Windows Increase in Group or Object Modification Activity

Author: Dean Luxton
Source: upstream

This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.

MITRE ATT&CK coverage

Tactic                  Technique
Persistence             T1098 Account Manipulation
Privilege Escalation    T1098 Account Manipulation
Defense Evasion         T1562 Impair Defenses

Event coverage

Provider            Event ID   Title
Security-Auditing   4663       An attempt was made to access an object.
Security-Auditing   4670       Permissions on an object were changed.
Security-Auditing   4727       A security-enabled global group was created.
Security-Auditing   4731       A security-enabled local group was created.
Security-Auditing   4734       A security-enabled local group was deleted.
Security-Auditing   4735       A security-enabled local group was changed.
Security-Auditing   4764       A group's type was changed.

Stages and Predicates

Stage 1: search

search EventCode IN (4670, 4727, 4731, 4734, 4735, 4764)

Stage 2: bucket

bucket span=5m _time

Stage 3: stats

stats BY _time, src_user, signature, status

Stage 4: eventstats

eventstats avg(objectCount) AS comp_avg BY src_user, signature

Stage 5: eval

eval ... using (comp_avg, comp_std)

Stage 6: eval

eval ... using (objectCount, upperBound)

Stage 7: search

search isOutlier=1

Stage 8: search

search `macro`
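The stage list above shows the shape of the pipeline but elides the eval expressions. The following is an added example, not the rule's own SPL and not code from the author: a pure-Python re-implementation of stages 1 through 7 run over constructed sample events, so the bucketing and baseline logic can be stepped through offline. It assumes (the page does not state these) that objectCount is the number of events in each stats group, that comp_std is stdev(objectCount) computed alongside comp_avg in the eventstats stage, that Stage 5 is upperBound = comp_avg + 3 * comp_std, and that Stage 6 sets isOutlier to 1 when objectCount exceeds upperBound. As on the page, status is part of the stats key but not of the eventstats baseline key.

```python
from collections import defaultdict
from statistics import mean, stdev

# Stage 1 filter set, paired with the event titles from the page's
# event-coverage table (Splunk surfaces the title as `signature`).
WATCHED_EVENT_CODES = {
    4670: "Permissions on an object were changed.",
    4727: "A security-enabled global group was created.",
    4731: "A security-enabled local group was created.",
    4734: "A security-enabled local group was deleted.",
    4735: "A security-enabled local group was changed.",
    4764: "A group's type was changed.",
}
SPAN_SECONDS = 300  # Stage 2: bucket span=5m


def bucket(epoch, span=SPAN_SECONDS):
    """Stage 2: floor a timestamp to the start of its 5-minute bucket."""
    return epoch - epoch % span


def detect(events, k=3.0, span=SPAN_SECONDS):
    """Run stages 1-7 over a list of event dicts and return the rows that
    survive `search isOutlier=1`, oldest bucket first."""
    # Stage 1: search EventCode IN (...)
    kept = [e for e in events if e["EventCode"] in WATCHED_EVENT_CODES]

    # Stages 2-3: bucket _time, then stats BY _time, src_user, signature, status.
    # Assumption: objectCount is the number of events in each group.
    counts = defaultdict(int)
    for e in kept:
        key = (bucket(e["_time"], span), e["src_user"],
               WATCHED_EVENT_CODES[e["EventCode"]], e["status"])
        counts[key] += 1
    rows = [{"_time": t, "src_user": u, "signature": s, "status": st, "objectCount": c}
            for (t, u, s, st), c in counts.items()]

    # Stage 4: eventstats avg/stdev of objectCount BY src_user, signature.
    # The baseline key is narrower than the stats key: status is not in it.
    history = defaultdict(list)
    for r in rows:
        history[(r["src_user"], r["signature"])].append(r["objectCount"])
    for r in rows:
        vals = history[(r["src_user"], r["signature"])]
        r["comp_avg"] = mean(vals)
        r["comp_std"] = stdev(vals) if len(vals) > 1 else 0.0  # sample SD, like Splunk stdev()
        # Stage 5 (assumed form): upperBound = comp_avg + k * comp_std
        r["upperBound"] = r["comp_avg"] + k * r["comp_std"]
        # Stage 6 (assumed form): isOutlier = 1 when objectCount exceeds upperBound
        r["isOutlier"] = 1 if r["objectCount"] > r["upperBound"] else 0

    # Stage 7: search isOutlier=1
    return sorted((r for r in rows if r["isOutlier"]), key=lambda r: r["_time"])


def sample_events():
    """Constructed sample telemetry (not real logs): two users changing
    security-enabled local groups (4735) across 21 five-minute buckets."""
    base = 1_699_999_800  # a multiple of 300, so buckets start exactly here
    events = []
    # alice: one change per bucket for 20 buckets, then a burst of 40 in bucket 20
    for b in range(20):
        events.append({"_time": base + b * 300 + 17, "EventCode": 4735,
                       "src_user": "alice", "status": "success"})
    for i in range(40):
        events.append({"_time": base + 20 * 300 + i, "EventCode": 4735,
                       "src_user": "alice", "status": "success"})
    # bob: alternating 2 and 3 changes per bucket, then 4 in bucket 20 (normal wobble)
    for b in range(20):
        for i in range(2 + b % 2):
            events.append({"_time": base + b * 300 + i, "EventCode": 4735,
                           "src_user": "bob", "status": "success"})
    for i in range(4):
        events.append({"_time": base + 20 * 300 + i, "EventCode": 4735,
                       "src_user": "bob", "status": "success"})
    # 4663 is listed under event coverage but not in the Stage 1 filter,
    # so this event is dropped before bucketing
    events.append({"_time": base + 5, "EventCode": 4663,
                   "src_user": "alice", "status": "success"})
    return events


if __name__ == "__main__":
    for row in detect(sample_events()):
        print(f"{row['_time']} {row['src_user']} {row['signature']} "
              f"objectCount={row['objectCount']} upperBound={row['upperBound']:.2f}")
```

Two properties of this pipeline are worth checking against your own data before trusting the alert volume. First, eventstats computes comp_avg and comp_std over every bucket in the search window, including the burst being tested, so with a short window one large burst inflates its own baseline and can slip under upperBound; a longer lookback or a smaller multiplier (k=1.0 in the sample data flags bob's bucket of 4 as well) changes the result. Second, a user whose activity is perfectly flat has comp_std of 0, so any increase at all becomes an outlier; that is what the Stage 8 filter macro is there to absorb.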

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field       Kind   Values
EventCode   in     • 4670
                   • 4727  corpus 3 (splunk 3)
                   • 4731  corpus 2 (splunk 2)
                   • 4734
                   • 4735
                   • 4764
isOutlier   eq     • 1     corpus 16 (splunk 16)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.