KARIM ASHRAF SPACE.
  • Who Am I ?
  • WRITEUPS
    • What about Practice in Cyber Security?
    • Dark Side of VSCode
    • What about Cy-nix Machine?
    • Cyberdefenders Labs
      • Web Investigation Blue Team Lab
      • Red Stealer Blue Team Lab
      • WebStrike Blue Team Lab
      • BlueSky Ransomware Blue Team Lab
      • PsExec Hunt Blue Team Lab
      • OpenWire Blue Team Lab
      • 3CX Supply Chain Blue Team Lab
      • PoisonedCredentials Lab
      • Reveal Lab
    • Lets Defend
      • Incident Responder Path
        • Cybersecurity Incident Handling Guide
          • Introduction to Incident Handling
          • Incident Handling Steps
          • Preparation
          • Detection and Analysis
          • Containment, Eradication, and Recovery
          • Post-Incident Activity
        • Incident Response on Windows
          • How to Create Incident Response Plan?
          • Incident Response Procedure
          • 3 Important Things
          • Free Tools That Can Be Used
          • Live Memory Analysis
          • Task Scheduler
          • Services
          • Registry Run Keys / Startup Folder
          • Files
          • Checklist
        • Incident Response on Linux
          • How to Create Incident Response Plan?
          • Incident Response Procedure
          • 3 Important Things
          • Users and Groups
          • Processes
          • Files and File System
          • Mounts
          • Network
          • Service
          • Cron Job
          • SSH Authorized Keys
          • Bash_rc & Bash_profile
          • Useful Log Files
        • Hacked Web Server Analysis
          • Introduction to Hacked Web Server Analysis
          • Log Analysis on Web Servers
          • Attacks on Web Servers
          • Attacks Against Web Applications
          • Vulnerabilities on Servers
          • Vulnerabilities in Programming Language
          • Discovering the Web Shell
          • Hacked Web Server Analysis Example
        • Log Analysis with Sysmon
          • Introduction and Set Up of Sysmon
          • Detecting Mimikatz with Sysmon
          • Detecting Pass The Hash with Sysmon
          • Detecting Privilege Escalation with Sysmon
        • Forensic Acquisition and Triage
          • Introduction to Forensics Acquisition and Triage
          • Acquiring Memory Image From Windows and Linux
          • Custom Image Using FTK and Mounting Image for Analysis
          • KAPE Targets for Acquisition
          • KAPE Modules for Triage and Analysis
          • Triage Using FireEye Redline
          • Acquisition and Triage of Disks Using Autopsy
        • Memory Forensics
          • What is Memory Forensics
          • Memory Analysis Procedures
        • Registry Forensics
          • Introduction to Windows Registry Forensics
          • Acquiring Registry Hives
          • Regedit and Registry Explorer
          • System, Users and Network Information
          • Shellbags
          • Shimcache
          • Amcache
          • Recent Files
          • Dialogue Boxes MRU
        • Event Log Analysis
          • Introduction to Event Logs
          • Event Log Analysis
          • Authentication Event Logs
          • Windows Scheduled Tasks Event Logs
          • Windows Services Event Logs
          • Account Management Events
          • Event Log Manipulation
          • Windows Firewall Event Logs
          • Windows Defender Event Logs
          • Powershell Command Execution Event logs
        • Browser Forensics
          • Introduction to Browser Forensics
          • Acquisition
          • Browser Artifacts
          • Tool: BrowsingHistoryView
          • Manual Browser Analysis
          • Hindsight Framework
        • GTFOBins
          • Introduction to GTFOBins
          • Shell
          • Command
          • Reverse Shell
          • Bind Shell
          • File Upload
          • File Download
          • Sudo
        • Hunting AD Attacks
          • Introduction to Active Directory
          • Hunting AS-REP Roasting Attack
          • Hunting for Kerberoasting Attacks
          • Hunting for LDAP Enumerations (Bloodhound_Sharphound)
          • Hunting for NTDS Database Dumping
          • Hunting for Golden Ticket Attacks
          • Hunting for NTLM Relay Attacks
        • Writing a Report on Security Incident
          • Introduction to Technical Writing
          • Reporting Standards
          • Reporting Style
