Neptune

User Added To Critical AD Groups

Response Plan

Step 1 :- Record the following details from the alert:

• Source user name (the account that performed the addition)
• Affected user name (the account that was added to the group)
• Time of the activity (when the user was added to the group)
• Group name

Step 2 :- Check whether the source user is allowed to modify critical groups: compare the source user reported in the logs with the users present in the authorised user activity sheet.

Step 3 :- If you have a list of authorised users and the source user is not on it, it is safe to assume that the activity was not authorised or expected: treat it as suspicious and escalate to the responsible team, then continue with step 4. If you do not have such a list, go straight to step 4.

Step 4 :- Check whether an existing ITSM ticket covers the addition. This is a manual check: search the ticketing system for tickets related to the group or to the affected (destination) user, and verify both the date of the ticket and its content to be certain that the ticket relates to this activity.

4.1 :- If a matching ticket is found, the alert can be closed as Authorised Activity.

4.2 :- If no matching ticket is found, go to step 5.

Step 5 :- Run a query on the SIEM to identify whether any user has added the affected user, or other users, to the same or other critical groups in the past 48 hours. Note:- this step applies whether or not the source user is authorised.

SPL:- (Splunk)

    index=your_index sourcetype=your_sourcetype earliest=-48h
        (EventCode=4728 OR EventCode=4732 OR EventCode=4756)
        group_name IN ("Domain Admins", "Enterprise Admins", "<other critical groups>")
        affected_user!="<affected user from the alert>"
    | eval action=case(EventCode==4728, "Added to Global Security Group", EventCode==4732, "Added to Local Security Group", EventCode==4756, "Added to Universal Security Group")
    | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M:%S")
    | stats values(timestamp) as timestamps, values(action) as actions, dc(group_name) as distinct_groups, values(group_name) as groups by source_user, affected_user
    | sort - distinct_groups
    | rename source_user as "Source User", affected_user as "Affected User", timestamps as "Timestamps", actions as "Actions", distinct_groups as "Distinct Groups", groups as "Groups"

Note:- source_user, affected_user and group_name are placeholder field names; map them to the fields your Windows add-on extracts for the actor, the member and the group. The group list must cover all critical groups (a search limited to the alerted group alone can never show additions to other groups). Any row returned is worth reviewing; source users who touched more than one critical group are listed first.
                                                                        
KQL:- (Sentinel)

    // Forwarded Windows security events live in the SecurityEvent table.
    // For 4728/4732/4756, TargetUserName is the group and MemberName is the member's DN.
    let critical_groups = dynamic(["Domain Admins", "Enterprise Admins", "<other critical groups>"]);
    let alert_member = "<affected user DN from the alert>";
    SecurityEvent
    | where TimeGenerated >= ago(48h)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName in~ (critical_groups)
    | where MemberName !~ alert_member
    | extend Action = case(
        EventID == 4728, "Added to Global Security Group",
        EventID == 4732, "Added to Local Security Group",
        EventID == 4756, "Added to Universal Security Group",
        "")
    | extend Timestamp = format_datetime(TimeGenerated, "yyyy-MM-dd HH:mm:ss")
    | summarize Timestamps = make_list(Timestamp),
                Actions = make_set(Action),
                DistinctGroups = dcount(TargetUserName),
                Groups = make_set(TargetUserName),
                DomainControllers = make_set(Computer)
        by SourceUser = strcat(SubjectDomainName, @"\", SubjectUserName), AffectedMember = MemberName
    | sort by DistinctGroups desc
                                                                        

5.1 :- If you do not find any suspicious activity, reset the passwords of all affected users and of the source user as a precautionary measure (follow your company policy for resetting user passwords), because no authorising ticket was found (4.2).


5.2 :- If you find suspicious activity, follow the recommendations below:

• Isolate the user accounts (source and destination) and/or the machine: temporarily disable or restrict the accounts if the activity is deemed suspicious.
• Revert the change: if unauthorised, remove the user from the critical AD group.
• Password reset: enforce a password reset for both accounts.
• Kill their active sessions (VPN and non-VPN), e.g. with the PowerShell command Logoff-UserSession -Username "suspicious_user". Note:- Logoff-UserSession is not a built-in cmdlet; it must come from an in-house module or be replaced with your environment's session-termination tooling.
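The containment steps in 5.2, as an added worked example for on-premises AD; this is not code from the Neptune page. It uses only ActiveDirectory module cmdlets and the built-in quser/logoff tools, so it is the kind of thing the page's Logoff-UserSession wrapper would contain. The group, account names, incident reference and host list are placeholders to replace with values from the alert; the New-RandomPassword helper is written for this example. Terminating VPN sessions depends on the VPN product and is left to its tooling; for hybrid accounts, Revoke-MgUserSignInSession from the Microsoft Graph module revokes cloud sessions as well.

```powershell
# Added example, not from the Neptune page: containment for an unauthorised addition
# to a critical AD group. Requires the ActiveDirectory module (RSAT) and an account
# with rights over the group, the two users and the listed hosts.
# All values below are placeholders taken from the alert / incident record.
Import-Module ActiveDirectory

$Group      = 'Domain Admins'       # group name from the alert
$Member     = 'jdoe'                # affected (destination) user, sAMAccountName
$SourceUser = 'svc-helpdesk'        # account that performed the addition
$IncidentId = 'INC-0000000'         # your incident reference, kept in the audit trail
$Hosts      = @('FS01', 'JUMP01')   # hosts with sessions for these accounts (from 4624 events in the SIEM)

function New-RandomPassword([int]$Length = 24) {
    # Cryptographic RNG; the small modulo bias is acceptable for a throwaway
    # reset password that the user must change at next logon anyway.
    $chars = [char[]](33..126)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# 1. Revert: snapshot the membership for the incident record, then remove the member.
Get-ADGroupMember -Identity $Group |
    Select-Object SamAccountName, objectClass, distinguishedName |
    Export-Csv -Path ".\$($Group -replace ' ', '_')-members-$IncidentId.csv" -NoTypeInformation
Remove-ADGroupMember -Identity $Group -Members $Member -Confirm:$false

# 2. Isolate: disable both accounts and leave the reason on the object so that
#    another admin does not silently re-enable them.
foreach ($acct in @($Member, $SourceUser)) {
    $u = Get-ADUser -Identity $acct -Properties Description
    Set-ADUser -Identity $acct -Description ('DISABLED {0} {1} (was: {2})' -f $IncidentId, (Get-Date -Format s), $u.Description)
    Disable-ADAccount -Identity $acct
}

# 3. Password reset with a random value; change required at next logon.
#    A reset does not revoke Kerberos tickets already issued, which is why step 4
#    also terminates live sessions.
foreach ($acct in @($Member, $SourceUser)) {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword $pw
    Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
}

# 4. Kill interactive (console/RDP) sessions on the listed hosts. quser prints
#    USERNAME SESSIONNAME ID STATE ...; SESSIONNAME is blank for disconnected sessions,
#    so the session ID is taken as the first all-digit column rather than by position.
foreach ($h in $Hosts) {
    $lines = quser /server:$h 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        $cols = $line.TrimStart('>') -split '\s{2,}'
        $user = $cols[0].Trim()
        if ($user -notin @($Member, $SourceUser)) { continue }
        $id = $cols | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if ($id) { logoff $id /server:$h }
    }
}
```

Run it from an admin workstation under an account that is itself not one of the two being contained, and keep the exported CSV with the incident: it is the evidence of what the group looked like before the revert.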
Use Case Detection Logic

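The detection logic (additions to critical groups via events 4728, 4732 and 4756) and the 48-hour pivot from step 5, as one added example run directly against a domain controller's Security log with Get-WinEvent; this is not code from the Neptune page and is meant for when the SIEM does not yet hold the events or you want to verify its output. The critical-group list, the -Hours window and the -ComputerName default are assumptions to adjust.

```powershell
# Added example, not from the Neptune page. Pulls group-membership additions
# (4728 global, 4732 local, 4756 universal) from a DC's Security log for the last
# N hours, keeps those that target a critical group, and builds the step-5 pivot.
# Assumptions: run as an account that can read the Security log on $ComputerName;
# $CriticalGroups is a placeholder list to replace with your own.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 48,
    [string[]]$CriticalGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                  'Administrators', 'Account Operators', 'Backup Operators')
)

$actionById = @{ 4728 = 'Added to Global Security Group'
                 4732 = 'Added to Local Security Group'
                 4756 = 'Added to Universal Security Group' }

$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the EventData fields by name instead of relying on message text.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # For 4728/4732/4756, TargetUserName is the GROUP and MemberName is the member's DN.
    $group = $d['TargetUserName']
    if ($CriticalGroups -notcontains $group) { continue }

    [pscustomobject]@{
        Timestamp  = $e.TimeCreated
        SourceUser = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        MemberDN   = $d['MemberName']
        MemberSid  = $d['MemberSid']
        GroupName  = $group
        Action     = $actionById[[int]$e.Id]
        DC         = $e.MachineName
    }
}

# Detection records: every addition to a critical group in the window is alert-worthy.
$rows | Sort-Object Timestamp |
    Format-Table Timestamp, SourceUser, MemberDN, GroupName, Action, DC -AutoSize

# Step-5 pivot: one line per source user, flagging those that touched more than one
# critical group or added more than one member within the window.
$rows | Group-Object SourceUser | ForEach-Object {
    $groups  = @($_.Group.GroupName | Sort-Object -Unique)
    $members = @($_.Group.MemberDN  | Sort-Object -Unique)
    $flag = ''
    if ($groups.Count -gt 1 -or $members.Count -gt 1) { $flag = 'REVIEW' }
    [pscustomobject]@{
        SourceUser      = $_.Name
        Additions       = $_.Count
        DistinctGroups  = $groups.Count
        DistinctMembers = $members.Count
        Groups          = $groups -join '; '
        Members         = $members -join '; '
        Flag            = $flag
    }
} | Sort-Object DistinctGroups, Additions -Descending | Format-Table -AutoSize
```

Each of these events is written only on the domain controller that processed the change, so run the script against every DC (or rely on the SIEM, which aggregates them) before concluding that no other additions happened; 4732 for a member server's local Administrators group is logged on that server, not on a DC.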
                                                                        