User Added to Privileged Group in Active Directory
Adversaries may add a user to a privileged group in Active Directory, such as Domain Admins, to maintain persistent access and elevate privileges within the domain.
Attackers often target Active Directory (AD) to gain control over a network. Adding a user account to a highly privileged group, such as Domain Admins or Enterprise Admins, is a common tactic for establishing persistence and escalating privileges. By compromising an account with the ability to manage group memberships or exploiting vulnerabilities, an attacker can add their own rogue account to a privileged group, granting them extensive control over the AD domain. This activity might go unnoticed amidst legitimate administrative actions, making it a stealthy method of maintaining unauthorized access. This is a common technique employed after initial compromise to ensure long-term access to critical systems and data. Detecting such additions requires careful monitoring of AD security logs for specific events related to group membership changes.
Attack Chain
- Initial compromise of a low-privileged user account through phishing or credential theft.
- Lateral movement to a system with access to Active Directory management tools.
- Privilege escalation to an account with permissions to modify group memberships (e.g., leveraging exploits or credential dumping).
- Use of AD management tools (e.g., Active Directory Users and Computers, PowerShell with AD module) to add the attacker-controlled user account to a privileged group, such as Domain Admins (RID 512).
- The attacker logs in with the newly privileged account.
- The attacker uses their elevated privileges to access sensitive data, install backdoors, or perform other malicious activities.
- The attacker may attempt to remove the initially compromised account to remove traces of their activities.
Impact
Successful addition of an attacker-controlled user to a privileged AD group grants them near-total control over the domain. This can lead to widespread data breaches, ransomware deployment across the entire network, compromise of sensitive systems, and long-term disruption of business operations. The impact can extend to all domain-joined systems and resources, potentially affecting thousands of users and devices. Remediation often requires a complete rebuild of the Active Directory environment, resulting in significant downtime and financial losses.
Recommendation
- Enable “Audit Security Group Management” in Active Directory to generate the necessary security events for detecting group membership changes.
- Deploy the Sigma rule “User Added to Privileged Group in Active Directory” to your SIEM to detect suspicious additions to privileged groups, tuning the rule for known administrative accounts.
- Monitor for unexpected use of AD management tools, such as Active Directory Users and Computers or PowerShell with the AD module, especially from unusual source hosts.
- Investigate any alerts generated by the Sigma rule by verifying the legitimacy of the user adding members to the group and validating the need for the new member to have those privileges.
- Regularly review the membership of privileged groups and remove any unauthorized or unnecessary accounts.
Detection coverage (2 rules)
User Added to Privileged Group in Active Directory (Event ID 4728)
Level: medium. Detects when a user account is added to a privileged group in Active Directory using Windows Security Event ID 4728.
User Added to Privileged Group in Active Directory (Event ID 4732)
Level: medium. Detects when a user account is added to a privileged group in Active Directory using Windows Security Event ID 4732.
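The logic behind the two rules above, as an added example that is not the platform's detection query or the Sigma rule itself: it parses Event ID 4728 (member added to a security-enabled global group) and 4732 (member added to a security-enabled local group) records in EVTX XML form, flags the event when the target group SID is a well-known privileged group (Domain Admins RID 512 among them), and suppresses hits from an allow-list of expected administrative accounts, which is the tuning step the recommendation asks for. The allow-list contents, the sample event records and the account names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Privileged groups: domain groups by well-known RID, builtin groups by full SID (assumption: extend per environment).
PRIVILEGED_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins", "518": "Schema Admins"}
PRIVILEGED_BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-548": "Account Operators",
                      "S-1-5-32-549": "Server Operators", "S-1-5-32-551": "Backup Operators"}
# Accounts expected to manage group membership (assumption: tuned per environment).
KNOWN_ADMINS = {"svc-iam-provision"}

def privileged_group_name(group_sid):
    """Name of the privileged group for this SID, or None if the group is not privileged."""
    if group_sid in PRIVILEGED_BUILTIN:
        return PRIVILEGED_BUILTIN[group_sid]
    if group_sid.startswith("S-1-5-21-"):  # domain SID: decide by the RID suffix
        return PRIVILEGED_RIDS.get(group_sid.rsplit("-", 1)[-1])
    return None

def parse_event(xml_text):
    """Extract the EventID and the EventData name/value pairs from an event in EVTX XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def detect(records):
    """Alert on 4728/4732 when the target group is privileged and the actor is not allow-listed."""
    alerts = []
    for xml_text in records:
        event_id, d = parse_event(xml_text)
        if event_id not in (4728, 4732):  # global / local security group member added
            continue
        group = privileged_group_name(d.get("TargetSid", ""))
        if group is None or d.get("SubjectUserName") in KNOWN_ADMINS:
            continue
        alerts.append({"event_id": event_id, "actor": d["SubjectUserName"],
                       "member": d["MemberName"], "group": group})
    return alerts

def sample(event_id, subject, member, group, group_sid):
    """Build a constructed event record in the layout the parser expects (not real log data)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="MemberName">{member}</Data><Data Name="TargetUserName">{group}</Data>'
            f'<Data Name="TargetSid">{group_sid}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample data; only the first record should alert
    sample(4728, "jdoe", "CN=svc-backup2,CN=Users,DC=corp,DC=example", "Domain Admins", "S-1-5-21-1111-2222-3333-512"),
    sample(4732, "svc-iam-provision", "CN=helpdesk1,CN=Users,DC=corp,DC=example", "Administrators", "S-1-5-32-544"),
    sample(4728, "jdoe", "CN=bob,CN=Users,DC=corp,DC=example", "Marketing", "S-1-5-21-1111-2222-3333-1105"),
]
```

`detect(SAMPLE_EVENTS)` returns a single alert, for jdoe adding svc-backup2 to Domain Admins; the Administrators addition by the allow-listed provisioning account and the Marketing addition are suppressed.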