Commandline Group Addition
Query
// Source Sensitive Groups: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/alert-when-a-group-is-added-to-a-sensitive-active-directory/ba-p/3436868
let SensitiveGroupName = pack_array( // Declare Sensitive Group names. Add any groups that you manually tagged as sensitive
'Account Operators',
'Administrators',
'Domain Admins',
'Backup Operators',
'Domain Controllers',
'Enterprise Admins',
'Enterprise Read-only Domain Controllers',
'Group Policy Creator Owners',
'Incoming Forest Trust Builders',
'Microsoft Exchange Servers',
'Network Configuration Operators',
'Print Operators',
'Read-only Domain Controllers',
'Replicator',
'Schema Admins',
'Server Operators'
);
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "group")
| extend GroupIsSentitive = iff(ProcessCommandLine has_any (SensitiveGroupName), 1, 0)
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, GroupIsSentitiveAbout this query
Explanation
This query is designed to detect when a user is added to a group using command-line tools on a system. This action is often used by attackers to gain extra permissions or control over a system or network. The query specifically looks for instances where the command-line tools net.exe or net1.exe are used with the keywords "add" and "group," which indicates an attempt to add a user to a group.
The query also checks if the group being modified is considered sensitive. Sensitive groups include high-privilege groups like 'Administrators', 'Domain Admins', 'Enterprise Admins', and others that have significant control over the system or network. If the command affects any of these sensitive groups, it flags it as such.
The query outputs the timestamp, device name, the command line used, the initiating command line, and whether the group is sensitive. This information helps security teams quickly identify and respond to potential unauthorized changes to group memberships, which could indicate a security breach.
