Standard domain users who are part of the Administrator group. These users shouldn't have these rights, but where that is necessary, they should be filtered out using the "targetusername" field.

Techniques

Sample rules

Standard User In High Privileged Group

Description

Detects logins by standard users who are part of high-privileged groups such as the Administrator group.

Detection logic

selection:
  EventID: 300
  SidList|contains:
  - 'S-1-5-32-544'
  - '-500}'
  - '-518}'
  - '-519}'
  TargetUserSid|startswith: 'S-1-5-21-'
filter_main_admin:
  TargetUserSid|endswith:
  - '-500'
  - '-518'
  - '-519'
condition: selection and not 1 of filter_main_*
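The following is an added example, not part of the LoFP entry or of the Sigma rule above. It evaluates the rule's selection, filter and condition over a handful of constructed events, then applies the TargetUserName allowlist that the false-positive note recommends, so a defender can see which events survive each stage. Field names (EventID, SidList, TargetUserSid, TargetUserName) are those the rule and the note use; the SIDs, account names and the allowlist are constructed sample data.

```python
"""
Added example (not part of the LoFP entry or the Sigma rule): a small Python
evaluator for the "Standard User In High Privileged Group" detection logic,
plus the TargetUserName allowlist the false-positive note recommends.
Sample events and the allowlist below are constructed, not real telemetry.
"""

# Markers from the rule's SidList|contains: the local Administrators group SID
# and the brace-terminated RIDs 500 (built-in Administrator), 518 (Schema
# Admins) and 519 (Enterprise Admins). The closing brace matches the
# brace-wrapped SID list the event carries, e.g. {S-1-5-21-...-519}.
PRIVILEGED_SID_MARKERS = ("S-1-5-32-544", "-500}", "-518}", "-519}")

# filter_main_admin: the target account itself is a well-known privileged RID.
FILTERED_TARGET_RID_SUFFIXES = ("-500", "-518", "-519")


def matches_selection(event: dict) -> bool:
    """Sigma 'selection': EventID 300, SidList contains a privileged marker,
    and TargetUserSid is a domain account SID (S-1-5-21-...)."""
    if event.get("EventID") != 300:
        return False
    sid_list = str(event.get("SidList", ""))
    if not any(marker in sid_list for marker in PRIVILEGED_SID_MARKERS):
        return False
    return str(event.get("TargetUserSid", "")).startswith("S-1-5-21-")


def matches_filter_main_admin(event: dict) -> bool:
    """Sigma 'filter_main_admin': TargetUserSid ends with -500, -518 or -519."""
    return str(event.get("TargetUserSid", "")).endswith(FILTERED_TARGET_RID_SUFFIXES)


def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_filter_main_admin(event)


def rule_fires_with_allowlist(event: dict, allowed_target_users: frozenset) -> bool:
    """The rule plus the false-positive handling from the note: suppress
    approved standard accounts by TargetUserName (compared case-insensitively)."""
    if not rule_fires(event):
        return False
    return str(event.get("TargetUserName", "")).lower() not in allowed_target_users


# Constructed sample events; the domain SID and RIDs are placeholders.
_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {   # standard domain user carrying the local Administrators group SID -> hit
        "EventID": 300, "TargetUserName": "jdoe",
        "TargetUserSid": f"{_DOMAIN}-1105",
        "SidList": f"{{{_DOMAIN}-1105}} {{S-1-5-32-544}}",
    },
    {   # standard account that is also an Enterprise Admin, approved exception
        "EventID": 300, "TargetUserName": "svc_backup",
        "TargetUserSid": f"{_DOMAIN}-1150",
        "SidList": f"{{{_DOMAIN}-1150}} {{{_DOMAIN}-519}}",
    },
    {   # built-in Administrator (RID 500) -> removed by filter_main_admin
        "EventID": 300, "TargetUserName": "Administrator",
        "TargetUserSid": f"{_DOMAIN}-500",
        "SidList": f"{{{_DOMAIN}-500}} {{S-1-5-32-544}}",
    },
    {   # ordinary user, only the Users group (S-1-5-32-545) -> no match
        "EventID": 300, "TargetUserName": "asmith",
        "TargetUserSid": f"{_DOMAIN}-1200",
        "SidList": f"{{{_DOMAIN}-1200}} {{S-1-5-32-545}}",
    },
]

# Constructed allowlist of standard accounts that are knowingly privileged.
APPROVED_ADMIN_STANDARD_USERS = frozenset({"svc_backup"})


def alerts(events, allowed_target_users=APPROVED_ADMIN_STANDARD_USERS):
    """TargetUserName of every event that survives both the rule and the allowlist."""
    return [e["TargetUserName"] for e in events
            if rule_fires_with_allowlist(e, allowed_target_users)]


if __name__ == "__main__":
    print("raw rule hits:   ", [e["TargetUserName"] for e in SAMPLE_EVENTS if rule_fires(e)])
    print("after allowlist: ", alerts(SAMPLE_EVENTS))
```

Run as a script, the raw rule matches jdoe and svc_backup, the filter drops the built-in Administrator, and the allowlist leaves only jdoe as an alert. Keeping the allowlist on TargetUserName (not on the SID suffix used by filter_main_admin) mirrors the note: the SID filter removes well-known privileged principals for everyone, while the name allowlist is the per-environment exception list that should be kept short and reviewed.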