
Windows Increase in User Modification Activity

Author
Dean Luxton
Source
upstream

This analytic detects a spike in modifications to Active Directory (AD) user objects. It groups the user-modification events listed under Event coverage into 5-minute buckets, counts how many user objects each source account changed per bucket and event type, and flags a bucket whose count is an outlier against that source account's own average and standard deviation for the same event type. A burst of changes in a short window can indicate unauthorized access, an attempt to impair defenses (for example bulk disabling or deleting accounts) or the establishment of persistence (for example mass password resets or group-membership changes). By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.

MITRE ATT&CK coverage

Tactic                Technique
Persistence           T1098 Account Manipulation
Privilege Escalation  T1098 Account Manipulation
Defense Evasion       T1562 Impair Defenses

Event coverage

Provider           Event ID  Title
Security-Auditing  4720      A user account was created.
Security-Auditing  4722      A user account was enabled.
Security-Auditing  4723      An attempt was made to change an account's password.
Security-Auditing  4724      An attempt was made to reset an account's password.
Security-Auditing  4725      A user account was disabled.
Security-Auditing  4726      A user account was deleted.
Security-Auditing  4728      A member was added to a security-enabled global group.
Security-Auditing  4732      A member was added to a security-enabled local group.
Security-Auditing  4733      A member was removed from a security-enabled local group.
Security-Auditing  4738      A user account was changed.
Security-Auditing  4743      A computer account was deleted.
Security-Auditing  4780      The ACL was set on accounts which are members of administrators groups.

Stages and Predicates

Stage 1: search

search EventCode IN (4720, 4722, 4723, 4724, 4725, 4726, 4728, 4732, 4733, 4738, 4743, 4780)

Stage 2: bucket

bucket span=5m _time

Stage 3: stats

stats BY _time, src_user, signature, status

Stage 4: eventstats

eventstats avg(userCount) AS comp_avg BY src_user, signature

Stage 5: eval

eval ... using (comp_avg, comp_std)

Stage 6: eval

eval ... using (upperBound, userCount)

Stage 7: search

search isOutlier=1

Stage 8: stats

stats BY _time, src_user, status

Stage 9: search

search `macro`
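The nine stages above, re-implemented in plain Python and run over constructed events so the bucketing, per-actor baseline and outlier test can be traced end to end. This is an added example, not the rule's own SPL. The page elides the aggregation in stage 3 and the expressions in the two eval stages, so the following are assumptions: userCount is the distinct count of target accounts (the user field) per bucket; upperBound = comp_avg + 3 * comp_std; isOutlier is set when userCount is at least upperBound and above a floor of 10 accounts; comp_std is the sample standard deviation and is taken as 0 when an actor has only one bucket. The account names, timestamps and event rows are invented; the filter macro of stage 9 is not modelled.

```python
from collections import defaultdict
from statistics import mean, stdev

SPAN = 300                 # bucket span=5m
SIGMA = 3                  # assumed multiplier: upperBound = comp_avg + SIGMA * comp_std
MIN_COUNT = 10             # assumed floor: a bucket must touch more than this many accounts
USER_MOD_CODES = {4720, 4722, 4723, 4724, 4725, 4726, 4728, 4732, 4733, 4738, 4743, 4780}
TITLES = {4725: "A user account was disabled.", 4726: "A user account was deleted.",
          4738: "A user account was changed.", 4624: "An account was successfully logged on."}
BASE = 1_700_000_400       # constructed epoch start, already on a 5-minute boundary


def event(code, t, src_user, user, status="success"):
    """One Security-Auditing event as a flat dict shaped like a Splunk result row."""
    return {"EventCode": code, "_time": t, "src_user": src_user, "user": user,
            "signature": TITLES[code], "status": status}


def sample_events():
    """Constructed data: a steady HR service account, then one abused admin account."""
    evs = []
    for i in range(12):                                # svc_hr changes 1-2 accounts per bucket
        t = BASE + i * SPAN + 30
        evs.append(event(4738, t, "svc_hr", f"hr.user{i}"))
        if i % 2 == 0:
            evs.append(event(4738, t + 5, "svc_hr", f"hr.user{i}b"))
    for k in range(14):                                # bucket 11: svc_hr suddenly touches 15
        evs.append(event(4738, BASE + 11 * SPAN + 60 + k, "svc_hr", f"bulk{k:02d}"))
    for k in range(25):                                # bucket 11: jdoe_adm disables 25 accounts
        evs.append(event(4725, BASE + 11 * SPAN + 100 + k, "jdoe_adm", f"victim{k:02d}"))
    for k in range(12):                                # ...and deletes 12 of them
        evs.append(event(4726, BASE + 11 * SPAN + 200 + k, "jdoe_adm", f"victim{k:02d}"))
    evs.append(event(4624, BASE + 11 * SPAN + 10, "jdoe_adm", "jdoe_adm"))  # logon: not in scope
    return evs


def bucket(t):
    """Stage 2: bucket span=5m _time."""
    return t - t % SPAN


def aggregate(events):
    """Stages 1-3: keep only the user-modification codes, bucket, and collect the distinct
    target accounts per (_time, src_user, signature, status); userCount = len(set)."""
    rows = defaultdict(set)
    for e in events:
        if e["EventCode"] in USER_MOD_CODES:
            rows[(bucket(e["_time"]), e["src_user"], e["signature"], e["status"])].add(e["user"])
    return rows


def baselines(rows):
    """Stages 4-5: eventstats avg/stdev of userCount BY src_user, signature, then upperBound.
    The baseline covers every bucket in the search window, the spike bucket included."""
    series = defaultdict(list)
    for (_, src, sig, _), users in rows.items():
        series[(src, sig)].append(len(users))
    out = {}
    for key, counts in series.items():
        comp_avg = mean(counts)
        comp_std = stdev(counts) if len(counts) > 1 else 0.0   # one bucket: no spread
        out[key] = (comp_avg, comp_std, comp_avg + SIGMA * comp_std)
    return out


def detect(events):
    """Stages 6-8: flag outlier buckets, then collapse signatures BY _time, src_user, status."""
    rows = aggregate(events)
    bounds = baselines(rows)
    alerts = defaultdict(lambda: {"users": set(), "signatures": set()})
    for (t, src, sig, status), users in rows.items():
        upper = bounds[(src, sig)][2]
        if len(users) > MIN_COUNT and len(users) >= upper:          # isOutlier=1
            alerts[(t, src, status)]["users"] |= users
            alerts[(t, src, status)]["signatures"].add(sig)
    return {k: {"userCount": len(v["users"]), "signatures": sorted(v["signatures"])}
            for k, v in alerts.items()}


if __name__ == "__main__":
    for (t, src, status), a in sorted(detect(sample_events()).items()):
        print(f"{t} {src} {status}: {a['userCount']} accounts via {a['signatures']}")
```

Two properties of the pipeline are visible in the output. First, because eventstats runs over the whole window, the spike bucket raises its own average and standard deviation; svc_hr's burst of 15 clears an upper bound of roughly 14.4 only because the eleven quiet buckets before it hold the baseline down, so a search window that is too short lets large bursts hide in their own statistics. Second, an actor seen in a single bucket, like jdoe_adm here, has a standard deviation of 0 and an upper bound equal to its own count, so only the assumed floor decides whether it fires; the floor and the stage-9 filter macro are where known bulk tooling (HR provisioning, password-expiry scripts, directory synchronisation accounts) should be tuned out rather than by raising the multiplier.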

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field      Kind  Values
EventCode  in
  • 4720
  • 4722
  • 4723
  • 4724
  • 4725
  • 4726
  • 4728 corpus 3 (splunk 3)
  • 4732
  • 4733
  • 4738 corpus 2 (splunk 2)
  • 4743
  • 4780
isOutlier  eq
  • 1 corpus 16 (splunk 16)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.