          • Report Formatting
          • Report Templates
        • How to Prepare a Cyber Crisis Management Pla
          • Introduction to Crisis Management
          • General Preparation
          • Tools
          • Backups
          • Alerts and End of Crisis
        • Advanced Event Log Analysis
          • Process Creation
          • DNS Activity
          • File/Folder Monitoring
          • BITS Client Event Log
          • Network Connections Event Log
          • MSI Event Logs
        • USB Forensics
          • Introduction to USB Forensics
          • USB Registry Key
          • USB Event Logs
          • Folder Access Analysis via Shellbags
          • File Access Analysis via Jumplists
          • Automated USB Parsers Tools
        • Windows Disk Forensics
          • SRUM Database
          • Jumplists
          • Recycle Bin Artifacts
          • RDP Cache
          • Thumbnail Cache
    • BTLO LABS
      • Bruteforce BTLO
    • The Complete Active Directory Security Handbook
      • Introduction
      • Active Directory
      • Attack Technique 1: Pass the Hash: Use of Alternate Authentication Material (T1550)
      • Attack Technique 2: Pass the Ticket: Use of Alternate Authentication Material (T1550)
      • Attack Technique 3: Kerberoasting
      • Attack Technique 4: Golden Ticket Attack
      • Attack Technique 5: DCShadow Attack
      • Attack Technique 6: AS-REP Roasting
      • Attack Technique 7: LDAP Injection Attack
      • Attack Technique 8: PetitPotam NTLM Relay Attack on a Active Directory Certificate Services (AD CS)
      • Conclusion & References
    • Windows Privilege Escalation
      • Tools
      • Windows Version and Configuration
      • User Enumeration
      • Network Enumeration
      • Antivirus Enumeration
      • Default Writeable Folders
      • EoP - Looting for passwords
      • EoP - Incorrect permissions in services
      • EoP - Windows Subsystem for Linux (WSL)
      • EoP - Unquoted Service Paths
      • EoP - $PATH Interception
      • EoP - Named Pipes
      • EoP - Kernel Exploitation
      • EoP - AlwaysInstallElevated
      • EoP - Insecure GUI apps
      • EoP - Evaluating Vulnerable Drivers
      • EoP - Printers
      • EoP - Runas
      • EoP - Abusing Shadow Copies
      • EoP - From local administrator to NT SYSTEM
      • EoP - Living Off The Land Binaries and Scripts
      • EoP - Impersonation Privileges
      • EoP - Privileged File Write
      • References
      • Practical Labs
    • Advanced Log Analysis
      • Key Windows Event IDs for Cybersecurity Monitoring
      • Analyzing a Series of Failed Login Attempts from Multiple IP Addresses
      • Steps to Investigate Suspicious Outbound Network Traffic
      • Identifying and Responding to Lateral Movement within a Network
      • Distinguishing Between Legitimate and Malicious PowerShell Executions
      • Detecting and Analyzing a Potential Data Exfiltration Incident Using Log Data
      • Steps to Analyze PowerShell Logging (Event ID 4104) for Malicious Activity
      • How to Identify an Internal Pivot Attack Using Log Data
      • Indicators in Logs Suggesting a Privilege Escalation Attack
      • How to Detect Command and Control (C2) Communication Using Log Analysis
      • How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service
      • How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service
      • How to Detect the Use of Living-Off-the-Land Binaries (LOLBins) in Logs
      • How to Detect Malware Masquerading as a Legitimate Process Using Log Analysis
      • How to Detect and Analyze Lateral Movement Using Windows Event Logs
      • How to Detect Potential Ransomware Attacks in Their Early Stages Using Log Analysis
      • How to Detect and Analyze Privilege Escalation Using Windows Event Logs
      • How to Detect the Use of Mimikatz or Similar Tools in Log Data
      • How to Detect and Analyze DNS Tunneling Through Log Analysis
      • How to Detect a Pass-the-Hash (PtH) Attack Using Logs
      • How to Detect and Analyze an Attacker’s Use of a Remote Access Trojan (RAT) Using Log Data
      • How to Detect Lateral Movement Using Windows Event Logs
      • How to Detect and Investigate Data Exfiltration Using Logs
      • How to Identify and Analyze an Internal Phishing Campaign Using Email and System Logs
      • How to Detect and Analyze Ransomware Activity Using Logs
      • How to Detect Malicious PowerShell Activity Using Log Analysis
