Tracking group and local user ID addition and removal in Windows local admin group


Soumitri

Nov 20, 2017, 10:55:09 PM
to Wazuh mailing list
Hi,

I am new to Wazuh. I would like to know if Wazuh can help in monitoring and alerting on changes to the local administrator group on Windows Servers.

For example when someone adds/removes groups or local user IDs from the local admin group. 

Thanks.

Victor Fernandez

Nov 21, 2017, 1:25:35 AM
to Soumitri, Wazuh mailing list
Hi Soumitri,

Yes, you can do that. When you configure a new event to be monitored as an alert in Wazuh, you have to do two things:
  1. Configure agents to collect the desired data.
  2. Set up a rule in the manager to produce an alert when the collected data matches some conditions.
In this case, both the Wazuh agent and the manager are configured by default to monitor when a user is added to the administrator group (and removed from it).

Here are some Windows event IDs:
  • Event 4720: A user account was created.
  • Event 4726: A user account was deleted.
  • Event 4732: A member was added to a security-enabled local group.
  • Event 4733: A member was removed from a security-enabled local group.
The default Wazuh ruleset has also got the proper rules to catch these events.

Here is an example of two rules produced when a user with name "Joe" is added to the system as administrator:

** Alert 1511244239.77020: - windows,adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,
2017 Nov 20 22:03:59 (windows) any->WinEvtLog
Rule: 18110 (level 8) -> 'Windows: User account enabled or created.'
User: (no user)
2017 Nov 20 22:03:56 WinEvtLog: Security: AUDIT_SUCCESS(4720): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-2JIH7DS7L6N: A user account was created.    Subject:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-500   Account Name:  Administrator   Account Domain:  WIN-2JIH7DS7L6N   Logon ID:  0x82ca8    New Account:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-1002   Account Name:  Joe   Account Domain:  WIN-2JIH7DS7L6N    Attributes:   SAM Account Name: Joe   Display Name:  <value not set>   User Principal Name: -   Home Directory:  <value not set>   Home Drive:  <value not set>   Script Path:  <value not set>   Profile Path:  <value not set>   User Workstations: <value not set>   Password Last Set: <never>   Account Expires:  <never>   Primary Group ID: 513   Allowed To Delegate To: -   Old UAC Value:  0x0   New UAC Value:  0x15   User Account Control:     Account Disabled    'Password Not Required' - Enabled    'Normal Account' - Enabled   User Parameters: <value not set>   SID History:  -   Logon Hours:  All    Additional Information:   Privileges -
type: Security
subject.security_id: S-1-5-21-2852676802-2078054249-2436403069-500
subject.account_name: Administrator
subject.account_domain: WIN-2JIH7DS7L6N
subject.logon_id: 0x82ca8
security_id: S-1-5-21-2852676802-2078054249-2436403069-1002
account_name: Joe
account_domain: WIN-2JIH7DS7L6N

** Alert 1511244239.82366: mail  - windows,group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,
2017 Nov 20 22:03:59 (windows) any->WinEvtLog
Rule: 18217 (level 12) -> 'Windows: Administrators Group Changed'
User: (no user)
2017 Nov 20 22:03:56 WinEvtLog: Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-2JIH7DS7L6N: A member was added to a security-enabled local group.    Subject:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-500   Account Name:  Administrator   Account Domain:  WIN-2JIH7DS7L6N   Logon ID:  0x82ca8    Member:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-1002   Account Name:  -    Group:   Security ID:  S-1-5-32-544   Group Name:  Administrators   Group Domain:  Builtin    Additional Information:   Privileges:  -
type: Security
subject.security_id: S-1-5-21-2852676802-2078054249-2436403069-500
subject.account_name: Administrator
subject.account_domain: WIN-2JIH7DS7L6N
subject.logon_id: 0x82ca8
security_id: S-1-5-21-2852676802-2078054249-2436403069-1002
account_domain: WIN-2JIH7DS7L6N

The event does not report the username, but it does give the user's security ID, which lets you get the username from the previous alert.

In the case of a deleted user, these alerts would appear:

** Alert 1511244669.92222: mail  - windows,group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,
2017 Nov 20 22:11:09 (windows) any->WinEvtLog
Rule: 18217 (level 12) -> 'Windows: Administrators Group Changed'
User: (no user)
2017 Nov 20 22:11:07 WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-2JIH7DS7L6N: A member was removed from a security-enabled local group.    Subject:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-500   Account Name:  Administrator   Account Domain:  WIN-2JIH7DS7L6N   Logon ID:  0x82ca8    Member:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-1002   Account Name:  -    Group:   Security ID:  S-1-5-32-544   Group Name:  Administrators   Group Domain:  Builtin    Additional Information:   Privileges:  -
type: Security
subject.security_id: S-1-5-21-2852676802-2078054249-2436403069-500
subject.account_name: Administrator
subject.account_domain: WIN-2JIH7DS7L6N
subject.logon_id: 0x82ca8
security_id: S-1-5-21-2852676802-2078054249-2436403069-1002
account_domain: WIN-2JIH7DS7L6N

** Alert 1511244669.95592: - windows,adduser,account_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,
2017 Nov 20 22:11:09 (windows) any->WinEvtLog
Rule: 18112 (level 8) -> 'Windows: User account disabled or deleted.'
User: (no user)
2017 Nov 20 22:11:07 WinEvtLog: Security: AUDIT_SUCCESS(4726): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-2JIH7DS7L6N: A user account was deleted.    Subject:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-500   Account Name:  Administrator   Account Domain:  WIN-2JIH7DS7L6N   Logon ID:  0x82ca8    Target Account:   Security ID:  S-1-5-21-2852676802-2078054249-2436403069-1002   Account Name:  Joe   Account Domain:  WIN-2JIH7DS7L6N    Additional Information:   Privileges -
type: Security
subject.security_id: S-1-5-21-2852676802-2078054249-2436403069-500
subject.account_name: Administrator
subject.account_domain: WIN-2JIH7DS7L6N
subject.logon_id: 0x82ca8
security_id: S-1-5-21-2852676802-2078054249-2436403069-1002
account_name: Joe
account_domain: WIN-2JIH7DS7L6N

As said before, there is no need for additional configuration to get these alerts; you only need to install a manager on a UNIX system (we recommend Linux), an agent on the Windows host (or one agent on each host you want to monitor) and connect them. Maybe this documentation section helps you: https://documentation.wazuh.com/current/user-manual/registering.

Hope it helps.

Best regards.

Victor.

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
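The SID-to-name correlation described in the reply above, as an added Python example that is not part of this thread or of Wazuh's own code: it parses WinEvtLog lines in the layout quoted in the alerts, keeps only 4732/4733 events that touch the built-in Administrators group (S-1-5-32-544), and resolves the member's SID through an earlier 4720 event, since 4732/4733 report the member's Account Name as "-". The sample lines are constructed and abbreviated; the section and field names are the ones visible in the alerts above.

```python
import re

# Well-known SID of the built-in Administrators group, as seen in the thread's 4732/4733 alerts.
ADMINISTRATORS_SID = "S-1-5-32-544"
EVENT_RE = re.compile(r"AUDIT_(?:SUCCESS|FAILURE)\((\d+)\)")
SECTION_RE = re.compile(r"(Subject|New Account|Target Account|Member|Group|Attributes|Additional Information):")

# Constructed, abbreviated sample events in the WinEvtLog layout quoted in the thread.
SID_ADMIN = "S-1-5-21-2852676802-2078054249-2436403069-500"
SID_JOE = "S-1-5-21-2852676802-2078054249-2436403069-1002"
HEAD = "2017 Nov 20 22:03:56 WinEvtLog: Security: AUDIT_SUCCESS(%d): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-2JIH7DS7L6N: "
SUBJECT = f"    Subject:   Security ID:  {SID_ADMIN}   Account Name:  Administrator   Logon ID:  0x82ca8    "
SAMPLE_LOG = [
    HEAD % 4720 + "A user account was created." + SUBJECT + f"New Account:   Security ID:  {SID_JOE}   Account Name:  Joe   Account Domain:  WIN-2JIH7DS7L6N    Attributes:   SAM Account Name: Joe",
    HEAD % 4732 + "A member was added to a security-enabled local group." + SUBJECT + f"Member:   Security ID:  {SID_JOE}   Account Name:  -    Group:   Security ID:  {ADMINISTRATORS_SID}   Group Name:  Administrators   Group Domain:  Builtin",
    # The same member added to a different local group (Users, S-1-5-32-545) must not be reported.
    HEAD % 4732 + "A member was added to a security-enabled local group." + SUBJECT + f"Member:   Security ID:  {SID_JOE}   Account Name:  -    Group:   Security ID:  S-1-5-32-545   Group Name:  Users   Group Domain:  Builtin",
    HEAD % 4733 + "A member was removed from a security-enabled local group." + SUBJECT + f"Member:   Security ID:  {SID_JOE}   Account Name:  -    Group:   Security ID:  {ADMINISTRATORS_SID}   Group Name:  Administrators   Group Domain:  Builtin",
]

def split_sections(line):
    """Split the event body into named sections: {'Subject': '...', 'Member': '...', ...}."""
    parts = SECTION_RE.split(line)  # [prefix, name1, body1, name2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def field(section, name):
    """Return the first whitespace-delimited token after 'name:' in a section, or None."""
    m = re.search(re.escape(name) + r":\s*(\S+)", section)
    return m.group(1) if m else None

def track_admin_changes(lines):
    """Return (event_id, action, member_sid, member_name) per Administrators change, resolving SIDs via earlier 4720 events."""
    sid_to_name, changes = {}, []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        event_id, sections = int(m.group(1)), split_sections(line)
        if event_id == 4720:  # account created: learn SID -> name
            acct = sections.get("New Account", "")
            sid_to_name[field(acct, "Security ID")] = field(acct, "Account Name")
        elif event_id in (4732, 4733):  # member added to / removed from a local group
            if field(sections.get("Group", ""), "Security ID") != ADMINISTRATORS_SID:
                continue  # a different local group changed; out of scope here
            member = sections.get("Member", "")
            sid, name = field(member, "Security ID"), field(member, "Account Name")
            if name in (None, "-"):
                name = sid_to_name.get(sid, "<unresolved SID>")
            changes.append((event_id, "added" if event_id == 4732 else "removed", sid, name))
    return changes
```

Feeding the 4732 line without its preceding 4720 yields "<unresolved SID>", which is exactly the case where the account was created before the agent started collecting and the SID has to be looked up elsewhere.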

Soumitri

Nov 21, 2017, 5:24:32 AM
to Wazuh mailing list
Thank you so much for the help, Victor

Appreciate it!