Detection: Windows AD Abnormal Object Access Activity

Description

The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.

1`wineventlog_security` EventCode=4662 
2| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName 
3| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev 
4| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName 
5| where ObjectName_count > limit 
6| `security_content_ctime(firstTime)` 
7| `security_content_ctime(lastTime)`
8| `windows_ad_abnormal_object_access_activity_filter`

Data Source

Name Platform Sourcetype Source
Windows Event Log Security 4662 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Security'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_ad_abnormal_object_access_activity_filter search *
windows_ad_abnormal_object_access_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1087 Account Discovery Discovery
T1087.002 Domain Account Discovery
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10
Aquatic Panda
FIN13
APT41
BRONZE BUTLER
Chimera
Dragonfly
FIN13
FIN6
Fox Kitten
INC Ransom
Ke3chang
LAPSUS$
MuddyWater
OilRig
Poseidon Group
RedCurl
Sandworm Team
Scattered Spider
ToddyCat
Turla
Volt Typhoon
Wizard Spider
menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.

Known False Positives

Service accounts or applications that routinely query Active Directory for information.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$. 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Security XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Security XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 3