Detection: Windows Privileged Group Modification

Updated Date: 2024-08-15 ID: b8cbef2c-2cc3-4550-b0fc-9715b7852df9 Author: Brandon Sternfield, Optiv + ClearShark Type: TTP Product: Splunk Enterprise Security

Description

This analytic detects modifications to privileged groups in Active Directory, including creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups. It specifically monitors for changes to high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", and "ESX Admins", among others. This detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems.

Search

1`wineventlog_security` EventCode IN (4727,4731,4744,4749,4754,4759,4783,4790) TargetUserName IN ("Account Operators", "Administrators", "Admins DNS", "Backup Operators", "DnsAdmins", "Domain Admins", "Enterprise Admins", "Enterprise Key Admins", "ESX Admins", "ESXi Admins", "Group Policy Creator Owners", "Hyper-V Administrators", "Key Admins", "Print Operators", "Remote Desktop Users", "Remote Management Users", "Replicators", "Schema Admins", "Server Operators") 
2| eval object_category=case( EventCode="4731", "Local Group (Security)", EventCode="4744", "Local Group (Distribution)", EventCode="4727", "Global Group (Security)", EventCode="4749", "Global Group (Distribution)", EventCode="4754", "Universal Group (Security)", EventCode="4759", "Universal Group (Distribution)", EventCode="4783", "Basic Application Group", EventCode="4790", "LDAP Query Group") 
3| rename Computer as dest, result AS change_type, TargetUserName AS object, TargetSid AS object_path 
4| stats count min(_time) as firstTime max(_time) as lastTime by EventCode src_user object_category object object_path dest change_type status 
5| `windows_privileged_group_modification_filter`

Data Source

Name	Platform	Sourcetype	Source	Supported App
N/A	N/A	N/A	N/A	N/A

Macros Used

Name	Value
wineventlog_security	`eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security`
windows_privileged_group_modification_filter	`search *`

windows_privileged_group_modification_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1136.001	Local Account	Persistence
T1136.002	Domain Account	Persistence

KillChainPhase.INSTALLATION

NistCategory.DE_CM

Cis18Value.CIS_10

APT3

APT39

APT41

APT5

Dragonfly

FIN13

Fox Kitten

Kimsuky

Leafminer

Magic Hound

TeamTNT

Wizard Spider

GALLIUM

HAFNIUM

Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events.

Known False Positives

Legitimate administrators might create, delete, or modify an a privileged group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.

Associated Analytic Story

VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
A privileged group modification was detected. Group "$object$" ($object_category$) was $change_type$ on $dest$ by user $src_user$.	80	100	80

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Security`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Security`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2