Local Privileged Account Group Modification

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Modification of a local privileged account group includes actions such as adding or removing users from the groups or altering group policies or permissions.

Impact:

This can affect an organization in the following ways:

  • Compromise of sensitive data
  • Risk of insider threats
  • Increased risk of privilege escalation
  • Unauthorized access to administrative interfaces

Data source:

Windows: Active Directory Groups, Active Directory Users

Required configuration: This rule is based on event ID 4732 (a member was added to a security-enabled local group), and the required audit policy is Security group management auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0003 - Persistence, TA0004 - Privilege Escalation

Techniques: T1098 - Account Manipulation

Sub-techniques: T1098.001 - Additional Cloud Credentials, T1098.002 - Additional Email Delegate Permissions, T1098.003 - Additional Cloud Roles, T1098.004 - SSH Authorized Keys, T1098.005 - Device Registration, T1098.006 - Additional Container Cluster Roles

Criteria:

Group domain contains Builtin AND Groupname contains Administrators AND USERNAME notendswith $

This rule is triggered when a non-privileged user account is added to a privileged group such as the "Administrators" group within the "Builtin" container. In a Windows environment, system accounts end with "$" and are used for services and other system-related functions. Hence, the criterion "USERNAME notendswith $" makes sure that the accounts being checked are normal user accounts and not system accounts.
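The criteria above, applied to a few constructed 4732 events so the effect of each clause is visible. This is an added example, not the product's own rule engine; it assumes that USERNAME corresponds to the added member's account name (the MemberName field of the 4732 event data) and that the group's domain and name arrive in the standard 4732 fields TargetDomainName and TargetUserName.

```python
# Mirrors the rule criteria for event ID 4732 (member added to a
# security-enabled local group). Assumption: USERNAME is the added member's
# account name, carried here in the 4732 EventData field MemberName.

def matches_rule(event: dict) -> bool:
    """True when the event satisfies: group domain contains Builtin AND
    group name contains Administrators AND member name does not end with $."""
    if event.get("EventID") != 4732:
        return False
    group_domain = event.get("TargetDomainName", "")   # group's domain/container
    group_name = event.get("TargetUserName", "")       # group name (4732 naming)
    member = event.get("MemberName", "")
    # "contains" is evaluated case-insensitively, as SIEM matchers usually do.
    return ("builtin" in group_domain.lower()
            and "administrators" in group_name.lower()
            and not member.endswith("$"))              # skip computer/service accounts


def triggered_alerts(events):
    """Return (member, actor) pairs for every event that fires the rule."""
    return [(e["MemberName"], e["SubjectUserName"]) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry) covering the main cases.
SAMPLE_EVENTS = [
    # 1. Normal user added to Builtin\Administrators -> fires
    {"EventID": 4732, "TargetDomainName": "Builtin", "TargetUserName": "Administrators",
     "MemberName": "jdoe", "SubjectUserName": "helpdesk01"},
    # 2. Computer account added -> filtered out by the "$" clause
    {"EventID": 4732, "TargetDomainName": "Builtin", "TargetUserName": "Administrators",
     "MemberName": "WS-042$", "SubjectUserName": "SYSTEM"},
    # 3. Different local group -> fails the "Administrators" clause
    {"EventID": 4732, "TargetDomainName": "Builtin", "TargetUserName": "Remote Desktop Users",
     "MemberName": "asmith", "SubjectUserName": "helpdesk01"},
    # 4. Group outside the Builtin container -> fails the "Builtin" clause
    {"EventID": 4732, "TargetDomainName": "CORP", "TargetUserName": "Administrators",
     "MemberName": "bjones", "SubjectUserName": "corpadmin"},
    # 5. Member removed (event ID 4733) -> not covered by this 4732-based rule
    {"EventID": 4733, "TargetDomainName": "Builtin", "TargetUserName": "Administrators",
     "MemberName": "jdoe", "SubjectUserName": "helpdesk01"},
]

if __name__ == "__main__":
    for member, actor in triggered_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {member} added to Builtin\\Administrators by {actor}")
```

Case 5 shows a gap worth knowing about: because the rule is keyed to 4732 only, removals (4733) are not alerted on even though the description counts them as modifications.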

When to enable this rule:

Enabling this rule will help you meet the requirements of the security standards listed below.

Security standards (NIST Cybersecurity Framework (CSF) 2.0):

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

When this rule is triggered, you are notified that a non-privileged user has been added to a privileged group. This lets you review access and permissions, take corrective action, and enforce the principle of least privilege.

Known false positives: This event might be generated by a legitimate administrative action, such as an administrator adding users to or removing users from privileged groups so that authorized users have the appropriate level of permissions.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Determine whether the alert is a new incident or part of an ongoing one.
  • Analysis: Analyze the impact and extent of the compromise to understand the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to stop the malicious process.
  • Implement the principle of least privilege: Regularly review privileged accounts and ensure they hold only the minimum permissions required.