File tree 1 file changed +34
-10
lines changed
1 file changed +34
-10
lines changed Original file line number Diff line number Diff line change 22creation_date = " 2021/01/09"
33integration = [" system" " windows"
44maturity = " production"
5- updated_date = " 2024/05/21 "
5+ updated_date = " 2024/06/07 "
66
77[rule ]
88author = [" Elastic" " Skoetting"
@@ -72,15 +72,39 @@ timestamp_override = "event.ingested"
7272type = " eql"
7373
7474query = '''
75- iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and
76- group.name : ("Admin*",
77- "Local Administrators",
78- "Domain Admins",
79- "Enterprise Admins",
80- "Backup Admins",
81- "Schema Admins",
82- "DnsAdmins",
83- "Exchange Organization Administrators")
75+ iam where winlog.api == "wineventlog" and event.action == "added-member-to-group" and
76+ (
77+ (
78+ group.name : (
79+ "Admin*",
80+ "Local Administrators",
81+ "Domain Admins",
82+ "Enterprise Admins",
83+ "Backup Admins",
84+ "Schema Admins",
85+ "DnsAdmins",
86+ "Exchange Organization Administrators",
87+ "Print Operators",
88+ "Server Operators",
89+ "Account Operators"
90+ )
91+ ) or
92+ (
93+ group.id : (
94+ "S-1-5-32-544",
95+ "S-1-5-21-*-544",
96+ "S-1-5-21-*-512",
97+ "S-1-5-21-*-519",
98+ "S-1-5-21-*-551",
99+ "S-1-5-21-*-518",
100+ "S-1-5-21-*-1101",
101+ "S-1-5-21-*-1102",
102+ "S-1-5-21-*-550",
103+ "S-1-5-21-*-549",
104+ "S-1-5-21-*-548"
105+ )
106+ )
107+ )
84108'''
85109
86110
You can’t perform that action at this time.
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments