Monitoring Privileged Accounts with the Windows Security Log to Catch Lateral Movement by Mimikatz and other Credential Harvesting

Webinar Registration

Keeping tabs on where privileged accounts are being used and spotting anomalies is a key threat hunting activity. This is especially true because of the many ways attackers have figured out to harvest privileged account credentials. 

But with all the users and endpoints on your network – not to mention the quantity of logon events – how do you know when logon sessions are privileged?

The good news is that Windows provides event ID 4672 which is logged whenever an account logs on that holds any user rights in Windows designated as admin-equivalent. Here’s an example event:

4672 - Special privileges assigned to new logon.

Subject:
    Security ID:     WIN-R9H529RIO4Y\Administrator
    Account Name:    Administrator
    Account Domain:  WIN-R9H529RIO4Y
    Logon ID:        0x4b842

Privileges:
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege

Event ID 4672 provides the user who logged on, the ID of the logon session, the name of the computer and the user rights (aka Privileges) the user held at the time of logon. Administrative (privileged) users will always hold one or more of these rights and thus trigger this event when they log on.

One key thing is the type of logon session and the name or IP address of the client endpoint if the logon is remote. I’ll show you how to correlate 4672 to 4624 by logon session in order to figure this out.

But beyond just concentrating on the nitty gritty details of event IDs, I’m going to make this webinar about the overall method for monitoring privileged access and hunting for suspicious logon sessions.

So, we will look at how to sift through the deluge of 4672s any network generates and zero in on the ones that are interesting. For instance, we’ll look at plotting privileged account logons by user and endpoint with visualizations that don’t just show high volume entities but – perhaps more important – new and/or low frequency scenarios.
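As an added example (not part of the webinar or of LogRhythm's console), the two steps just described in Python: join each 4672 to the 4624 that shares its Logon ID to recover logon type and source, then flag user/endpoint pairs that are new or rare against a baseline. The events, field names and baseline counts are constructed for illustration.

```python
from collections import Counter

# Constructed sample events (not from the page). Fields mirror the Security Log:
# 4624 carries Logon Type and source address, 4672 carries the privileged flag.
EVENTS = [
    {"id": 4624, "logon_id": "0x4b842", "user": "Administrator", "logon_type": 10,
     "host": "SRV01", "src_ip": "10.0.0.15"},
    {"id": 4672, "logon_id": "0x4b842", "user": "Administrator", "host": "SRV01"},
    {"id": 4624, "logon_id": "0x5c100", "user": "jdoe", "logon_type": 3,
     "host": "SRV01", "src_ip": "10.0.0.15"},
    # jdoe has no 4672: a non-privileged logon, so the hunt ignores it.
    {"id": 4624, "logon_id": "0x6d201", "user": "svc_backup", "logon_type": 3,
     "host": "FS02", "src_ip": "10.0.9.77"},
    {"id": 4672, "logon_id": "0x6d201", "user": "svc_backup", "host": "FS02"},
]

# Assumed baseline: (user, host) counts from earlier days' privileged sessions.
BASELINE = Counter({("Administrator", "SRV01"): 40})


def privileged_sessions(events):
    """Join each 4672 to the 4624 with the same Logon ID on the same host.

    Logon IDs are only unique per host and per boot, so the host is part of
    the key. The 4624 may be logged before or after the 4672, hence the
    two-pass approach: index every 4624 first, then walk the 4672s.
    """
    logons = {(e["host"], e["logon_id"]): e for e in events if e["id"] == 4624}
    sessions = []
    for e in events:
        if e["id"] != 4672:
            continue
        match = logons.get((e["host"], e["logon_id"]))
        sessions.append({
            "user": e["user"], "host": e["host"],
            "logon_type": match["logon_type"] if match else None,
            "src_ip": match["src_ip"] if match else None,
        })
    return sessions


def rare_pairs(sessions, baseline, threshold=1):
    """Keep sessions whose (user, host) pair was seen at most `threshold`
    times in the baseline: the new and low-frequency cases worth a look."""
    return [s for s in sessions if baseline[(s["user"], s["host"])] <= threshold]
```

A 4672 with no matching 4624 (logon_type None) is itself worth noting, since it usually means the 4624 was not collected or the events came from different hosts.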

This kind of analysis requires more than just Event Viewer so I’ll be using LogRhythm's web console to run these searches, visualizations and drill downs. 

We’ll show you how to start with 4672, identify a user or computer to investigate and then how to assess which programs that user ran on that system, where they logged on from, what type of logon session was used and more.

But what about accounts that are privileged but do not trigger 4672? This is possible, for instance, with accounts that have been delegated Full Control of a given organizational unit in AD or of a folder on a server. These accounts may not hold an “admin-equivalent” user right on the system and thus never trigger 4672. But there are still options available, depending on how you run your environment.

Please join me for this deeply technical real training for free event on the Windows Security Log.
