From fff49e7f0935aa5ec3a1e6e4e283aabd626bc906 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 7 Jun 2024 13:43:30 -0300
Subject: [PATCH] [Rule Tuning] User Added to Privileged Group (#3763)

* [New Rule] User Added to Privileged Group

* add more groups

* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update persistence_user_account_added_to_privileged_group_ad.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 087e8a6e85d1a926ae4f41a2abcef1da1acc018f)
---
 ..._account_added_to_privileged_group_ad.toml | 44 ++++++++++++++-----
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 5d34c49c0..0a3afc889 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/09"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/07"
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -72,15 +72,39 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
- group.name : ("Admin*",
- "Local Administrators",
- "Domain Admins",
- "Enterprise Admins",
- "Backup Admins",
- "Schema Admins",
- "DnsAdmins",
- "Exchange Organization Administrators")
+iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
+(
+ (
+ group.name : (
+ "Admin*",
+ "Local Administrators",
+ "Domain Admins",
+ "Enterprise Admins",
+ "Backup Admins",
+ "Schema Admins",
+ "DnsAdmins",
+ "Exchange Organization Administrators",
+ "Print Operators",
+ "Server Operators",
+ "Account Operators"
+ )
+ ) or
+ (
+ group.id : (
+ "S-1-5-32-544",
+ "S-1-5-21-*-544",
+ "S-1-5-21-*-512",
+ "S-1-5-21-*-519",
+ "S-1-5-21-*-551",
+ "S-1-5-21-*-518",
+ "S-1-5-21-*-1101",
+ "S-1-5-21-*-1102",
+ "S-1-5-21-*-550",
+ "S-1-5-21-*-549",
+ "S-1-5-21-*-548"
+ )
+ )
+)
 '''
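Review bot: The domain-prefixed patterns `S-1-5-21-*-544`, `S-1-5-21-*-548`, `S-1-5-21-*-549`, `S-1-5-21-*-550` and `S-1-5-21-*-551` in the new group.id branch cannot match a real event, because Administrators, Account Operators, Server Operators, Print Operators and Backup Operators are BUILTIN aliases whose SIDs are always of the form `S-1-5-32-<rid>` and never carry the domain SID prefix; only `S-1-5-32-544` is written in the correct form. This leaves Backup Operators uncovered on both branches, since the group.name list carries `"Backup Admins"` rather than the default Windows group name `"Backup Operators"`, so I would replace the five entries with `"S-1-5-32-548", "S-1-5-32-549", "S-1-5-32-550", "S-1-5-32-551"` (544 is already listed) and keep the SID branch as the name-independent fallback. `S-1-5-21-*-1101` and `S-1-5-21-*-1102` are not well-known RIDs — DnsAdmins and DnsUpdateProxy are assigned the next free RID when the DNS role is installed, so they are commonly but not always 1101/1102 — and a one-line comment above those two entries saying so would stop a future tuning from treating them as fixed. The hunk's trailing context after the closing `'''` appears to be cut off in this chunk.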