Short Lived Admin Accounts

Description

A technique used by attackers is to create an account, take some actions, and then delete it right away. This search will find those accounts on the local system.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Defense Evasion
Persistence

MITRE ATT&CK Techniques

Create Account
Defense Evasion

MITRE Threat Groups

APT3
APT41
Dragonfly 2.0
Leafminer
Soft Cell

Kill Chain Phases

Command and Control

Data Sources

Windows Security

How to Implement

This search relies on the standard Windows Security events coming from a Windows forwarder on a workstation or member server (so: not domain controllers). Implementation is as easy as ingesting that data, specifying the correct index, and running the search. If you are using a log source other than the Splunk TA for Windows (e.g., Snare, WMI, etc.), you may need to adjust field names to match those used in the search itself.

Known False Positives

The biggest potential false positive from this detection is that, technically, it will fire for any short-lived account, not just admin accounts. It is difficult to put sufficient logic into a single search to detect admin accounts while also detecting short-lived accounts (though it may be possible to combine this with the new admin account detection in this app), and doing so wasn't a big priority given how rare short-lived accounts are in general.

Beyond that, there are no known sources of false positives for this search.

How To Respond

When this search returns values, initiate your incident response process and capture the time of the creation and deletion events, the user account that created the new account, the name of the created account, the system that initiated the request, and other pertinent information. Contact the owner of the system. If this is authorized behavior, document that it is authorized and by whom. If not, the user's credentials have been used by another party and additional investigation is warranted.

Help

Short Lived Admin Accounts Help

This example leverages the Simple Search assistant. Our dataset is a collection of Windows security logs for user creation and user deletion. We filter for that, and then use the transaction command to group a create and delete in a short period of time. Anything that matches, we will surface.

SPL for Short Lived Admin Accounts

Demo Data

First we pull in our demo dataset.
This line won't exist in production, it is just so that we can format the demo data (coming from a CSV file) correctly.
Next we filter to make sure we're looking for just account creation events or account deletions.
Transaction will now group everything together so that we can see multiple events occurring to the same username.
We can now filter for users where both event IDs occurred.
Finally we can display everything in a nice table for the user to consume.

Live Data

First we pull in our dataset, of Windows Security Logs with account creation events or account deletions.
Windows Security Logs will by default carry two values in the Account_Name field -- the acting username and the target username. We want the latter (selecting it this way isn't a canonical, always-guaranteed approach, but it works correctly in this scenario).
Transaction will now group everything together so that we can see multiple events occurring to the same username.
Finally we can display everything in a nice table for the user to consume.

Accelerated Data

Here, tstats gives us a super-fast count of account creation events or account deletion events.
Next we rename the fields to make it easier to work with them.
Transaction will now group everything together so that we can see multiple events occurring to the same username.
Now we can filter for transactions with both events.
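The Live Data and Accelerated Data walkthroughs above describe the same grouping logic; here it is as an added Python example (not the app's SPL), run over constructed events shaped like the Splunk TA for Windows fields. It assumes the real Windows event IDs 4720 (user account created) and 4726 (user account deleted), and a transaction window of 4 hours, which the page does not state and is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created, 4726 = user account deleted.
CREATE, DELETE = 4720, 4726

# Constructed sample events (not real telemetry), shaped like the fields the Splunk
# TA for Windows extracts. Account_Name is multivalued: acting account first, target second.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "EventCode": 4720, "host": "WS01", "Account_Name": ["jdoe", "svc_tmp"]},
    {"_time": "2024-03-01 09:12:00", "EventCode": 4726, "host": "WS01", "Account_Name": ["jdoe", "svc_tmp"]},
    {"_time": "2024-03-01 10:00:00", "EventCode": 4720, "host": "WS02", "Account_Name": ["admin", "newhire"]},
    {"_time": "2024-03-03 10:00:00", "EventCode": 4726, "host": "WS02", "Account_Name": ["admin", "newhire"]},
    {"_time": "2024-03-01 11:00:00", "EventCode": 4726, "host": "WS03", "Account_Name": ["admin", "olduser"]},
    {"_time": "2024-03-01 11:30:00", "EventCode": 4624, "host": "WS03", "Account_Name": ["admin", "admin"]},
]

def acting_and_target(event):
    """Split the two Account_Name values into (acting user, target user)."""
    names = event["Account_Name"]
    if isinstance(names, list):
        return names[0], names[-1]
    return None, names  # single-valued field: only the target is known

def short_lived_accounts(events, maxspan_hours=4):
    """Emulate `transaction <target> maxspan=4h` and keep groups with both a create and a delete."""
    maxspan = timedelta(hours=maxspan_hours)  # assumed window, not from the page
    by_target = defaultdict(list)
    for ev in events:
        if ev["EventCode"] not in (CREATE, DELETE):
            continue  # the search filters to these two event IDs first
        actor, target = acting_and_target(ev)
        ts = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")
        by_target[target].append((ts, ev["EventCode"], actor, ev["host"]))
    hits = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e[0])
        pending = None  # latest creation not yet paired with a deletion
        for ts, code, actor, host in evs:
            if code == CREATE:
                pending = (ts, actor, host)
            elif pending is not None and ts - pending[0] <= maxspan:
                # Both events for the same target inside the window: surface the pair.
                hits.append({"account": target, "host": pending[2], "created_by": pending[1],
                             "deleted_by": actor, "created": pending[0].isoformat(sep=" "),
                             "deleted": ts.isoformat(sep=" "),
                             "lifetime_seconds": int((ts - pending[0]).total_seconds())})
                pending = None
    return hits
```

A deletion with no preceding creation (olduser) and a creation whose deletion falls outside the window (newhire) are both dropped, which is the same result the transaction filter produces.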