SPL, Apache-2.0, from splunk/security_content
Windows AD add Self to Group
This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, which could be part of a larger attack strategy aimed at compromising critical systems and data.
Rule source: detections/endpoint/windows_ad_add_self_to_group.yml

```spl
`wineventlog_security` EventCode IN (4728)
| where user=src_user
| stats min(_time) as _time, dc(user) as usercount, values(user) as user, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dvc) as dvc
  BY signature, Group_Name, src_user, dest
| `windows_ad_add_self_to_group_filter`
```
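As an added illustration, not part of the security_content rule, the same match and aggregation logic re-implemented in Python over constructed EventCode 4728/4729 events, so the self-add condition can be checked offline; the `windows_ad_add_self_to_group_filter` macro, which carries site-specific exclusions, is assumed empty and not modelled.

```python
from collections import defaultdict

SIG_4728 = "A member was added to a security-enabled global group"
# Constructed sample events (not real logs) in the CIM field layout the
# SPL query expects; dest is the domain controller that logged the event.
SAMPLE_EVENTS = [
    # self-add: subject (src_user) and added member (user) are the same account
    {"_time": 1700000100, "EventCode": 4728, "signature": SIG_4728, "user": "jdoe",
     "src_user": "jdoe", "Group_Name": "Domain Admins", "dest": "dc01.corp.example",
     "user_category": "employee", "src_user_category": "employee", "dvc": "dc01.corp.example"},
    # earlier self-add of the same account into the same group: aggregated, min(_time) wins
    {"_time": 1700000050, "EventCode": 4728, "signature": SIG_4728, "user": "jdoe",
     "src_user": "jdoe", "Group_Name": "Domain Admins", "dest": "dc01.corp.example",
     "user_category": "employee", "src_user_category": "employee", "dvc": "dc01.corp.example"},
    # routine admin add of a different account: user != src_user, not matched
    {"_time": 1700000200, "EventCode": 4728, "signature": SIG_4728, "user": "svc_backup",
     "src_user": "admin1", "Group_Name": "Backup Operators", "dest": "dc01.corp.example",
     "user_category": "service", "src_user_category": "admin", "dvc": "dc01.corp.example"},
    # group removal (4729) by the same account: outside EventCode IN (4728)
    {"_time": 1700000300, "EventCode": 4729, "signature": "A member was removed from a security-enabled global group",
     "user": "jdoe", "src_user": "jdoe", "Group_Name": "Domain Admins", "dest": "dc01.corp.example",
     "user_category": "employee", "src_user_category": "employee", "dvc": "dc01.corp.example"},
]

BY_FIELDS = ("signature", "Group_Name", "src_user", "dest")
VALUES_FIELDS = ("user", "user_category", "src_user_category", "dvc")

def detect_self_add(events):
    """Mirror of the SPL: EventCode 4728, user == src_user, stats BY the four key fields."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4728:
            continue
        # `where user=src_user` is an exact, case-sensitive comparison; a missing field never matches
        if "user" not in ev or ev["user"] != ev.get("src_user"):
            continue
        # stats ... BY drops events that lack any of the BY fields
        if any(f not in ev for f in BY_FIELDS):
            continue
        buckets[tuple(ev[f] for f in BY_FIELDS)].append(ev)
    results = []
    for key, evs in buckets.items():
        row = dict(zip(BY_FIELDS, key))
        row["_time"] = min(e["_time"] for e in evs)            # min(_time) as _time
        for f in VALUES_FIELDS:                                  # values(f): distinct values
            row[f] = sorted({e[f] for e in evs if f in e})
        row["usercount"] = len(row["user"])                      # dc(user) as usercount
        results.append(row)
    return results
```

Running `detect_self_add(SAMPLE_EVENTS)` yields a single row for jdoe adding jdoe to Domain Admins; the admin-driven add and the 4729 removal are not reported.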