splApache-2.0from splunk/security_content
Windows AD Privileged Group Modification
This detection identifies when users are added to privileged Active Directory groups by leveraging the Windows Security Event Code 4728 along with a lookup of privileged AD groups provided by Splunk Enterprise Security. Attackers often add user accounts to privileged AD groups to escalate privileges or maintain persistence within an Active Directory environment. Monitoring for modifications to privileged groups can help identify potential security breaches and unauthorized access attempts.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_privileged_group_modification.yml
`wineventlog_security` EventCode IN (4728)
| stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc
BY signature, Group_Name,src_user dest
| lookup admon_groups_def cn as Group_Name OUTPUT category
| where category="privileged"
| `windows_ad_privileged_group_modification_filter`