
Description

This search looks for newly created accounts that have been elevated to local administrators.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-07-08
  • Author: David Dorsey, Splunk
  • ID: b25f6f62-0712-43c1-b203-083231ffd97d

ATT&CK

ID | Technique | Tactic
T1136.001 | Local Account | Persistence

Search

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction member_id connected=false maxspan=180m 
| rename member_id as user 
| stats count min(_time) as firstTime max(_time) as lastTime by user dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_local_admin_account_filter`
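To make the correlation logic of the search above concrete, here is a pure-Python model of it run over a handful of constructed Windows Security events. This is an added example, not Splunk's code or part of the analytic: the event dicts, SIDs and hostnames are made up, `member_id` is assumed to be present on both 4720 and 4732 records exactly as the search assumes, and the `transaction` function approximates Splunk's `transaction <field> connected=false maxspan=180m` (same-field events grouped while the group spans at most 180 minutes, the transaction's `_time` being its earliest event).

```python
"""Model of `EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction member_id connected=false maxspan=180m | rename member_id as user
| stats count min(_time) max(_time) by user dest` over constructed events.
Added example; not the detection's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=180)   # transaction ... maxspan=180m
ADMIN_GROUP = "Administrators"     # Group_Name=Administrators


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def ev(time, code, sid, dest, group=None):
    # Only the fields the search touches. SIDs and hostnames are made up.
    return {"_time": ts(time), "EventCode": code, "member_id": sid,
            "dest": dest, "Group_Name": group}


# Constructed sample data (not real logs).
EVENTS = [
    # create account, then add it to Administrators 12 minutes later
    ev("2020-07-08 09:00:00", 4720, "S-1-5-21-1-1-1-1105", "WS01"),
    ev("2020-07-08 09:12:00", 4732, "S-1-5-21-1-1-1-1105", "WS01", "Administrators"),
    # same account added to a non-admin group: dropped by the base search
    ev("2020-07-08 09:15:00", 4732, "S-1-5-21-1-1-1-1105", "WS01", "Remote Desktop Users"),
    # created and elevated 5 hours apart: outside maxspan, so two transactions
    ev("2020-07-08 10:00:00", 4720, "S-1-5-21-1-1-1-1106", "SRV02"),
    ev("2020-07-08 15:00:00", 4732, "S-1-5-21-1-1-1-1106", "SRV02", "Administrators"),
    # lone 4732 with no 4720 at all: still produces a row (see note below)
    ev("2020-07-08 11:00:00", 4732, "S-1-5-21-1-1-1-500", "SRV02", "Administrators"),
    # unrelated event code: dropped by the base search
    ev("2020-07-08 11:05:00", 4624, "S-1-5-21-1-1-1-500", "SRV02"),
]


def base_search(events):
    """EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)"""
    return [e for e in events
            if e["EventCode"] == 4720
            or (e["EventCode"] == 4732 and e["Group_Name"] == ADMIN_GROUP)]


def transaction(events, field, maxspan):
    """Approximation of `transaction <field> connected=false maxspan=<maxspan>`:
    events sharing <field>, in time order, stay in one transaction while the
    whole group spans at most maxspan; the first event past that starts a new one."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_key[e[field]].append(e)
    txns = []
    for evs in by_key.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e["_time"] - current[0]["_time"] <= maxspan:
                current.append(e)
            else:
                txns.append(current)
                current = [e]
        txns.append(current)
    return txns


def detect_new_local_admin(events):
    """stats count min(_time) as firstTime max(_time) as lastTime by user dest,
    where user is the renamed member_id and each transaction's _time is its
    earliest event (as Splunk's transaction command sets it)."""
    results = {}
    for txn in transaction(base_search(events), "member_id", MAXSPAN):
        key = (txn[0]["member_id"], txn[0]["dest"])   # rename member_id as user; dest assumed constant per host
        r = results.setdefault(key, {"count": 0, "firstTime": None,
                                     "lastTime": None, "complete": False})
        t = txn[0]["_time"]
        r["count"] += 1
        r["firstTime"] = t if r["firstTime"] is None else min(r["firstTime"], t)
        r["lastTime"] = t if r["lastTime"] is None else max(r["lastTime"], t)
        # Extra field the SPL does not compute: did one transaction hold both
        # the account creation (4720) and the elevation (4732)?
        codes = {e["EventCode"] for e in txn}
        r["complete"] = r["complete"] or codes >= {4720, 4732}
    return results


if __name__ == "__main__":
    for (user, dest), r in sorted(detect_new_local_admin(EVENTS).items()):
        print(f"{user} on {dest}: count={r['count']} firstTime={r['firstTime']} "
              f"lastTime={r['lastTime']} created+elevated_in_one_txn={r['complete']}")
```

Two things the model makes visible that are easy to miss when reading the SPL. First, the base search is an OR, so a lone 4732 into Administrators (the `S-1-5-21-1-1-1-500` row) or a lone 4720 still yields a result; nothing in the search requires both events to land in the same transaction, which is what the added `complete` flag checks and what a practitioner may want to filter on to cut noise. Second, because a transaction carries the timestamp of its earliest event, `firstTime` and `lastTime` are transaction start times; for a single create-then-elevate transaction they are equal to the 4720 time, and the elevation time is only recoverable from the transaction's events (or its `duration` field in Splunk).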

Associated Analytic Story

How To Implement

You must be ingesting Windows Security event logs using the Splunk Add-on for Windows and collecting event codes 4720 (user account created) and 4732 (member added to a security-enabled local group).

Required field

  • _time
  • EventCode
  • Group_Name
  • member_id
  • dest
  • user

Kill Chain Phase

  • Actions on Objectives
  • Command and Control

Known False Positives

The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group is not named "Administrators" (for example on localized Windows builds), the `Group_Name=Administrators` filter will not match and this search may generate an excessive number of false positives or miss the elevation entirely.

RBA

  • Risk Score: 42.0
  • Impact: 60
  • Confidence: 70
  • Message: A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

Version: 2