Tanaka Zakku
31 lines
1.3 KiB
YAML
31 lines
1.3 KiB
YAML
author: Eric Conrad, Zach Mathis
|
|
creation_date: 2020/11/08
|
|
updated_date: 2021/12/22
|
|
|
|
title: User added to global security group
|
|
title_jp: ユーザがグローバルセキュリティグループに追加された
|
|
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
|
|
details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
|
|
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
|
|
description_jp: ユーザがグローバルのセキュリティグループに追加された。
|
|
|
|
id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
|
|
level: medium
|
|
status: stable
|
|
detection:
|
|
selection:
|
|
Channel: Security
|
|
EventID: 4728
|
|
filter:
|
|
SubjectUserName|endswith: $
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- system administrator
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1098
|
|
references:
|
|
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
|
|
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
|
|
logsource: default
|
|
ruletype: Hayabusa |