Open TheLawsOfChaos opened 2 years ago
TheLawsOfChaos
commented
2 years ago Further investigation into this showcases the Windows TA isn't playing nice with these events, and that the 4732's by default aren't standardized. So while the startswith / endswith should be added, the user extraction isn't quite as easy to implement.
P4T12ICK
commented
2 years ago I did today also some testing and you are right. It is not so trivial. It will need some further parsing to prepare the fields as needed.
0xC0FFEEEE
commented
6 months ago Hey @P4T12ICK I picked up on this flaw and it looks like the TA does now normalize 4732.
This is the updated rule that I've come up with that appears to work as intended:
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction user dest connected=false maxspan=180m
| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest
| where distinct_eventcodes>1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`
https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_new_local_admin_account.yml
The intention per documentation of this query is to locate user account creations (EventCode 4720) followed by being raised to Local Admin (EventCode 4732) in a short period.
The initial query is :
While the initial search pulls back all of both event types, there is no search being run to locate transacted events with BOTH eventcodes. Also, the
member_idfield isn't needed, as there is already auserfield.I propose it be changed to this: