Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
10 Hours |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
Identity Analytics |
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Informational |
Description
A user was added to an Active Directory group and removed within a short period of time, which may be a sign of compromise.
Attacker's Goals
Elevate permissions and establish persistence.
Investigative actions
- Verify the activity with the performing user.
- Confirm that the group addition was not accidental.
- Check for any suspicious actions performed by the added user.
- Check for a possible compromise of the initiating user.
Variations
Rare privileged group addition and removalUser added to a privileged group and removed