QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

One of the most common ways that malicious actors extend their reach within compromised environments is by targeting Active Directory. Account takeovers might involve password guessing and cracking attacks that surreptitiously access active user accounts. Alternatively, attackers may take over abandoned or inactive user accounts. Still another method is for attackers to gain administrative privileges on a domain and create new accounts for their use.

Regardless of the method of account takeover, attackers will need to obtain highly privileged administrator or, ideally, domain administrator level permissions in order to accomplish their objectives. To do that, they will seek to move a lower-privileged account they control into a more privileged user group in order to move laterally within the environment.

For defenders, monitoring sensitive user groups for changes is an effective way to detect suspicious or malicious activity and to disrupt efforts by threat actors to achieve persistent access to your environment. In this post, we’re taking a look at how QOMPLX’s technology helps customers spot this kind of malicious activity, which is often an early indication that an attack is taking place.

Key Points:

  • Monitoring for members added to security-enabled Active Directory groups is critical to spotting attempts at privilege escalation on compromised hosts and networks.
  • Windows Event ID 4732 (member was added to a security-enabled local group) and Windows Event ID 4728 (member was added to a security-enabled global group) are associated with this activity and should be monitored.
  • QOMPLX IA allows users to monitor sensitive local and global user groups.
  • Security-enabled groups vary but standard groups exist across Active Directory environments. In addition, custom groups can be monitored for these events.
  • Monitoring for group additions requires the “Audit Directory Service Changes” audit policy to be enabled in Active Directory.

How Sensitive Group Monitoring Works

Additions to sensitive groups are common, especially in large Active Directory environments with thousands, tens of thousands or even hundreds of thousands of users. But these events should be carefully monitored for abuse, as malicious actors will use surreptitious group memberships as a way to quickly elevate the permissions of low-level accounts that they control.

Windows Event Message 4732

The addition of users to any high-privilege group, such as Domain Admins, should have a clear trail of approvals. Conversely, unapproved or unexpected changes to the membership of sensitive local or global user groups could indicate an effort by malicious actors to escalate account privileges and establish persistence within the network.

QOMPLX Detection

QOMPLX’s Identity Assurance (IA) product detects changes to security-enabled groups as they happen. IA detects these changes by monitoring for two Windows event types: Windows Event ID 4732 (member was added to a security-enabled local group) and Windows Event ID 4728 (member was added to a security-enabled global group).

Monitoring is applied to a list of sensitive groups by default. They include groups with the following keywords in the group name:

  • Admin
  • Power Users
  • Operators
  • Replicators
  • Domain Controllers
  • Group Policy Creator Owners
  • Microsoft Exchange Servers

Customers can also modify IA’s default template to account for custom local or global user group names.
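
The matching described above can be sketched as follows. This is an added example, not QOMPLX IA code: it assumes Security log records exported as event XML, and the function names, the custom_keywords parameter, the approved allow-list and all sample records are hypothetical or constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCOPE = {"4728": "global", "4732": "local"}  # event IDs named in the post
# Default keywords from the post's list, matched as case-insensitive substrings.
KEYWORDS = ["Admin", "Power Users", "Operators", "Replicators", "Domain Controllers",
            "Group Policy Creator Owners", "Microsoft Exchange Servers"]

def check_event(event_xml, custom_keywords=(), approved=frozenset()):
    """Return an alert dict for an unapproved sensitive-group addition, else None."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", "", NS).strip()
    if event_id not in SCOPE:
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    group = data.get("TargetUserName", "")  # the group that gained a member
    hit = next((k for k in [*KEYWORDS, *custom_keywords]
                if k.lower() in group.lower()), None)
    if hit is None:
        return None
    member = data.get("MemberName", "")
    if member in ("", "-"):  # name is often "-" on these events: use the SID
        member = data.get("MemberSid", "")
    if (group.lower(), member.lower()) in approved:  # hypothetical allow-list
        return None
    return {"event_id": event_id, "scope": SCOPE[event_id], "group": group,
            "keyword": hit, "member": member, "actor": data.get("SubjectUserName", "")}

def sample_event(event_id, group, member_name, member_sid, actor):
    """Build a constructed, minimal record in the Windows event XML layout."""
    fields = {"MemberName": member_name, "MemberSid": member_sid,
              "TargetUserName": group, "SubjectUserName": actor}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLES = [  # constructed records; every name and SID here is made up
    sample_event(4728, "Domain Admins", "CN=svc-backup,CN=Users,DC=example,DC=test",
                 "S-1-5-21-1111111111-2222222222-3333333333-1601", "jdoe"),
    sample_event(4732, "Backup Operators", "-",
                 "S-1-5-21-1111111111-2222222222-3333333333-1602", "jdoe"),
    sample_event(4728, "Marketing", "CN=alice,CN=Users,DC=example,DC=test",
                 "S-1-5-21-1111111111-2222222222-3333333333-1603", "helpdesk"),
    sample_event(4624, "Domain Admins", "-", "-", "jdoe"),
]

if __name__ == "__main__":
    print([check_event(record) for record in SAMPLES])
```

Pairs in the approved set are lower-cased (group name, member) tuples, standing in for the approval trail that additions to high-privilege groups should have.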

QOMPLX helps its customers with threats like surreptitious addition of users to security-enabled user groups. If you want to learn more about how QOMPLX can help your company spot signs that may signal a compromise, contact our sales team now.

Additional Reading

Here are the previous entries in our QOMPLX Knowledge series; look for more in the days and weeks ahead:

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained
