Detection rules › Splunk
Windows Multiple Accounts Disabled
The following analytic identifies instances where more than five unique Windows accounts are disabled within a 10-minute window, as indicated by Event Code 4725 in the Windows Security Event Log. It leverages the wineventlog_security dataset, grouping data into 10-minute segments and tracking the count and distinct count of TargetUserName. This behavior is significant as it may indicate internal policy breaches or an external attacker's attempt to disrupt operations. If confirmed malicious, this activity could lead to widespread account lockouts, hindering user access and potentially disrupting business operations.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078 Valid Accounts, T1098 Account Manipulation |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4725 | A user account was disabled. |
Stages and Predicates
Stage 1: search
search EventCode=4725 status="success"
Stage 2: bucket
bucket span=10m _time
Stage 3: stats
stats dc(user) AS unique_users, … AS user, … AS dest BY EventCode, signature, _time, src_user, SubjectDomainName, TargetDomainName, Logon_ID
Stage 4: where
where unique_users>5
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
status | eq |
|
unique_users | gt |
|