Detect New Local Admin account
The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136.001 Create Account: Local Account |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4720 | A user account was created. |
| Security-Auditing | 4732 | A member was added to a security-enabled local group. |
Stages and Predicates
- Stage 1 (search): `search (((Group_Name="Administrators" OR TargetUserName="Administrators") EventCode=4732) OR EventCode=4720)`
- Stage 2 (transaction, time_window=10800s): `transaction user, dest maxspan=180m`
- Stage 3 (stats): `stats dc(EventCode) AS distinct_eventcodes BY src_user, user, dest`
- Stage 4 (where): `where distinct_eventcodes>1`
- Stage 7 (search): `` search `macro` ``
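The four-stage pipeline above, re-implemented as an added Python model over constructed sample events (this is not the Splunk rule's own code; it assumes `src_user` is the acting account, `user` the account created or added, and `dest` the host):

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=180)  # transaction maxspan=180m (time_window=10800s)

# Constructed sample events (not real logs); src_user = actor, user = account created/added, dest = host.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventCode": 4720, "src_user": "jsmith", "user": "svc_backup", "dest": "WKS01"},
    {"_time": "2024-05-01T10:05:00", "EventCode": 4732, "src_user": "jsmith", "user": "svc_backup", "dest": "WKS01", "Group_Name": "Administrators"},
    {"_time": "2024-05-01T11:00:00", "EventCode": 4720, "src_user": "helpdesk", "user": "temp1", "dest": "WKS02"},
    {"_time": "2024-05-01T11:10:00", "EventCode": 4732, "src_user": "helpdesk", "user": "bob", "dest": "WKS03", "Group_Name": "Remote Desktop Users"},
    {"_time": "2024-05-01T09:00:00", "EventCode": 4720, "src_user": "jsmith", "user": "late", "dest": "WKS04"},
    {"_time": "2024-05-01T13:00:00", "EventCode": 4732, "src_user": "jsmith", "user": "late", "dest": "WKS04", "Group_Name": "Administrators"},
]

def ts(ev):
    return datetime.fromisoformat(ev["_time"])

def stage1_match(ev):
    """Stage 1 predicate: any 4720, or a 4732 whose target group is Administrators."""
    if ev["EventCode"] == 4720:
        return True
    if ev["EventCode"] == 4732:
        return "Administrators" in (ev.get("Group_Name"), ev.get("TargetUserName"))
    return False

def transactions(events, maxspan=MAXSPAN):
    """Stage 2: group by (user, dest); a transaction closes once the span from its first event exceeds maxspan."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=ts):
        by_key[(ev["user"], ev["dest"])].append(ev)
    for key, evs in by_key.items():
        txn = [evs[0]]
        for ev in evs[1:]:
            if ts(ev) - ts(txn[0]) > maxspan:
                yield key, txn
                txn = [ev]
            else:
                txn.append(ev)
        yield key, txn

def detect_new_local_admin(events):
    """Stages 3-4: count distinct EventCodes per transaction; alert when both 4720 and 4732 are present."""
    alerts = []
    for (user, dest), txn in transactions(filter(stage1_match, events)):
        codes = {ev["EventCode"] for ev in txn}
        if len(codes) > 1:
            alerts.append({"src_user": sorted({e["src_user"] for e in txn}), "user": user, "dest": dest, "distinct_eventcodes": len(codes)})
    return alerts
```

The WKS04 pair lies outside the 180-minute span, so it splits into two single-event transactions and does not alert, while the non-Administrators 4732 on WKS03 is dropped at stage 1.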
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4720, 4732 |
| Group_Name | eq | Administrators |
| TargetUserName | eq | Administrators |
| distinct_eventcodes | gt | 1 |
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- User Added to Privileged Group in Active Directory
- A Member Was Added to a Security-Enabled Global Group
- Add or Remove Computer from DC
- Addition of SID History to Active Directory Object
- Windows AD Cross Domain SID History Addition
- Windows AD Privileged Account SID History Addition
- Windows AD Same Domain SID History Addition
- Windows Increase in User Modification Activity
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.