LoFP / the activity may be legitimate. for this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. if your local administrator group name is not \"administrators\", this search may generate an excessive number of false positives

Techniques

• T1136
• T1136.001

Sample rules

Detect New Local Admin account

• source: splunk
• technicques:
  • T1136.001
  • T1136

Description

The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.

Detection logic

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction user dest connected=false maxspan=180m 
| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest 
| where distinct_eventcodes>1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_new_local_admin_account_filter`