Rule: User account added to local Administrators
@@ -0,0 +1,17 @@
title: User Added to Local Administrators
description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity
status: stable
author: Florian Roth
logsource:
product: windows
service: system
detection:
selection:
EventID: 4732
GroupName: Administrators
filter:
SubjectAccountName: '*$'
condition: selection and not filter
falsepositives:
- Legitimate administrative activity
level: low
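Review bot: The logsource in this hunk (`product: windows` / `service: system`) does not match the event being selected: EventID 4732 ("A member was added to a security-enabled local group") is written to the Security channel, not the System log, so a backend that maps `service` to a channel will never see a hit; this should be `service: security`. Two smaller points on the detection block: matching the group by its display name (`GroupName: Administrators`) only works on English installations, since the name is localized, whereas the built-in Administrators group is always identified by the well-known SID `S-1-5-32-544`, so matching on the group SID field is more robust; and the filter `SubjectAccountName: '*$'` drops every event whose acting account ends in `$`, i.e. computer accounts, which is a reasonable noise reduction but worth stating in the description or falsepositives so analysts know that additions performed by machine accounts are intentionally not alerted on.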