LoFP / administrative activity that must be investigated

Techniques

Sample rules

User Added To Highly Privileged Group

Description

Detects the addition of users to highly privileged groups via the "net localgroup ... /add" command or the "Add-LocalGroupMember" PowerShell cmdlet.

Detection logic

condition: all of selection_*
selection_group:
  CommandLine|contains:
  - Group Policy Creator Owners
  - Schema Admins
selection_main:
- CommandLine|contains|all:
  - 'localgroup '
  - ' /add'
- CommandLine|contains|all:
  - 'Add-LocalGroupMember '
  - ' -Group '
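The following is an added example, not part of the LoFP page or the Sigma rule itself: it re-implements the selections and condition above in plain Python and runs them over a handful of constructed process-creation command lines (made up for illustration, not real telemetry). It assumes Sigma's default string semantics, where contains matching is case-insensitive, a list under a plain contains is OR-ed, contains|all is AND-ed, and the two list items under selection_main are OR-ed with each other.

```python
# Added example: a minimal re-implementation of the Sigma logic above, run
# over constructed process command lines. Not part of the LoFP page or the
# Sigma rule; the sample events are made up for illustration.

# Needles copied from the rule. Sigma string matching is case-insensitive
# by default, so everything is compared in lower case.
PRIVILEGED_GROUPS = ("Group Policy Creator Owners", "Schema Admins")
NET_LOCALGROUP_ADD = ("localgroup ", " /add")
POWERSHELL_ADD = ("Add-LocalGroupMember ", " -Group ")


def _contains_any(command_line: str, needles) -> bool:
    """CommandLine|contains with a list: true if any needle is a substring."""
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)


def _contains_all(command_line: str, needles) -> bool:
    """CommandLine|contains|all: true only if every needle is a substring."""
    haystack = command_line.lower()
    return all(n.lower() in haystack for n in needles)


def selection_group(command_line: str) -> bool:
    """selection_group: the command line names one of the listed groups."""
    return _contains_any(command_line, PRIVILEGED_GROUPS)


def selection_main(command_line: str) -> bool:
    """selection_main: two list items are OR-ed; needles inside each are AND-ed."""
    return (_contains_all(command_line, NET_LOCALGROUP_ADD)
            or _contains_all(command_line, POWERSHELL_ADD))


def matches(command_line: str) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_group(command_line) and selection_main(command_line)


# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    # Alert: net.exe adding a member to a listed group.
    'net localgroup "Schema Admins" CORP\\svc-backup /add',
    # Alert: PowerShell cmdlet adding a member to a listed group.
    'powershell.exe -Command Add-LocalGroupMember -Group "Group Policy Creator Owners" -Member CORP\\jdoe',
    # Alert: matching is case-insensitive, so casing does not evade it.
    'NET LOCALGROUP "schema admins" CORP\\eve /ADD',
    # No alert: "net group ... /domain" lacks the 'localgroup ' substring,
    # so a domain-group addition via net.exe falls outside this rule as written.
    'net group "Schema Admins" CORP\\eve /add /domain',
    # No alert: Administrators is not in selection_group.
    'net localgroup Administrators CORP\\jdoe /add',
    # No alert: enumeration only, no add operation.
    'powershell.exe Get-LocalGroupMember -Group "Schema Admins"',
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Return the command lines that would raise the alert."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("ALERT " if matches(event) else "      ", event)
```

The first sample is exactly what a legitimate administrator types when onboarding a schema-change account, and it produces the same alert as an attacker's command: nothing in the command line separates the two, which is why this rule's false positive is administrative activity that must be investigated rather than filtered out. Triage the hit against the initiating user, parent process and change records instead of tuning the rule on the command line alone. The fourth sample also shows the boundary of the rule as written: an addition made with "net group ... /add /domain" does not contain "localgroup " and is not covered by this logic.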