A Member Was Added to a Security-Enabled Global Group (Sigma detection rule)
Detects when a member is added to a security-enabled global group.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
| Privilege Escalation | T1098 Account Manipulation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 632 | |
| Security-Auditing | 4728 | A member was added to a security-enabled global group. |
Stages and Predicates
Stage 1: selection
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- User Added to Privileged Group in Active Directory
- Add or Remove Computer from DC
- Addition of SID History to Active Directory Object
- Detect New Local Admin account
- Windows AD Cross Domain SID History Addition
- Windows AD Privileged Account SID History Addition
- Windows AD Same Domain SID History Addition
- Windows Increase in User Modification Activity