Short Lived Windows Accounts

Description

This search detects accounts that were created and deleted in a short time period.

Use Case

Security Monitoring

Category

Best Practices

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Persistence

MITRE ATT&CK Techniques

Create Account

Local Account

MITRE Threat Groups

APT3
APT39
APT41
Dragonfly 2.0
Leafminer

Data Sources

Windows Security

Short Lived Windows Accounts Help

This search requires Group Management audit logging to be enabled in your Local Windows Security Policy, and those logs to be ingested. For instructions on enabling it, see: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/
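
The correlation named in the Description, as an added Python example that is not the Splunk search behind this content: it pairs Windows Security event 4720 (user account created) with 4726 (user account deleted) per host and account. The sample events, the field names and the one-hour window are assumptions; the page does not state a threshold.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created, 4726 = user account deleted.
CREATED, DELETED = 4720, 4726

# Constructed sample events (field names are assumptions); not real log data.
SAMPLE_EVENTS = [
    {"host": "WS01", "account": "svc_tmp", "event_id": 4720, "time": "2024-03-01T10:00:00"},
    {"host": "WS01", "account": "jdoe",    "event_id": 4720, "time": "2024-03-01T10:05:00"},
    {"host": "WS01", "account": "svc_tmp", "event_id": 4726, "time": "2024-03-01T10:42:00"},
    {"host": "WS02", "account": "svc_tmp", "event_id": 4726, "time": "2024-03-01T10:50:00"},
    {"host": "WS01", "account": "jdoe",    "event_id": 4726, "time": "2024-03-02T09:00:00"},
    {"host": "WS03", "account": "Helper",  "event_id": 4720, "time": "2024-03-01T11:00:00"},
    {"host": "WS03", "account": "helper",  "event_id": 4726, "time": "2024-03-01T11:10:00"},
]

def short_lived_accounts(events, window=timedelta(hours=1)):
    """Return (host, account, created, deleted) for accounts deleted within
    `window` of their creation on the same host. The default window is an
    assumed value, not one taken from the page."""
    pending = {}   # (host, account) -> creation time awaiting a matching delete
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Windows account names are case-insensitive, so normalise before pairing.
        key = (ev["host"].lower(), ev["account"].lower())
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == CREATED:
            pending[key] = ts
        elif ev["event_id"] == DELETED:
            # A delete with no create in the data set cannot be paired and is skipped.
            created = pending.pop(key, None)
            if created is not None and ts - created <= window:
                hits.append((key[0], key[1], created, ts))
    return hits

if __name__ == "__main__":
    for host, account, created, deleted in short_lived_accounts(SAMPLE_EVENTS):
        print(f"{host}\\{account}: created {created}, deleted {deleted} "
              f"(lifetime {deleted - created})")
```

Pairing on host as well as account name keeps a deletion on one machine from matching a creation on another, and a long-lived account such as `jdoe` in the sample falls outside the window and is not reported.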
