Detection | medium | test
Standard User In High Privileged Group
Detect standard users login that are part of high privileged groups such as the Administrator group
Log Source
Product: windows
Service: lsa-server
Definition
Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.
Detection Logic
detection:
    selection:
        EventID: 300
        TargetUserSid|startswith: 'S-1-5-21-' # Standard user
        SidList|contains:
            - 'S-1-5-32-544' # Local admin
            - '-500}' # Domain admin
            - '-518}' # Schema admin
            - '-519}' # Enterprise admin
    filter_main_admin:
        TargetUserSid|endswith:
            - '-500' # Domain admin
            - '-518' # Schema admin
            - '-519' # Enterprise admin
    condition: selection and not 1 of filter_main_*
False Positives
Standard domain users who are part of the administrator group. These users shouldn't have these rights, but where such membership is necessary, they should be filtered out using the "TargetUserName" field.
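The following is an added worked example, not part of the rule or of the Phoenix Studio page, showing how the selection and filter above combine under the condition `selection and not 1 of filter_main_*`, and how the TargetUserName allow-list suggested in the False Positives note fits in. It evaluates the rule against constructed Microsoft-Windows-LSA/Operational EventID 300 records; the field names (EventID, TargetUserSid, SidList, TargetUserName) follow the rule, while the SIDs, user names and the `evaluate` helper are assumptions made up for the example.

```python
# Added example (not from the rule or page): evaluates the Sigma logic above
# against constructed LSA EventID 300 records.

# SidList|contains values from the rule. The trailing '}' matches the
# "{SID}{SID}" formatting of the SidList field, so '-500}' hits only the
# RID 500 entry and not, say, a RID 5001 user.
ADMIN_SID_MARKERS = ("S-1-5-32-544", "-500}", "-518}", "-519}")

# filter_main_admin: the built-in admin accounts are expected to carry
# these groups, so their own logons are excluded.
BUILTIN_ADMIN_RID_SUFFIXES = ("-500", "-518", "-519")


def matches_rule(event, allowed_users=()):
    """Return True when the event satisfies
    'selection and not 1 of filter_main_*'.

    allowed_users is an optional TargetUserName allow-list, the
    site-specific exclusion the False Positives note recommends.
    """
    if event.get("EventID") != 300:
        return False
    target_sid = event.get("TargetUserSid", "")
    sid_list = event.get("SidList", "")

    # selection: a domain/local account SID (S-1-5-21-...) whose token
    # carries at least one of the privileged group SIDs
    if not target_sid.startswith("S-1-5-21-"):
        return False
    if not any(marker in sid_list for marker in ADMIN_SID_MARKERS):
        return False

    # not 1 of filter_main_*: drop the built-in admin accounts themselves
    if target_sid.endswith(BUILTIN_ADMIN_RID_SUFFIXES):
        return False

    # local tuning: users whose membership has been reviewed and accepted
    if event.get("TargetUserName") in allowed_users:
        return False
    return True


def evaluate(events, allowed_users=()):
    """Return the TargetUserName of every event that fires the rule."""
    return [e["TargetUserName"] for e in events if matches_rule(e, allowed_users)]


# Constructed sample events (assumed domain SID S-1-5-21-111-222-333).
DOMAIN = "S-1-5-21-111-222-333"
SAMPLE_EVENTS = [
    # standard user holding BUILTIN\Administrators -> should fire
    {"EventID": 300, "TargetUserName": "jdoe",
     "TargetUserSid": f"{DOMAIN}-1105",
     "SidList": f"{{{DOMAIN}-513}}{{S-1-5-32-544}}"},
    # built-in domain Administrator (RID 500) -> excluded by filter_main_admin
    {"EventID": 300, "TargetUserName": "Administrator",
     "TargetUserSid": f"{DOMAIN}-500",
     "SidList": f"{{{DOMAIN}-500}}{{S-1-5-32-544}}"},
    # standard user with only Domain Users / BUILTIN\Users -> no match
    {"EventID": 300, "TargetUserName": "asmith",
     "TargetUserSid": f"{DOMAIN}-1106",
     "SidList": f"{{{DOMAIN}-513}}{{S-1-5-32-545}}"},
    # service account holding Enterprise Admins (RID 519) -> should fire
    # unless the site has reviewed it and put it on the allow-list
    {"EventID": 300, "TargetUserName": "svc_backup",
     "TargetUserSid": f"{DOMAIN}-1107",
     "SidList": f"{{{DOMAIN}-513}}{{{DOMAIN}-519}}"},
    # wrong event ID, otherwise identical to the first record -> no match
    {"EventID": 301, "TargetUserName": "jdoe",
     "TargetUserSid": f"{DOMAIN}-1105",
     "SidList": f"{{{DOMAIN}-513}}{{S-1-5-32-544}}"},
]

if __name__ == "__main__":
    print("alerts:", evaluate(SAMPLE_EVENTS))
    print("alerts with allow-list:", evaluate(SAMPLE_EVENTS, ("svc_backup",)))
```

Run as written it reports jdoe and svc_backup, and only jdoe once svc_backup is on the allow-list. Note that the allow-list is applied after the rule's own filter, so it only ever narrows the alerts; widening the `filter_main_admin` list instead would also suppress events for accounts the rule intends to catch.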
MITRE ATT&CK
Rule Metadata
Rule ID
7ac407cc-0f48-4328-aede-de1d2e6fef41
Status
test
Level
medium
Type
Detection
Created
Fri Jan 13
Modified
Fri May 05
Author
Path
rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml
Raw Tags
attack.credential-access, attack.privilege-escalation