Windows Administrative Activity

The Windows Administrative Activity dashboard gives an overview of Windows administrative activity in the environment: key actions such as user accounts being added and removed, audit logs being cleared, AppLocker events, Windows group changes, and system audit policy changes. Many of these actions are part of normal day-to-day operations, but each of them can also be used for malicious activity. Some parts of the dashboard show data only for the last 4 hours, because some Windows systems generate very large event volumes. If a longer window is needed, use the event search feature to search the logs over the longer period.

The key dashboard components are:

  • Audit logs cleared - the system audit logs should rarely, if ever, be cleared. When a log is cleared Windows records a specific audit event for it: clearing the Security log writes event ID 1102 to the Security log, and clearing other logs such as System or Application writes event ID 104 to the System log; both record the account that performed the clear. An attacker will usually try to clear the audit logs to mask their activity on the system. If Snare agents are running they will capture all of the user activity, including the attacker's login and their escalation to privileged access, and send the logs in near real time up to the point at which the attacker stops the audit and collection services on the host. Because the Snare agent forwards logs in near real time to the central log collection system, the valuable early forensic evidence is already off the host before anything is disabled.

  • Windows account creation and deletion - when an account is added or removed it should be part of approved change-control activity. Any unauthorised account change should be investigated. A common attacker technique is to add an account to the system so that they can come back later and log in whenever they want; check the account that created the new one as well as the new account itself.

  • Windows group changes - users are added to and removed from groups as part of normal user management. However, if a group is added to another group it inherits that parent group's access, and when users are added to privileged groups such as the local Administrators or Domain Admins groups they gain elevated privileges. An attacker may try to mask their access level by nesting groups within groups so that a seemingly unremarkable group ends up with administrative or other privileged access. Any system generating group-change events should therefore be investigated; workstations, servers and domain controllers each have their own risk profile and level of privileged access.

  • User account changes - lists users whose account attributes have been changed, including changes that affect their permission level or that add them to other users' groups. Again, these changes should be approved through the change-control process.

  • Audit policy changes - changes to the Windows audit policy produce their own audit events. If a policy change is not part of approved activity it should be investigated. A change can either strengthen or weaken the policy, so changes must be made with care: an incorrect policy change can switch off the auditing that the rest of this dashboard depends on, open the Windows network to abuse and make it easier for an attacker to gain access.

  • The status blocks on the left of the page show the actual number of events of each class for today. An unusual rate of change should be investigated to determine whether it was unauthorised or malicious activity. The status blocks cover:

    • Event logs cleared

    • Accounts created and deleted

    • Groups being added or removed

    • User accounts being changed

    • Windows audit policy changes.
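As an added example (not code from the Snare documentation or product), the following PowerShell script pulls the same classes of events that the dashboard's status blocks count from the local Security and System logs, over a longer window than the dashboard's 4 hours, and lists the account that performed each change. It assumes an elevated prompt on the host being reviewed, a 7-day default window (the `-Days` parameter is the script's own), and the standard Windows event IDs for these actions; the closing `auditpol` check confirms that the audit subcategories which generate those events are actually enabled on the host.

```powershell
<#
 Added example; not part of the Snare documentation or product.
 Queries the local Security and System logs for the classes of events the
 Windows Administrative Activity dashboard shows, over a configurable window
 (default 7 days, assumed). Run from an elevated PowerShell prompt.
 Event IDs are the standard Windows Security/System log IDs.
#>
param(
    [int]$Days = 7   # assumed default; change to suit the review period
)

$since = (Get-Date).AddDays(-$Days)

# Dashboard class -> Security log event IDs
$classes = [ordered]@{
    'Audit log cleared'      = @(1102)
    'Accounts created'       = @(4720)
    'Accounts deleted'       = @(4726)
    'Groups created/deleted' = @(4727, 4730, 4731, 4734, 4754, 4758)  # global/local/universal
    'Group members added'    = @(4728, 4732, 4756)
    'Group members removed'  = @(4729, 4733, 4757)
    'User accounts changed'  = @(4738)
    'Audit policy changed'   = @(4719)
}
$ids = @($classes.Values | ForEach-Object { $_ })

# Pull a named field out of an event's XML. 1102/104 carry their subject under
# UserData/LogFileCleared; the 47xx events use EventData/Data[@Name].
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.SelectSingleNode("//*[local-name()='Data'][@Name='$Name']")
    if (-not $node) { $node = $xml.SelectSingleNode("//*[local-name()='$Name']") }
    if ($node) { $node.InnerText } else { $null }
}

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
            -ErrorAction SilentlyContinue)
# Clearing the System or Application log is recorded in the System log as
# Eventlog provider event 104, not as Security event 1102.
$events += @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog';
                                              Id = 104; StartTime = $since } -ErrorAction SilentlyContinue)

# Equivalent of the dashboard's status blocks: a count per class for the window
$summary = foreach ($class in $classes.Keys) {
    [pscustomobject]@{
        Class = $class
        Count = @($events | Where-Object { $classes[$class] -contains $_.Id }).Count
    }
}
$summary += [pscustomobject]@{ Class = 'System/Application log cleared'
                               Count = @($events | Where-Object Id -eq 104).Count }
$summary | Format-Table -AutoSize

# Who did what: every event in the window with the acting account and the target
$detail = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $class = if ($e.Id -eq 104) { 'System/Application log cleared' }
             else { ($classes.GetEnumerator() | Where-Object { $_.Value -contains $e.Id } |
                     Select-Object -First 1).Key }
    $target = if ($e.Id -in 4728, 4729, 4732, 4733, 4756, 4757) {
                  # member added to / removed from group
                  '{0} -> {1}' -f (Get-EventField $e 'MemberName'), (Get-EventField $e 'TargetUserName')
              } elseif ($e.Id -eq 104)  { Get-EventField $e 'Channel' }
              elseif ($e.Id -eq 1102)   { 'Security' }
              else                      { Get-EventField $e 'TargetUserName' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Class   = $class
        Subject = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
        Target  = $target
    }
}
$detail | Format-Table -AutoSize

# The 47xx events only exist if these subcategories are enabled for Success.
# Confirm the host's effective audit policy (auditpol needs an elevated prompt).
foreach ($sub in 'User Account Management', 'Security Group Management', 'Audit Policy Change') {
    auditpol /get /subcategory:"$sub"
}
```

Run it on a workstation, a server and a domain controller in turn: the same event class carries a different level of risk on each, and a host whose `auditpol` output shows a subcategory as "No Auditing" will never report that class to the dashboard at all.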
