Adversaries may manipulate accounts to maintain access to victim systems. One common form is adding accounts to high-privilege groups or roles: Dragonfly 2.0, for example, added newly created accounts to the Administrators group to retain elevated access. The query below lists every high-privilege user performing the "Add member to privileged role" operation, together with any occurrence of that operation where one or more features of the activity deviate from the acting user's own profile, from their peers' profile, or from the tenant-wide profile as learned by UEBA.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | UEBA Essentials |
| ID | 5aa5083c-1de6-42bb-a128-2ec2aba1de39 |
| Tactics | Persistence |
| Techniques | T1098 |
| Required Connectors | BehaviorAnalytics, AzureActiveDirectory |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AuditLogs | OperationName == "Add member to role" | ✓ | ✗ | ? |
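The following KQL is an added illustration of the hunting logic described above; it is not the query shipped in the UEBA Essentials solution and has not been taken from the solution's GitHub source. It joins the AuditLogs role-assignment events to their UEBA enrichment in BehaviorAnalytics and keeps a row when either the acting user is high-impact and the target role is privileged, or when UEBA marked the action as unusual for the user, their peers, or the tenant. The watchlist of privileged role names is constructed for the example, and the BehaviorAnalytics field names (UsersInsights.BlastRadius, the ActivityInsights flags, and SourceRecordId matching AuditLogs._ItemId) are assumptions to check against the schema in your workspace with `BehaviorAnalytics | getschema`.

```kql
// Added example, not the solution's own query.
// Assumed: BehaviorAnalytics.SourceRecordId equals the _ItemId of the enriched AuditLogs row,
// and the UsersInsights / ActivityInsights property names below exist in your UEBA schema.
let lookback = 7d;
// Constructed watchlist of roles treated as privileged for this example; extend to taste.
let priv_roles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "SharePoint Administrator"
]);
// UEBA enrichment for the same operation: who did it, how big their blast radius is,
// and which learned profile (user / peers / tenant) the action deviated from.
let ueba =
    BehaviorAnalytics
    | where TimeGenerated >= ago(lookback)
    | where ActionType == "Add member to role"
    | project SourceRecordId, InvestigationPriority, UsersInsights, ActivityInsights;
AuditLogs
| where TimeGenerated >= ago(lookback)
| where OperationName == "Add member to role"
| where Result == "success"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp = tostring(InitiatedBy.user.ipAddress)
// TargetResources carries the member being added; the role name sits in its
// modifiedProperties under displayName "Role.DisplayName" as a JSON-encoded string.
| mv-expand TargetResource = TargetResources
| extend TargetUser = tostring(TargetResource.userPrincipalName)
| mv-expand Prop = TargetResource.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim(@'"', tostring(Prop.newValue))
// Left-outer so an assignment with no UEBA row is still judged on the role alone.
| join kind=leftouter ueba on $left._ItemId == $right.SourceRecordId
| extend IsPrivilegedRole = RoleName in~ (priv_roles),
         ActorHighBlastRadius = tostring(UsersInsights.BlastRadius) == "High",
         DeviatesFromProfile = ActivityInsights.FirstTimeUserPerformedAction == true
             or ActivityInsights.ActionUncommonlyPerformedByUser == true
             or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true
             or ActivityInsights.ActionUncommonlyPerformedInTenant == true
| where (IsPrivilegedRole and ActorHighBlastRadius) or DeviatesFromProfile
| project TimeGenerated, Actor, ActorIp, TargetUser, RoleName,
          IsPrivilegedRole, ActorHighBlastRadius, DeviatesFromProfile,
          InvestigationPriority, ActivityInsights, CorrelationId
| order by InvestigationPriority desc, TimeGenerated desc
```

Two caveats when running this as a hunt: BehaviorAnalytics is populated asynchronously after the source event lands, so a query window that ends at the current time will contain AuditLogs rows whose UEBA row has not arrived yet (they survive the left-outer join only if the target role is privileged and the actor is already known high-impact), and a failed assignment is deliberately excluded by the `Result == "success"` filter, so broaden it if you also want attempts.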