Enumeration of Privileged Local Groups Membership | Elastic Security Solution [8.1]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Enumeration of Kernel Modules Enumeration of Users or Groups via Built-in Commands »

Enumeration of Privileged Local Groups Membershipedit

Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.

Rule type: eql

Rule indices:

winlogbeat-*
logs-windows.*

Severity: medium

Risk score: 43

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Discovery

Version: 2 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

## Config

This will require Windows security event 4799 by enabling audit success for the Windows Account Management category and
the Security Group Management subcategory.

Rule queryedit

iam where event.action == "user-member-enumerated" and /* noisy and
usual legit processes excluded */ not
winlog.event_data.CallerProcessName:
("?:\\Windows\\System32\\VSSVC.exe",
"?:\\Windows\\System32\\SearchIndexer.exe",
"?:\\Windows\\System32\\CompatTelRunner.exe",
"?:\\Windows\\System32\\oobe\\msoobe.exe",
"?:\\Windows\\System32\\net1.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\Netplwiz.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\CloudExperienceHostBroker.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\SrTasks.exe",
"?:\\Windows\\System32\\lsass.exe",
"?:\\Windows\\System32\\diskshadow.exe",
"?:\\Windows\\System32\\dfsrs.exe", "?:\\Program
Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
/* privileged local groups */
(group.name:("admin*","RemoteDesktopUsers") or
winlog.event_data.TargetSid:("S-1-5-32-544","S-1-5-32-555"))

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Permission Groups Discovery
- ID: T1069
- Reference URL: https://attack.mitre.org/techniques/T1069/

Rule version historyedit

Version 2 (8.1.0 release)

Formatting only

« Enumeration of Kernel Modules Enumeration of Users or Groups via Built-in Commands »