Windows group modification (add/delete user) logs


HA

Aug 5, 2022, 6:53:29 AM
to Wazuh mailing list
Hello,

I configured Wazuh to get alerts about Windows group modification (adding/deleting members).
Rules are fired correctly BUT I can only see the Windows SID (S-1-xxx) in the logs and not the username.
It's not very user friendly...
How can I get the username or samaccountname?

Regards,

HA

Tom Powers

Aug 5, 2022, 8:28:39 AM
to Wazuh mailing list
Which events are you tracking? For example, group changes with Events 4727, 4737, 4730 for global group changes show TargetUserName and SubjectUserName as fields for the group that changed and who changed it.

HA

Aug 8, 2022, 4:54:29 AM
to Wazuh mailing list
Hi,

First, thanks a lot for your help...
When creating a global security group on a DC, I get detailed information (username added, removed, etc.).
But if I add/remove a user locally on the PC (Local Security Group), I don't have detailed info...
Event IDs are 4732 and 4735...

Regards,

HA

Jonathan José Levy Gil

Aug 18, 2022, 6:22:37 AM
to Wazuh mailing list
Hi, 

Let me try to help here,

Wazuh will collect this particular event from the Windows "Security" channel. This is an audit event; by default it is likely that Audit Local Policies are disabled, so you have to go to "Local Security Policy"
in your Windows system and enable the type of events you need to register (I'm attaching a picture for reference).

Wazuh has a set of Windows Security rules that covers your scenario (0580-win-security_rules.xml).

The specific rule you are looking for is this one:


<rule id="60113" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|^665$|^4761$|^666$|^4762$</field>
    <options>no_full_log</options>
    <description>Group account changed.</description>
    <mitre>
      <id>T1484</id>
    </mitre>
    <group>gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,group_changed,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,win_group_changed,</group>
</rule>



As you can see, events 4732 and 4735 are included in the field match. The rule is triggered after matching rule 60103, which captures AUDIT_SUCCESS events:


<rule id="60103" level="0">
    <if_sid>60001</if_sid>
    <field name="win.system.severityValue">^AUDIT_SUCCESS$|^success$</field>
    <options>no_full_log</options>
    <description>Windows audit success event.</description>
</rule>


Also, it is important to check first whether the Wazuh agent is collecting those event IDs, by checking that they are not excluded inside the <localfile> setting in the configuration file, specifically under the "Security" channel. Go to your agent's "ossec.conf" file:

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4660 and EventID != 4670 and EventID != 4690 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and EventID != 4738 and EventID != 4728 and
      EventID != 4733 and EventID != 4729]</query>
</localfile>


The events above are going to be excluded by the agent unless you remove the tag EventID != xxxx.

Alternatively, you can also customize the rules using the original ones as a baseline. For example, to customize whenever an account is created, working specifically with event ID 4720, you could do something like:

<!-- BEGIN Windows Audit Rules - Account Management -->

<group name="windows, windows_auditing,">
  <!-- Parent rule: re-uses stock rule 60109 (user account enabled or created) as the anchor -->
  <rule id="115000" level="0">
    <if_sid>60109</if_sid>
    <options>no_full_log</options>
    <description>User account enabled or created.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
    <group>account_changed,adduser,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- Child rule: only event ID 4720 (a user account was created) raises a level-7 alert -->
  <rule id="115001" level="7">
    <if_sid>115000</if_sid>
    <field name="win.system.eventID">^4720$</field>
    <options>no_full_log</options>
    <description>Security Auditing: A user account was created.</description>
    <mitre>
      <id>T1098</id>
    </mitre>
    <group>account_changed,adduser,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

<!-- END Windows Audit Rules - Account Management -->

I hope this helps, 

Regards 

security_message.PNG
user_created.PNG
Local_policy.PNG
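Added example, not from the thread or from Wazuh: a small Python check that parses the <localfile> query and the rule 60113 pattern quoted in the reply above and reports which group-change event IDs the agent excludes before rule 60113 could ever match them. The XML and the regex are copied from the posts; the parsing functions and their names are assumptions of this example.

```python
# Added example, not from the thread or from Wazuh: cross-check the <localfile>
# query posted in the thread against the event IDs matched by rule 60113, to
# find group-change events the agent drops before the manager can match them.
# The XML and the regex are copied from the posts; the functions are ours.
import re
import xml.etree.ElementTree as ET

LOCALFILE_XML = """<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4660 and EventID != 4670 and EventID != 4690 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157 and EventID != 4738 and EventID != 4728 and
      EventID != 4733 and EventID != 4729]</query>
</localfile>"""

# <field name="win.system.eventID"> pattern of rule 60113 ("Group account changed.")
RULE_60113_PATTERN = ("^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|"
                      "^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|"
                      "^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|"
                      "^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|"
                      "^665$|^4761$|^666$|^4762$")

def excluded_event_ids(localfile_xml: str) -> set[int]:
    """Event IDs the agent filters out: every 'EventID != N' term in the XPath query."""
    query = ET.fromstring(localfile_xml).findtext("query") or ""
    return {int(n) for n in re.findall(r"EventID\s*!=\s*(\d+)", query)}

def rule_event_ids(pattern: str) -> set[int]:
    """Event IDs a rule's anchored alternation (^N$|^M$|...) can match."""
    return {int(n) for n in re.findall(r"\^(\d+)\$", pattern)}

def rule_matches(pattern: str, event_id: int) -> bool:
    """Apply the <field> regex to win.system.eventID (plain anchored alternation, so re agrees here)."""
    return re.search(pattern, str(event_id)) is not None

def dropped_before_rule(localfile_xml: str, pattern: str) -> list[int]:
    """Event IDs the rule expects but the agent never forwards to the manager."""
    return sorted(excluded_event_ids(localfile_xml) & rule_event_ids(pattern))

if __name__ == "__main__":
    for eid in dropped_before_rule(LOCALFILE_XML, RULE_60113_PATTERN):
        print(f"event {eid}: matched by rule 60113 but excluded by the agent query")
```

With the posted query, 4728, 4729 and 4733 (members added to or removed from global groups, and removed from local groups) never reach the manager, while 4732 and 4735 do, so the missing detail for local groups is in the event content, not the collection filter.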