← Library
sigmaDRL-1.1from SigmaHQ/sigma

Remove Account From Domain Admin Group

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1531
Rule sourcerules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Remove-ADGroupMember'
            - '-Identity '
            - '-Members '
    condition: selection
falsepositives:
    - Unknown
level: medium
Remove Account From Domain Admin Group · SIGMA rule | DetectionLint