security_content icon indicating copy to clipboard operation
security_content copied to clipboard

Published 20 hours ago verified publisher icon splunk

detect_new_local_admin_account.yml query update

Open TheLawsOfChaos opened this issue 2 years ago • 3 comments

https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_new_local_admin_account.yml

The intention per documentation of this query is to locate user account creations (EventCode 4720) followed by being raised to Local Admin (EventCode 4732) in a short period.

The initial query is :

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
  | transaction member_id connected=false maxspan=180m | rename member_id as user 
  | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`|
  `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

While the initial search pulls back all of both event types, there is no search being run to locate transacted events with BOTH eventcodes. Also, the member_id field isn't needed, as there is already a user field.

I propose it be changed to this:

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction user connected=false maxspan=180m startswith="EventCode=4720" endswith="EventCode=4732"
| stats count min(_time) as firstTime max(_time) as lastTime values(EventCode) as EventCode by user dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_new_local_admin_account_filter`

TheLawsOfChaos avatar Mar 08 '22 17:03 TheLawsOfChaos

Further investigation into this showcases the Windows TA isn't playing nice with these events, and that the 4732's by default aren't standardized. So while the startswith / endswith should be added, the user extraction isn't quite as easy to implement.

TheLawsOfChaos avatar Mar 08 '22 18:03 TheLawsOfChaos

I did today also some testing and you are right. It is not so trivial. It will need some further parsing to prepare the fields as needed.

P4T12ICK avatar Mar 10 '22 16:03 P4T12ICK

Hey @P4T12ICK I picked up on this flaw and it looks like the TA does now normalize 4732.

This is the updated rule that I've come up with that appears to work as intended:

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction user connected=false maxspan=180m 
| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest
| where distinct_eventcodes>1
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`

0xC0FFEEEE avatar Mar 27 '24 13:03 0xC0FFEEEE