Windows Increase in Group or Object Modification Activity

name: Windows Increase in Group or Object Modification Activity
id: 4f9564dd-a204-4f22-b375-4dfca3a68731
version: 7
date: '2026-03-10'
author: Dean Luxton
status: production
type: TTP
data_source:
    - Windows Event Log Security 4663
description: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment.
search: |-
    `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764)
      | bucket span=5m _time
      | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category
        BY _time, src_user, signature,
           status
      | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std
        BY src_user, signature
      | eval upperBound=(comp_avg+comp_std)
      | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0)
      | search isOutlier=1
      | `windows_increase_in_group_or_object_modification_activity_filter`
how_to_implement: Run this detection looking over a 7 day timeframe for best results.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
    - name: View the detection results for - "$src_user$"
      search: '%original_detection_search% | search  src_user = "$src_user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Spike in Group or Object Modifications performed by $src_user$
    risk_objects:
        - field: src_user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Sneaky Active Directory Persistence Tricks
    asset_type: Endpoint
    mitre_attack_id:
        - T1098
        - T1562
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: audit
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog