LoFP / the activity may be legitimate. for this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. if your local administrator group name is not \"administrators\", this search may generate an excessive number of false positives

Techniques

• T1136.001

Sample rules

Detect New Local Admin account

• source: splunk
• technicques:
  • T1136.001

Description

The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.

Detection logic

`wineventlog_security`
(
  EventCode=4720 
  OR
  (
    EventCode=4732
    AND
    (
      Group_Name=Administrators
      OR
      TargetUserName=Administrators
    )
  )
)

| transaction user dest connected=false maxspan=180m

| stats count min(_time) as firstTime 
              max(_time) as lastTime 
              dc(EventCode) as distinct_eventcodes 
  by src_user user dest

| where distinct_eventcodes > 1

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `detect_new_local_admin_account_filter`