New Local Admin Account

Description

Local admin accounts are used by legitimate technicians, but they're also used by attackers. This search looks for newly created accounts that are elevated to local admins.


Use Case

Advanced Threat Detection, Security Monitoring, Compliance

Category

Endpoint Compromise

Security Impact

New local admin accounts are often a source of concern. Most organizations deploy a small number of local admin accounts, used for particular applications or for access when a host cannot reach its domain controller. On the other hand, malware, malicious intruders, and even insiders love to create local admin accounts because such an account survives domain password changes, account deactivations, or, in the case of a malicious insider, leaving the company. Whenever a local admin account is created on a host, particularly a privileged host, it is important to confirm that it is legitimate.

Alert Volume

Medium

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Defense Evasion
Persistence

MITRE ATT&CK Techniques

Valid Accounts
Create Account

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leafminer
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Command and Control

Data Sources

Windows Security

How to Implement

First, verify that Windows Security logs are coming in and that account management auditing is enabled (see the Windows Security data source documentation). Event 4720 ("A user account was created") is produced by the Audit User Account Management subcategory and event 4732 ("A member was added to a security-enabled local group") by the Audit Security Group Management subcategory; both need Success auditing turned on. Once your logs are coming in, you should be able to search for source="*WinEventLog:Security" (EventCode=4720 OR EventCode=4732) to see account creation and local group membership change events. Finally, confirm that the local administrators group shows up in your 4732 events with the group name "administrators", because that is the group name this search filters on.

Known False Positives

The main source of false positives for this search is help desk staff who legitimately create local admin accounts. If this is common practice in your environment, filter out their account creation events by excluding their usernames from the base search.

If your local admin group is not named "administrators" (for example, a non-English Windows installation names it "Administratoren"), the search will miss those group additions and produce false negatives. Event 4732 also records the group's SID, and the built-in Administrators group always has the well-known SID S-1-5-32-544, so matching on the SID instead of the display name removes the dependency on the system language.

How To Respond

When this search returns results, initiate your incident response process and capture the creation time, the account that performed the creation, the name of the new account, the host on which it was created, and any other pertinent information. Contact the owner of the system. If the behavior is authorized, document that it is authorized and by whom. If not, assume the creating account's credentials have been used by another party and investigate further.

Help

New Local Admin Account Help

This example leverages the Simple Search assistant. Our dataset is a collection of Windows Security logs covering user creation and group modification. We use the transaction command to group an account creation and an addition to the local Administrators group for the same account within a short period of time, and surface anything that matches.

SPL for New Local Admin Account

Demo Data

First we pull in our demo dataset.
This line won't exist in production, it is just so that we can format the demo data (coming from a CSV file) correctly.
Next we filter so that we are looking only at account creation events (EventCode 4720) or additions to a local security group (EventCode 4732).
Transaction will now group these events by account so that we can see multiple events occurring for the same username.
We can now keep only the transactions in which both event codes occurred.
Finally we can display everything in a nice table for the user to consume.

Live Data

First we pull in our dataset of Windows Security logs, filtered to account creation events (EventCode 4720) or additions to a local security group (EventCode 4732).
Transaction will now group these events by account so that we can see multiple events occurring for the same username.
Now we can keep only the transactions in which both event codes occurred.
Finally we can display everything in a nice table for the user to consume.
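The correlation the Help section describes (pair a 4720 account creation with a 4732 addition to the local Administrators group for the same account, within a short window, then table the result) is shown here as an added Python example that is not part of this page's SPL or the Splunk product. It reads a small set of constructed events rather than live Splunk data; the event field names (host, account, subject, group_name, group_sid) are assumptions chosen to mirror what the Windows event bodies carry. Beyond the page's own search it also matches the group by its well-known SID, so a non-English group name is still caught, and it applies the help-desk exclusion from the false-positive note.

```python
"""Added example: correlate Windows Security events 4720 (user account
created) and 4732 (member added to a security-enabled local group) into
"new local admin" findings, the same grouping the transaction-based SPL
performs. Not Splunk code; field names and sample events are constructed."""
from datetime import datetime, timedelta

# Well-known SID of the built-in Administrators group. It is identical on every
# Windows install regardless of display language, so matching on it avoids the
# false negatives you get when the group is named e.g. "Administratoren".
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed events. Keys are assumed and only roughly follow the Windows
# event bodies: 4720 = account created, 4732 = member added to a local group.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01 10:00:00", "host": "WS01", "EventCode": 4720,
     "account": "svc_backup", "subject": "helpdesk01"},
    {"_time": "2024-05-01 10:02:00", "host": "WS01", "EventCode": 4732,
     "account": "svc_backup", "subject": "helpdesk01",
     "group_name": "Administrators", "group_sid": "S-1-5-32-544"},
    # Created but only added to Remote Desktop Users: not a local admin.
    {"_time": "2024-05-01 11:00:00", "host": "WS02", "EventCode": 4720,
     "account": "jdoe2", "subject": "jdoe"},
    {"_time": "2024-05-01 11:05:00", "host": "WS02", "EventCode": 4732,
     "account": "jdoe2", "subject": "jdoe",
     "group_name": "Remote Desktop Users", "group_sid": "S-1-5-32-555"},
    # Elevated 4.5 hours after creation: outside the default 3 hour window.
    {"_time": "2024-05-01 12:00:00", "host": "WS03", "EventCode": 4720,
     "account": "support", "subject": "tech02"},
    {"_time": "2024-05-01 16:30:00", "host": "WS03", "EventCode": 4732,
     "account": "support", "subject": "tech02",
     "group_name": "Administrators", "group_sid": "S-1-5-32-544"},
    # German-language host: the group name would miss, the SID still matches.
    {"_time": "2024-05-01 13:00:00", "host": "DE-WS05", "EventCode": 4720,
     "account": "wartung", "subject": "mallory"},
    {"_time": "2024-05-01 13:01:00", "host": "DE-WS05", "EventCode": 4732,
     "account": "wartung", "subject": "mallory",
     "group_name": "Administratoren", "group_sid": "S-1-5-32-544"},
    # Existing account elevated with no 4720: out of scope for this search.
    {"_time": "2024-05-01 14:00:00", "host": "WS06", "EventCode": 4732,
     "account": "olduser", "subject": "mallory",
     "group_name": "Administrators", "group_sid": "S-1-5-32-544"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _is_admin_group(ev, group_sid, group_name):
    """Match the target group by SID first, then by case-insensitive name."""
    return (ev.get("group_sid") == group_sid
            or ev.get("group_name", "").lower() == group_name.lower())


def find_new_local_admins(events, maxspan_hours=3, exclude_subjects=(),
                          group_sid=ADMINISTRATORS_SID,
                          group_name="Administrators"):
    """Return one finding per account that was created (4720) and then added
    to the local Administrators group (4732) on the same host within
    maxspan_hours. exclude_subjects is the help-desk allowlist: creations
    performed by those accounts are dropped before correlation."""
    excluded = {s.lower() for s in exclude_subjects}
    maxspan = timedelta(hours=maxspan_hours)

    # Index creations by (host, account), like transaction keyed on the account.
    creations = {}
    for ev in events:
        if ev["EventCode"] == 4720 and ev["subject"].lower() not in excluded:
            key = (ev["host"].lower(), ev["account"].lower())
            creations.setdefault(key, []).append(ev)

    findings = []
    for ev in events:
        if ev["EventCode"] != 4732 or not _is_admin_group(ev, group_sid, group_name):
            continue
        key = (ev["host"].lower(), ev["account"].lower())
        for created in creations.get(key, []):
            delta = _ts(ev["_time"]) - _ts(created["_time"])
            # The elevation must follow the creation and fall inside the window.
            if timedelta(0) <= delta <= maxspan:
                findings.append({
                    "host": ev["host"], "account": ev["account"],
                    "created_by": created["subject"], "elevated_by": ev["subject"],
                    "created_at": created["_time"], "elevated_at": ev["_time"],
                    "group": ev.get("group_name", group_sid),
                })
    return sorted(findings, key=lambda f: f["elevated_at"])


if __name__ == "__main__":
    # Equivalent of the final table: one row per new local admin.
    for f in find_new_local_admins(SAMPLE_EVENTS):
        print(f"{f['elevated_at']} {f['host']}: {f['account']} created by "
              f"{f['created_by']}, added to {f['group']} by {f['elevated_by']}")
```

Run as-is it reports WS01 and DE-WS05; passing exclude_subjects=["helpdesk01"] drops the help-desk creation, and raising maxspan_hours to 5 pulls in the WS03 pair that the default window excludes, which is the same trade-off the transaction command's maxspan makes in the SPL.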