Potential Admin Group Account Addition | Elastic Security Solution [8.4]

› › ›

« Potential Abuse of Repeated MFA Push Notifications Potential Application Shimming via Sdbinst »

Potential Admin Group Account Additionedit

Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.

Rule type: query

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/

Tags:

Elastic
Host
macOS
Threat Detection
Privilege Escalation

Version: 2 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

event.category:process and event.type:(start or process_started) and
process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin"
or admin) and ("-a" or "-append"))

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

Rule version historyedit

Version 2 (8.4.0 release)

Formatting only

« Potential Abuse of Repeated MFA Push Notifications Potential Application Shimming via Sdbinst »