All Apps and Add-ons

Are there any examples of how to detect new local admin accounts?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk to detect new local admin accounts?

Labels (1)
0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

This example finds new local admin accounts created on a host, particularly a privileged host, and make sure they are valid. New local admin accounts can be a source of concern. Organizations can use local admin accounts for certain applications or to assess if there is an issue contacting their network domain controller. But malware, malicious intruders, and even insiders also create local admin accounts to gain access through password changes and account deactivations. 

Load data

How to implement: This example use case depends on Windows security data.

Install the add-on for Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] input to collect Windows Event Log security data from endpoints. See the Data Source Onboarding Guides for Windows Security Logs for additional guidance on making sure account creation events ( EventCode=4720)or account changes with group membership events ( EventCode=4732) are being collected.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Get insights

Legitimate technicians use local admin accounts, but attackers use them too. This search looks for new accounts that are elevated to local admins. The example search here assumes the local admin group name is administrators. If it is not, then replace references to administrators with the local admin group name from your environment.

Run the following search.

index=* source="*WinEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators) 
| transaction Security_ID maxspan=180m connected=false
| search EventCode=4720 (EventCode=4732 Administrators)
| table _time EventCode Account_Name Target_Account_Name Mes

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: This search generates a false positives when it finds a help desk admin who creates local admin accounts. If this is common practice in your environment, exclude the usernames for the admin account from the base search.

How to respond: When this search returns values, initiate your incident response process and capture the time of the creation, the user accounts that created the account, and the account name itself, the system that initiated the request and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, the user credentials may have from another another party and additional investigation is warranted.

Help

See the following video for more details related to this use case.
detect new local admin accounts

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

This example finds new local admin accounts created on a host, particularly a privileged host, and make sure they are valid. New local admin accounts can be a source of concern. Organizations can use local admin accounts for certain applications or to assess if there is an issue contacting their network domain controller. But malware, malicious intruders, and even insiders also create local admin accounts to gain access through password changes and account deactivations. 

Load data

How to implement: This example use case depends on Windows security data.

Install the add-on for Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] input to collect Windows Event Log security data from endpoints. See the Data Source Onboarding Guides for Windows Security Logs for additional guidance on making sure account creation events ( EventCode=4720)or account changes with group membership events ( EventCode=4732) are being collected.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Get insights

Legitimate technicians use local admin accounts, but attackers use them too. This search looks for new accounts that are elevated to local admins. The example search here assumes the local admin group name is administrators. If it is not, then replace references to administrators with the local admin group name from your environment.

Run the following search.

index=* source="*WinEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators) 
| transaction Security_ID maxspan=180m connected=false
| search EventCode=4720 (EventCode=4732 Administrators)
| table _time EventCode Account_Name Target_Account_Name Mes

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: This search generates a false positives when it finds a help desk admin who creates local admin accounts. If this is common practice in your environment, exclude the usernames for the admin account from the base search.

How to respond: When this search returns values, initiate your incident response process and capture the time of the creation, the user accounts that created the account, and the account name itself, the system that initiated the request and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, the user credentials may have from another another party and additional investigation is warranted.

Help

See the following video for more details related to this use case.
detect new local admin accounts

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

dbroggy
Path Finder

I'm not seeing this Security_ID field for the transaction in my windows logs, I understand the rest of your logic perfectly.

0 Karma

PickleRick
Ultra Champion

Hi @dbroggy 

I’m a Community Moderator in the Splunk Community. Thanks for contributing as a member in the forum!

This question was posted 2 years ago and might not get the attention you need for your own question to be answered. Furthermore, your additional question is not directly related to the original one and the topic of this thread. I suggest you please post a brand new question so your issue can get more visibility. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...