There are two important user account management audit events generated for the following cases
- The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data.
- The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied.
- Changes are made to domain policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy or Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
The volume of this event being generated is low. And by default this events are not configured to be logged by Microsoft. However, if this policy setting is configured following are the lists of event that gets generated
eventId description
4782 The password hash for an account was accessed.
4793 The Password Policy Checking API was called.
How should these events be looked in SIEM tool?
Alert rules. Rules can be specific to above mentioned eventId or generic to Application Group Management like
LogSource=Windows eventId IN [4782, 4793]
What fields to monitor?
timestamp, who performed, operationType
Nice Post Please Keep Posting Like This On Regular Basis. Here are some use full links.
ReplyDeleteAmazon Great Indian Sale Offers On Smartphones
Flipkart Big Billion Days Sale Offers On Smartphones