Enumeration of Privileged Local Groups Membership

edit

Enumeration of Privileged Local Groups Membership

edit

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 43

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Discovery

Version: 1

Added (Elastic Stack release): 8.0.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Config

This will require Windows security event 4799 by enabling audit success for the windows Account Management category and
the Security Group Management subcategory.

Rule query

edit
iam where event.action == "user-member-enumerated" and /* noisy and
usual legit processes excluded */ not
winlog.event_data.CallerProcessName:
("?:\\Windows\\System32\\VSSVC.exe",
"?:\\Windows\\System32\\SearchIndexer.exe",
"?:\\Windows\\System32\\CompatTelRunner.exe",
"?:\\Windows\\System32\\oobe\\msoobe.exe",
"?:\\Windows\\System32\\net1.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\Netplwiz.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\CloudExperienceHostBroker.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\SrTasks.exe",
"?:\\Windows\\System32\\lsass.exe",
"?:\\Windows\\System32\\diskshadow.exe",
"?:\\Windows\\System32\\dfsrs.exe", "?:\\Program
Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
/* privileged local groups */
(group.name:("admin*","RemoteDesktopUsers") or
winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))

Threat mapping

edit

Framework: MITRE ATT&CKTM