39 строки
1.6 KiB
YAML
39 строки
1.6 KiB
YAML
id: 6135a90e-ba30-4f36-9b6a-3a350050704b
|
|
name: Long lookback User Account Created and Deleted within 10mins
|
|
description: |
|
|
'User account created and then deleted within 10 minutes across last 14 days'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Persistence
|
|
- PrivilegeEscalation
|
|
relevantTechniques:
|
|
- T1098
|
|
- T1078
|
|
query: |
|
|
|
|
// TimeDelta is the difference between when the account was created and when it was deleted, default is set to 10min or less
|
|
let timedelta = 10m;
|
|
SecurityEvent
|
|
// A user account was created
|
|
| where EventID == "4720"
|
|
| where AccountType == "User"
|
|
| project creationTime = TimeGenerated, CreateEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName,
|
|
AccountUsedToCreate = SubjectUserName, TargetSid, SubjectUserSid
|
|
| join kind= inner (
|
|
SecurityEvent
|
|
// A user account was deleted
|
|
| where EventID == "4726"
|
|
| where AccountType == "User"
|
|
| project deletionTime = TimeGenerated, DeleteEventID = EventID, Activity, Computer, TargetUserName, UserPrincipalName,
|
|
AccountUsedToDelete = SubjectUserName, TargetSid, SubjectUserSid
|
|
) on Computer, TargetUserName
|
|
| where deletionTime - creationTime < timedelta
|
|
| extend TimeDelta = deletionTime - creationTime
|
|
| where tolong(TimeDelta) >= 0
|
|
| project TimeDelta, creationTime, CreateEventID, Computer, TargetUserName, UserPrincipalName, AccountUsedToCreate,
|
|
deletionTime, DeleteEventID, AccountUsedToDelete
|
|
| extend timestamp = creationTime, HostCustomEntity = Computer, AccountCustomEntity = UserPrincipalName
|
|
|