[Rule Tuning] User Added to Privileged Group

[s-bt]

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml

Description

I've just started testing Elastic Security, and during my first test I have found that the rule User Added to Privileged Group is using names instead of SIDs/RIDs. This is probelmatic for example in non-english environments. I would suggest switching to well known RIDs

Example Data

THIS RULE WILL ALSO INCLUDE CHANGES TO LOCAL GROUPS ON NON-DOMAIN CONTROLLER MACHINES, SO IDEALLY IT WILL TO BE FURTHER FILTERED TO RUN ONLY ON DOMAIN CONTROLLERS (IF THAT'S POSSIBLE). OTHERWISE, CREATE A NEW RULE THAT JUST CONTAINS THE DOMAIN SIDs

EQL

iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
  group.name : ("Admin*",
                "Local Administrators",
                "Domain Admins",
                "Enterprise Admins",
                "Backup Admins",
                "Schema Admins",
                "DnsAdmins",
                "Exchange Organization Administrators")
 or group.id : (
		// BUILTIN_ADMINISTRATORS
		"S-1-5-32-544",
		// ACCOUNT_OPERATORS
		"S-1-5-32-548",
		// SERVER_OPERATORS
		"S-1-5-32-549",
		// PRINTER_OPERATORS
		"S-1-5-32-550",
		// BACKUP_OPERATORS
		"S-1-5-32-551",
		// REMOTE_DESKTOP
		"S-1-5-32-555",
		// Domain Admins
		"S-1-5-21-*-512",
		// Domain Controllers
		"S-1-5-21-*-516",
		// Cert Publishers
		"S-1-5-21-*-517",
		// Schema Admins
		"S-1-5-21-*-518",
		// Enterprise Admins
		"S-1-5-21-*-519",
		// Key Admins
		"S-1-5-21-*-526",
		// Key Admins
		"S-1-5-21-*-527"
)

[w0rk3r]

Hey @s-bt, thanks for the contribution! Do you want to create a PR for this one? I can do it if you want

[s-bt]

I wouldn't mind if you did :)

[s-bt]

Made a mistake in the rule :(. It should be:

iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
(group.name : ("Admin*",
"Local Administrators",
"Domain Admins",
"Enterprise Admins",
"Backup Admins",
"Schema Admins",
"DnsAdmins",
"Exchange Domain Servers",
"Exchange Enterprise Servers",
"Exchange Organization Administrators")
or group.id : (
// BUILTIN_ADMINISTRATORS
"S-1-5-32-544",
// ACCOUNT_OPERATORS
"S-1-5-32-548",
// SERVER_OPERATORS
"S-1-5-32-549",
// PRINTER_OPERATORS
"S-1-5-32-550",
// BACKUP_OPERATORS
"S-1-5-32-551",
// REMOTE_DESKTOP
"S-1-5-32-555",
// Domain Admins
"S-1-5-21--512",
// Domain Controllers
"S-1-5-21--516",
// Cert Publishers
"S-1-5-21--517",
// Schema Admins
"S-1-5-21--518",
// Enterprise Admins
"S-1-5-21--519",
// Key Admins
"S-1-5-21--526",
// Key Admins
"S-1-5-21-*-527"
))

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[w0rk3r]

Resolved by #3763, thanks for bringing this to our attention