
Example of how to detect new local admin accounts?

Ultra Champion

Does anyone have examples of how to use Splunk to detect new local admin accounts?


Re: Example of how to detect new local admin accounts?

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

This example finds new local admin accounts created on a host, particularly a privileged host, and makes sure they are valid. New local admin accounts can be a source of concern. Organizations can use local admin accounts for certain applications or to assess if there is an issue contacting their network domain controller. But malware, malicious intruders, and even insiders also create local admin accounts to gain access through password changes and account deactivations.

Load data

How to implement: This example use case depends on Windows security data.

Install the Splunk Add-on for Microsoft Windows and enable the [WinEventLog://Security] input to collect Windows Event Log security data from endpoints. See the Data Source Onboarding Guides for Windows Security Logs for additional guidance on making sure account creation events (EventCode=4720) or account changes with group membership events (EventCode=4732) are being collected.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Get insights

Legitimate technicians use local admin accounts, but attackers use them too. This search looks for new accounts that are elevated to local admins. The example search here assumes the local admin group name is administrators. If it is not, then replace references to administrators with the local admin group name from your environment.

Run the following search.

index=* source="*WinEventLog:Security" EventCode=4720 OR (EventCode=4732 Administrators)
| transaction Security_ID maxspan=180m connected=false
| search EventCode=4720 (EventCode=4732 Administrators)
| table _time EventCode Account_Name Target_Account_Name Message

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: This search generates false positives when it finds a help desk admin who creates local admin accounts. If this is common practice in your environment, exclude the usernames of those admin accounts from the base search.

How to respond: When this search returns values, initiate your incident response process and capture the time of the creation, the user account that created the account, the account name itself, the system that initiated the request, and other pertinent information. Contact the owner of the system. If it is authorized behavior, document that this is authorized and by whom. If not, the user credentials may have been obtained by another party and additional investigation is warranted.

Help

See the following video for more details related to this use case.
detect new local admin accounts

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

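As an added illustration (this is not code from the post above or from Splunk Security Essentials), the following Python reproduces the correlation the SPL search performs: pair a 4720 (account created) with a 4732 (member added to a security-enabled local group) for the same SID within a 180-minute window, keep only additions to the Administrators group, and apply the help-desk allowlist that the "Known false positives" note suggests. The events are constructed sample data, not real logs; the SIDs, hostnames and usernames are made up, and the field names Subject_Account_Name and Group_Name are assumptions that mirror the kind of fields the Splunk Add-on for Microsoft Windows extracts from these events. Unlike the raw 4720 event, where Security_ID is multivalued (subject and new account), each sample event here carries only the SID of the account created or added, which is the value the transaction keys on.

```python
"""Correlate Windows Security events 4720 (account created) and 4732
(member added to a security-enabled local group) the way the SPL search
does with `transaction Security_ID maxspan=180m`, plus a subject allowlist
for known help-desk activity."""
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=180)  # same window as maxspan=180m in the SPL
ADMIN_GROUP = "Administrators"    # replace with your local admin group name

# Constructed sample events, not real logs. Security_ID is the SID of the
# account that was created (4720) or added to the group (4732);
# Subject_Account_Name is the account that performed the action (assumed
# field name, chosen to mirror the add-on's Account_Name extraction).
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "EventCode": 4720, "host": "SRV01",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-10-20-30-1001",
     "Account_Name": "svc_backup"},
    {"_time": "2024-03-01 09:05:00", "EventCode": 4732, "host": "SRV01",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-10-20-30-1001",
     "Group_Name": "Administrators"},
    # help desk creating and elevating an account: the allowlist suppresses this
    {"_time": "2024-03-01 10:00:00", "EventCode": 4720, "host": "WS07",
     "Subject_Account_Name": "helpdesk1", "Security_ID": "S-1-5-21-40-50-60-1002",
     "Account_Name": "localadm"},
    {"_time": "2024-03-01 10:01:00", "EventCode": 4732, "host": "WS07",
     "Subject_Account_Name": "helpdesk1", "Security_ID": "S-1-5-21-40-50-60-1002",
     "Group_Name": "Administrators"},
    # new account added to a non-admin group only: no finding
    {"_time": "2024-03-01 10:30:00", "EventCode": 4720, "host": "WS07",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-40-50-60-1003",
     "Account_Name": "rdpuser"},
    {"_time": "2024-03-01 10:31:00", "EventCode": 4732, "host": "WS07",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-40-50-60-1003",
     "Group_Name": "Remote Desktop Users"},
    # elevated 5.5 hours after creation: outside the 180-minute window
    {"_time": "2024-03-01 11:00:00", "EventCode": 4720, "host": "SRV02",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-70-80-90-1004",
     "Account_Name": "lateadm"},
    {"_time": "2024-03-01 16:30:00", "EventCode": 4732, "host": "SRV02",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-70-80-90-1004",
     "Group_Name": "Administrators"},
    # pre-existing account (no 4720 for its SID) added to Administrators: no finding
    {"_time": "2024-03-01 12:00:00", "EventCode": 4732, "host": "SRV01",
     "Subject_Account_Name": "j.doe", "Security_ID": "S-1-5-21-10-20-30-1005",
     "Group_Name": "Administrators"},
]


def _event_time(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def find_new_local_admins(events, maxspan=MAXSPAN, admin_group=ADMIN_GROUP,
                          allowlist=()):
    """Return one finding per 4732 into admin_group whose member SID was
    created by a 4720 at most maxspan earlier. 4732s performed by a subject
    in allowlist are skipped (the help-desk exclusion from the post)."""
    created = defaultdict(list)  # SID -> 4720 events that created that SID
    for e in events:
        if e["EventCode"] == 4720:
            created[e["Security_ID"]].append(e)

    findings = []
    for e in events:
        if e["EventCode"] != 4732 or e.get("Group_Name") != admin_group:
            continue
        if e["Subject_Account_Name"] in allowlist:
            continue
        for c in created.get(e["Security_ID"], []):
            gap = _event_time(e) - _event_time(c)
            if timedelta(0) <= gap <= maxspan:  # creation before elevation, within window
                findings.append({
                    "sid": c["Security_ID"],
                    "account": c["Account_Name"],
                    "created_at": c["_time"], "created_by": c["Subject_Account_Name"],
                    "created_on": c["host"],
                    "elevated_at": e["_time"], "elevated_by": e["Subject_Account_Name"],
                    "elevated_on": e["host"],
                })
                break
    return findings


if __name__ == "__main__":
    # Everything an IR ticket needs per the "How to respond" note: who, what, where, when.
    for finding in find_new_local_admins(SAMPLE_EVENTS, allowlist={"helpdesk1"}):
        print(finding)
```

With the allowlist empty, both svc_backup and localadm are reported; with helpdesk1 allowlisted only svc_backup remains, and widening maxspan to six hours additionally surfaces lateadm, which shows why the window is a tuning knob rather than a fixed rule.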