      • How to Detect and Respond to Brute-Force Attacks Using Log Data
      • How to Detect Privilege Escalation Attempts Using Windows Event Logs
      • How to Detect and Analyze Suspicious Domain Name Resolution Requests in DNS Logs
      • How to Detect and Respond to Unauthorized Access to Critical Files
      • How to Detect and Analyze Suspicious PowerShell Command Execution
      • How to Detect and Investigate Account Takeover (ATO) Attempts Using
      • How to Detect and Analyze the Use of Living Off the Land Binaries (LOLBins)
      • How to Detect and Investigate Lateral Movement
      • How to Detect and Investigate Data Exfiltration
      • How to Detect and Analyze Suspicious Activity Involving Service Accounts
      • How to Detect and Investigate Anomalous PowerShell Activity Related to Credential Dumping
      • How to Detect and Analyze the Execution of Unsigned or Malicious Executables
      • How to Detect and Investigate Abnormal Spikes in Network Traffic
    • Methods for Stealing Password in Browser
      • Important Tables and Columns
      • Important Queries
      • Profiles
      • Tools
        • HackBrowserData
        • Browser-password-stealer
        • BrowserPass
        • WebBrowserPassView
        • Infornito
        • Hindsight
        • BrowserFreak
        • BrowserStealer
    • Hack The Box Tracks
      • Soc Analyst Path 2024
        • 1. Incident Handling Process
          • Incident Handling Definition & Scope
          • Incident Handling's Value & Generic Notes
          • Cyber Kill Chain
          • Incident Handling Process Overview
          • Preparation Stage (Part 1)
          • Preparation Stage (Part 2)
          • DMARC
          • Endpoint Hardening (& EDR)
          • Network Protection
          • Privilege Identity Management / MFA / Passwords
          • Vulnerability Scanning
          • User Awareness Training
          • Active Directory Security Assessment
          • Purple Team Exercises
          • Detection & Analysis Stage (Part 1)
          • Initial Investigation
          • Incident Severity & Extent Questions
          • Incident Confidentiality & Communication
          • Detection & Analysis Stage (Part 2)
          • The Investigation
          • Initial Investigation Data
          • Creation & Usage Of IOCs
          • Identification Of New Leads & Impacted Systems
          • Data Collection & Analysis From The New Leads & Impacted Systems
          • Containment
          • Eradication
          • Recovery
          • Post-Incident Activity Stage
          • Reporting
        • 2. Security Monitoring & SIEM Fundamentals
          • What Is SIEM?
          • The Evolution Of SIEM And How It Works
          • SIEM Business Requirements & Use Cases Log Aggregation & Normalization
          • Data Flows Within A SIEM
          • What Are The Benefits Of Using A SIEM Solution
          • What Is the Elastic Stack?
          • The Elastic Stack As A SIEM Solution
          • How To Identify The Available Data
          • The Elastic Common Schema (ECS)
          • SOC Definition & Fundamentals
          • Evolution of Security Operations Centers (SOCs)
          • What Is MITRE ATT&CK?
          • What Is A SIEM Use Case?
          • How To Build SIEM Use Cases
          • SIEM Visualization Example 1: Failed Logon Attempts (All Users)
          • SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
          • SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts
          • SIEM Visualization Example 4: Users Added or Removed from a Local Group
          • What Is Alert Triaging?
  • COURSES SUMMARY
    • TCM SEC
      • TCM linux Privilege Escalation
      • TCM OSINT
    • The SecOps Group
      • Certified AppSec Practitioner exam
      • CNSP Review
    • Cybrary
      • Cybrary Offensive Pentesting
  • TIPS&TRICKS
    • Windows Shorcuts Arrow Remover
    • Kali KEX
    • Intel TurboBoost
    • Pentest_Copilot
    • Ferdium
    • Youtube Adblock_Bybass
    • Burb-Bambdas
    • Burb Customizer
    • BetterFox
Powered by GitBook
On this page
  • Step 1: Accessing the Dashboard
  • Step 2: Configuring the Visualization
  • Step 3: Building the Table Visualization
  • Step 4: Final Visualization
  • Step 5: Review and Save
  • Key Takeaways
  • Example Use Case
  1. WRITEUPS
  2. Hack The Box Tracks
  3. Soc Analyst Path 2024
  4. 2. Security Monitoring & SIEM Fundamentals

