Changes to Windows User Groups by Account

This Splunk query returns membership changes to any group in a Windows environment, broken down by the account that made the change and the account that was added.

You MUST have the Splunk App for Windows Infrastructure installed, available here: https://apps.splunk.com/app/1680/

Windows Server 2003 and older:

sourcetype=WinEventLog:Security (EventCode=636 OR EventCode=632 OR EventCode=650 OR EventCode=655 OR EventCode=660 OR EventCode=665)
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date, Caller_User_Name, Target_Account_Name, host, Type

Windows Server 2008 and newer:

sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4732 OR EventCode=4746 OR EventCode=4751 OR EventCode=4756 OR EventCode=4161 OR EventCode=4185)
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)"
| rex "Account\sName:\s+(?<SourceAccount>.*)"
| stats count by Date, TargetAccount, SourceAccount, Group_Name, host, Keywords
| sort - Date
| rename SourceAccount as "Administrator Account"
| rename TargetAccount as "Target Account"
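The extraction and aggregation that the 2008-and-newer query performs, re-implemented in Python over constructed sample events so it can be tried offline. This is an added example, not part of the original post; the sample events, hostnames and account names are constructed, and the message layout is modelled on the rendered text of the 4728/4732 family of events rather than copied from a capture. It also shows the edge case worth knowing about: when the Member Security ID is not resolved to DOMAIN\name there is no backslash on that line, the first rex yields no TargetAccount, and `stats ... by` silently drops the event. The function counts such events so the gap is visible instead of invisible.

```python
"""Offline equivalent of the Splunk group-change query (added example, not
part of the original post). Sample events below are constructed."""
import re
from collections import Counter
from datetime import datetime, timezone

# Event codes the 2008+ query searches for (taken from the query as written).
GROUP_CHANGE_CODES = {4728, 4732, 4746, 4751, 4756, 4161, 4185}

# Python equivalents of the query's two rex stages plus the Group_Name field
# the Windows add-on normally extracts from the "Group:" block.
#   rex "Member:\s+\w+\s\w+:.*\\(?<TargetAccount>.*)"  -> text after the last
#       backslash on the "Security ID:" line of the Member block
#   rex "Account\sName:\s+(?<SourceAccount>.*)"        -> first "Account Name:"
#       line, which in these events belongs to the Subject (the changer)
TARGET_RE = re.compile(r"Member:\s+\w+\s\w+:[^\n]*\\(?P<TargetAccount>[^\n]+)")
SOURCE_RE = re.compile(r"Account\sName:\s+(?P<SourceAccount>[^\n]+)")
GROUP_RE = re.compile(r"Group:\s+\w+\s\w+:[^\n]*\n\s*Group Name:\s+(?P<GroupName>[^\n]+)")


def make_message(header, subject, member_sid, group_name):
    """Build a constructed event message in the layout of a 4728/4732 event."""
    return (
        f"{header}\n\nSubject:\n\tSecurity ID:\t\tCORP\\{subject}\n"
        f"\tAccount Name:\t\t{subject}\n\tAccount Domain:\t\tCORP\n"
        f"\tLogon ID:\t\t0x3E7A1\n\nMember:\n\tSecurity ID:\t\t{member_sid}\n"
        f"\tAccount Name:\t\t-\n\nGroup:\n\tSecurity ID:\t\tCORP\\{group_name}\n"
        f"\tGroup Name:\t\t{group_name}\n\tGroup Domain:\t\tCORP\n"
    )


# Constructed sample events (not captured logs). Two identical additions to
# Domain Admins, one local Administrators addition, one event whose member
# SID was never resolved to a name, and one unrelated logon event.
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc), "host": "dc01",
     "EventCode": 4728, "Keywords": "Audit Success",
     "Message": make_message("A member was added to a security-enabled global group.",
                             "helpdesk1", "CORP\\jdoe", "Domain Admins")},
    {"_time": datetime(2024, 3, 4, 9, 16, tzinfo=timezone.utc), "host": "dc01",
     "EventCode": 4728, "Keywords": "Audit Success",
     "Message": make_message("A member was added to a security-enabled global group.",
                             "helpdesk1", "CORP\\jdoe", "Domain Admins")},
    {"_time": datetime(2024, 3, 5, 18, 2, tzinfo=timezone.utc), "host": "srv02",
     "EventCode": 4732, "Keywords": "Audit Success",
     "Message": make_message("A member was added to a security-enabled local group.",
                             "svc_deploy", "CORP\\bob", "Administrators")},
    {"_time": datetime(2024, 3, 5, 18, 5, tzinfo=timezone.utc), "host": "dc01",
     "EventCode": 4756, "Keywords": "Audit Success",
     "Message": make_message("A member was added to a security-enabled universal group.",
                             "helpdesk1", "S-1-5-21-1111-2222-3333-1105", "Schema Admins")},
    {"_time": datetime(2024, 3, 5, 18, 6, tzinfo=timezone.utc), "host": "srv02",
     "EventCode": 4624, "Keywords": "Audit Success",
     "Message": "An account was successfully logged on.\n\nSubject:\n\tAccount Name:\t\tsvc_deploy\n"},
]


def extract_fields(event):
    """Apply the rex/field logic to one event. Returns None when any by-field
    is missing, mirroring how `stats count by ...` drops such events."""
    msg = event["Message"]
    target = TARGET_RE.search(msg)
    source = SOURCE_RE.search(msg)
    group = GROUP_RE.search(msg)
    if not (target and source and group):
        return None
    return {
        "Date": event["_time"].strftime("%Y/%m/%d"),
        "Target Account": target.group("TargetAccount").strip(),
        "Administrator Account": source.group("SourceAccount").strip(),
        "Group_Name": group.group("GroupName").strip(),
        "host": event["host"],
        "Keywords": event["Keywords"],
    }


def group_change_report(events):
    """Full pipeline: filter on EventCode, extract, count by the same fields the
    query uses, sort by Date descending. Returns (rows, dropped_count), where
    dropped_count is the number of matching events that lost a by-field."""
    counts = Counter()
    dropped = 0
    for ev in events:
        if ev["EventCode"] not in GROUP_CHANGE_CODES:
            continue
        fields = extract_fields(ev)
        if fields is None:
            dropped += 1
            continue
        counts[tuple(fields.items())] += 1
    rows = [dict(key, count=n) for key, n in counts.items()]
    rows.sort(key=lambda r: r["Date"], reverse=True)
    return rows, dropped


if __name__ == "__main__":
    report, lost = group_change_report(SAMPLE_EVENTS)
    for row in report:
        print(row)
    print(f"events dropped for missing TargetAccount/Group_Name: {lost}")
```

Running it prints two rows (the 2024/03/05 local Administrators addition with count 1, then the two 2024/03/04 Domain Admins additions collapsed to count 2) and reports one dropped event. In Splunk that dropped event would simply be absent from the table, which is why it is worth pairing this query with a second search that counts events where TargetAccount is null.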