Windows AD Abnormal Object Access Activity

name: Windows AD Abnormal Object Access Activity
id: 71b289db-5f2c-4c43-8256-8bf26ae7324a
version: 8
date: '2026-03-10'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
data_source:
    - Windows Event Log Security 4662
search: |-
    `wineventlog_security` EventCode=4662
      | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count
        BY SubjectUserName
      | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev
      | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName
      | where ObjectName_count > limit
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_ad_abnormal_object_access_activity_filter`
how_to_implement: Enable Audit Directory Service Access via GPO and collect event code 4662. The required SACLs need to be created for the relevant objects. Be aware Splunk filters this event by default on the Windows TA. Recommend pre-filtering any known service accounts that frequently query AD to make detection more accurate. Setting wide search window of 48~72hr may smooth out misfires.
known_false_positives: Service accounts or applications that routinely query Active Directory for information.
references:
    - https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
    - https://attack.mitre.org/tactics/TA0007/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Discovery
        - BlackSuit Ransomware
    asset_type: Endpoint
    mitre_attack_id:
        - T1087.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/4662_ad_enum/4662_priv_events.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog