forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathlocal_admin_account_creation.yml
More file actions
126 lines (120 loc) · 4.8 KB
/
local_admin_account_creation.yml
File metadata and controls
126 lines (120 loc) · 4.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
asset_type: Windows
confidence: medium
creation_date: '2018-03-26'
data_metadata:
data_eventtypes:
- wineventlog_security
data_source:
- Windows Event Logs
providing_technologies:
- Microsoft Windows
description: This search looks for newly created accounts that have been elevated
to local administrators.
detect:
splunk:
correlation_rule:
notable:
nes_fields: user,src_user, dest
rule_description: The new user account $user$ was created on $dest$ by $src_user$.
rule_title: New local admin account $user$ created by $src_user$.
risk:
risk_object: user
risk_object_type:
- system
risk_score: 40
schedule:
cron_schedule: 0 9 * * *
earliest_time: -1440m@m
latest_time: -10m@m
search: eventtype = wineventlog_security signature_id=4720 OR (signature_id=4732
Group_Name= Administrators) | transaction Security_ID connected=false maxspan=180m | search
signature_id=4720 signature_id=4732 | table _time user dest signature_id Security_ID
Group_Name src_user Message
suppress:
suppress_fields: user
suppress_period: 86400s
eli5: This search looks for Windows Event Code 4720 (account creation) and 4732 (account
added to a security-enabled local group), where the group name is "Administrators",
and determines whether they are generated for the same user's Security ID within
three hours of each other. It will return the user account that was added, the
Security ID, the group name to which the user was added, the account name of the
user who initiated the action, and the subsequent message returned.
entities:
- user
how_to_implement: 'You must be ingesting Windows Security logs. You must also enable
the account change auditing here:http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata.
Additionally, this search requires you to enable your Group Management Audit Logs
in your Local Windows Security Policy and to be ingesting those logs. More information
on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/.
Finally, please make sure that the local administrator group name is "Administrators"
to be able to look for the right group membership changes.\
This search produces fields (`Security_ID`,`Group_Name`,`Message`) that are not
yet supported by ES Incident Review and therefore cannot be viewed when a notable
event is raised. These fields contribute additional context to the notable. To see
the additional metadata, add the following fields, if not already present, to Incident
Review - Event Attributes (Configure > Incident Management > Incident Review Settings
> Add New Entry):\\n1. **Label:** Security ID, **Field:** Security_ID\
1. \
1. **Label:** Group Name, **Field:** Group_Name\
1. \
1. **Label:** Message, **Field:** Message\
Detailed documentation on how to create a new field within Incident Review may be
found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`'
id: b25f6f62-0712-43c1-b203-083231ffd97d
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
name: Get Authentication Logs For Endpoint
type: splunk
- id: fecf2918-670d-4f1c-872b-3d7317a41bf9
name: Get Parent Process Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
name: Get Risk Modifiers For User
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
name: Get Process Info
type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
name: Get Notable Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
name: Get Risk Modifiers For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
name: Get User Information from Identity Table
type: splunk
known_false_positives: The activity may be legitimate. For this reason, it's best
to verify the account with an administrator and ask whether there was a valid service
request for the account creation. If your local administrator group name is not
"Administrators", this search may generate an excessive number of false positives
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
mappings:
cis20:
- CIS 16
kill_chain_phases:
- Actions on Objectives
- Command and Control
mitre_attack:
- Valid Accounts
- Defense Evasion
- Persistence
nist:
- PR.AC
- DE.CM
modification_date: '2019-02-28'
name: Detect New Local Admin account
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references: []
security_domain: access
spec_version: 2
type: splunk
version: '1.0'