Windows Privileged Group Modification

Author: Brandon Sternfield, Optiv + ClearShark
Source: upstream

This analytic detects modifications to privileged groups in Active Directory, including addition, creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups. It specifically monitors for changes to high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", and "ESX Admins", among others. This detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1136.001` Create Account: Local Account, `T1136.002` Create Account: Domain Account

Event coverage

Provider	Event ID	Title
Security-Auditing	4727	A security-enabled global group was created.
Security-Auditing	4731	A security-enabled local group was created.
Security-Auditing	4744	A security-disabled local group was created.
Security-Auditing	4749	A security-disabled global group was created.
Security-Auditing	4754	A security-enabled universal group was created.
Security-Auditing	4756	A member was added to a security-enabled universal group.
Security-Auditing	4759	A security-disabled universal group was created.
Security-Auditing	4783	A basic application group was created.
Security-Auditing	4790	An LDAP query group was created.

Stages and Predicates

Stage 1: `search`

search EventCode IN (4727, 4731, 4744, 4749, 4754, 4756, 4759, 4783, 4790) TargetUserName IN ("Account Operators", "Administrators", "Admins DNS", "Backup Operators", "DnsAdmins", "Domain Admins", "ESX Admins", "ESXi Admins", "Enterprise Admins", "Enterprise Key Admins", "Group Policy Creator Owners", "Hyper-V Administrators", "Key Admins", "Print Operators", "Remote Desktop Users", "Remote Management Users", "Replicators", "Schema Admins", "Server Operators")

Stage 2: `eval`

eval ... using (EventCode)

Stage 3: `rename`

rename

Stage 4: `stats`

stats BY EventCode, src_user, object_category, object, object_path, dest, change_type, status

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	in	`4727` corpus 3 (splunk 3) `4731` corpus 2 (splunk 2) `4744` `4749` `4754` `4756` `4759` `4783` `4790`
`TargetUserName`	in	`"Account Operators"` `"Administrators"` `"Admins DNS"` `"Backup Operators"` `"DnsAdmins"` `"Domain Admins"` `"ESX Admins"` `"ESXi Admins"` `"Enterprise Admins"` `"Enterprise Key Admins"` `"Group Policy Creator Owners"` `"Hyper-V Administrators"` `"Key Admins"` `"Print Operators"` `"Remote Desktop Users"` `"Remote Management Users"` `"Replicators"` `"Schema Admins"` `"Server Operators"`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

A Security-Enabled Global Group Was Deleted [sigma]
Windows ESX Admins Group Creation Security Event [splunk]
Windows Increase in Group or Object Modification Activity [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Windows Increase in Group or Object Modification Activity [splunk]