
Description

This search looks for newly created accounts that have been elevated to local administrators.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2020-07-08
  • Author: David Dorsey, Splunk
  • ID: b25f6f62-0712-43c1-b203-083231ffd97d

Annotations

ATT&CK
ID         Technique       Tactic
T1136.001  Local Account   Persistence
T1136      Create Account  Persistence
Kill Chain Phase
  • Actions on Objectives
  • Command & Control
NIST
  • PR.AC
  • DE.CM
CIS20
  • CIS 16
CVE
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction member_id connected=false maxspan=180m 
| rename member_id as user 
| stats count min(_time) as firstTime max(_time) as lastTime by user dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_local_admin_account_filter`
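As an added example (not part of this detection page or the Splunk Security Content project), the same correlation re-implemented in Python over constructed 4720/4732 events, so the 180-minute transaction window and the stats output can be checked offline. Unlike the SPL's plain transaction, which also yields single-event transactions, this version only reports a user when both the account creation and the Administrators elevation fall inside one window; event field names follow the Windows TA extractions referenced above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
MAXSPAN = timedelta(minutes=180)  # transaction ... maxspan=180m
# Constructed sample events; field names mirror the Splunk Windows TA extractions.
EVENTS = [
    {"_time": "2020-07-08T09:00:00", "EventCode": 4720, "member_id": "svc_backup", "dest": "HOST-A"},
    {"_time": "2020-07-08T09:05:00", "EventCode": 4732, "Group_Name": "Administrators",
     "member_id": "svc_backup", "dest": "HOST-A"},         # created then elevated: alert
    {"_time": "2020-07-08T10:00:00", "EventCode": 4720, "member_id": "jdoe", "dest": "HOST-B"},
    {"_time": "2020-07-08T15:00:00", "EventCode": 4732, "Group_Name": "Administrators",
     "member_id": "jdoe", "dest": "HOST-B"},               # elevated 5h later: outside maxspan
    {"_time": "2020-07-08T11:00:00", "EventCode": 4732, "Group_Name": "Remote Desktop Users",
     "member_id": "helpdesk", "dest": "HOST-C"},           # not the Administrators group
    {"_time": "2020-07-08T12:00:00", "EventCode": 4732, "Group_Name": "Administrators",
     "member_id": "olduser", "dest": "HOST-D"},            # no matching 4720 (pre-existing account)
]

def ts(ev):
    return datetime.fromisoformat(ev["_time"])

def base_search(ev):
    """EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)"""
    return ev["EventCode"] == 4720 or (
        ev["EventCode"] == 4732 and ev.get("Group_Name") == "Administrators")

def transactions(events, maxspan=MAXSPAN):
    """Group matching events by member_id into time-ordered runs spanning at most maxspan."""
    by_member = defaultdict(list)
    for ev in filter(base_search, events):
        by_member[ev["member_id"]].append(ev)
    for member, evs in by_member.items():
        evs.sort(key=ts)
        txn = [evs[0]]
        for ev in evs[1:]:
            if ts(ev) - ts(txn[0]) > maxspan:  # span exceeded: close run, start a new one
                yield member, txn
                txn = []
            txn.append(ev)
        yield member, txn

def detect_new_local_admins(events, maxspan=MAXSPAN):
    """stats count by user, dest; firstTime/lastTime are the earliest and latest event
    in the matched runs. Only runs holding both a 4720 and a 4732 count (stricter than the SPL)."""
    stats = {}
    for user, txn in transactions(events, maxspan):
        if {4720, 4732} <= {ev["EventCode"] for ev in txn}:
            key, first, last = (user, txn[0]["dest"]), ts(txn[0]), ts(txn[-1])
            count, lo, hi = stats.get(key, (0, first, last))
            stats[key] = (count + 1, min(lo, first), max(hi, last))
    return {k: {"count": c, "firstTime": lo.isoformat(), "lastTime": hi.isoformat()}
            for k, (c, lo, hi) in stats.items()}
```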

Macros

The SPL above uses the following Macros:

  • security_content_ctime
  • wineventlog_security
  • detect_new_local_admin_account_filter

Note that detect_new_local_admin_account_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time
  • EventCode
  • Group_Name
  • member_id
  • dest
  • user

How To Implement

You must be ingesting Windows event logs using the Splunk Windows TA and collecting event codes 4720 and 4732.

Known False Positives

The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives.

Associated Analytic story

RBA

Risk Score  Impact  Confidence  Message
42.0        60      70          A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2