Open TheLawsOfChaos opened 2 years ago
Further investigation into this showcases the Windows TA isn't playing nice with these events, and that the 4732s by default aren't standardized. So while the `startswith` / `endswith` should be added, the user extraction isn't quite as easy to implement.
I also did some testing today and you are right. It is not so trivial. It will need some further parsing to prepare the fields as needed.
Hey @P4T12ICK I picked up on this flaw and it looks like the TA does now normalize 4732.
This is the updated rule that I've come up with that appears to work as intended:
```
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction user dest connected=false maxspan=180m
| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest
| where distinct_eventcodes>1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`
```
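To make the correlation in the rule above concrete, here is an added Python re-implementation of its logic (not code from this issue or from the security_content project) run over constructed Windows Security events; the sample timestamps, hostnames and account names are made up, and `ts`, `base_search`, `transactions` and `detect_new_local_admin` are names chosen here.

```python
# Added example: models the SPL pipeline (base search -> transaction by
# user/dest with maxspan -> dc(EventCode) > 1) over constructed 4720/4732 events.
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=180)  # maxspan=180m in the rule

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample events; the field names follow the rule above.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10 09:00", "EventCode": 4720, "src_user": "helpdesk", "user": "svc_backup", "dest": "WS01"},
    {"_time": "2024-01-10 09:20", "EventCode": 4732, "Group_Name": "Administrators", "src_user": "helpdesk", "user": "svc_backup", "dest": "WS01"},
    {"_time": "2024-01-10 10:00", "EventCode": 4720, "src_user": "hr", "user": "jdoe", "dest": "WS02"},
    {"_time": "2024-01-10 11:00", "EventCode": 4732, "Group_Name": "Remote Desktop Users", "src_user": "admin", "user": "jdoe", "dest": "WS02"},
    {"_time": "2024-01-11 08:00", "EventCode": 4732, "Group_Name": "Administrators", "src_user": "admin", "user": "jdoe", "dest": "WS02"},
]

def base_search(events):
    """EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)"""
    return [e for e in events if e["EventCode"] == 4720
            or (e["EventCode"] == 4732 and e.get("Group_Name") == "Administrators")]

def transactions(events, maxspan=MAXSPAN):
    """transaction user dest maxspan: group by (user, dest) and start a new
    group whenever the next event would push the group's span past maxspan."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: ts(e["_time"])):
        by_key[(e["user"], e["dest"])].append(e)
    for evs in by_key.values():
        txn = []
        for e in evs:
            if txn and ts(e["_time"]) - ts(txn[0]["_time"]) > maxspan:
                yield txn
                txn = []
            txn.append(e)
        yield txn  # evs is never empty, so txn holds at least the last event

def detect_new_local_admin(events):
    """stats ... dc(EventCode) as distinct_eventcodes | where distinct_eventcodes>1"""
    findings = []
    for txn in transactions(base_search(events)):
        codes = {e["EventCode"] for e in txn}
        if len(codes) > 1:  # creation and Administrators add seen in the same window
            findings.append({"user": txn[0]["user"], "dest": txn[0]["dest"],
                             "src_user": sorted({e["src_user"] for e in txn}),
                             "firstTime": txn[0]["_time"], "lastTime": txn[-1]["_time"],
                             "count": len(txn), "distinct_eventcodes": len(codes)})
    return findings
```

Only `svc_backup` on `WS01` is reported: `jdoe` is added to a non-Administrators group inside the window and to Administrators only the next day, outside the 180-minute span, so neither transaction carries both event codes.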
https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_new_local_admin_account.yml
The intention, per the documentation of this query, is to locate user account creations (EventCode 4720) followed by being raised to Local Admin (EventCode 4732) in a short period.
The initial query is:
While the initial search pulls back all of both event types, there is no search being run to locate transacted events with BOTH event codes. Also, the `member_id` field isn't needed, as there is already a `user` field. I propose it be changed to this: