Multiple Account Disabled by an Administrator

Description

Detect multiple accounts being disabled by an Administrator

Use Case

Security Monitoring, Compliance

Category

Compliance, Privileged User Monitoring

Security Impact

Often used as a pre-attack step, bulk disabling of user accounts can act as a denial-of-service attack, frequently as a simple distraction, to cause havoc in the Security Operations Center and IT department.

This search can also be used to verify that a series of accounts has been disabled when a furlough or layoff occurs.

Alert Volume

Medium

SPL Difficulty

Easy

Journey

Stage 1

MITRE ATT&CK Tactics

Persistence
Initial Access
Credential Access

MITRE ATT&CK Techniques

Valid Accounts
Account Manipulation

MITRE Threat Groups

APT18
APT28
APT3
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Lazarus Group
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
UNC2452
Wizard Spider
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

How to Implement

Configure your audit policy to include these events (4725 and 629) and collect them with a Splunk Universal Forwarder or by other means. You will also need to edit the assets/identity list manually to mark your administrator accounts as privileged.

Known False Positives

The biggest potential source of false positives for this detection is a legitimate account being used to bulk-disable accounts as part of an Active Directory cleanup service, for example disabling user accounts that have not been used in X days or weeks.

Beyond that, there are no known sources of false positives for this search.

How To Respond

When this search returns results, initiate your incident response process and verify whether the account owner has the authority to bulk-disable accounts. If not, begin the remediation process.

Help

Multiple Account Disabled by an Administrator Help

This example leverages the Simple Search assistant. Our dataset is a collection of Windows security events for user-account disables. We filter for several of those occurring in a short period of time; any such series of matches is surfaced.

SPL for Multiple Account Disabled by an Administrator

Live Data

Here we start with a data set of the Windows event codes we are considering.
We count the number of events by user, host and event name.
This macro attaches information from the ES Asset and Identity framework so you can see whether a user is considered privileged.
Filter on privileged users only.
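The four steps above, carried through end to end on sample data, as an added example that is not the page's own SPL or part of Splunk Security Essentials. It reproduces the search logic in plain Python so the counting and the privileged-user filter can be seen in isolation: keep only the account-disable event codes (4725, and 629 for the legacy log format), count events per host and acting user inside a sliding time window, attach a privileged flag from a stand-in identity list, and drop everything that is not privileged. The event records, field names (src_user for the administrator, user for the target), the identity list and the known cleanup account are all constructed for the example; the ES identity framework is replaced by a plain set. The known AD-cleanup account from the false-positive section is still surfaced but marked as expected, so the layoff/furlough verification use case keeps working while the analyst can triage it quickly.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for "user account was disabled":
# 4725 on Vista/2008 and later, 629 on the legacy (2003-era) Security log.
DISABLE_EVENT_CODES = {4725, 629}

# Constructed sample events (not real log data). Field names mirror what Splunk
# extracts from the Security log: src_user is the administrator performing the
# action, user is the account being disabled.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:00:05", "EventCode": 4725, "host": "DC01", "src_user": "admin.jdoe", "user": "alice"},
    {"_time": "2024-03-01T09:00:41", "EventCode": 4725, "host": "DC01", "src_user": "admin.jdoe", "user": "bob"},
    {"_time": "2024-03-01T09:01:12", "EventCode": 4725, "host": "DC01", "src_user": "admin.jdoe", "user": "carol"},
    {"_time": "2024-03-01T09:02:30", "EventCode": 4725, "host": "DC01", "src_user": "admin.jdoe", "user": "dave"},
    {"_time": "2024-03-01T09:02:45", "EventCode": 4726, "host": "DC01", "src_user": "admin.jdoe", "user": "erin"},   # deletion, not a disable
    {"_time": "2024-03-01T11:30:00", "EventCode": 4725, "host": "DC02", "src_user": "admin.jdoe", "user": "frank"},  # single, isolated disable
    {"_time": "2024-03-01T10:00:00", "EventCode": 4725, "host": "DC01", "src_user": "helpdesk.tsmith", "user": "gina"},
    {"_time": "2024-03-01T10:00:20", "EventCode": 4725, "host": "DC01", "src_user": "helpdesk.tsmith", "user": "hank"},
    {"_time": "2024-03-01T10:00:40", "EventCode": 4725, "host": "DC01", "src_user": "helpdesk.tsmith", "user": "ivan"},
    {"_time": "2024-03-01T02:00:00", "EventCode": 629, "host": "DC03", "src_user": "svc_adcleanup", "user": "stale01"},
    {"_time": "2024-03-01T02:00:01", "EventCode": 629, "host": "DC03", "src_user": "svc_adcleanup", "user": "stale02"},
    {"_time": "2024-03-01T02:00:02", "EventCode": 629, "host": "DC03", "src_user": "svc_adcleanup", "user": "stale03"},
]

# Constructed stand-in for the ES asset/identity list: the accounts the
# implementation notes tell you to mark as privileged.
PRIVILEGED_IDENTITIES = {"admin.jdoe", "svc_adcleanup"}

# Accounts expected to bulk-disable (a scheduled AD stale-account cleanup), the
# known false-positive source described above. Constructed for the example.
KNOWN_BULK_DISABLERS = {"svc_adcleanup"}


def _max_events_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def detect_bulk_disables(events, privileged, window_minutes=10, threshold=3, known_bulk=frozenset()):
    """Return one finding per (host, acting user) that disabled at least
    `threshold` accounts within `window_minutes`, restricted to privileged actors."""
    window = timedelta(minutes=window_minutes)

    # Step 1: keep only the account-disable event codes.
    disables = [e for e in events if e["EventCode"] in DISABLE_EVENT_CODES]

    # Step 2: group by host and acting user, collecting timestamps and targets.
    grouped = defaultdict(list)
    for e in disables:
        grouped[(e["host"], e["src_user"])].append((datetime.fromisoformat(e["_time"]), e["user"]))

    findings = []
    for (host, actor), items in grouped.items():
        count = _max_events_in_window([t for t, _ in items], window)
        # Step 3: attach identity context (stand-in for the ES identity macro).
        is_privileged = actor in privileged
        # Step 4: filter to privileged users, then apply the volume threshold.
        if not is_privileged or count < threshold:
            continue
        findings.append({
            "host": host,
            "src_user": actor,
            "count": count,
            "targets": sorted(u for _, u in items),
            "expected": actor in known_bulk,  # known cleanup job: surface, but flag for fast triage
        })
    return sorted(findings, key=lambda f: (f["host"], f["src_user"]))


if __name__ == "__main__":
    for f in detect_bulk_disables(SAMPLE_EVENTS, PRIVILEGED_IDENTITIES, known_bulk=KNOWN_BULK_DISABLERS):
        print(f)
```

With the constructed data, admin.jdoe on DC01 produces a finding (four disables in under three minutes, 4726 deletion ignored), the single disable on DC02 stays below threshold, helpdesk.tsmith is dropped because the account is not in the privileged list, and svc_adcleanup is reported with expected set so it can be matched against the cleanup schedule rather than escalated. Tightening the window to one minute keeps only the cleanup account, which is the knob to tune against your own alert volume.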