Try in Splunk Security Cloud

Description

This search detects accounts that were created and deleted in a short time period.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2020-07-06
  • Author: David Dorsey, Splunk
  • ID: b25f6f62-0782-43c1-b403-083231ffd97d

ATT&CK

ID Technique Tactic
T1136.001 Local Account Persistence
T1136 Create Account Persistence

| tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name("All_Changes")` 
| search result_id = 4720 result_id=4726 
| transaction user connected=false maxspan=240m 
| table firstTime lastTime count user dest result_id 
| `short_lived_windows_accounts_filter`

Associated Analytic Story

How To Implement

This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/

Required field

  • _time
  • All_Changes.result_id
  • All_Changes.user
  • All_Changes.dest

Kill Chain Phase

Known False Positives

It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.

RBA

Risk Score Impact Confidence Message
63.0 70 90 A user account created or delete shortly in host $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2