Windows AD add Self to Group
Description
This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-12-18
- Author: Dean Luxton
- ID: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
Annotations
Kill Chain Phase
- Installation
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
`wineventlog_security` EventCode IN (4728)
| where user=src_user
| stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user
| `windows_ad_add_self_to_group_filter`
Macros
The SPL above uses the following Macros:
windows_ad_add_self_to_group_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- EventCode
- user
- src_user
- signature
- Group_Name
How To Implement
This analytic requires eventCode 4728 to be ingested.
Known False Positives
Unknown
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 50.0 | 50 | 100 | $user$ added themselves to AD Group $Group_Name$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1