Detectionlowstable

A Security-Enabled Global Group Was Deleted

Detects activity when a security-enabled global group is deleted

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alexandr Yampolskyi, SOC PrimeCreated Wed Apr 26b237c54b-0f15-4612-a819-44b735e0de27windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 4730 # A security-enabled global group was deleted
            - 634 # Security Enabled Global Group Deleted
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

cisecurity.org

Resolving title…

pcisecuritystandards.org

Resolving title…

nvlpubs.nist.gov

Resolving title…

ultimatewindowssecurity.com

Resolving title…

ultimatewindowssecurity.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Techniques

T1098 · Account Manipulation

Related Rules

Similar

9cf01b6c-e723-4841-a868-6d7f8245ca6e

Rule not found

Rule Metadata

Rule ID

b237c54b-0f15-4612-a819-44b735e0de27

Status

stable

Level

low

Type

Detection

Created

Wed Apr 26

Author

Alexandr Yampolskyi, SOC Prime

Path

rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1098

View on GitHub