Sigma rule | Level: medium | Category: Hunting

Remove Account From Domain Admin Group

Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users. Accounts may be deleted, locked, or manipulated (for example by changing credentials) to remove access. This rule looks for PowerShell Script Block Logging events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) whose ScriptBlockText contains the Remove-ADGroupMember cmdlet together with the -Identity and -Members parameters, the command pattern used by Atomic Red Team T1531 test 3 to remove an account from the Domain Admins group. Note that the selection does not check which group is named in -Identity, so it fires on membership removal from any AD group, not only Domain Admins, and it misses the same action issued with positional or abbreviated parameters. Routine group cleanup by administrators or identity-management tooling produces identical script blocks, so baseline expected callers before alerting on it.

MITRE ATT&CK

Impact (T1531: Account Access Removal)

Detection Query

selection:
  ScriptBlockText|contains|all:
    - Remove-ADGroupMember
    - "-Identity "
    - "-Members "
condition: selection
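To make the selection concrete, the following added example (not part of the Sigma rule or the Sigma project) evaluates the `contains|all` logic above against a handful of constructed ScriptBlockText values of the kind found in Event ID 4104 records. It shows the Atomic test 3 command matching, a removal from an unprivileged group also matching, and two equivalent Domain Admins removals that the rule misses because they use positional or abbreviated parameters. The `domain_admins_hits` function is a hypothetical tightening layered on top of the rule, not something the rule itself does.

```python
"""Evaluate the Sigma selection from the rule above over constructed 4104 script block texts.

Added example; the sample events are constructed, not real telemetry.
"""

# The three substrings from the rule's ScriptBlockText|contains|all selection.
SELECTION_CONTAINS_ALL = ["Remove-ADGroupMember", "-Identity ", "-Members "]


def matches_selection(script_block_text: str) -> bool:
    """Sigma 'contains|all': every pattern must appear as a substring.

    Sigma string matching is case-insensitive by default, so compare lowercased.
    """
    text = script_block_text.lower()
    return all(pattern.lower() in text for pattern in SELECTION_CONTAINS_ALL)


# Constructed sample ScriptBlockText values (assumed shapes, not captured logs).
SAMPLE_EVENTS = [
    # Atomic Red Team T1531 test 3 style invocation: true positive.
    {"id": 1, "ScriptBlockText": 'Remove-ADGroupMember -Identity "Domain Admins" -Members "bob" -Confirm:$false'},
    # Same cmdlet against an unprivileged group: the rule still fires (title is narrower than the logic).
    {"id": 2, "ScriptBlockText": "Remove-ADGroupMember -Identity 'Sales-Printers' -Members jsmith"},
    # Positional parameters: semantically identical to event 1, but missed by the rule.
    {"id": 3, "ScriptBlockText": 'Remove-ADGroupMember "Domain Admins" bob -Confirm:$false'},
    # Abbreviated parameter names (PowerShell accepts unambiguous prefixes): also missed.
    {"id": 4, "ScriptBlockText": 'Remove-ADGroupMember -Id "Domain Admins" -Mem bob'},
    # Read-only enumeration of the same group: true negative.
    {"id": 5, "ScriptBlockText": 'Get-ADGroupMember -Identity "Domain Admins" | Select-Object SamAccountName'},
    # Lower-case cmdlet and parameters: still matches because matching is case-insensitive.
    {"id": 6, "ScriptBlockText": 'remove-adgroupmember -identity "Domain Admins" -members bob'},
]


def evaluate(events):
    """Return the ids of the events the rule's selection matches."""
    return [e["id"] for e in events if matches_selection(e["ScriptBlockText"])]


def domain_admins_hits(events):
    """Hypothetical tightening (not in the rule): keep only matches that also name Domain Admins.

    A plain substring check covers the group name and its distinguished name
    ("CN=Domain Admins,..."), but not the RID-512 SID form of -Identity.
    """
    return [
        e["id"]
        for e in events
        if matches_selection(e["ScriptBlockText"]) and "domain admins" in e["ScriptBlockText"].lower()
    ]


if __name__ == "__main__":
    print("rule matches:", evaluate(SAMPLE_EVENTS))            # [1, 2, 6]
    print("domain admins only:", domain_admins_hits(SAMPLE_EVENTS))  # [1, 6]
```

Events 3 and 4 are the gap a hunter should keep in mind: the rule keys on the literal parameter names, so anyone who omits them or shortens them removes the account without tripping the selection. Broadening the match to `Remove-ADGroupMember` alone, and then filtering on the target group, trades some noise for coverage of those variants.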

Author

frack113

Created

2021-12-26

Data Sources

product: windows
category: ps_script

Platforms

windows

Tags

attack.impact
attack.t1531
Raw Content
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Remove-ADGroupMember'
            - '-Identity '
            - '-Members '
    condition: selection
falsepositives:
    - Unknown
level: medium