Name:Windows Increase in Group or Object Modification Activity id:4f9564dd-a204-4f22-b375-4dfca3a68731 version:2 date:2024-09-30 author:Dean Luxton status:production type:TTP Description:This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment. Data_source:
-Windows Event Log Security 4663
search:`wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) | bucket span=5m _time | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std) | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) | search isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter`
how_to_implement:Run this detection looking over a 7 day timeframe for best results. known_false_positives:Unknown References: drilldown_searches: name:'View the detection results for - "$src_user$"' search:'%original_detection_search% | search src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:40 impact:20 message:Spike in Group or Object Modifications performed by $src_user$ mitre_attack_id: - 'T1098' - 'T1562' observable: name:'src_user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:8 required_fields: - 'EventCode' - 'src_user' - 'signature' security_domain:audit
