: '-518}'
SidList|contains: '-519}'
SidList|contains: S-1-5-32-544
TargetUserSid|startswith: S-1-5-21-

Stage 2: `not 1 of filter_main_admin`

or:
TargetUserSid|endswith: -500
TargetUserSid|endswith: -518
TargetUserSid|endswith: -519

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`SidList`	match	`-500}` `-518}` `-519}` `S-1-5-32-544`
`TargetUserSid`	ends_with	`-500` corpus 2 (sigma 2) `-518` `-519`
`TargetUserSid`	starts_with	`S-1-5-21-` corpus 2 (sigma 2)