Windows Server Privileged User Logon Report

Martin Gluckman

Aug 10, 2022, 11:00:13 AM
to Wazuh mailing list
Dear All,

What is the best way to filter out all Windows Server privileged user logons?

Windows Event 4672 seems to be good; otherwise, 4624 has all user logons and would need some filters applied. I looked into the values in:

data.win.eventdata.impersonationLevel

and

data.win.eventdata.elevatedToken

But they don't seem to be useful. Is something not configured right here? I thought they would somehow indicate whether the user is privileged.

Any help much appreciated!

Martin
Attachments: impersonation_level.png, elevated_token.png

Martin Gluckman

Aug 10, 2022, 1:00:19 PM
to Wazuh mailing list
OK, the Elevated Token data is only there from Windows Server 2016 onwards, so our 2012 servers don't have this to use. I think we need to use Event 4672 to do this? Anyone have ideas?

Pedro Nicolás Gomez

Aug 10, 2022, 4:48:18 PM
to Wazuh mailing list

Hi Martin,

I don't know if using event 4672 is the best option, but I do think it is a good option.

According to the Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672

Event Description:

This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:

  • SeTcbPrivilege - Act as part of the operating system

  • SeBackupPrivilege - Back up files and directories

  • SeCreateTokenPrivilege - Create a token object

  • SeDebugPrivilege - Debug programs

  • SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation

  • SeAuditPrivilege - Generate security audits

  • SeImpersonatePrivilege - Impersonate a client after authentication

  • SeLoadDriverPrivilege - Load and unload device drivers

  • SeSecurityPrivilege - Manage auditing and security log

  • SeSystemEnvironmentPrivilege - Modify firmware environment values

  • SeAssignPrimaryTokenPrivilege - Replace a process-level token

  • SeRestorePrivilege - Restore files and directories

  • SeTakeOwnershipPrivilege - Take ownership of files or other objects

An example event:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=dane
TaskCategory=Special Logon
OpCode=Info
RecordNumber=17946067
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
         Security ID:
         Account Name: name
         Account Domain:
         Logon ID: 0x5623BE0
Privileges: SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
            SeDelegateSessionUserImpersonatePrivilege
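The following is an added example for this thread, not Wazuh's own code, that pulls together the two points made above: it builds the privileged-logon report from 4672 (Pedro's suggestion), and it handles the ElevatedToken field that Martin found only on 2016+ hosts. Two things a practitioner would want that neither post spells out: 4672 carries no logon type and no source address, so each 4672 is joined to the 4624 that shares its Logon ID to get them; and 4672 fires for SYSTEM, the service accounts and machine accounts on every service start, so those are excluded or the report is all noise. The raw ElevatedToken value in a 4624 is the resource string %%1842 (Yes) or %%1843 (No), which is why it looks opaque in a screenshot; the decoder below maps it, and returns None for pre-2016 hosts that lack the field. Field names follow the camelCase EventData convention the thread shows for data.win.eventdata.impersonationLevel and elevatedToken; the other names used here (win.system.eventID, subjectUserName, subjectDomainName, subjectLogonId, privilegeList, targetLogonId, logonType, ipAddress) are assumed from that same convention. The sample alerts are constructed, not captured.

```python
"""Privileged Windows logon report from Wazuh-style eventchannel alerts.

Added example for the mailing-list thread; not Wazuh's own code. Field names
other than impersonationLevel / elevatedToken (shown in the thread) are assumed
to follow the same camelCase EventData convention.
"""
import json
import re

# The privileges Microsoft lists as triggering 4672 (quoted in the thread).
SENSITIVE_PRIVILEGES = {
    "SeTcbPrivilege", "SeBackupPrivilege", "SeCreateTokenPrivilege",
    "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeAuditPrivilege",
    "SeImpersonatePrivilege", "SeLoadDriverPrivilege", "SeSecurityPrivilege",
    "SeSystemEnvironmentPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

# 4672 fires for every SYSTEM / service / machine-account logon; those are noise
# in a "privileged user" report. Machine accounts end in "$"; DWM-n / UMFD-n are
# the window-manager and font-driver accounts, matched by pattern.
NOISE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
NOISE_PATTERN = re.compile(r"^(?:.+\$|DWM-\d+|UMFD-\d+)$")

# 4624 LogonType values as documented by Microsoft.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}


def is_noise_account(name):
    return name.upper() in NOISE_ACCOUNTS or bool(NOISE_PATTERN.match(name))


def parse_privileges(text):
    """PrivilegeList arrives as one whitespace-separated string; split it."""
    return set(re.findall(r"Se[A-Za-z]+Privilege", text or ""))


def elevated_token(value):
    """Decode 4624 ElevatedToken: raw value is %%1842 (Yes) or %%1843 (No).
    Hosts older than 2016 have no field at all, so None means 'unknown'."""
    table = {"%%1842": True, "%%1843": False, "YES": True, "NO": False}
    return None if value is None else table.get(str(value).strip().upper())


def privileged_logon_report(alerts):
    """One row per 4672 from a real user, enriched from the 4624 that shares its
    Logon ID (4672 itself has no logon type or source address)."""
    sessions, specials = {}, []
    for raw in alerts:
        win = json.loads(raw)["data"]["win"]
        ed = win.get("eventdata", {})
        if str(win["system"]["eventID"]) == "4624":
            sessions[ed.get("targetLogonId", "").lower()] = ed   # 4624: new session ID
        elif str(win["system"]["eventID"]) == "4672":
            specials.append(ed)
    report = []
    for ed in specials:
        name = ed.get("subjectUserName", "")
        if is_noise_account(name):
            continue
        session = sessions.get(ed.get("subjectLogonId", "").lower(), {})  # 4672: Subject Logon ID
        report.append({
            "account": f"{ed.get('subjectDomainName', '')}\\{name}",
            "logon_id": ed.get("subjectLogonId"),
            "sensitive_privileges": sorted(parse_privileges(ed.get("privilegeList")) & SENSITIVE_PRIVILEGES),
            "logon_type": LOGON_TYPES.get(session.get("logonType"), session.get("logonType")),
            "source_ip": session.get("ipAddress"),
            "elevated_token": elevated_token(session.get("elevatedToken")),
        })
    return report


def alert(event_id, **eventdata):
    """Build a minimal Wazuh-shaped alert (constructed sample, not a capture)."""
    return json.dumps({"data": {"win": {"system": {"eventID": str(event_id)},
                                        "eventdata": eventdata}}})


# Constructed sample stream: SYSTEM boot logon, an RDP admin, a network logon
# with no 4672, a machine account, and a 2012 host whose 4624 was not collected.
SAMPLE_ALERTS = [
    alert(4624, targetUserName="SYSTEM", targetLogonId="0x3e7", logonType="0", elevatedToken="%%1842"),
    alert(4672, subjectUserName="SYSTEM", subjectDomainName="NT AUTHORITY", subjectLogonId="0x3e7",
          privilegeList="SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeDebugPrivilege"),
    alert(4624, targetUserName="alice", targetDomainName="CORP", targetLogonId="0x5623BE0",
          logonType="10", ipAddress="10.0.0.5", elevatedToken="%%1842"),
    alert(4672, subjectUserName="alice", subjectDomainName="CORP", subjectLogonId="0x5623BE0",
          privilegeList="SeSecurityPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"),
    alert(4624, targetUserName="bob", targetDomainName="CORP", targetLogonId="0x7A1B2",
          logonType="3", ipAddress="10.0.0.9", elevatedToken="%%1843"),
    alert(4672, subjectUserName="SRV01$", subjectDomainName="CORP", subjectLogonId="0x9C0",
          privilegeList="SeTcbPrivilege"),
    alert(4672, subjectUserName="svc_backup", subjectDomainName="CORP", subjectLogonId="0x1A2B3",
          privilegeList="SeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
]

if __name__ == "__main__":
    for row in privileged_logon_report(SAMPLE_ALERTS):
        print(row)
```

On the sample stream the report contains only alice (RemoteInteractive from 10.0.0.5, elevated token Yes) and svc_backup (no 4624 seen, so logon type and elevated token unknown); SYSTEM and SRV01$ are dropped as noise and bob never raised a 4672. The same two conditions are what a custom Wazuh rule would express: match `win.system.eventID` on `^4672$` and exclude the noise accounts on `win.eventdata.subjectUserName`; the join to 4624 by Logon ID is what you would do in the dashboard or a script, since a single rule sees one event at a time.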