HowTo: FireEye HX Alerts When Adding to Local Admin Groups

October 10, 2019

How to Alert Using FireEye HX When a User is Added to the Local Admin Group

FireEye Endpoint Security (HX) is a next generation solution for cybersecurity threat prevention, detection and response. It is an agent-based solution with signature, behavioral and intelligence detection engines. It also has MalwareGuard, a machine learning based protection engine based on FireEye’s front-line cyber war detection and incident response expertise. Additionally, HX has deep endpoint visibility with its forensic capabilities. It can collect extensive technical information from an endpoint to investigate a compromise.

Many organizations do not have solutions to monitor, maintain or secure local admin accounts across their network. Bad guys can exploit poor Windows security implementations and compliance to escalate local credentials to a privileged user. FireEye HX can help identify when an account has been escalated.

In addition to the HX detection engines, you can also create custom detection rules with or without utilizing an open API. The HX API can be accessed through custom scripts, SOAR solutions like Demisto and some pre-made tools from FireEye. One such tool, HXTool, is needed to create the rule that detects when a user account is added to the local admins group of a Windows device. HXTool utilizes Python to interact with the API. If you don’t already have HXTool configured for your HX deployment, the latest version can be downloaded from the FireEye Marketplace along with the documentation and setup instructions. The device where the HXTool console will be located requires Python to be installed.

In the HXTool console, create the following rule called New Local Admin.

        fileWriteEvent/textAtLowestOffset contains add-localgroupmember
        fileWriteEvent/textAtLowestOffset contains administrators

        processEvent/process equal net.exe
        processEvent/processCmdLine starts-with net localgroup administrators
        processEvent/processCmdLine contains add

The rule has two conditions: one detects when the account is added to the local admins group using the command line, and the other detects when the account is added using PowerShell. If either condition is met, an HX alert will be generated.
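To check sample telemetry against this logic before deploying the rule, the following Python is an added example, not HXTool or FireEye code. It assumes events are flat dicts keyed by the rule's field names, that matching is case-insensitive, and that every test in a condition must match the same event; the condition labels and sample events are made up for illustration.

```python
# Local model of the "New Local Admin" rule; not HX or HXTool code.
# Assumptions: flat event dicts keyed by the rule's field names,
# case-insensitive matching, all tests in a condition hit one event.

OPERATORS = {
    "contains": lambda value, term: term in value,
    "equal": lambda value, term: value == term,
    "starts-with": lambda value, term: value.startswith(term),
}

# Tests copied from the rule; the condition labels are hypothetical.
NEW_LOCAL_ADMIN = {
    "powershell": [
        ("fileWriteEvent/textAtLowestOffset", "contains", "add-localgroupmember"),
        ("fileWriteEvent/textAtLowestOffset", "contains", "administrators"),
    ],
    "command line": [
        ("processEvent/process", "equal", "net.exe"),
        ("processEvent/processCmdLine", "starts-with", "net localgroup administrators"),
        ("processEvent/processCmdLine", "contains", "add"),
    ],
}

def condition_met(tests, event):
    """True only if every test in the condition matches this one event."""
    for field, op, term in tests:
        value = event.get(field)
        if value is None or not OPERATORS[op](value.lower(), term.lower()):
            return False
    return True

def matching_conditions(event, rule=NEW_LOCAL_ADMIN):
    """Names of the conditions the event satisfies; any hit means an alert."""
    return [name for name, tests in rule.items() if condition_met(tests, event)]

# Constructed sample events (account name and file text are made up).
SAMPLE_EVENTS = [
    {"processEvent/process": "net.exe",
     "processEvent/processCmdLine": "net localgroup administrators jdoe /add"},
    {"fileWriteEvent/textAtLowestOffset":
     "Add-LocalGroupMember -Group Administrators -Member jdoe"},
    # Listing group members only: no "add", so no alert is expected.
    {"processEvent/process": "net.exe",
     "processEvent/processCmdLine": "net localgroup administrators"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hits = matching_conditions(event)
        print("ALERT" if hits else "no alert", hits)
```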

If an account is elevated to the local admins group through the Windows GUI, this rule will not detect the event. Although the HX agent can collect Windows event logs as part of a data acquisition for further investigation, it cannot provide a real-time alert for the occurrence of an event ID in the security logs. Such an alert requires that the proper Windows auditing be enabled and a SIEM such as FireEye Helix to collect the event logs. I will discuss Windows event collection and SIEM alerts in depth in future blog posts.

If you have any questions about FireEye HX, HXTool or this rule, please reach out to me at