Monitoring Windows Administrator account login on pc


Matteo Torta

Jan 16, 2023, 10:52:00 AM
to Wazuh mailing list
Hi all, I need to make the system notify me when an administrator-type Windows user logs in to the machine. I only need that report because I have the forwarding via e-mail. Can anyone help me?

Thank you.

Jose Camargo

Jan 16, 2023, 3:13:08 PM
to Wazuh mailing list
Hi, thank you for using Wazuh!

To accomplish this, you have to identify the rule that triggers when any successful login happens, in this case rule ID 60106. Once this rule is triggered, you get the user information in the field called win.eventdata.targetUserName.
With this, you can create a new rule that tries to match that userName with your admin users, so you know when any admin logs in to that computer.


Now, you will have to create a list of all of your admin users, as Windows does not bring the user's group information. To do this, you will have to create a CDB list with the names of your admin users and save it to your manager's /var/ossec/etc/lists.
Then, you'll have to create a custom rule to get that information. In this case, you can do as follows:

<!-- Fires for a successful Windows logon (parent rule 60106) whose target user is a key in the CDB list -->
<rule id="100010" level="12">
  <if_sid>60106</if_sid>
  <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/admin-user-list</list>
  <description>Admin user logged into $(win.system.computer)</description>
</rule>

This rule will only alert you when a user that is present on the list logs in.

Please let me know if there's anything else I can help you with.

Regards,
Jose Camargo
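
As an added illustration (not Wazuh's own code and not from any poster), this Python script emulates what rule 100010 above does: it parses a CDB list in the documented key:value format and performs the match_key lookup on win.eventdata.targetUserName over a constructed, trimmed logon event. It assumes the parent rule 60106 has already matched, and it treats a list line without a colon as invalid.

```python
"""Emulates the CDB lookup that rule 100010 above performs (constructed
example, not Wazuh's own code): match_key on win.eventdata.targetUserName."""
import re

# Constructed admin list in the documented key:value format; the value may be
# empty but the colon is required, so "user01:" rather than a bare "user01".
ADMIN_LIST = "user01:\nroot:\n"

# Constructed, trimmed decoded Windows logon event (hypothetical values) as it
# would look after the parent rule 60106 (successful logon) has matched.
SAMPLE_EVENT = {"win": {
    "system": {"eventID": "4624", "computer": "WS-001.example.local"},
    "eventdata": {"targetUserName": "user01", "logonType": "10"},
}}

RULE = {  # the attributes of <rule id="100010"> from the thread
    "field": "win.eventdata.targetUserName",
    "description": "Admin user logged into $(win.system.computer)",
}

def load_cdb_list(text):
    """Parse key:value lines into a dict; a line with no colon is an error."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {n}: {line!r} is not key:value")
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries

def get_field(event, dotted):
    """Resolve a dotted field name such as win.eventdata.targetUserName."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(rule, admins, event):
    """Return the expanded description if the rule fires, otherwise None."""
    value = get_field(event, rule["field"])
    if value is None or value not in admins:  # match_key: exact key match
        return None
    return re.sub(r"\$\(([^)]+)\)",
                  lambda m: str(get_field(event, m.group(1))),
                  rule["description"])
```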

Operation Consultant

Dec 28, 2023, 3:58:35 AM
to Wazuh | Mailing List
Hi All,
I followed the steps but am not able to get the notification with rule level 12.

root@server01:/var/ossec# cat /var/ossec/etc/lists/admin-user-list
user01
root
root@server01:/var/ossec# cat /var/ossec/etc/rules/local_rules.xml
<!--
  New line aded below for 'User01 and root01' login info
  -->

    </rule>

   <rule id="100010" level="12">
  <if_sid>60106</if_sid>
  <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/admin-user-list</list>
  <description>Admin user logged into $(win.system.computer)</description>
</rule>


## output: /var/ossec/bin/wazuh-logtest
** Wazuh-Logtest: WARNING: (7616): List 'etc/lists/admin-user-list' could not be loaded. Rule '100010' will be ignored.
##
cat custom_local_rules.xml
<group name="C_local">

<rule id="100010" level="12">
  <if_sid>60106</if_sid>
  <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/admin-user-list</list>
  <description>SPTLAdminLocal user logged into $(win.system.computer)</description>
</rule>
</group>

####

Operation Consultant

Jan 2, 2024, 12:54:04 AM
to Wazuh | Mailing List
Hi All,
Any input on the above shared input?

Regards,

Operation Consultant

Jan 4, 2024, 12:47:26 PM
to Wazuh | Mailing List
Hello Wazuh Team,
Could you assist us with the shared query?

Need notification when a local user logs into the server.



BR,

Kara Tanaka

Aug 16, 2024, 12:13:47 AM
to Wazuh | Mailing List

Hello, I'm trying to do this as well. Do I need to make a decoder for this?