AD query for user creation and deletion in short period of time
Hi,
I'm trying to write a query that will detect (and eventually alert) when a user account has been quickly created and deleted on our AD domain. I'm guessing that this will have something to do with the count_distinct based on the AD multiple IP example elsewhere on the forums. Or maybe I'll need a subquery to merge the results?
So far I have a query to grab both the account creation and deletion events, but need to have results show usernames that have both.
_sourceCategory=windows (4726 OR 4720)
| parse regex "Computer = \"(?<computer_name>.*?)\";"
| parse regex "EventCode = (?<event_id>.*?);"
| parse regex "Message = \"(?<event_message>.*?[^\r]+)"
| parse regex "Subject:[\s\S]+?Account\sName:\t+(?<who_did_this>[^\r]+)"
| parse regex "Target\sAccount:[\s\S]+?Account\sName:\t+(?<account_username>[^\r]+)" nodrop
| parse regex "Target\sAccount:[\s\S]+?Account\sDomain:\t+(?<account_domain>[^\r]+)" nodrop
| parse regex "New\sAccount:[\s\S]+?Account\sName:\t+(?<account_username>[^\r]+)" nodrop
| parse regex "New\sAccount:[\s\S]+?Account\sDomain:\t+(?<account_domain>[^\r]+)" nodrop
| where event_id = 4726 OR event_id = 4720
Cheers
-
would it help to try something like this approach?
| if (event_message = "A user account was created.",1,0) as created
| if (event_message = "A user account was deleted.",1,0) as deleted
| sort _messagetime asc
| first(event_id) as first_id, last(event_id) as last_id, min(_messagetime) as earliest, max(_messagetime) as latest, count as events, sum(created) as created, sum(deleted) as deleted by account_username, account_domain
| round((latest - earliest)) / 1000 as time_s
// now we have a table of stuff with durations
// we can just use where to test scenarios. You might want to use some of these separately in different queries
| where created > 0 and deleted > 0 // filter for both events present
| where time_s < 60 // where duration is < some number
| where events > 2 // users created or deleted more than one time
btw this is the parsing query I used to test out your scenario:
(4726 OR 4720)
| parse regex "EventCode = (?<event_id>\d+?);" nodrop
| where event_id = 4726 OR event_id = 4720
| parse regex "Account Name:\s+(?<src_user>[^\r\n]+)" nodrop
| parse regex "Account Domain:\s+(?<src_domain>[^\r\n]+)" nodrop
| parse regex "Security ID:\s+(?<sid>[^\r\n]+)" nodrop
| parse regex "Message = \"(?<event_message>[^\r\n]+)" nodrop
-
That works perfectly Rick, thanks!
Here's the full query I ended up using, mostly based on your work.
_sourceCategory=windows (4726 OR 4720)
| parse regex "Computer = \"(?<computer_name>.*?)\";"
| parse regex "EventCode = (?<event_id>.*?);"
| where event_id = 4726 OR event_id = 4720
| parse regex "Message = \"(?<event_message>.*?[^\r]+)"
| parse regex "Subject:[\s\S]+?Account\sName:\t+(?<who_did_this>[^\r]+)"
| parse regex "Target\sAccount:[\s\S]+?Security\sID:\t+(?<account_sid>[^\r]+)" nodrop
| parse regex "Target\sAccount:[\s\S]+?Account\sName:\t+(?<account_username>[^\r]+)" nodrop
| parse regex "Target\sAccount:[\s\S]+?Account\sDomain:\t+(?<account_domain>[^\r]+)" nodrop
| parse regex "New\sAccount:[\s\S]+?Security\sID:\t+(?<account_sid>[^\r]+)" nodrop
| parse regex "New\sAccount:[\s\S]+?Account\sName:\t+(?<account_username>[^\r]+)" nodrop
| parse regex "New\sAccount:[\s\S]+?Account\sDomain:\t+(?<account_domain>[^\r]+)" nodrop
| if (event_message = "A user account was created.",1,0) as created
| if (event_message = "A user account was deleted.",1,0) as deleted
| sort _messagetime asc
| first(event_id) as first_id,last(event_id) as last_id,min(_messagetime) as earliest,max(_messagetime) as latest,count as events, sum(created) as created,sum(deleted) as deleted by account_username,account_domain,who_did_this
| round((latest - earliest )) / 1000 as time_s
// now we have a table of stuff with durations
// we can just use where to test scenarios. You might want to use some of these separately in different queries
| where created > 0 and deleted > 0 // filter for both events present
| where time_s < 3600 // where duration is < some number, 3600 is 1 hour
| where events > 1 // users created or deleted more than one time
| fields account_username,account_domain,who_did_this,events,created,deleted
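The same correlation, written as an added Python example so the logic of the queries above can be checked offline; it is not code from the forum thread or from Sumo Logic. It parses the flattened `Computer = ...; EventCode = ...; Message = "..."` records with the same regexes the queries use, flags each record as a creation or deletion from the Message text, groups by target account, computes the spread between the earliest and latest event, and keeps only accounts that were both created and deleted inside the window. The six sample records, the host `DC01.example.test`, the user names and the SIDs are constructed for the example; the `_record` helper only builds the tab-indented, CRLF-separated Message body in the layout the regexes expect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regexes mirror the forum queries: event id, first Message line, the
# Subject's account name, and the Target/New Account name and domain.
EVENT_CODE = re.compile(r"EventCode = (\d+);")
MESSAGE = re.compile(r'Message = "([^\r\n]+)')
SUBJECT_NAME = re.compile(r"Subject:[\s\S]+?Account\sName:\t+([^\r]+)")
TARGET_NAME = re.compile(r"(?:Target|New)\sAccount:[\s\S]+?Account\sName:\t+([^\r]+)")
TARGET_DOMAIN = re.compile(r"(?:Target|New)\sAccount:[\s\S]+?Account\sDomain:\t+([^\r]+)")

CREATED_MSG = "A user account was created."
DELETED_MSG = "A user account was deleted."


def _record(code, summary, actor, section, target, target_sid):
    """Constructed sample record in the flattened layout the queries parse (not real log data)."""
    message = (
        f"{summary}\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-0-0-0-1105\r\n"
        f"\tAccount Name:\t\t{actor}\r\n\tAccount Domain:\t\tEXAMPLE\r\n\r\n"
        f"{section}:\r\n\tSecurity ID:\t\t{target_sid}\r\n"
        f"\tAccount Name:\t\t{target}\r\n\tAccount Domain:\t\tEXAMPLE\r\n"
    )
    return f'Computer = "DC01.example.test"; EventCode = {code}; Message = "{message}"'


# (collector timestamp, raw record); all values are invented for this example.
SAMPLE_RECORDS = [
    ("2024-03-01T10:00:00", _record(4720, CREATED_MSG, "jdoe", "New Account", "svc_tmp", "S-1-5-21-0-0-0-2001")),
    ("2024-03-01T10:05:00", _record(4726, DELETED_MSG, "jdoe", "Target Account", "svc_tmp", "S-1-5-21-0-0-0-2001")),
    ("2024-03-01T11:00:00", _record(4720, CREATED_MSG, "hr_admin", "New Account", "alice", "S-1-5-21-0-0-0-2002")),
    ("2024-02-01T09:00:00", _record(4720, CREATED_MSG, "hr_admin", "New Account", "bob", "S-1-5-21-0-0-0-2003")),
    ("2024-03-01T09:00:00", _record(4726, DELETED_MSG, "hr_admin", "Target Account", "bob", "S-1-5-21-0-0-0-2003")),
    ("2024-03-01T09:30:00", 'Computer = "DC01.example.test"; EventCode = 4738; Message = "A user account was changed.\r\n"'),
]


def parse_event(timestamp, raw):
    """Extract the fields the queries parse; return None for anything other than 4720/4726."""
    code = EVENT_CODE.search(raw)
    if not code or code.group(1) not in ("4720", "4726"):
        return None

    def grab(rx):
        m = rx.search(raw)
        return m.group(1) if m else None

    return {
        "time": datetime.fromisoformat(timestamp),
        "event_id": code.group(1),
        "event_message": grab(MESSAGE),
        "who_did_this": grab(SUBJECT_NAME),
        "account_username": grab(TARGET_NAME),
        "account_domain": grab(TARGET_DOMAIN),
    }


def correlate(records, window_seconds=3600):
    """Group by target account and return accounts created and deleted within window_seconds."""
    groups = defaultdict(list)
    for ts, raw in records:
        ev = parse_event(ts, raw)
        if ev:
            groups[(ev["account_username"], ev["account_domain"])].append(ev)

    hits = []
    for (user, domain), evs in groups.items():
        evs.sort(key=lambda e: e["time"])  # same role as "sort _messagetime asc"
        created = sum(e["event_message"] == CREATED_MSG for e in evs)
        deleted = sum(e["event_message"] == DELETED_MSG for e in evs)
        time_s = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        # Same three filters as the final query: both events present, short spread, >1 event.
        if created > 0 and deleted > 0 and time_s < window_seconds and len(evs) > 1:
            hits.append({
                "account_username": user,
                "account_domain": domain,
                "who_did_this": sorted({e["who_did_this"] for e in evs}),
                "events": len(evs),
                "created": created,
                "deleted": deleted,
                "time_s": time_s,
            })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_RECORDS):
        print(hit)
```

With the sample data only `svc_tmp` is reported: it was created and deleted five minutes apart by the same actor. `alice` has no deletion, `bob` was deleted a month after creation, and the 4738 record is discarded at parse time. Lowering `window_seconds` to 60 reproduces the 60-second threshold from the first reply and clears the hit; the one difference from the query is that grouping keys on the account name and domain only, so distinct actors are listed per account rather than splitting the group.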