Query Details

Multiple Sensitive Group Additions From Commandline

Multiple Sentitive Group Additions

Query

let BinTimeFrame = 1h;
let AlertThreshold = 3;
// Source Sensitive Groups: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/alert-when-a-group-is-added-to-a-sensitive-active-directory/ba-p/3436868
let SensitiveGroupName = pack_array(  // Declare Sensitive Group names. Add any groups that you manually tagged as sensitive
    'Account Operators',
    'Administrators',
    'Domain Admins', 
    'Backup Operators',
    'Domain Controllers',
    'Enterprise Admins',
    'Enterprise Read-only Domain Controllers',
    'Group Policy Creator Owners',
    'Incoming Forest Trust Builders',
    'Microsoft Exchange Servers',
    'Network Configuration Operators',
    'Print Operators',
    'Read-only Domain Controllers',
    'Replicator',
    'Schema Admins',
    'Server Operators'
);
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "group") 
| extend GroupIsSentitive = iff(ProcessCommandLine has_any (SensitiveGroupName), 1, 0)
| summarize TotalCommands = dcount(ProcessCommandLine), ExecutedCommands = make_set(ProcessCommandLine), arg_max(Timestamp, *) by DeviceName, bin(Timestamp, BinTimeFrame)
| where TotalCommands >= AlertThreshold

About this query

Explanation

This query is designed to detect suspicious activity where multiple sensitive group additions are made from the command line within a specified timeframe. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify potential security threats by monitoring for multiple additions to sensitive groups using command-line tools. This could indicate an attempt by an unauthorized user to gain elevated permissions.

  2. Key Variables:

    • BinTimeFrame: This variable sets the timeframe for monitoring, defaulting to 1 hour. You can adjust this to change the period over which the query checks for group additions.
    • AlertThreshold: This sets the minimum number of command-line additions required to trigger an alert. By default, it is set to 3, meaning if there are three or more additions within the timeframe, an alert is generated.
  3. Sensitive Groups: The query focuses on specific Active Directory groups considered sensitive, such as 'Administrators', 'Domain Admins', and 'Enterprise Admins', among others. These are groups that, if accessed by unauthorized users, could lead to significant security risks.

  4. Detection Logic:

    • The query looks for processes where the command-line tools net.exe or net1.exe are used with the keywords "add" and "group".
    • It checks if any of these commands involve the sensitive groups listed.
    • It counts the number of such commands executed within the specified timeframe and checks if this count meets or exceeds the alert threshold.
  5. Output: If the number of detected commands meets the threshold, the query outputs details such as the device name, the total number of commands, and the specific commands executed, helping security teams investigate further.

In summary, this query helps detect potential unauthorized attempts to add users to sensitive groups via command-line operations, which could be a sign of malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsSensitiveGroupNameCommandLineFileTimeGeneratedTimestamp

Operators

letpack_arrayinhas_alliffhas_anysummarizedcountmake_setarg_maxbybinwhereextend

MITRE Techniques

Actions

GitHub