diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 880657782..01f95b37a 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/25" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/03/28" [rule] author = ["Elastic"] @@ -14,7 +14,46 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Port Forwarding Rule Addition" -note = """## Config +note = """## Triage and analysis + +### Investigating Port Forwarding Rule Addition + +Network port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to +any other port number, or even to a port on a remote computer. + +Attackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box +to access previously unreachable systems. + +This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check for similar behavior in other hosts in the environment. +- Identify the target host IP address, verify if connections were made from the host where the modification occurred, +and which credentials were used. + - Investigate suspicious login activity, such as unauthorized access, logins outside working hours, and from unusual locations. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity +and there are justifications for this configuration. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Delete the port forwarding rule. +- Isolate the involved host to prevent further post-compromise behavior. +- If potential malware or credential compromise activities were discovered during the triage of the alert, activate the +respective incident response plan. + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 136b6fc4a..a005c2a26 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -14,7 +14,45 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Tunneling Detected" -note = """## Config +note = """## Triage and analysis + +### Investigating Potential Remote Desktop Tunneling Detected + +Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, +ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would +filter to reach its destination. + +Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP +connections but may be more permissive to other protocols. + +This rule looks for command lines involving the `3389` port, which RDP uses by default, and options commonly associated +with tools that perform tunneling. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if the activity is unique by validating if other machines in the organization have similar entries. +- Examine network data to determine if the host communicated with external servers using the tunnel. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable the involved accounts, or restrict their ability to log on remotely. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Take actions to disable the tunneling. +- Investigate the initial attack vector. + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index b67f33921..22a80fa3b 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -14,7 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Remote File Download via Desktopimgdownldr Utility" -note = """## Config +note = """## Triage and analysis + +### Investigating Remote File Download via Desktopimgdownldr Utility + +Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command +and control channel. However, they can also abuse signed utilities to drop these files. + +The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, but can be abused with the +`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if the activity is unique by validating if other machines in the organization have similar entries. +- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file +from an internal system. +- Retrieve the file and determine if it is malicious: + - Identify the file type. + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions +if necessary. +- Analysts can dismiss the alert if the downloaded file is a legitimate image. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement any temporary network rules, procedures, and segmentation required to contain the malware. + - Immediately block the IoCs identified. +- Remove and block malicious artifacts identified on the triage. +- Disable the involved accounts, or restrict their ability to log on remotely. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Investigate the initial attack vector. + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index c9c419f54..8c4ebc02a 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -14,8 +14,49 @@ name = "Remote File Download via MpCmdRun" note = """## Triage and analysis ### Investigating Remote File Download via MpCmdRun + +Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command +and control channel. However, they can also abuse signed utilities to drop these files. + +The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows +Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, +including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the reputation of the domain or IP address used to host the downloaded file. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement any temporary network rules, procedures, and segmentation required to contain the malware. + - Immediately block the IoCs identified. +- Remove and block malicious artifacts identified on the triage. +- Disable the involved accounts, or restrict their ability to log on remotely. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Investigate the initial attack vector. Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`. + ## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index fea7a401c..d6dcd41e8 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/30" maturity = "production" -updated_date = "2021/10/17" +updated_date = "2022/03/28" [rule] author = ["Elastic"] @@ -11,6 +11,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Remote File Download via PowerShell" +note = """## Triage and analysis + +### Investigating Remote File Download via PowerShell + +Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command +and control channel. However, they can also abuse signed utilities to drop these files. + +PowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it +available for use in various environments and creates an attractive way for attackers to execute code and perform +actions. This rule correlates network and file events to detect downloads of executable and script files performed using +PowerShell. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action and whether it should perform this kind of action. +- Consider whether the user needs PowerShell to complete its tasks. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the reputation of the domain or IP address used to host the downloaded file. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert +if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement any temporary network rules, procedures, and segmentation required to contain the malware. + - Immediately block the IoCs identified. +- Remove and block malicious artifacts identified on the triage. +- Disable the involved accounts, or restrict their ability to log on remotely. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Investigate the initial attack vector. +""" risk_score = 47 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d" severity = "medium" diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 21ff66aea..07eee5d2a 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -11,7 +11,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Remote File Copy via TeamViewer" -note = """## Config +note = """## Triage and analysis + +### Investigating Remote File Copy via TeamViewer + +Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command +and control channel. However, they can also abuse legitimate utilities to drop these files. + +TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various +support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other +malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Contact the user to gather information about who and why was conducting the remote access. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this +access. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct +remote access and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement any temporary network rules, procedures, and segmentation required to contain the malware. + - Immediately block the IoCs identified. +- Remove and block malicious artifacts identified on the triage. +- Disable the involved accounts, or restrict their ability to log on remotely. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index b9cd5a364..4392d0ea7 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -11,10 +11,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Adobe Hijack Persistence" -note = """## Config +note = """## Triage and analysis + +### Investigating Adobe Hijack Persistence + +Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched +whenever Adobe Acrobat Reader is executed. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check for similar behavior in other hosts in the environment. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement any temporary network rules, procedures, and segmentation required to contain the malware. + - Immediately block the IoCs identified. +- Remove and block malicious artifacts identified on the triage. +- Disable the involved accounts, or restrict their ability to log on remotely. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ +references = [ + "https://twitter.com/pabraeken/status/997997818362155008", +] risk_score = 21 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86" severity = "low" diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 732fb9f9d..fd08911f6 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -15,7 +15,54 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Modification of Accessibility Binaries" -note = """## Config +note = """## Triage and analysis + +### Investigating Potential Modification of Accessibility Binaries + +Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by +accessibility features. Windows contains accessibility features that may be launched with a key combination before a +user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs +are launched to get a command prompt or backdoor without logging in to the system. + +More details can be found [here](https://attack.mitre.org/techniques/T1546/008/). + +This rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features +binaries' original file names, which is likely a custom binary deployed by the attacker. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check for similar behavior in other hosts in the environment. +- Retrieve the file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive +(B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement any temporary network rules, procedures, and segmentation required to contain the malware. + - Immediately block the IoCs identified. +- Remove and block malicious artifacts identified on the triage. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 40c38adf4..cbea2b74b 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -14,7 +14,41 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "System Shells via Services" -note = """## Config +note = """## Triage and analysis + +### Investigating System Shells via Services + +Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from +administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads. + +This rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree). +- Identify how the service was created or modified (Look for registry changes events or Windows events related to +service activities (i.e., 4697 and/or 7045)). + - Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check for similar behavior in other hosts in the environment. +- Check for commands executed under the spawned shell. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive +(B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Delete the service or restore it to the original configuration. +- Investigate the initial attack vector. + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 138698388..46def9e74 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -15,7 +15,39 @@ index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"] language = "eql" license = "Elastic License v2" name = "User Added to Privileged Group in Active Directory" -note = """## Config +note = """## Triage and analysis + +### Investigating User Added to Privileged Group in Active Directory + +Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are +granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. + +Attackers can add users to privileged groups to maintain their level of access if other privileged accounts they do have +access to get uncovered by the security team. This way, they can continue their operations even after the discovery of +an abused account. + +This rule monitors events related to the addition of a user to one of the privileged groups. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should manage members of this group. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user during the past 48 hours. + +### False positive analysis + +- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is +legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account +this level of privilege. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the admin is not aware of the operation, activate your Active Directory incident response plan. +- If the user does not need the administrator privileges, remove the account from the privileged group. + + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """