Windows 安全审计日志 — 用户账户变更 userAccessControl

May 21, 2023

--

Wazuh Archive 日志延后创建约 10h。搜不到优先查看 Alert。

规则

垃圾 Wazuh! 写规则的人不看微软的官方 Security Monitoring Recommendations 的吗？瞎检测!

涉及的日志 ID

主要为 4720,4722,4738,4781,4725,4726

设置项为审计策略的审计账户管理行为。官方文档的描述为：https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management

日志分析

主要分析 PasswordLastSet 和 oldUACValue, newUACValue 和 UserAccessControl attribute 字段。

UserAccessControl attribute: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Detailed UserAccessControl Change Table: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Privileges Table: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment

EventLog Reference

4738: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
4740: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
Extract Error Messages From DLL: https://gist.github.com/kmahyyg/a2006f7bc4542cbaf4f120c3dc7a3963
Extracted Messages from msobjs.dll: https://gist.github.com/kmahyyg/cc2edbba914025bd6449391678523bd0
4769: Kerberos Ticket Request, Failure Code: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Written by Patrick Young

No responses yet

Write a response

What are your thoughts?

Also publish to my profile

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams