Threat Feed
medium advisory

Spike in Active Directory User Modification Activity

Detects an increase in modifications to AD user objects, which may indicate unauthorized access, impaired defenses, or persistence establishment.

This analytic detects anomalous increases in modifications to Active Directory (AD) user objects. A sudden surge in account changes can signal malicious activity, such as an attacker attempting to gain unauthorized access, disable security controls, or establish persistent access to the network. The detection looks for unusual patterns in the Windows Security event log, using the Event IDs that record account creation, enablement, password change and reset, disablement, deletion, group membership changes, attribute changes and ACL changes on privileged accounts: 4720, 4722, 4723, 4724, 4725, 4726, 4728, 4732, 4733, 4738, 4743, and 4780. The alert fires on statistically significant deviations from the baseline rate of user modification activity rather than on any single event.

Attack Chain

  1. An attacker compromises a user account with sufficient privileges to modify other user accounts.
  2. The attacker uses the compromised account to modify attributes of other user accounts in Active Directory.
  3. The attacker may reset passwords (Event ID 4724; 4723 records a password change by a user who knows the current one), add accounts to privileged groups (Event IDs 4728, 4732), or change account settings (Event ID 4738).
  4. These changes are made to escalate privileges, create backdoor accounts, or disable security features.
  5. The attacker hides the malicious changes among low-profile edits, such as the description field or other non-essential attributes, to avoid drawing attention.
  6. The attacker re-enables disabled accounts (Event ID 4722) to regain access.
  7. The adversary uses the modified accounts to move laterally within the network, accessing sensitive data or systems.
  8. The attacker establishes persistence by creating or modifying accounts to ensure continued access to the environment.

Impact

A successful attack resulting in escalated privileges and unauthorized access can lead to data breaches, system compromise, and significant operational disruption. The modifications to user accounts can be used to impair defenses, deploy malware, and exfiltrate sensitive information. The number of affected user accounts can vary greatly, depending on the scope of the attacker’s activity.

Recommendation

  • Deploy the provided Splunk search query to identify spikes in user modification activity, and tune the fixed floor (userCount > 10) and the standard deviation multiplier to your environment; a steady high volume from a provisioning or identity-management service account should raise the baseline, not fire the alert.
  • Investigate any alerts generated by the search, focusing on the src_user (SubjectUserName) making the changes, the target accounts (TargetUserName and TargetDomainName), and the types of modification performed on them.
  • Monitor Windows Security log Event IDs 4720, 4722, 4723, 4724, 4725, 4726, 4728, 4732, 4733, 4738, 4743, and 4780 for unusual patterns of user modification, and confirm that domain controllers audit these categories (Account Management: User Account Management and Security Group Management), since the events are not logged otherwise.
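The logic described in the analytic and in the tuning recommendation above, as an added example. This is not the vendor's Splunk search and not code from the advisory's author; it re-implements the same idea in Python over constructed sample events so the thresholds can be reasoned about offline. Field names (EventCode, SubjectUserName, TargetUserName, TargetDomainName) follow the Windows Security log; the one-hour bucket, the interpretation of userCount as the number of distinct target accounts touched per source, and the multiplier of 3 are assumptions to tune, not values taken from the page.

```python
"""Spike detection over Windows Security user-modification events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Event IDs the advisory lists as user-modification activity.
USER_MOD_EVENT_IDS = {4720, 4722, 4723, 4724, 4725, 4726,
                      4728, 4732, 4733, 4738, 4743, 4780}

MIN_USER_COUNT = 10          # fixed floor from the advisory (userCount > 10)
STDEV_MULT = 3.0             # assumed multiplier over the per-source baseline
BUCKET = timedelta(hours=1)  # assumed aggregation span


def build_sample_events():
    """Constructed sample data (not real logs): 24 quiet hours of routine
    helpdesk changes, then one hour in which a single account resets many
    passwords and adds accounts to groups."""
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    events = []
    for h in range(24):
        for i in range(2):  # two routine events per hour from the helpdesk
            events.append({"time": t0 + timedelta(hours=h, minutes=10 * i),
                           "EventCode": 4738 if i == 0 else 4724,
                           "SubjectUserName": "helpdesk1",
                           "TargetUserName": f"user{h:02d}{i}",
                           "TargetDomainName": "CORP"})
    spike_start = t0 + timedelta(hours=24)
    for i in range(14):  # 14 distinct accounts touched by one source
        events.append({"time": spike_start + timedelta(minutes=i),
                       "EventCode": 4724 if i % 2 == 0 else 4728,
                       "SubjectUserName": "jdoe",
                       "TargetUserName": f"victim{i:02d}",
                       "TargetDomainName": "CORP"})
    # A logon event (4624) that the Event ID filter must ignore.
    events.append({"time": spike_start, "EventCode": 4624,
                   "SubjectUserName": "jdoe", "TargetUserName": "jdoe",
                   "TargetDomainName": "CORP"})
    return events


def bucket_of(ts, span=BUCKET):
    """Floor a timestamp to the start of its aggregation span."""
    secs = int(ts.timestamp())
    width = int(span.total_seconds())
    return datetime.fromtimestamp(secs - secs % width, tz=timezone.utc)


def aggregate(events, span=BUCKET):
    """bucket -> src_user -> set of DOMAIN\\target accounts modified."""
    agg = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["EventCode"] not in USER_MOD_EVENT_IDS:
            continue
        target = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        agg[bucket_of(ev["time"], span)][ev["SubjectUserName"]].add(target)
    return agg


def detect_spikes(events, min_count=MIN_USER_COUNT, k=STDEV_MULT, span=BUCKET):
    """One alert per (bucket, src_user) whose distinct-target count exceeds
    both the fixed floor and mean + k*stdev of that source's own series,
    zero-filled across every observed bucket. A source that is busy in every
    bucket has stdev 0 and count == mean, so it never alerts: the baseline
    absorbs routine provisioning accounts instead of paging on them."""
    agg = aggregate(events, span)
    buckets = sorted(agg)
    sources = {s for per_src in agg.values() for s in per_src}
    alerts = []
    for src in sorted(sources):
        series = [len(agg[b].get(src, ())) for b in buckets]
        mu, sd = mean(series), pstdev(series)
        for b, count in zip(buckets, series):
            if count > min_count and count > mu + k * sd:
                alerts.append({"bucket": b, "src_user": src,
                               "userCount": count,
                               "baseline": round(mu, 2), "stdev": round(sd, 2),
                               "targets": sorted(agg[b][src])})
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(build_sample_events()):
        print(a["bucket"].isoformat(), a["src_user"], a["userCount"],
              a["baseline"], a["stdev"], a["targets"][:3], "...")
```

On the sample data only jdoe's hour trips both tests (14 distinct targets against a baseline near 0.6 with stdev about 2.7), while helpdesk1's steady two changes per hour never clears the floor. Raising `min_count` above 14 suppresses the alert, which is the knob to adjust where a large help desk legitimately touches many accounts an hour.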

Detection coverage 2

Detect Increase in User Modification Activity via Event Logs

medium

Detects a spike in user account modifications based on Windows Event Logs, indicating potential malicious activity such as privilege escalation or persistence establishment.

sigma tactics: defense_evasion, persistence techniques: T1098 sources: windows (Security log)

Detect AD User Account Modification via Event ID 4738

medium

Detects modifications to user accounts based on Windows Event ID 4738 which may indicate account compromise.

sigma tactics: credential_access, persistence techniques: T1098 sources: windows (Security log)
