Query Details

AD Group Additions

MDI AD Group Additions

Query

let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityDirectoryEvents
| where Timestamp > (now() - SearchWindow)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (Groups)

About this query

AD Group Additions

Query Information

Description

This query can be used to list all Active Directory group additions. The query uses 2 variables as input, the Group names on which you want to search and the timeframe used for the search. This could help in your investigation by knowing if accounts have been added to high priviliged groups in order for them to have more privileges.

References

Defender XDR

Sentinel

let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityDirectoryEvents
| where Timestamp > (now() - SearchWindow)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (Groups)

Explanation

This query is designed to help you monitor changes in Active Directory group memberships, specifically focusing on additions to certain high-privilege groups. Here's a simple breakdown:

  1. Purpose: The query identifies when users are added to specific Active Directory groups, which could indicate an increase in their privileges.

  2. Inputs:

    • Groups: A list of sensitive or high-privilege groups you want to monitor (e.g., 'Domain Admins').
    • SearchWindow: The time frame for the search (e.g., the last 48 hours).
  3. Process:

    • The query checks for events where group memberships have changed within the specified time frame.
    • It extracts and lists the group to which a user was added and who initiated the addition.
  4. Output:

    • The query results show which users were added to the specified groups and who added them, helping you identify potential unauthorized privilege escalations.

This query is useful for security investigations, allowing you to track and respond to changes in group memberships that could affect your organization's security posture.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

IdentityDirectoryEvents

Keywords

ActiveDirectoryGroupMembershipIdentityEventsAccountsPrivileges

Operators

letdynamicwhere>-==extendparse_jsonproject-reorderhas_any

Actions

GitHub