Potential Admin Group Account Addition | Elastic Security Solution [8.10]

› › ›

« Potential Abuse of Repeated MFA Push Notifications Potential Antimalware Scan Interface Bypass via PowerShell »

Potential Admin Group Account Additionedit

Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.

Rule type: query

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/

Tags:

Domain: Endpoint
OS: macOS
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend

Version: 104

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append"))

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Local Accounts
- ID: T1078.003
- Reference URL: https://attack.mitre.org/techniques/T1078/003/

« Potential Abuse of Repeated MFA Push Notifications Potential Antimalware Scan Interface Bypass via PowerShell »