Windows Increase in Group or Object Modification Activity

name: Windows Increase in Group or Object Modification Activity
id: 4f9564dd-a204-4f22-b375-4dfca3a68731
version: 10
creation_date: '2024-07-01'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.
data_source:
    - Windows Event Log Security 4663
search: |-
    `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764)
      | bucket span=5m _time
      | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category
        BY _time, src_user, signature,
           status
      | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std
        BY src_user, signature
      | eval upperBound=(comp_avg+comp_std)
      | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0)
      | search isOutlier=1
      | `windows_increase_in_group_or_object_modification_activity_filter`
how_to_implement: Run this detection looking over a 7 day timeframe for best results.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
    - name: View the detection results for - "$src_user$"
      search: '%original_detection_search% | search  src_user = "$src_user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Spike in Group or Object Modifications performed by $src_user$
    entity:
        field: src_user
        type: user
        score: 50
analytic_story:
    - Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
    - T1098
    - T1685
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: audit
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit