security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Attempt to Add an Account to the Admin Group (#803)

Browse Source 
* [New Rule] Attempt to Add an Account to the Admin Group

* adjusted query for perf

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-01-29 19:03:17 +01:00
committed by GitHub
parent cd3f72cf15
commit ad514eaeab
1 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/privilege_escalation_local_user_added_to_admin.toml
+46
View File
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2020/01/05"
maturity = "production"
updated_date = "2020/01/05"
[rule]
author = ["Elastic"]
description = """
Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege
escalation activity.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Potential Admin Group Account Addition"
references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"]
risk_score = 47
rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.003"
name = "Local Accounts"
reference = "https://attack.mitre.org/techniques/T1078/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"