Windows AD Privileged Group Modification
This detection identifies when users are added to privileged Active Directory groups by matching Windows Security Event Code 4728 against a lookup of privileged AD groups provided by Splunk Enterprise Security. Attackers often add user accounts to privileged AD groups to escalate privileges or maintain persistence within an Active Directory environment. Monitoring for modifications to privileged groups helps identify potential security breaches and unauthorized access attempts.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
| Privilege Escalation | T1098 Account Manipulation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4728 | A member was added to a security-enabled global group. |
Stages and Predicates
Stage 1: search
search EventCode=4728
Stage 2: stats
stats dc(user) AS usercount, … AS user, … AS user_category, … AS src_user_category, … AS dvc BY signature, Group_Name, src_user, dest
Stage 3: lookup
lookup <lookup> Group_Name, category, cn
Stage 4: where
where category="privileged"
Stage 5: search
search `macro`
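The five stages above, re-implemented over constructed sample events so the pipeline can be traced end to end (added example, not Splunk's or the rule author's code). The privileged-group lookup is a constructed dictionary standing in for the Splunk ES lookup, whose name is not given on this page, and the final filtering macro of stage 5 is likewise not on the page and is omitted.

```python
"""Trace the 4728 privileged-group detection over constructed events."""
from collections import defaultdict

# Constructed stand-in for the Splunk ES privileged AD group lookup (assumption).
PRIVILEGED_GROUPS = {
    "Domain Admins": "privileged",
    "Enterprise Admins": "privileged",
    "Marketing": "default",
}

SIG_4728 = "A member was added to a security-enabled global group."

# Constructed sample events, shaped like extracted Windows Security events.
SAMPLE_EVENTS = [
    {"EventCode": 4728, "signature": SIG_4728, "Group_Name": "Domain Admins",
     "src_user": "admin.jane", "user": "svc-backup", "dest": "DC01"},
    {"EventCode": 4728, "signature": SIG_4728, "Group_Name": "Domain Admins",
     "src_user": "admin.jane", "user": "contractor42", "dest": "DC01"},
    {"EventCode": 4728, "signature": SIG_4728, "Group_Name": "Marketing",
     "src_user": "helpdesk1", "user": "bob", "dest": "DC01"},
    # Local-group addition (4732) is out of scope for this rule.
    {"EventCode": 4732, "signature": "A member was added to a security-enabled local group.",
     "Group_Name": "Administrators", "src_user": "helpdesk1", "user": "bob", "dest": "WS07"},
]


def detect_privileged_group_additions(events, group_lookup):
    """Return one result row per (signature, Group_Name, src_user, dest) that hit a privileged group."""
    # Stage 1: search EventCode=4728
    matched = [e for e in events if e["EventCode"] == 4728]
    # Stage 2: stats dc(user) AS usercount ... BY signature, Group_Name, src_user, dest
    buckets = defaultdict(set)
    for e in matched:
        buckets[(e["signature"], e["Group_Name"], e["src_user"], e["dest"])].add(e["user"])
    results = []
    for (signature, group, src_user, dest), users in sorted(buckets.items()):
        # Stage 3: lookup category by Group_Name; an unknown group gets no category,
        # exactly as an unmatched Splunk lookup leaves the field unset.
        category = group_lookup.get(group)
        # Stage 4: where category="privileged"
        if category != "privileged":
            continue
        results.append({"signature": signature, "Group_Name": group, "src_user": src_user,
                        "dest": dest, "category": category,
                        "usercount": len(users), "user": sorted(users)})
    return results
```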
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | in | 4728 |
| category | eq | privileged |