Techniques
Sample rules
Windows Increase in User Modification Activity
- source: splunk
- technicques:
- T1098
- T1562
Description
This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.
Detection logic
`wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780)
| bucket span=5m _time
| stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status
| eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0)
| search isOutlier=1
| stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status
| `windows_increase_in_user_modification_activity_filter`