Detection rules › Splunk
Windows AD Abnormal Object Access Activity
The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1087.002 Account Discovery: Domain Account |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4662 | An operation was performed on an object. |
Stages and Predicates
Stage 1: search
search EventCode=4662
Stage 2: stats
stats dc(ObjectName) AS ObjectName_count, … AS ObjectType BY SubjectUserName
Stage 3: eventstats
eventstats avg(ObjectName_count) AS average
Stage 4: eval
eval ... using (SubjectUserName, average, standarddev)
Stage 5: where
where ObjectName_count>
Stage 6: search
search
Stage 7: search
search
Stage 8: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows AD Privileged Object Access Activity (adds 1 filter)