Name:Detect New Local Admin account id:b25f6f62-0712-43c1-b203-083231ffd97d version:6 date:2024-12-12 author:David Dorsey, Splunk status:production type:TTP Description:The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions. Data_source:
-Windows Event Log Security 4732
-Windows Event Log Security 4720
search:`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction user dest connected=false maxspan=180m | stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest | where distinct_eventcodes>1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`
how_to_implement:You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732 known_false_positives:The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives References: drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'DHS Report TA18-074A' - 'HAFNIUM Group' - 'CISA AA22-257A' - 'CISA AA24-241A' asset_type:Windows confidence:70 impact:60 message:A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not. mitre_attack_id: - 'T1136.001' - 'T1136' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'Group_Name' - 'member_id' - 'dest' - 'user' risk_score:42 security_domain:access
