title: User Added to Local Administrators
author: Florian Roth
date: 2017/03/14
description: This rule triggers on user accounts that are added to the local Administrators
  group, which could be legitimate activity or a sign of privilege escalation activity
detection:
  SELECTION_1:
    EventID: 4732
  SELECTION_2:
    TargetUserName: Administr*
  SELECTION_3:
    TargetSid: S-1-5-32-544
  SELECTION_4:
    SubjectUserName: '*$'
  condition: ((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and  not (SELECTION_4))
falsepositives:
- Legitimate administrative activity
id: c265cf08-3f99-46c1-8d59-328247057d57
level: medium
logsource:
  product: windows
  service: security
modified: 2021/07/07
status: stable
tags:
- attack.privilege_escalation
- attack.t1078
- attack.persistence
- attack.t1098
ruletype: SIGMA