ETW - Users and security groups operations

Channel: Security.
Events: 4720, 4722, 4723, 4724, 4731, 4732, 4733, 4738.

User operations Windows events

Channel	Conditions	Events
`Security`	Default configuration.	Event `4720: A user account was created`. Logged whenever a local account is created. Information of interest: - Domain, username, and `Logon ID` of the account that created the user. - Domain, `SamAccountName`, `SID`, `UserPrincipalName`, `PrimaryGroupId`, and other user object properties of the created user. Legacy: Event `624: User Account Created`.
`Security`	Default configuration.	Event `4722: A user account enabled`. Always logged after an event `4720`. Information of interest: - Domain, username, and `Logon ID` of the account that created the user. - Domain, `SamAccountName`, and `SID` of the created user. Legacy: Event `626: User Account Enabled`.
`Security`	Default configuration for success. Failures logged only if `Audit User Account Management` is set to `(Success), Failure`.	Event `4723: An attempt was made to change an account's password`. Logged as a success (`Audit Success`) if the user did change the target user password (which requires to enter the target user current password). Otherwise reported as a failure (`Audit Failure`) if failures are logged and an error occurred (wrong current password given, new password fails to meet the password policy, etc.). Information of interest: - Domain, username and `Logon ID` of the user that performed the password change. - Domain, username, and `SID` of the target user whose password was changed. Legacy: Event `627: Change Password Attempt`.
`Security`	Default configuration for success. Failures logged only if `Audit User Account Management` is set to `(Success), Failure`.	Event `4724: An attempt was made to reset an accounts password`. Logged as a success (`Audit Success`) if the user did reset the target user password (which requires elevated rights for local accounts). Otherwise reported as a failure (`Audit Failure`) if failures are logged and the new password failed to meet the password policy. A Failure event is NOT generated if the user gets an `Access Denied` error while attempting the password reset. Information of interest: - Domain, username, and `Logon ID` of the user that performed the password change. - Domain, username, and `SID` of the target user whose password was reset. Legacy: Event `628: User Account password set`.
`Security`	Default configuration.	Event `4738: A user account was changed`. Logged whenever a user object attribute is modified. For each change, a separate `4738` event will be generated. Only a subset of attributes are displayed / logged in the event. If a change is made to an attribute that is not listed in the event, an event `4738` will be generated with all listed field set to `-`. The `security descriptor`, and thus the `Discretionary Access Control List` (`DACL`), of a user is not listed in the `4738` event. An update to an account’s `DACL` will thus generate an event `4738` with all listed attributes set to `-`, making it impossible to detect the `DACL` update through this event alone. In case of a password change, the timestamp update of the `PasswordLastSet` field will be logged in the event. Information of interest: - Domain, username, and `Logon ID` of the user that performed the property change. - Domain, username, and `SID` of the target user whose attribute was updated. Legacy: Event `642: User Account Changed`.

Security group operations Windows events

Channel	Conditions	Events
`Security`	Default configuration.	Event `4731: A security-enabled local group was created`. Logged whenever a new security local group is created. Information of interest: - Domain, username, and `Logon ID` of the user that created the group. - Domain, name, `SamAccountName`, and `SID` of the created group. Legacy: Event `636: Security Enabled Local Group Member Added`.
`Security`	Default configuration.	Event `4732: A member was added to a security-enabled local group`. Logged whenever an account is added to a local security group. Information of interest: - Domain, username, and `Logon ID` of the user that performed the action. - Target group and added user’s domain and username. Legacy: Event `636: Security Enabled Local Group Member Added`.
`Security`	Default configuration.	Event `4733: A member was removed from a security-enabled local group`. Logged whenever an account is removed from a local security group. Information of interest: - Domain, username, and `Logon ID` of the user that performed the action. - Target group and added user’s domain and username. Legacy: Event `636: Security Enabled Local Group Member Added`.

References

Tags:

View on GitHub