Detectionlowstable

A Member Was Added to a Security-Enabled Global Group

Detects activity when a member is added to a security-enabled global group

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alexandr Yampolskyi, SOC PrimeCreated Wed Apr 26c43c26be-2e87-46c7-8661-284588c5a53ewindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 4728 # A member was added to a security-enabled global group
            - 632 # Security Enabled Global Group Member Added
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

cisecurity.org

Resolving title…

pcisecuritystandards.org

Resolving title…

nvlpubs.nist.gov

Resolving title…

ultimatewindowssecurity.com

Resolving title…

ultimatewindowssecurity.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Techniques

T1098 · Account Manipulation

Related Rules

Similar

9cf01b6c-e723-4841-a868-6d7f8245ca6e

Rule not found

Rule Metadata

Rule ID

c43c26be-2e87-46c7-8661-284588c5a53e

Status

stable

Level

low

Type

Detection

Created

Wed Apr 26

Author

Alexandr Yampolskyi, SOC Prime

Path

rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1098

View on GitHub