Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect_new_local_admin_account.yml query update #2073

Open
TheLawsOfChaos opened this issue Mar 8, 2022 · 3 comments
Open

detect_new_local_admin_account.yml query update #2073

TheLawsOfChaos opened this issue Mar 8, 2022 · 3 comments
Assignees
@P4T12ICK
Labels
bug Something isn't working

Comments

@TheLawsOfChaos
Copy link
Contributor

https://github.com/splunk/security_content/blob/develop/detections/endpoint/detect_new_local_admin_account.yml

The intention per documentation of this query is to locate user account creations (EventCode 4720) followed by being raised to Local Admin (EventCode 4732) in a short period.

The initial query is :

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
  | transaction member_id connected=false maxspan=180m | rename member_id as user 
  | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`|
  `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

While the initial search pulls back all of both event types, there is no search being run to locate transacted events with BOTH eventcodes. Also, the member_id field isn't needed, as there is already a user field.

I propose it be changed to this:

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction user connected=false maxspan=180m startswith="EventCode=4720" endswith="EventCode=4732"
| stats count min(_time) as firstTime max(_time) as lastTime values(EventCode) as EventCode by user dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_new_local_admin_account_filter`
@TheLawsOfChaos
Copy link
Contributor Author

Further investigation into this showcases the Windows TA isn't playing nice with these events, and that the 4732's by default aren't standardized. So while the startswith / endswith should be added, the user extraction isn't quite as easy to implement.

@P4T12ICK
Copy link
Collaborator

I did today also some testing and you are right. It is not so trivial. It will need some further parsing to prepare the fields as needed.

@josehelps josehelps added the bug Something isn't working label Jul 20, 2022
@0xC0FFEEEE
Copy link
Contributor

0xC0FFEEEE commented Mar 27, 2024
edited
Loading

Hey @P4T12ICK I picked up on this flaw and it looks like the TA does now normalize 4732.

This is the updated rule that I've come up with that appears to work as intended:

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) 
| transaction user dest connected=false maxspan=180m 
| stats count min(_time) as firstTime max(_time) as lastTime dc(EventCode) as distinct_eventcodes by src_user user dest
| where distinct_eventcodes>1
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@P4T12ICK P4T12ICK

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@josehelps @P4T12ICK @TheLawsOfChaos @0xC0FFEEEE