[Rule Tuning] User Added to Privileged Group
s-bt opened this issue · comments
Link to rule
Description
I've just started testing Elastic Security, and during my first test I have found that the rule User Added to Privileged Group
is using names instead of SIDs/RIDs. This is problematic for example in non-English environments. I would suggest switching to well-known RIDs.
Example Data
THIS RULE WILL ALSO INCLUDE CHANGES TO LOCAL GROUPS ON NON-DOMAIN CONTROLLER MACHINES, SO IDEALLY IT WILL NEED TO BE FURTHER FILTERED TO RUN ONLY ON DOMAIN CONTROLLERS (IF THAT'S POSSIBLE). OTHERWISE, CREATE A NEW RULE THAT JUST CONTAINS THE DOMAIN SIDs.
EQL
iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
group.name : ("Admin*",
"Local Administrators",
"Domain Admins",
"Enterprise Admins",
"Backup Admins",
"Schema Admins",
"DnsAdmins",
"Exchange Organization Administrators")
or group.id : (
// BUILTIN_ADMINISTRATORS
"S-1-5-32-544",
// ACCOUNT_OPERATORS
"S-1-5-32-548",
// SERVER_OPERATORS
"S-1-5-32-549",
// PRINTER_OPERATORS
"S-1-5-32-550",
// BACKUP_OPERATORS
"S-1-5-32-551",
// REMOTE_DESKTOP
"S-1-5-32-555",
// Domain Admins
"S-1-5-21-*-512",
// Domain Controllers
"S-1-5-21-*-516",
// Cert Publishers
"S-1-5-21-*-517",
// Schema Admins
"S-1-5-21-*-518",
// Enterprise Admins
"S-1-5-21-*-519",
// Key Admins
"S-1-5-21-*-526",
// Enterprise Key Admins
"S-1-5-21-*-527"
)
Hey @s-bt, thanks for the contribution! Do you want to create a PR for this one? I can do it if you want
I wouldn't mind if you did :)
Made a mistake in the rule :(. It should be:
iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
(group.name : ("Admin*",
"Local Administrators",
"Domain Admins",
"Enterprise Admins",
"Backup Admins",
"Schema Admins",
"DnsAdmins",
"Exchange Domain Servers",
"Exchange Enterprise Servers",
"Exchange Organization Administrators")
or group.id : (
// BUILTIN_ADMINISTRATORS
"S-1-5-32-544",
// ACCOUNT_OPERATORS
"S-1-5-32-548",
// SERVER_OPERATORS
"S-1-5-32-549",
// PRINTER_OPERATORS
"S-1-5-32-550",
// BACKUP_OPERATORS
"S-1-5-32-551",
// REMOTE_DESKTOP
"S-1-5-32-555",
// Domain Admins (domain-relative SID: S-1-5-21-<domain>-512)
"S-1-5-21-*-512",
// Domain Controllers
"S-1-5-21-*-516",
// Cert Publishers
"S-1-5-21-*-517",
// Schema Admins
"S-1-5-21-*-518",
// Enterprise Admins
"S-1-5-21-*-519",
// Key Admins
"S-1-5-21-*-526",
// Enterprise Key Admins
"S-1-5-21-*-527"
))
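To show why the RID-based version of the rule holds up where the name-based one does not, here is an added Python example (not code from the issue or from the Elastic rule set) that applies both checks to constructed events, including a German-localized Domain Admins group and a local workstation group. The `host.is_dc` field is an assumed enrichment used to model the domain-controller filter requested above.

```python
import re
from fnmatch import fnmatch

# Group names from the issue's original rule and the RIDs it proposes instead.
NAME_PATTERNS = ["Admin*", "Local Administrators", "Domain Admins", "Enterprise Admins",
                 "Backup Admins", "Schema Admins", "DnsAdmins",
                 "Exchange Organization Administrators"]
BUILTIN_RIDS = {544, 548, 549, 550, 551, 555}      # S-1-5-32-<RID> aliases
DOMAIN_RIDS = {512, 516, 517, 518, 519, 526, 527}  # S-1-5-21-<domain>-<RID>
BUILTIN_SID = re.compile(r"^S-1-5-32-(\d+)$")
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def name_is_privileged(group_name):
    """Original name-based check; EQL ':' matching is case-insensitive."""
    return any(fnmatch(group_name.lower(), p.lower()) for p in NAME_PATTERNS)

def sid_is_privileged(group_sid):
    """Proposed RID-based check: the language of the group name does not matter."""
    m = BUILTIN_SID.match(group_sid) or DOMAIN_SID.match(group_sid)
    if not m:
        return False
    rids = BUILTIN_RIDS if group_sid.startswith("S-1-5-32-") else DOMAIN_RIDS
    return int(m.group(1)) in rids

def rule_matches(event, dc_only=False):
    """Apply the issue's EQL conditions to one flattened event dict.
    dc_only is the domain-controller filter the issue asks for; 'host.is_dc'
    is an assumed enrichment field, not part of the rule or of ECS."""
    if (event.get("event.category") != "iam"
            or event.get("winlog.api") != "wineventlog"
            or event.get("event.action") != "added-member-to-group"):
        return False
    if dc_only and not event.get("host.is_dc", False):
        return False
    return sid_is_privileged(event.get("group.id", ""))

# Constructed sample events with a fake domain SID (not real log data).
BASE = {"event.category": "iam", "winlog.api": "wineventlog",
        "event.action": "added-member-to-group"}
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GERMAN_DC = {**BASE, "host.is_dc": True, "group.name": "Domänen-Admins",
             "group.id": DOMAIN + "-512"}
LOCAL_ADMINS = {**BASE, "host.is_dc": False, "group.name": "Administrators",
                "group.id": "S-1-5-32-544"}
DOMAIN_USERS = {**BASE, "host.is_dc": True, "group.name": "Domänen-Benutzer",
                "group.id": DOMAIN + "-513"}
```

The name check misses "Domänen-Admins" entirely, while the SID check catches it; the `dc_only` flag drops the local Administrators event on the workstation, which is the noise the second comment in the issue warns about.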