Windows 安全审计日志 — 用户账户变更 userAccessControl

Wazuh Archive 日志延后创建约 10h。搜不到优先查看 Alert。

规则

垃圾 Wazuh! 写规则的人不看微软的官方 Security Monitoring Recommendations 的吗？瞎检测!

涉及的日志 ID

主要为 4720,4722,4738,4781,4725,4726

设置项为审计策略的审计账户管理行为。官方文档的描述为：https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management

日志分析

主要分析 PasswordLastSet 和 oldUACValue, newUACValue 和 UserAccessControl attribute 字段。

UserAccessControl attribute: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Detailed UserAccessControl Change Table: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Privileges Table: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment

EventLog Reference

• 4738: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
• 4740: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
• Extract Error Messages From DLL: https://gist.github.com/kmahyyg/a2006f7bc4542cbaf4f120c3dc7a3963
• Extracted Messages from msobjs.dll: https://gist.github.com/kmahyyg/cc2edbba914025bd6449391678523bd0
• 4769: Kerberos Ticket Request, Failure Code: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769