Merge pull request Azure#11541 from Azure/v-sabiraj-updating-LocalAdm…

…inGroupChanges Update LocalAdminGroupChanges.yaml
VirusTotal · Dec 16, 2024 · 83d468f · 83d468f
2 parents cb0afbb + e9f8455
commit 83d468f
Show file tree

Hide file tree

Showing 4 changed files with 910 additions and 904 deletions.
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/LocalAdminGroupChanges.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/LocalAdminGroupChanges.yaml
@@ -19,6 +19,10 @@ tactics:
 relevantTechniques:
   - T1098
 query: |
+  let machineAccountSIDs = dynamic([
+    "S-1-5-18",
+    "S-1-5-20",
+    "S-1-5-19"]);
   let ADAZUsers =  IdentityInfo 
   | extend DirectoryDomain = AccountDomain 
   | extend DirectoryAccount = AccountName 
@@ -33,17 +37,19 @@ query: |
   | distinct NewUserSID, lUserAdded,laccountdomain;
   // Check for any local group changes and enrich the data with the account name obtained from the previous query
   DeviceEvents 
-  | where ActionType == 'UserAccountAddedToLocalGroup' 
+  | where ActionType == 'UserAccountAddedToLocalGroup'
+  // Exclude machine and wellknown SIDs 
+  | where (AccountSid !in (machineAccountSIDs)) and (AccountSid matches regex @"S-\d-\d+-\d+-(\d+-){1,5}\d+")
   | extend LocalGroupSID = tostring(parse_json(AdditionalFields).GroupSid)
-  | extend LocalGroup = AccountName
+  | extend LocalGroup = tostring(parse_json(AdditionalFields).GroupName)
   | extend AddedAccountSID = AccountSid
   | extend Actor = trim(@"[^\w]+",InitiatingProcessAccountName)
   // limit to local administrators group
-  //  | where LocalGroupSID contains "S-1-5-32-544"
-  | join kind= leftouter    (NewUsers)
+  // | where LocalGroupSID contains "S-1-5-32-544"
+  | join kind=leftouter    (NewUsers)
   on $left.AddedAccountSID == $right.NewUserSID
   | project TimeGenerated, DeviceName, LocalGroup,LocalGroupSID, AddedAccountSID, lUserAdded , Actor, ActionType , laccountdomain 
-  | join kind=leftouter  (ADAZUsers)
+  | join kind=innerunique  (ADAZUsers)
   on $left.AddedAccountSID == $right.OnPremSid
   | extend UserAdded = iff(isnotempty(lUserAdded),strcat(laccountdomain,"\\", lUserAdded), strcat(DirectoryDomain,"\\", DirectoryAccount))
   | extend AccountName = iff(isnotempty(lUserAdded), lUserAdded, DirectoryAccount)
@@ -73,5 +79,5 @@ entityMappings:
         columnName: AccountName
       - identifier: NTDomain
         columnName: laccountdomain
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.11.zip b/Solutions/Microsoft Defender XDR/Package/3.0.11.zip