Windows Administrative Activity

The Windows Administrative Activity dashboard gives an overview of Windows administrative activity in the environment: key actions such as user accounts added and removed, audit logs cleared, AppLocker events, Windows group changes, and system audit policy changes. Many of these functions are part of normal day-to-day operations but can also be used for malicious activity. The key dashboard components are:

  • Windows Accounts Added or Removed - when an account is added or removed it should be part of approved change control activity. Any unauthorised account change should be investigated. A key activity a hacker will perform is adding an account to the system so they can come back later and log in whenever they want to.
  • Audit Logs Cleared - the system audit logs should rarely, if ever, be cleared. When an audit log is cleared, Windows generates specific audit events depending on which log was cleared. A hacker will usually attempt to clear the audit logs to mask their activity on the system. In general, if Snare agents are running they capture all user activity, including the hacker's login and escalation to privileged access, and send the logs in real time right up to the point where the hacker attempts to stop the audit and collection system on the host. Because the Snare agent forwards the logs in near real time to the central log collection system, all of the early, valuable forensic evidence is collected before anything can be disabled.
  • AppLocker Alerts - Windows AppLocker is Microsoft's application whitelisting feature. It can generate many types of events detailing what users are doing and whether they are attempting to run unauthorised applications or install and run unauthorised software. It can also track what users are allowed to run. This chart shows a summary of the usage activity.
  • Windows Group Changes - users are added to and removed from groups as part of normal user management. However, if a group is added to another group it inherits that group's role access. In particular, when users are added to specific groups such as the local Administrators and Domain Admins groups, those users now have elevated privileges. A hacker may try to mask their access level by nesting groups within groups and granting one of those groups admin or some other privileged access as part of the process. So any system generating group change events should be investigated; whether it is a workstation, server or domain controller, each has its own risk profile and level of privileged access.
  • Audit Policy Changes - changes to Windows audit policy produce audit events. If the policy changes are not part of approved activity they should be investigated. A change to audit policy can either strengthen or weaken it, so any change needs to be performed with caution and care. Incorrect policy changes can open the Windows network to abuse and make it easier for a hacker to gain access.
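The five panels above each correspond to a small set of Windows Security log event IDs. The script below is an added example, not part of Snare's dashboards or agent code: it triages a batch of constructed, already-normalised event records into those five categories and decides which ones need a human to look at them (log clears always, account and audit-policy changes unless they match a change-control list, group changes when the target group is privileged or the member being added is itself a group). The record schema (`event_id`, `channel`, `host`, `fields`), the `approved_changes` list and the `PRIVILEGED_GROUPS` set are assumptions for the example; the event IDs are the standard Windows ones.

```python
"""Triage Windows administrative-activity events into the dashboard's panels.

Added example, not Snare's own code. The records below are constructed to
resemble what an agent forwards after normalising the Windows event log; the
exact schema and the change-control list are assumptions.
"""
from dataclasses import dataclass

# Standard Windows Security log event IDs behind each dashboard panel.
ACCOUNT_EVENTS = {4720: "account created", 4726: "account deleted"}
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}
APPLOCKER_EVENTS = {8003: "would have been blocked (audit mode)", 8004: "blocked"}
AUDIT_POLICY_EVENT = 4719
# 1102 is written to the Security log when it is cleared; 104 goes to the
# System log (provider Microsoft-Windows-Eventlog) when another log is cleared.
LOG_CLEARED_EVENTS = {1102, 104}

# Groups whose membership confers elevated privilege (assumption: extend per site).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


@dataclass
class Finding:
    category: str
    host: str
    detail: str
    investigate: bool


def triage(events, approved_changes=frozenset(), known_groups=frozenset()):
    """Map each event to a panel and decide whether it needs review.

    approved_changes: (host, subject_user) pairs covered by change control.
    known_groups: names of security groups, used to spot group-in-group nesting.
    """
    findings = []
    for ev in events:
        eid, host, f = ev["event_id"], ev["host"], ev.get("fields", {})
        approved = (host, f.get("subject_user")) in approved_changes

        if eid in ACCOUNT_EVENTS:
            findings.append(Finding("Windows Accounts Added or Removed", host,
                f"{ACCOUNT_EVENTS[eid]}: {f.get('target_user')} by {f.get('subject_user')}",
                investigate=not approved))
        elif eid in LOG_CLEARED_EVENTS:
            # Clearing a log is never routine: investigate regardless of change control.
            findings.append(Finding("Audit Logs Cleared", host,
                f"{ev.get('channel')} log cleared by {f.get('subject_user')}", investigate=True))
        elif eid in APPLOCKER_EVENTS:
            findings.append(Finding("AppLocker Alerts", host,
                f"{f.get('file')} {APPLOCKER_EVENTS[eid]} for {f.get('user')}",
                investigate=(eid == 8004)))
        elif eid in GROUP_ADD_EVENTS or eid in GROUP_REMOVE_EVENTS:
            group, member = f.get("group"), f.get("member")
            scope = GROUP_ADD_EVENTS.get(eid) or GROUP_REMOVE_EVENTS[eid]
            action = "added to" if eid in GROUP_ADD_EVENTS else "removed from"
            nested = member in known_groups          # a group placed inside a group
            privileged = group in PRIVILEGED_GROUPS
            detail = f"{member} {action} {scope} group {group}"
            if nested:
                detail += " (group nested in group)"
            findings.append(Finding("Windows Group Changes", host, detail,
                investigate=privileged or nested or not approved))
        elif eid == AUDIT_POLICY_EVENT:
            findings.append(Finding("Audit Policy Changes", host,
                f"{f.get('subcategory')}: {f.get('change')} by {f.get('subject_user')}",
                investigate=not approved))
    return findings


def summarize(findings):
    """Per-panel counts: how many events, and how many of them need investigation."""
    out = {}
    for fd in findings:
        row = out.setdefault(fd.category, {"total": 0, "investigate": 0})
        row["total"] += 1
        row["investigate"] += int(fd.investigate)
    return out


# Constructed sample events (hosts, users and paths are made up for the example).
SAMPLE_EVENTS = [
    {"event_id": 4720, "channel": "Security", "host": "WS01", "fields": {"subject_user": "helpdesk1", "target_user": "jsmith"}},
    {"event_id": 4720, "channel": "Security", "host": "SRV02", "fields": {"subject_user": "svc_backup", "target_user": "support2"}},
    {"event_id": 1102, "channel": "Security", "host": "SRV02", "fields": {"subject_user": "support2"}},
    {"event_id": 8004, "channel": "Microsoft-Windows-AppLocker/EXE and DLL", "host": "WS01", "fields": {"user": "bob", "file": r"C:\Users\bob\Downloads\tool.exe"}},
    {"event_id": 8003, "channel": "Microsoft-Windows-AppLocker/EXE and DLL", "host": "WS01", "fields": {"user": "bob", "file": r"C:\Users\bob\Downloads\setup.exe"}},
    {"event_id": 4732, "channel": "Security", "host": "WS01", "fields": {"subject_user": "svc_backup", "group": "Administrators", "member": "support2"}},
    {"event_id": 4728, "channel": "Security", "host": "DC01", "fields": {"subject_user": "admin1", "group": "Domain Admins", "member": "Helpdesk-Staff"}},
    {"event_id": 4728, "channel": "Security", "host": "DC01", "fields": {"subject_user": "helpdesk1", "group": "Sales", "member": "jsmith"}},
    {"event_id": 4719, "channel": "Security", "host": "SRV02", "fields": {"subject_user": "support2", "subcategory": "Logon/Logoff: Logon", "change": "Success removed"}},
]
APPROVED_CHANGES = {("WS01", "helpdesk1"), ("DC01", "admin1"), ("DC01", "helpdesk1")}
KNOWN_GROUPS = {"Helpdesk-Staff", "Sales", "Administrators", "Domain Admins"}

if __name__ == "__main__":
    for fd in triage(SAMPLE_EVENTS, APPROVED_CHANGES, KNOWN_GROUPS):
        print(("INVESTIGATE " if fd.investigate else "ok          ") + f"[{fd.category}] {fd.host}: {fd.detail}")
    print(summarize(triage(SAMPLE_EVENTS, APPROVED_CHANGES, KNOWN_GROUPS)))
```

Run against the sample batch, the log clear on SRV02, the unapproved account creation and audit-policy change by the same pair of accounts, and the addition of that new account to the local Administrators group all surface as one chain, which is the pattern the Audit Logs Cleared panel is meant to let you catch before the agent is stopped.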

v2 Dashboards