I'm fairly new at this, but I've been trying to create a correlation rule that alerts when a user is added to the local administrators group on Windows machines.
This works, my rule looks for 'A member was added to a security-enabled local group' (43-263047320), among a few others.
Unfortunately, Microsoft sends only the SIDs, and relies on the viewing client to determine who added who to what group. ESM will resolve the SID of the user doing the adding, and the group being added to, but not the user that got added! This just comes in as a custom type called 'Security_ID' and gives me a SID. See the attached screenshot.
I've been experimenting with Data Enrichment through either ldap or SQL. Using LDAP trying to query 'ObjectSID' produces an error. I've been able to successfully query the Object SID (and resolve SAMAccountName) in my IAM SQL database, but in Destination I am unable to select Security_ID (or any custom type) as a lookup field, no matter which data source i select! It is available in the Custom Types menu, but it's not editable.
How are others doing this?
Really? the event should contain both source user (actioned by) and destination user (added user). Correlation rule should just be Signature ID, and object = the security group name which you are interested in.
Hi all, thanks for the replies.
To clarify, the packet captured by Signature 43-263047320 (A member was added to a security-enabled local group) only contains the following data:
192.168.1.100||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61||1483539975||4||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||IIS_IUSRS||Builtin||S-1-5-32-568||S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN||0xafe95984||-||A member was added to a security-enabled local group.
Security ID: S-1-5-21-4195886749-1299131234-950276898-294751
Account Name: KevinM
Account Domain: DOMAIN
Logon ID: 0xafe95984
Security ID: S-1-5-20
Account Name: -
Security ID: S-1-5-32-568
Group Name: IIS_IUSRS
Group Domain: Builtin
As you can see, the Account Name is blank, and that's the member that KevinM added to the IIS_Users group. If there's a setting to include this data that would be great but I am unaware of it. (I obviously changed the sensitive data).
As far as following that article for data enrichment, I'm having data type issues working with the SID to do that. It doesn't seem to be possible.
Good find xded! According to that article:
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
That's what's happening with me. When one of my sneaky server admins decides to take the easy way out and add a service account to Administrators, I want to know who got added! It looks like the information doesn't exist, no one else has this issue?
Did anyone ever come up with a way to handle this issue? I'm trying to do the same thing (indeed, I want the alert for a user being added to any group, not just Domain Admins.)