SIEM Visualization Example 4: Users Added or Removed from a Local Group

PreviousSIEM Visualization Example 3: Successful RDP Logon Related To Service AccountsNextWhat Is Alert Triaging?

Last updated 2 months ago

In this example, we will create a SIEM visualization to monitor user additions or removals from the local "Administrators" group within a specific timeframe (March 5th, 2023, to the present). This type of monitoring is critical for detecting unauthorized changes to privileged groups, which could indicate malicious activity or misconfigurations.

Step 1: Accessing the Dashboard

  1. Spawn the Target System:

    • Navigate to the bottom of the section and click on "Click here to spawn the target system!".

  2. Access Kibana:

    • Open your browser and navigate to http://[Target IP]:5601.

    • Click on the side navigation toggle and select "Dashboard".

  3. Edit the Prebuilt Dashboard:

    • A prebuilt dashboard should be visible. Click on the "pencil"/edit icon to modify it.

  4. Create a New Visualization:

    • Click on "Create visualization" to begin building the new visualization.

Step 2: Configuring the Visualization

Key Elements to Configure

  1. Filter Data:

    • Use the filter option to narrow down the data to only include events related to user additions or removals from the local "Administrators" group.

    • Add the following filters:

      • event.code: (4732 OR 4733) (Windows event IDs for adding/removing members from security-enabled local groups).

      • group.name.keyword: Administrators (Ensures the action involves the "Administrators" group).

      • @timestamp >= "2023-03-05T00:00:00.000Z" (Limits the data to events occurring from March 5th, 2023, onward).

  2. Select the Index Pattern:

    • In the Index pattern field, specify windows* to focus on Windows-related logs.

  3. Verify Fields:

    • Use the search bar to confirm the presence of fields like:

      • winlog.event_data.MemberSid.keyword (The SID of the user being added/removed).

      • group.name.keyword (The name of the group involved in the action).

      • event.action.keyword (Indicates whether the user was added or removed).

      • host.name.keyword (The machine where the action occurred).

  4. Choose Visualization Type:

    • From the dropdown menu, select "Table" as the visualization type.

Step 3: Building the Table Visualization

  1. Configure Rows:

    • Click on "Rows" and configure the following fields to enhance understanding:

      • Field: winlog.event_data.MemberSid.keyword (Which user was added/removed?).

      • Field: group.name.keyword (To which group was the addition/removal performed? Double-check that it is the "Administrators" group).

      • Field: event.action.keyword (Was the user added or removed?).

      • Field: host.name.keyword (On which machine did the action occur?).

  2. Add Metrics:

    • Click on "Metrics" and select "Count" as the metric.

    • The table will populate with data showing the count of additions/removals per user, group, and machine.

  3. Save the Visualization:

    • Click on "Save and return" to add the visualization to the dashboard..

Step 4: Final Visualization

After completing the configuration, the final visualization will include:

  1. Columns:

    • User: Displays the SID of the user being added or removed (winlog.event_data.MemberSid.keyword).

    • Group: Shows the name of the group involved in the action (group.name.keyword).

    • Action: Indicates whether the user was added or removed (event.action.keyword).

    • Machine: Displays the hostname where the action occurred (host.name.keyword).

    • Count: The number of times the event has occurred (based on the specified timeframe).

  2. Filters:

    • Only events with event.code: (4732 OR 4733), group.name.keyword: Administrators, and @timestamp >= "2023-03-05T00:00:00.000Z" are included.

  3. Sorting:

    • Sort the table by the timestamp (@timestamp) in descending order to prioritize recent events

    • .

Step 5: Review and Save

  1. Review the Dashboard:

    • Navigate back to the Dashboard page to view the new visualization.

    • Ensure that the table displays accurate and actionable insights.

  2. Save the Dashboard:

    • Click on the "Save" button to save your progress.

Key Takeaways

  1. Monitor Privileged Group Changes:

    • Changes to the local "Administrators" group can have significant security implications. Monitoring these changes helps detect unauthorized access or privilege escalation attempts.

  2. Leverage Event Logs:

    • The event.code: 4732 and event.code: 4733 logs provide critical information about additions and removals from security-enabled local groups.

  3. Visualization Enhances Clarity:

    • Using a table visualization allows SOC analysts to quickly identify patterns, such as repeated additions/removals on specific machines or involving specific users.

  4. Best Practices:

    • Use .keyword fields for aggregations to ensure accurate results.

    • Regularly refine filters to exclude irrelevant data and reduce noise.

    • Combine visualizations into dashboards for a comprehensive view of security events.

Example Use Case

  • Scenario: An attacker gains administrative privileges by adding their account to the local "Administrators" group. This generates an event with event.code: 4732 and group.name.keyword: Administrators.

  • Action: The SOC team can use this visualization to:

    • Identify unauthorized additions to privileged groups.

    • Investigate the source of the change (e.g., specific machines or users).

    • Revert unauthorized changes and strengthen access controls.

By following these steps, you can create a robust visualization for monitoring user additions or removals from the local "Administrators" group, enabling your SOC team to proactively detect and respond to potential threats.