elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] User Added to Privileged Group

s-bt opened this issue · comments

commented

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml

Description

I've just started testing Elastic Security, and during my first test I have found that the rule User Added to Privileged Group is using names instead of SIDs/RIDs. This is problematic for example in non-English environments. I would suggest switching to well-known RIDs.

Example Data

THIS RULE WILL ALSO INCLUDE CHANGES TO LOCAL GROUPS ON NON-DOMAIN CONTROLLER MACHINES, SO IDEALLY IT WILL NEED TO BE FURTHER FILTERED TO RUN ONLY ON DOMAIN CONTROLLERS (IF THAT'S POSSIBLE). OTHERWISE, CREATE A NEW RULE THAT JUST CONTAINS THE DOMAIN SIDs.

EQL

```eql
iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
  group.name : ("Admin*",
                "Local Administrators",
                "Domain Admins",
                "Enterprise Admins",
                "Backup Admins",
                "Schema Admins",
                "DnsAdmins",
                "Exchange Organization Administrators")
  or group.id : (
    // BUILTIN_ADMINISTRATORS
    "S-1-5-32-544",
    // ACCOUNT_OPERATORS
    "S-1-5-32-548",
    // SERVER_OPERATORS
    "S-1-5-32-549",
    // PRINTER_OPERATORS
    "S-1-5-32-550",
    // BACKUP_OPERATORS
    "S-1-5-32-551",
    // REMOTE_DESKTOP
    "S-1-5-32-555",
    // Domain Admins
    "S-1-5-21-*-512",
    // Domain Controllers
    "S-1-5-21-*-516",
    // Cert Publishers
    "S-1-5-21-*-517",
    // Schema Admins
    "S-1-5-21-*-518",
    // Enterprise Admins
    "S-1-5-21-*-519",
    // Key Admins
    "S-1-5-21-*-526",
    // Enterprise Key Admins
    "S-1-5-21-*-527"
  )
```

Hey @s-bt, thanks for the contribution! Do you want to create a PR for this one? I can do it if you want

commented

I wouldn't mind if you did :)

commented

Made a mistake in the rule :(. It should be:

```eql
iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
  (group.name : ("Admin*",
                 "Local Administrators",
                 "Domain Admins",
                 "Enterprise Admins",
                 "Backup Admins",
                 "Schema Admins",
                 "DnsAdmins",
                 "Exchange Domain Servers",
                 "Exchange Enterprise Servers",
                 "Exchange Organization Administrators")
   or group.id : (
     // BUILTIN_ADMINISTRATORS
     "S-1-5-32-544",
     // ACCOUNT_OPERATORS
     "S-1-5-32-548",
     // SERVER_OPERATORS
     "S-1-5-32-549",
     // PRINTER_OPERATORS
     "S-1-5-32-550",
     // BACKUP_OPERATORS
     "S-1-5-32-551",
     // REMOTE_DESKTOP
     "S-1-5-32-555",
     // Domain Admins
     "S-1-5-21-*-512",
     // Domain Controllers
     "S-1-5-21-*-516",
     // Cert Publishers
     "S-1-5-21-*-517",
     // Schema Admins
     "S-1-5-21-*-518",
     // Enterprise Admins
     "S-1-5-21-*-519",
     // Key Admins
     "S-1-5-21-*-526",
     // Enterprise Key Admins
     "S-1-5-21-*-527"
   ))
```
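Added example (not part of the issue or of the detection-rules repository): a Python model of the SID/RID branch of the corrected rule, run over constructed sample events. It shows why the issue asks for RIDs: a group named "Domänen-Admins" on a German-localised domain controller has no English name to match on, but its RID 512 is the same everywhere. The domain identifier and group names in the samples are made up.

```python
import re

# Domain-independent BUILTIN aliases listed in the corrected rule above.
BUILTIN_PRIVILEGED = {
    "S-1-5-32-544": "Administrators", "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators", "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators", "S-1-5-32-555": "Remote Desktop Users",
}
# Domain-relative RIDs; the full SID is S-1-5-21-<three sub-authorities>-<RID>,
# which is what the rule's "S-1-5-21-*-<RID>" wildcard expresses.
DOMAIN_PRIVILEGED_RIDS = {
    512: "Domain Admins", 516: "Domain Controllers", 517: "Cert Publishers",
    518: "Schema Admins", 519: "Enterprise Admins", 526: "Key Admins",
    527: "Enterprise Key Admins",
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def privileged_group(sid):
    """Canonical English name if `sid` is a privileged group, else None."""
    if sid in BUILTIN_PRIVILEGED:
        return BUILTIN_PRIVILEGED[sid]
    m = DOMAIN_SID_RE.match(sid)
    return DOMAIN_PRIVILEGED_RIDS.get(int(m.group(1))) if m else None

def matches_rule(event):
    """Mirror the issue's EQL: Windows event log, member added, privileged group.id."""
    return (event.get("winlog.api") == "wineventlog"
            and event.get("event.action") == "added-member-to-group"
            and privileged_group(event.get("group.id", "")) is not None)

# Constructed sample events, not real telemetry. The first one comes from a
# German-localised domain: a name list such as "Domain Admins" would miss it.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"  # made-up domain identifier
SAMPLE_EVENTS = [
    {"winlog.api": "wineventlog", "event.action": "added-member-to-group",
     "group.name": "Domänen-Admins", "group.id": DOMAIN + "-512"},
    {"winlog.api": "wineventlog", "event.action": "added-member-to-group",
     "group.name": "Remote Desktop Users", "group.id": "S-1-5-32-555"},
    {"winlog.api": "wineventlog", "event.action": "added-member-to-group",
     "group.name": "Sales", "group.id": DOMAIN + "-1105"},
    {"winlog.api": "wineventlog", "event.action": "removed-member-from-group",
     "group.name": "Domain Admins", "group.id": DOMAIN + "-512"},
]

def alerts(events=SAMPLE_EVENTS):
    """(group.name, canonical name) for every event the SID-based rule fires on."""
    return [(e["group.name"], privileged_group(e["group.id"]))
            for e in events if matches_rule(e)]
```

The BUILTIN "Remote Desktop Users" event fires whether or not it was logged on a domain controller, which is the noise the note in the issue description warns about; filtering on host role is left to the deployment.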

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.