Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alerts

The following rules are used to identify suspicious activity related to security-enabled group. Any one or more of these will trigger suspicious Activity Related to Security-Enabled Group Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Security-Enabled Universal Group was Created

A Security-Enabled Universal Group has been created. This could be an indication of malicious activity.

Rule ID

windows_itdr_4

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4754}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Security-Enabled Global Group was Created

A Security-Enabled Global Group has been created. This could be an indication of malicious activity.

Rule ID

windows_itdr_5

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4727}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Member Added to Security-Enabled Universal Group

A member was added to a Security-Enabled Universal Group. This could be an indication of malicious activity.

Rule ID

windows_itdr_6

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4756}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Security-Enabled Local Group was Created

A Security-Enabled Local Group has been created. This could be an indication of malicious activity.

Rule ID

windows_itdr_8

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4731}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Security-Enabled Local Group was Deleted

A Security-Enabled Local Group has been deleted. This could be an indication of malicious activity.

Rule ID

windows_security_31

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4734}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Security-Enabled Universal Group was Deleted

A Security-Enabled Universal Group has been deleted. This could be an indication of malicious activity.

Rule ID

windows_security_87

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4758}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A

Security-Enabled Global Group was Deleted

A Security-Enabled Global Group has been deleted. This could be an indication of malicious activity.

Rule ID

windows_security_127

Query

{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4730}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}

Log Source

Stellar Cyber Windows Server Sensor configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/05/01 medium N/A