Short Lived Windows Accounts

Author: David Dorsey, Bhavin Patel, Splunk
Source: upstream

The following analytic detects the rapid creation and deletion of Windows accounts within a short time frame of 1 hour. It leverages the "Change" data model in Splunk, specifically monitoring events with result IDs 4720 (account creation) and 4726 (account deletion). This behavior is significant as it may indicate an attacker attempting to create and remove accounts quickly to evade detection or gain unauthorized access. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or further malicious actions within the environment. Immediate investigation of flagged events is crucial to mitigate potential damage.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078.003` Valid Accounts: Local Accounts
Persistence	`T1078.003` Valid Accounts: Local Accounts, `T1136.001` Create Account: Local Account
Privilege Escalation	`T1078.003` Valid Accounts: Local Accounts
Defense Evasion	`T1078.003` Valid Accounts: Local Accounts

Event coverage

Provider	Event ID	Title
Security-Auditing	4720	A user account was created.
Security-Auditing	4726	A user account was deleted.

Stages and Predicates

Stage 1: `tstats`

tstats WHERE (All_Changes.result_id=4720 OR All_Changes.result_id=4726) BY _time, All_Changes.user, All_Changes.dest, All_Changes.Account_Management.src, All_Changes.Account_Management.src_user

Stage 2: `search`

search

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search

Stage 6: `transaction` time_window=3600s

transaction user maxspan=60m

Stage 7: `eval`

eval ... using (result_id)

Stage 8: `eval`

eval ... using (result_id)

Stage 9: `search`

search create_result_id=4720 delete_result_id=4726

Stage 10: `table`

table count, create_result_id, delete_result_id, dest, firstTime, lastTime, src, src_user, user

Stage 11: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`All_Changes.result_id`	eq	`4720` corpus 2 (splunk 2) `4726`
`create_result_id`	eq	`4720`
`delete_result_id`	eq	`4726`

Short Lived Windows Accounts

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: search

Stage 6: transaction time_window=3600s

Stage 7: eval

Stage 8: eval

Stage 9: search

Stage 10: table

Stage 11: search