Windows Multiple Accounts Deleted
The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the wineventlog_security dataset, bucketing events into 10-minute intervals and counting distinct deleted accounts per interval to surface suspicious bulk deletions. This activity is significant because it may indicate an attacker removing accounts to erase traces of their actions. If confirmed malicious, this could lead to the unauthorized removal of access, hindering incident response and forensic investigations.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078 Valid Accounts, T1098 Account Manipulation |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4726 | A user account was deleted. |
Stages and Predicates
Stage 1: search
search EventCode=4726 status="success"
Stage 2: bucket
bucket span=10m _time
Stage 3: stats
stats dc(user) AS unique_users, … AS user, … AS dest BY EventCode, signature, _time, src_user, SubjectDomainName, TargetDomainName, Logon_ID
Stage 4: where
where unique_users>5
Stage 5: search
search `macro`
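The stages above, reproduced in Python as an added example (not code from the Splunk rule or its project) so the bucketing behaviour can be seen on constructed 4726 events: `bucket span=10m` produces aligned windows, not a sliding one, so six deletions that straddle a boundary are split and not flagged, and `dc(user)` counts a repeatedly deleted account once. The sample already contains only successful 4726 events, so stage 1 is omitted; field names mirror the rule, the values are invented.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample 4726 events (not real log data): epoch seconds,
# SubjectUserName (src_user), TargetUserName (user), Logon_ID.
SAMPLE_EVENTS = [
    # six deletions by "adm-helpdesk" inside one aligned 10-minute bucket
    *[(1700000000 + 30 * i, "adm-helpdesk", f"svc{i}", "0x3E7A1") for i in range(6)],
    # six deletions by "cleanup-bot" that straddle a bucket boundary (3 + 3)
    *[(1700000340 + 20 * i, "cleanup-bot", f"tmp{i}", "0x51B") for i in range(6)],
    # the same account deleted repeatedly: dc() counts it once
    *[(1700000000 + 10 * i, "retry-job", "ghost", "0x99") for i in range(8)],
]

def bucket_start(ts, span=600):
    """Mimic `bucket span=10m _time`: floor the timestamp to an aligned span boundary."""
    return ts - ts % span

def deleted_accounts_by_window(events, span=600):
    """Mimic `stats dc(user) ... BY _time, src_user, Logon_ID` (other BY fields omitted)."""
    groups = defaultdict(set)
    for ts, src_user, user, logon_id in events:
        groups[(bucket_start(ts, span), src_user, logon_id)].add(user)
    return groups

def detect(events, threshold=5, span=600):
    """Mimic `where unique_users>5`; return one result row per triggering group."""
    hits = []
    for (start, src_user, logon_id), users in deleted_accounts_by_window(events, span).items():
        if len(users) > threshold:
            hits.append({
                "_time": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "src_user": src_user,
                "Logon_ID": logon_id,
                "unique_users": len(users),
                "user": sorted(users),
            })
    return hits

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```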
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values | Corpus |
|---|---|---|---|
| EventCode | eq | 4726 | |
| status | eq | success | |
| unique_users | gt | 5 | |