GroupMembers
Tony Phipps edited this page Nov 7, 2019 · 4 revisions
Defense Evasion, Privilege Escalation
Monitor users in the local Administrators group on the system.
SELECT UserDomain, UserName, GroupName
Defense Evasion, Persistence, Privilege Escalation
Monitor for accounts that may have been created by an adversary for persistence.
SELECT UserDomain, UserName, GroupName
Credential Access
Monitor for modification of accounts in correlation with other suspicious activity.
SELECT UserDomain, UserName, GroupName
- Unusual members of Administrators
- Unusual members of Power Users, Backup Operators, Remote Desktop Users, etc.
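One way to surface the "unusual members" listed above is to diff collected rows against an approved baseline. The following is an added example, not code from this project: the table names `group_members` and `baseline` are hypothetical (the page's queries do not show theirs), and all rows are constructed sample data in the page's UserDomain, UserName, GroupName layout.

```python
import sqlite3

# Constructed sample rows in the page's column layout (UserDomain, UserName, GroupName).
COLLECTED = [
    ("WS01", "Administrator", "Administrators"),
    ("CORP", "Domain Admins", "Administrators"),
    ("WS01", "svc_update", "Administrators"),
    ("CORP", "helpdesk", "Remote Desktop Users"),
    ("WS01", "tmpuser", "Backup Operators"),
    ("CORP", "jsmith", "Users"),
]
# Constructed baseline of approved memberships.
BASELINE = [
    ("WS01", "Administrator", "Administrators"),
    ("CORP", "Domain Admins", "Administrators"),
    ("CORP", "helpdesk", "Remote Desktop Users"),
]
# Groups named in the page's hunting notes.
WATCHED = ["Administrators", "Power Users", "Backup Operators", "Remote Desktop Users"]

def unusual_members(collected, baseline, watched=WATCHED):
    """Return rows in watched groups that are absent from the baseline (case-insensitive)."""
    db = sqlite3.connect(":memory:")
    cols = "(UserDomain TEXT, UserName TEXT, GroupName TEXT)"
    # Table names are hypothetical; the page's queries do not show theirs.
    db.execute("CREATE TABLE group_members " + cols)
    db.execute("CREATE TABLE baseline " + cols)
    db.executemany("INSERT INTO group_members VALUES (?, ?, ?)", collected)
    db.executemany("INSERT INTO baseline VALUES (?, ?, ?)", baseline)
    marks = ",".join("?" * len(watched))
    query = f"""
        SELECT g.UserDomain, g.UserName, g.GroupName
        FROM group_members AS g
        LEFT JOIN baseline AS b
          ON  lower(b.UserDomain) = lower(g.UserDomain)
          AND lower(b.UserName)   = lower(g.UserName)
          AND lower(b.GroupName)  = lower(g.GroupName)
        WHERE lower(g.GroupName) IN ({marks})
          AND b.UserName IS NULL
        ORDER BY g.GroupName, g.UserName
    """
    rows = db.execute(query, [w.lower() for w in watched]).fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    for row in unusual_members(COLLECTED, BASELINE):
        print(row)
```

Names are compared case-insensitively because Windows account and group names are not case-sensitive, so a baseline entry with different casing does not produce a false alert.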