Adding a malicious user to the Administrators and RDP users group via PowerShell indicates an adversary is attempting to elevate privileges and gain persistent access to the system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and unauthorized administrative control.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')
```
```yaml
id: 44a201c4-502a-4b75-871e-a2dc7f6d2e98
name: Add malicious user to Admins and RDP users group via PowerShell
description: |
  Looks for a user being added to the Administrators and Remote Desktop Users groups via PowerShell.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Persistence
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ 'powershell.exe'
  | where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job runs a PowerShell script to add a user to the Administrators group as part of a system maintenance task.
Filter/Exclusion: Check for the presence of a known system maintenance script or job name (e.g., SystemMaintenance.ps1) and exclude any activity associated with the Task Scheduler or schtasks.exe.
Scenario: User Group Membership Sync via PowerShell
Description: An IT admin uses PowerShell to synchronize user group memberships across multiple domains, including adding a user to the Administrators group.
Filter/Exclusion: Filter by the presence of a known IT tool or script (e.g., ADSync.ps1) and exclude activities originating from the Domain Admins group or IT-Admin user account.
Scenario: Remote Desktop User Group Management
Description: An admin uses PowerShell to manage the Remote Desktop Users group, which may include adding a user to the Administrators group as a secondary role.
Filter/Exclusion: Exclude activities where the user is part of the Remote Desktop Users group and the script is executed from the Remote Desktop Services service or tscon.exe.
Scenario: Automated Deployment Script
Description: A deployment script adds a user to the Administrators group during a software installation or configuration process.
Filter/Exclusion: Exclude activities where the script is part of a known deployment tool (e.g., Chocolatey, Ansible, or Puppet) and the user is a service account or deployment user.
Scenario: User Account Creation via PowerShell
Description: A user account is created via PowerShell, and during the creation process, the user is automatically added to the Administrators group.
Filter/Exclusion: Exclude activities where the script is part of
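The following is an added example, not code from the page or from the Sentinel content it documents. It re-implements the two `where` clauses of the hunting query in Python so the detection logic and the false-positive exclusions from the scenarios above can be exercised offline against constructed `DeviceProcessEvents` rows. The `has_all` emulation is an approximation of Kusto's term-based `has`, and the tuning values (`SystemMaintenance.ps1`, `ADSync.ps1`, `svc_deploy`, the sample hostnames and account names) are assumptions taken from the scenario text or invented for the example.

```python
from dataclasses import dataclass

# Terms the page's KQL has_all() clause requires in InitiatingProcessCommandLine.
REQUIRED_TERMS = (
    "$admins=", "System.Security.Principal.SecurityIdentifier",
    "Translate", "-split", "localgroup", "/add", "$rdp=",
)

# Tuning values drawn from the false-positive scenarios. The script names come
# from the scenario text; the service account name is a constructed placeholder.
KNOWN_SCRIPTS = ("systemmaintenance.ps1", "adsync.ps1")   # scenarios 1 and 2
SCHEDULER_PARENTS = ("schtasks.exe",)                        # scenario 1 (page names schtasks.exe)
SERVICE_ACCOUNTS = ("svc_deploy",)                           # scenario 4 (constructed)


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the query and the tuning touch."""
    timestamp: str
    device_name: str
    account_name: str
    initiating_process_file_name: str
    initiating_process_command_line: str
    initiating_process_parent_file_name: str


def has_all(text: str, terms) -> bool:
    """Approximates KQL has_all(): every term present, case-insensitive.

    Kusto 'has' matches whole terms rather than substrings, so treat this as a
    close emulation for testing hunting logic, not a byte-exact reimplementation.
    """
    lower = text.lower()
    return all(term.lower() in lower for term in terms)


def matches_rule(event: DeviceProcessEvent) -> bool:
    """Python equivalent of the page's two where clauses ('=~' is case-insensitive equality)."""
    return (
        event.initiating_process_file_name.lower() == "powershell.exe"
        and has_all(event.initiating_process_command_line, REQUIRED_TERMS)
    )


def is_known_benign(event: DeviceProcessEvent) -> bool:
    """Exclusions from the scenarios: scheduled maintenance, known IT scripts, deployment service accounts."""
    cmd = event.initiating_process_command_line.lower()
    parent = event.initiating_process_parent_file_name.lower()
    runs_known_script = any(script in cmd for script in KNOWN_SCRIPTS)
    if parent in SCHEDULER_PARENTS and runs_known_script:
        return True  # scenario 1: scheduled job running a known maintenance script
    if runs_known_script and event.account_name.lower() in SERVICE_ACCOUNTS:
        return True  # scenarios 2/4: known IT or deployment tool run by a service account
    return False


def hunt(events):
    """Apply the rule, then drop scenario-based exclusions; returns the events left to triage."""
    return [e for e in events if matches_rule(e) and not is_known_benign(e)]


# Constructed inline body carrying every has_all() term: resolves the well-known
# Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555) SIDs to
# their local group names and adds an account to each (test input only).
SID_RESOLVE_BODY = (
    "$admins=(New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'))"
    ".Translate([System.Security.Principal.NTAccount]).Value -split '\\\\'; "
    "net localgroup $admins[1] tempuser /add; "
    "$rdp=(New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-555'))"
    ".Translate([System.Security.Principal.NTAccount]).Value -split '\\\\'; "
    "net localgroup $rdp[1] tempuser /add"
)

# Constructed sample rows (hostnames, accounts and timestamps are invented).
SAMPLE_EVENTS = [
    # 1. interactive PowerShell spawned from the user's shell: true positive
    DeviceProcessEvent("2024-05-01T10:00:00Z", "WS01", "jdoe", "powershell.exe",
                       f'powershell.exe -nop -w hidden -c "{SID_RESOLVE_BODY}"', "explorer.exe"),
    # 2. same pattern dot-sourced from the maintenance script under schtasks.exe: scenario 1 exclusion
    DeviceProcessEvent("2024-05-01T02:00:00Z", "SRV01", "SYSTEM", "powershell.exe",
                       f'powershell.exe -NoProfile -Command ". C:\\Scripts\\SystemMaintenance.ps1; {SID_RESOLVE_BODY}"',
                       "schtasks.exe"),
    # 3. plain group add without the SID-translation boilerplate: the rule does not fire
    DeviceProcessEvent("2024-05-01T11:00:00Z", "WS02", "jdoe", "powershell.exe",
                       'powershell.exe -c "net localgroup Administrators tempuser /add"', "cmd.exe"),
    # 4. same terms but the initiating process is cmd.exe: first where clause drops it
    DeviceProcessEvent("2024-05-01T12:00:00Z", "WS03", "jdoe", "cmd.exe",
                       f'cmd.exe /c powershell -c "{SID_RESOLVE_BODY}"', "explorer.exe"),
]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"ALERT {e.timestamp} {e.device_name} {e.account_name}: "
              f"{e.initiating_process_command_line[:70]}...")
```

Running the block prints one alert (WS01). Rows 3 and 4 illustrate the rule's coverage limits rather than tuning: the `has_all` list is bound to one script shape, so a bare `net localgroup ... /add` never fires, and a script launched with `-File` carries none of the terms in `InitiatingProcessCommandLine` at all. Treat this query as a narrow signature and pair it with group-membership telemetry (for example Windows Security event 4732, a member added to a local group) when hunting for the broader behaviour.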