Detectionlowstable

A Member Was Removed From a Security-Enabled Global Group

Detects activity when a member is removed from a security-enabled global group

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alexandr Yampolskyi, SOC PrimeCreated Wed Apr 2602c39d30-02b5-45d2-b435-8aebfe5a8629windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 633 # Security Enabled Global Group Member Removed
            - 4729 # A member was removed from a security-enabled global group
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

cisecurity.org

Resolving title…

pcisecuritystandards.org

Resolving title…

nvlpubs.nist.gov

Resolving title…

ultimatewindowssecurity.com

Resolving title…

ultimatewindowssecurity.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Techniques

T1098 · Account Manipulation

Related Rules

Similar

9cf01b6c-e723-4841-a868-6d7f8245ca6e

Rule not found

Rule Metadata

Rule ID

02c39d30-02b5-45d2-b435-8aebfe5a8629

Status

stable

Level

low

Type

Detection

Created

Wed Apr 26

Author

Alexandr Yampolskyi, SOC Prime

Path

rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1098

View on GitHub