splApache-2.0from splunk/security_content
Windows AD Abnormal Object Access Activity
The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_abnormal_object_access_activity.yml
`wineventlog_security` EventCode=4662
| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count
BY SubjectUserName
| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev
| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName
| where ObjectName_count > limit
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ad_abnormal_object_access_activity_filter`