Does anyone have examples of how to use Splunk to detect new interactive login from a service account?
The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.
Legitimate technicians use local admin accounts, but attackers use them too. In this use case, we'll search for new accounts that are elevated to local admins. This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.
This use case depends on Windows Security EventID 4720 or 4732 Audit Logs.
Best practice: Use the Splunk Add-on for Microsoft Windows to accelerate time to value for the necessary Windows filesystem data. For details, see Is it a best practice to use the Splunk Add-on for Microsoft Windows? on Splunk Answers. Use the [WinEventLog://Security] input in the add-on to collect Windows security data. For details, see our post How do I collect basic Windows OS Event Log data from my Windows systems? on Splunk Answers.
index=* source="win*security" EventCode=4720 OR (EventCode=4732 Administrators) | head 10
This search looks for new accounts elevated to local admins. It finds Windows Security Events with account creation events or account changes with group membership events and puts those events together as a single transaction for each unique username.
Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the 'main' index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.
index=* source="winEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators)
| transaction Security_ID maxspan=180m
| search EventCode=4720 (EventCode=4732 Administrators)
| table _time EventCode Account_Name Target_Account_Name Message
Known false positives: The only false positives for this search are help desk admins who create local admin accounts. If this is common practice in the environment, filter out the admin account creation messages by excluding the usernames from the base search. If the local admin group does not include the term Administrators, then the search can potentially generate false negatives.
How to respond: When this search returns values, initiate the incident response process and capture the time of the creation, as well as the user accounts that created the account and the account name itself, the system that initiated the request and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, it's possible another person used the user credentials and additional investigation is warranted.
If no results appear, you may need to deploy the Splunk Add-on for Microsoft Windows to the search heads to use the knowledge objects necessary for simple searching.
Watch the following video to see an example of how to use Splunk Enterprise to find new local admin accounts.
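The correlation the SPL above performs (a 4720 account creation followed within 180 minutes by a 4732 membership add to a group named Administrators) as plain Python over constructed sample events, so the logic can be run offline. This is an added example, not code from the answer, the Splunk Security Essentials app or the Windows add-on. It keys on the created account's SID (the 4720 target SID matching the 4732 member SID) rather than on the add-on's Security_ID field, and the field names EventCode, TargetSid, MemberSid, GroupName, SubjectUserName and Computer are assumptions modelled on the event XML; map them to whatever your pipeline extracts. The allowlist of creator usernames corresponds to excluding help desk usernames from the base search, and the substring match on "administrators" is the same false-negative caveat the answer notes for renamed local admin groups.

```python
"""Correlate Windows Security events 4720 (user account created) and 4732
(member added to a security-enabled local group) to flag new local admins.

Added example, not code from the Splunk answer. Field names below are
assumptions modelled on the Windows event XML, not the add-on's extractions.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs); times are ISO-8601, assumed UTC.
SAMPLE_EVENTS = [
    # Help desk creates an account and adds it to Administrators 5 minutes later.
    {"time": "2024-03-01T09:00:00", "EventCode": 4720, "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-1-1-1105", "Computer": "WS01"},
    {"time": "2024-03-01T09:05:00", "EventCode": 4732, "SubjectUserName": "helpdesk1",
     "MemberSid": "S-1-5-21-1-1-1-1105", "GroupName": "Administrators", "Computer": "WS01"},
    # Another operator creates an account and elevates it 2 hours later (inside the window).
    {"time": "2024-03-01T10:00:00", "EventCode": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "support", "TargetSid": "S-1-5-21-1-1-1-1106", "Computer": "WS02"},
    {"time": "2024-03-01T12:00:00", "EventCode": 4732, "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-1-1-1106", "GroupName": "Administrators", "Computer": "WS02"},
    # Account created, elevated 4 hours later: outside the 180 minute window.
    {"time": "2024-03-01T13:00:00", "EventCode": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "late", "TargetSid": "S-1-5-21-1-1-1-1107", "Computer": "WS02"},
    {"time": "2024-03-01T17:00:00", "EventCode": 4732, "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-1-1-1107", "GroupName": "Administrators", "Computer": "WS02"},
    # Account created and added to Remote Desktop Users only: not a local admin.
    {"time": "2024-03-01T14:00:00", "EventCode": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "rdpuser", "TargetSid": "S-1-5-21-1-1-1-1108", "Computer": "WS03"},
    {"time": "2024-03-01T14:10:00", "EventCode": 4732, "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-1-1-1108", "GroupName": "Remote Desktop Users", "Computer": "WS03"},
]

MAXSPAN = timedelta(minutes=180)   # same window as the SPL `transaction ... maxspan=180m`
ADMIN_GROUP = "administrators"     # substring the search keys on; renamed groups are missed


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_local_admins(events, allowlisted_creators=frozenset(), maxspan=MAXSPAN):
    """Return one finding per account that was created (4720) and then added to a
    group whose name contains 'Administrators' (4732) within `maxspan`.

    `allowlisted_creators` holds lower-cased creator usernames to ignore; it plays
    the role of excluding help desk usernames from the base search.
    """
    creations = {}   # TargetSid -> the 4720 event that created that account
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["EventCode"] == 4720:
            if ev["SubjectUserName"].lower() in allowlisted_creators:
                continue
            creations[ev["TargetSid"]] = ev
        elif ev["EventCode"] == 4732:
            if ADMIN_GROUP not in ev.get("GroupName", "").lower():
                continue
            created = creations.get(ev["MemberSid"])
            if created is None:
                continue   # pre-existing account; not what this search is after
            if _ts(ev) - _ts(created) > maxspan:
                continue   # same account, but too far apart to count as one transaction
            findings.append({
                "created_at": created["time"],
                "elevated_at": ev["time"],
                "account": created["TargetUserName"],
                "sid": ev["MemberSid"],
                "created_by": created["SubjectUserName"],
                "elevated_by": ev["SubjectUserName"],
                "host": ev["Computer"],
            })
            del creations[ev["MemberSid"]]   # one finding per creation
    return findings


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS, allowlisted_creators={"helpdesk1"}):
        print(hit)
```

Each finding carries the fields the response section asks you to capture (creation time, creating account, new account name, host). Run it without the allowlist to see the help desk case surface as the expected false positive; run it with the allowlist to see only the remaining elevation.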
I just changed the video to another that is a stronger match to this content.
Added related video.