Type: Detection | Level: medium | Status: stable

User Added to Local Administrator Group

Detects the addition of a new member to the local Administrators group, which could be legitimate administrative activity or a sign of privilege escalation.

Author: Florian Roth (Nextron Systems)
Created: Tue Mar 14
Updated: Sun Jan 17
Rule ID: c265cf08-3f99-46c1-8d59-328247057d57
Product: windows
Log Source
Product: windows
Service: security
Detection Logic (3 selectors)
detection:
    # Security event 4732: a member was added to a security-enabled local group
    selection_eid:
        EventID: 4732
    # Either the group name starts with 'Administr' (covers localized names such as
    # "Administratoren") or the target is the well-known BUILTIN\Administrators SID
    selection_group:
        - TargetUserName|startswith: 'Administr'
        - TargetSid: 'S-1-5-32-544'
    # Computer accounts (names ending in '$') are excluded to reduce noise
    filter_main_computer_accounts:
        SubjectUserName|endswith: '$'
    condition: all of selection_* and not 1 of filter_*
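To make the selector logic concrete, the Python below applies the rule's three selectors to a handful of constructed Security log records and returns which ones would alert. This is an added example, not code from the rule author or the Sigma project; the event dictionaries are constructed (not captured from a real host) and use the same field names the rule refers to. One detail the example carries over from Sigma semantics is that string comparisons such as `startswith` are case-insensitive by default, so the matcher lowercases before comparing. It also covers a case the name prefix alone would miss: a built-in Administrators group that has been renamed keeps its well-known SID, so the `TargetSid` branch still fires.

```python
"""Reference evaluation of the Sigma rule above over constructed Security events.

Added example; not part of the rule or of the Sigma project. Events are
constructed for illustration, not captured from a real system.
"""

# Well-known SID of BUILTIN\Administrators (from the rule's selection_group)
LOCAL_ADMINS_SID = "S-1-5-32-544"


def matches_rule(event: dict) -> bool:
    """Evaluate `all of selection_* and not 1 of filter_*` for one event.

    Field names mirror the Windows Security event 4732 fields used by the rule.
    Sigma string matching is case-insensitive by default, hence the lower() calls.
    """
    # selection_eid: only event 4732 (member added to a security-enabled local group)
    if event.get("EventID") != 4732:
        return False

    # selection_group: list items are OR-ed in Sigma
    target_name = str(event.get("TargetUserName", "")).lower()
    target_sid = str(event.get("TargetSid", "")).lower()
    if not (target_name.startswith("administr") or target_sid == LOCAL_ADMINS_SID.lower()):
        return False

    # filter_main_computer_accounts: subject is a computer account (name ends in '$')
    subject = str(event.get("SubjectUserName", "")).lower()
    if subject.endswith("$"):
        return False

    return True


# Constructed sample events (assumed field values, not real log data)
SAMPLE_EVENTS = [
    # 0: interactive user adds a member to BUILTIN\Administrators -> alert
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1-2-3-1105"},
    # 1: built-in group renamed, but the well-known SID is unchanged -> alert via TargetSid
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "LocalAdmins",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1-2-3-1106"},
    # 2: same action performed by a computer account -> suppressed by the filter
    {"EventID": 4732, "SubjectUserName": "WS01$", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1-2-3-1107"},
    # 3: addition to a different local group (Remote Desktop Users) -> not selected
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-1-2-3-1108"},
    # 4: different event ID (4728 = member added to a global group) -> not selected
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "TargetSid": "S-1-5-21-1-2-3-512", "MemberSid": "S-1-5-21-1-2-3-1109"},
]


def evaluate(events) -> list:
    """Return the indices of events that the rule would alert on."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for idx in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {ev['SubjectUserName']} added {ev['MemberSid']} "
              f"to {ev['TargetUserName']} ({ev['TargetSid']})")
```

Running it flags only events 0 and 1: the computer-account change in event 2 is filtered out, event 3 targets a different group, and event 4 is a different event ID. Tuning the rule for a specific environment typically means extending `filter_main_computer_accounts` style exclusions for known provisioning accounts rather than loosening the selectors.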
False Positives

Legitimate administrative activity

Rule Metadata
Rule ID
c265cf08-3f99-46c1-8d59-328247057d57
Status
stable
Level
medium
Type
Detection
Created
Tue Mar 14
Modified
Sun Jan 17
Path
rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml
Raw Tags
attack.initial-access, attack.defense-evasion, attack.privilege-escalation, attack.t1078, attack.persistence, attack.t1098