The following analytic detects the creation and deletion of accounts in a short time period to identify potential threats earlier and take appropriate actions to mitigate the risks. Helps prevent or minimize the potential damage caused by unauthorized access or malicious activities within the environment. This detection is made by a Splunk query that searches for events with the result IDs 4720 and 4726 in the "Change" data model. The query then groups the results by time, user, and destination. The result is filtered to only include events with the specified result IDs. The "transaction" command is used to group events that occur within a specified time span and have the same user but are not connected. Finally, the relevant information such as the first and last time of the event, the count, user, destination, and result ID are displayed in a table. This detection is important because it suggests that an attacker is attempting to create and delete accounts rapidly, potentially to cover their tracks or gain unauthorized access. The impact of such an attack can include unauthorized access to sensitive data, privilege escalation, or the ability to carry out further malicious activities within the environment. Next steps include investigating the events flagged by the analytic, review the account creation and deletion activities, and analyze any associated logs or artifacts to determine the intent and impact of the attack.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2020-07-06
- Author: David Dorsey, Splunk
- ID: b25f6f62-0782-43c1-b403-083231ffd97d
Kill Chain Phase
- CIS 10
1 2 3 4 5 6 7 8 9 | tstats `security_content_summariesonly` values(All_Changes.result_id) as result_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Change where All_Changes.result_id=4720 OR All_Changes.result_id=4726 by _time span=4h All_Changes.user All_Changes.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name("All_Changes")` | search result_id = 4720 result_id=4726 | transaction user connected=false maxspan=240m | table firstTime lastTime count user dest result_id | `short_lived_windows_accounts_filter`
The SPL above uses the following Macros:
short_lived_windows_accounts_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
This search requires you to have enabled your Group Management Audit Logs in your Local Windows Security Policy and be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
Known False Positives
It is possible that an administrator created and deleted an account in a short time period. Verifying activity with an administrator is advised.
Associated Analytic Story
|63.0||70||90||A user account created or delete shortly in host $dest$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 2