Active Directory Group Modification by SYSTEM

Last updated 21 days ago on 2025-04-23

Created a year ago on 2024-06-26

About

Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: PersistenceUse Case: Active Directory MonitoringData Source: Active DirectoryData Source: Windows Security Event LogsLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Account Manipulation (T1098)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-system.security*logs-windows.forwarded*winlogbeat-*

Related Integrations

system(opens in a new tab or window)

windows(opens in a new tab or window)

Query

iam where host.os.type == "windows" and event.code == "4728" and
winlog.event_data.SubjectUserSid : "S-1-5-18" and

/* DOMAIN_USERS and local groups */
not group.id : "S-1-5-21-*-513"

Install detection rules in Elastic Security

Detect Active Directory Group Modification by SYSTEM in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).