New user created and added to the built-in administrators group



Identifies when a user account was created and then added to the built-in Administrators group on the same day. Such additions should be monitored closely, and every one of them reviewed.

Type: Analytic Rule
Solution: Standalone Content
ID: aa1eff90-29d4-49dc-a3ea-b65199f516db
Severity: Low
Kind: Scheduled
Tactics: Persistence, PrivilegeEscalation
Techniques: T1098, T1078
Required Connectors: SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents
Source: View on GitHub
