LoFP / service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. filter as needed.

Techniques

• T1078
• T1098

Sample rules

Windows Multiple Accounts Deleted

• source: splunk
• technicques:
  • T1098
  • T1078

Description

The following analytic flags when more than five unique Windows accounts are deleted within a 10-minute period, identified by Event Code 4726 in the Windows Security Event Log. Using the wineventlog_security dataset, it segments data into 10-minute intervals to monitor account deletions, a pattern that could suggest malicious intent like an attacker erasing traces. Teams should adjust the detection’s threshold and timeframe to suit their specific environment.

Detection logic

 `wineventlog_security` EventCode=4726 status=success 
| bucket span=10m _time 
| stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID 
| where unique_users > 5 
| `windows_multiple_accounts_deleted_filter`

Windows Multiple Account Passwords Changed

• source: splunk
• technicques:
  • T1098
  • T1078

Description

This Splunk detection identifies situations where over five unique Windows account passwords are changed within a 10-minute interval, captured by Event Code 4724 in the Windows Security Event Log. The query utilizes the wineventlog_security dataset, organizing data into 10-minute periods to monitor the count and distinct count of TargetUserName, the accounts with altered passwords. Rapid password changes across multiple accounts are atypical and might indicate unauthorized access or an internal actor compromising account security. Teams should calibrate the detection’s threshold and timeframe to fit their specific operational context.

Detection logic

 `wineventlog_security` EventCode=4724 status=success 
| bucket span=10m _time 
| stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID 
| where unique_users > 5 
| `windows_multiple_account_passwords_changed_filter`

Windows Multiple Accounts Disabled

• source: splunk
• technicques:
  • T1098
  • T1078

Description

This Splunk detection focuses on instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. The query analyzes the wineventlog_security dataset, grouping data into 10-minute segments, and tracks the count and distinct count of TargetUserName, the accounts being disabled. This pattern of disabling multiple accounts rapidly is unusual and could signal internal policy breaches or an external attacker’s attempt to disrupt normal operations. Teams are advised to tailor the threshold and timeframe of this detection to their environment’s specifics

Detection logic

 `wineventlog_security` EventCode=4725 status=success 
| bucket span=10m _time 
| stats count dc(user) as unique_users values(user) as user by EventCode signature _time src_user SubjectDomainName TargetDomainName Logon_ID 
| where unique_users > 5 
| `windows_multiple_accounts_disabled_filter`