Multiple Account Deletion by an Administrator

Description

Detect multiple accounts being deleted by an Administrator

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring, Compliance

Category

Compliance, Privileged User Monitoring

Security Impact

A technique used by attackers is to create multiple accounts, take a series of actions, and then delete the accounts to mask the activity. This search will find the account which has been used to deleted said accounts.

Alert Volume

Medium

SPL Difficulty

Easy

Journey

Stage 1

MITRE ATT&CK Tactics

Persistence
Initial Access
Credential Access

MITRE ATT&CK Techniques

Valid Accounts
Account Manipulation

MITRE Threat Groups

APT18
APT28
APT3
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Lazarus Group
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
UNC2452
Wizard Spider
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Azure
GCP
User Activity Audit
Windows Security
Audit Trail

Data Model

Change

   How to Implement

This search requires an accelerated authentication data model to run. If it is not present, consider ingesting Windows Security or Linux data via the Splunk Universal Forwarder or AWS, GCP or Azure vid the correct add-on, and then accelerating it with the Common Information App

   Known False Positives

The biggest potential false positive from this detection is that, technically, it will fire for any privileged account that is deleting accounts, not just admin accounts specifically. It's difficult to put sufficient logic into a single search to detect admin only accounts, as often, “privilege” is a general term which implies any user with rights above the average user. So while detecting group deletions from admins, it could also alert for any automated account which may be cleaning up Active Directory.

Beyond that, there are no known sources of false positives for this search.

   How To Respond

When this search returns values, initiate your incident response process and capture the time of the creation and deletion events, as well as the user accounts that created the account and the account name itself, the system that initiated the request and other pertinent information. Contact the account owners, to verify whether or not this is authorized behavior. If not, begin to investigate actions taken by each account leading up to it’s deletion. If it is authorized behavior, document that this is authorized and by whom.

   Help

Multiple Account Deletion by an Administrator Help

This example leverages the Simple Search assistant. Our dataset is a collection of Windows security logs for user user deletion. We filter for that in a short period of time. Anything that matches, we will surface.

SPL for Multiple Account Deletion by an Administrator

Live Data

Here we start with a a data set from the Change datamodel.
Filter on deletes only.
We list and count the number of deletions by source user.
Only show users that have deleted more than 1 account.
This macro attaches information from the ES Asset and Identity framework so you can see if a user if considered privileged.
Filter on privileged users only.