How to detect short-lived user accounts
Problem statement:
User accounts are typically created for long-term use and specific purposes. The rapid creation and deletion of accounts within a short timeframe raises serious security concerns. These short-lived accounts can be used by attackers to:
- Conceal malicious activities: Attackers might create and quickly delete accounts to cover their tracks, making forensic investigations difficult.
- Execute undetected attacks: They can perform malicious activities within a brief window, leaving minimal evidence behind.
- Bypass security controls: Traditional monitoring might miss these fleeting accounts, allowing attackers to operate undetected.
Scenario:
An attacker gains initial access, creates a temporary administrator account, escalates privileges, exfiltrates sensitive data, and then deletes the account, all within minutes.
Data source:
Windows: Command, File, Process
Relevant MITRE ATT&CK tactics and techniques:
Tactics: TA0003 - Persistence, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery
Techniques: T1078 - Valid Accounts, T1098 - Account Manipulation, T1136 - Create Account, T1003 - OS Credential Dumping
Solution:
Detecting short-lived user accounts requires vigilant monitoring of account creation and deletion events within your environment.
How to detect:
- Event log monitoring: Configure your systems to log account creation events (e.g., Event ID 4720 in Windows Active Directory) and account deletion events (e.g., Event ID 4726 in Windows Active Directory). Implement a system to collect and analyze these logs.
- Correlation analysis: Establish rules to correlate account creation events with subsequent deletion events occurring within a short, defined timeframe. This timeframe should be customizable to fit your organization's specific needs.
- Alerting mechanism: Set up alerts to notify security personnel when a correlated account creation and deletion event occurs within the defined timeframe. This allows for rapid response and investigation.
- Reporting and dashboards: Create reports or dashboards that provide a centralized view of account creation and deletion activity, highlighting potential short-lived accounts.
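The correlation step described above, written out as an added example rather than Log360's own logic: it pairs Event ID 4720 with a later 4726 for the same account and flags pairs whose lifetime falls inside a configurable window. The event records are constructed, and the field names (time, event_id, target, sid, actor) are assumptions standing in for the fields a SIEM normalises out of the Windows Security log.

```python
"""Correlate Windows Security events 4720 (user account created) and 4726
(user account deleted) to flag accounts that lived only a short time."""
from datetime import datetime

# Constructed sample records. Field names are assumptions standing in for the
# Security log fields TimeCreated, EventID, TargetUserName, TargetSid and
# SubjectUserName. 4728 (added to a group) is included as noise the rule ignores.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:10:05", "event_id": 4720, "target": "svc_backup", "sid": "S-1-5-21-1-1-1-1101", "actor": "CORP\\jdoe"},
    {"time": "2024-05-01T02:11:40", "event_id": 4728, "target": "svc_backup", "sid": "S-1-5-21-1-1-1-1101", "actor": "CORP\\jdoe"},
    {"time": "2024-05-01T02:23:12", "event_id": 4726, "target": "svc_backup", "sid": "S-1-5-21-1-1-1-1101", "actor": "CORP\\jdoe"},
    {"time": "2024-05-01T09:00:00", "event_id": 4720, "target": "asmith", "sid": "S-1-5-21-1-1-1-1102", "actor": "CORP\\hr_admin"},
    {"time": "2024-05-03T09:00:00", "event_id": 4726, "target": "asmith", "sid": "S-1-5-21-1-1-1-1102", "actor": "CORP\\hr_admin"},
    {"time": "2024-05-02T11:00:00", "event_id": 4726, "target": "old_temp", "sid": "S-1-5-21-1-1-1-0999", "actor": "CORP\\jdoe"},
]


def find_short_lived_accounts(events, window_seconds=3600):
    """Return one tuple (account, sid, created_at, deleted_at, lifetime_seconds,
    creator, deleter) per account deleted within window_seconds of its creation.

    Events may arrive out of order, so they are sorted first. Accounts are keyed
    by SID rather than name, because a user name can be reused by a new account
    while a SID is never reissued."""
    pending = {}  # sid -> (creation timestamp, creation event) awaiting a 4726
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            pending[ev["sid"]] = (ts, ev)  # a repeated 4720 for the same SID resets the clock
        elif ev["event_id"] == 4726:
            created = pending.pop(ev["sid"], None)
            if created is None:
                continue  # account predates the collected logs; no creation to pair with
            created_at, cev = created
            lifetime = (ts - created_at).total_seconds()
            if lifetime <= window_seconds:
                hits.append((ev["target"], ev["sid"], created_at, ts, lifetime, cev["actor"], ev["actor"]))
    return hits


if __name__ == "__main__":
    for account, sid, c, d, life, creator, deleter in find_short_lived_accounts(SAMPLE_EVENTS):
        print(f"ALERT short-lived account {account} ({sid}): created {c} by {creator}, "
              f"deleted {d} by {deleter}, lifetime {life:.0f}s")
```

Widening window_seconds to several days surfaces the two-day asmith account as well, which is how the threshold should be tuned against the organization's normal onboarding and offboarding cadence.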
How to in Log360
Prerequisites:
Enable audit logging for user account changes.
Next steps:
- Set up custom alert rules in Log360 to detect suspicious account creation and deletion patterns.
- Review user activity reports to spot anomalies.
- Automate incident response workflows for quick remediation.