SPL, Apache-2.0, from splunk/security_content

Detect New Local Admin account

The following analytic detects the creation of new accounts that are then elevated to local administrators. It uses Windows Security event logs, specifically EventCode 4720 (user account created) and EventCode 4732 (member added to a security-enabled local group, here filtered to the Administrators group), and correlates the two events for the same user and host within a 180-minute window. This activity is significant because it can indicate unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, it could give attackers administrative access, leading to unauthorized data access, system modification, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.

Rule source: detections/endpoint/detect_new_local_admin_account.yml
`wineventlog_security`
(
  EventCode=4720
  OR
  (
    EventCode=4732
    AND
    (
      Group_Name=Administrators
      OR
      TargetUserName=Administrators
    )
  )
)
| transaction user dest connected=false maxspan=180m
| stats count min(_time) as firstTime
              max(_time) as lastTime
              dc(EventCode) as distinct_eventcodes
  by src_user user dest
| where distinct_eventcodes > 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`
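To show how the correlation in this search behaves on concrete events, here is an added Python re-implementation (not part of splunk/security_content) run over a constructed set of sample events. It approximates the `transaction` and `stats` stages in plain Python and assumes simplified values for the src_user, user and dest fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=180)  # mirrors "transaction ... maxspan=180m" in the rule

# Constructed sample Security events (not real logs), using only the fields the rule keys on.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "EventCode": 4720, "src_user": "adm1", "user": "svc_backup", "dest": "WS1"},
    {"_time": "2024-05-01T09:05:00", "EventCode": 4732, "src_user": "adm1", "user": "svc_backup", "dest": "WS1", "Group_Name": "Administrators"},
    {"_time": "2024-05-01T10:00:00", "EventCode": 4720, "src_user": "hd1", "user": "jdoe", "dest": "WS2"},  # created, never elevated
    {"_time": "2024-05-01T11:00:00", "EventCode": 4732, "src_user": "adm2", "user": "olduser", "dest": "WS3", "Group_Name": "Administrators"},  # elevated, not new
    {"_time": "2024-05-01T12:00:00", "EventCode": 4732, "src_user": "adm3", "user": "bob", "dest": "WS5", "Group_Name": "Remote Desktop Users"},  # wrong group
    {"_time": "2024-05-02T08:00:00", "EventCode": 4720, "src_user": "adm3", "user": "late", "dest": "WS4"},
    {"_time": "2024-05-02T12:00:00", "EventCode": 4732, "src_user": "adm3", "user": "late", "dest": "WS4", "TargetUserName": "Administrators"},  # 4 h later: outside maxspan
]

def matches_base_search(ev):
    """The rule's base filter: 4720, or 4732 targeting the Administrators group."""
    if ev["EventCode"] == 4720:
        return True
    return ev["EventCode"] == 4732 and "Administrators" in (ev.get("Group_Name"), ev.get("TargetUserName"))

def build_transactions(events):
    """Approximates `transaction user dest connected=false maxspan=180m`: per (user, dest),
    time-ordered events are grouped while the span from the first event stays within 180 minutes."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["dest"])].append(ev)
    transactions = []
    for evs in by_key.values():
        evs.sort(key=lambda e: e["_time"])
        current = []
        for ev in evs:
            if current and ev["_time"] - current[0]["_time"] > MAXSPAN:
                transactions.append(current)  # span exceeded: close the transaction
                current = []
            current.append(ev)
        transactions.append(current)
    return transactions

def detect_new_local_admins(raw_events):
    """One finding per transaction that holds both event codes (where distinct_eventcodes > 1)."""
    events = [dict(ev, _time=datetime.fromisoformat(ev["_time"])) for ev in raw_events if matches_base_search(ev)]
    findings = []
    for tx in build_transactions(events):
        if len({ev["EventCode"] for ev in tx}) > 1:
            findings.append({
                "src_user": sorted({ev["src_user"] for ev in tx}), "user": tx[0]["user"], "dest": tx[0]["dest"],
                "count": len(tx), "firstTime": tx[0]["_time"].isoformat(), "lastTime": tx[-1]["_time"].isoformat(),
            })
    return findings
```

Only svc_backup on WS1 fires: jdoe was created but never elevated, olduser was elevated but not created, bob's group is not Administrators, and the two events for "late" are four hours apart.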