This example finds new local admin accounts created on a host, particularly a privileged host, and helps you make sure they are valid. New local admin accounts can be a source of concern. Organizations use local admin accounts for certain applications, or to assess whether there is an issue contacting their network domain controller. But malware, malicious intruders, and even insiders also create local admin accounts so that they retain access even after password changes and account deactivations.
How to implement: This example use case depends on Windows security data.
Best practice: For all of the data inputs, specify a target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk stores the data in the index named main.
Legitimate technicians use local admin accounts, but attackers use them too. This search looks for new accounts that are elevated to local admins. The example search here assumes the local admin group name is administrators. If it is not, then replace references to administrators with the local admin group name from your environment.
Known false positives: This search generates false positives when it finds a help desk admin who creates local admin accounts. If this is common practice in your environment, exclude the usernames of those admin accounts from the base search.
How to respond: When this search returns values, initiate your incident response process and capture the time of the creation, the user account that created the new account, the name of the new account, the system that initiated the request, and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, the creating user's credentials may have been taken over by another party and additional investigation is warranted.
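An added example of what such a search can look like; it is not the search from the original page, and it assumes Windows Security events are indexed with sourcetype `WinEventLog:Security` and that the Splunk Add-on for Microsoft Windows extracts the fields `EventCode`, `Group_Name`, `Security_ID`, `Account_Name` and `src_user`. Event 4720 is "a user account was created" and 4732 is "a member was added to a security-enabled local group"; the group name, the time window and the exclusion list are the values to adjust for your environment.

```spl
sourcetype="WinEventLog:Security" (EventCode=4720 OR (EventCode=4732 Group_Name="Administrators"))
    NOT src_user IN ("helpdesk_admin_1", "helpdesk_admin_2")
| transaction Security_ID maxspan=180m
| search EventCode=4720 EventCode=4732
| table _time, Security_ID, Account_Name, Group_Name, src_user, EventCode, Message
```

The `transaction` groups the creation event and the group-membership event by the SID they share, so only accounts that were both created and elevated within the window are listed; `helpdesk_admin_1` and `helpdesk_admin_2` are placeholder usernames for the help desk exclusion described above.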
See the following video for more details related to this use case.
If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.