Kaseya Community

Security Log Monitoring for new Admin Users

  • Soo... there's a lot of attempted hacking going on at the moment.

    I think all of us would like to monitor for users that have been added to Administrators, Domain Admins, Schema Admins, and Enterprise Admins.

    I've had a go but it looks as if the Event ID monitoring is a bit different for the Security Log. There doesn't seem to be a Description for this event.

    Have any of you managed to get this working? Here's a sample Event:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 02/07/2016 16:48:36
    Event ID: 4728
    Task Category: Security Group Management
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: CT-SERVER01.CONTOSO.local
    A member was added to a security-enabled global group.

    Security ID: CONTOSO\administrator
    Account Name: administrator
    Account Domain: CONTOSO
    Logon ID: 0xf14e5d4

    Security ID: CONTOSO\eventdata
    Account Name: CN=event data,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=CONTOSO,DC=local

    Security ID: CONTOSO\Domain Admins
    Group Name: Domain Admins
    Group Domain: CONTOSO

    Additional Information:
    Privileges: -
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <TimeCreated SystemTime="2016-07-02T15:48:36.808618200Z" />
    <Correlation />
    <Execution ProcessID="676" ThreadID="8372" />
    <Security />
    <Data Name="MemberName">CN=event data,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=CONTOSO,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-4003249773-4060424937-2708103478-1238</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-4003249773-4060424937-2708103478-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-4003249773-4060424937-2708103478-1203</Data>
    <Data Name="SubjectUserName">administrator</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0xf14e5d4</Data>
    <Data Name="PrivilegeList">-</Data>

    Updated title
    [edited by: Lothario at 9:18 AM (GMT -7) on Jul 4, 2016]
  • The description may be everything that comes after the word "Description:". You could probably look for "*a member was added*", and see what you get.

    Another alternative might be to write a script that dumps all users to a text file, then use the "GET File" to pull it back in, and alarm when it changes.

  • I can't seem to monitor events in the Security Log. Has anyone managed to do this?

  • Hello Lothario,

    Get-EventLog -logname Security -After (Get-Date).AddDays(-1) | where {$_.eventID -eq 4728 -and $_.Message.Contains("Domain Admins")} | format-List

    Will give you a list of all users that have been added to the Domain Admins group.

    You can run this daily in a procedure with an ExecutePowershellCommand step (the command filters the log getting only the "past day" entries).
    Or if KNM works for you, a monitor with the same.

    There are other events you could monitor:

    4727  - A security-enabled global group was created.

    4728 - A member was added to a security-enabled global group.

    4729 - A member was removed from a security-enabled global group.

    4730 - A security-enabled global group was deleted.

    4731 - A security-enabled local group was created.

    4732 - A member was added to a security-enabled local group.

    4733 - A member was removed from a security-enabled local group.

    4734 - A security-enabled local group was deleted.

    4735 - A security-enabled local group was changed.

    4737 - A security-enabled global group was changed.

    4754 - A security-enabled universal group was created.

    4755 - A security-enabled universal group was changed.

    4756 - A member was added to a security-enabled universal group.

    4757 - A member was removed from a security-enabled universal group.

    4758 - A security-enabled universal group was deleted.

    4764 - A group’s type was changed.

    Make sure you have enabled Auditing for your AD otherwise you get nothing :-)

    Below you can see a sample from one of my DCs that shows it's working (I have obscured private information but you get the idea).

    Best Regards

  • Thanks Allessandro, you have saved my day again! What a pity that Kaseya can't directly monitor the log.

    I will post back here again once I have played around with this.

  • Hello Lothario,

    In reality Kaseya CAN monitor events on its own (I just like PowerShell because I find it easier to "debug" and I have more control over the "conditions").

    If you want to go the "regular" way, go to: Agent Monitoring -> Event Log Alerts.
    Define your Log Alert Filter (here is a sample that queries Domain Admin changes like the PowerShell did):

    Set up your threshold, re-arm and assign to as many servers as needed.

    Including the ability to set an Action such as running a procedure every time the event happens.

    Choose what you like.

    Best Regards

  • Hi

    If you are having trouble monitoring the events in the Security Logs, I would check if it's all events or specific events.

    Events can be blacklisted from collection, alarms can be suspended on devices, but 95% of the time alerts not generating is due to the filters used in the event set applied (Event sets are very picky about the filters you apply and must match exactly).

    Can you show us your configuration that is currently being used within the Event Log section?

  • I'd rather use Event Log monitoring so I can catch the event as it happens. The PowerShell command is quite elegant, but that would require running it on all servers every x hours.

    Here is my Event Set.

    I apply it with a Policy - settings below:

    I'm not getting anything when I add a user to Domain Admins. I can see that it's being logged in the Security Logs as per the original post.

    Fixed a problem where I was using the wrong Event Set. That has resolved the problem. I'll leave this here for anyone's benefit.
    [edited by: Lothario at 8:58 AM (GMT -7) on Jul 5, 2016]
  • Hello Lothario,

    Try removing the last entry with: BUILTIN\Administrators.

    In my test when that was inside I was not getting anything.

    Once I removed it, it worked.

    It may have to do with the "\" character that may either need to be escaped or messes up the parser somehow.

    Best Regards

  • Wouldn't a single entry with "*Admin*" find all of those cases, including the builtin account?


  • Hi Glenn, it would, but it would also create tickets for users added to Printer Admins, Desktop Admins, etc.

  • I was just setting this up and ran into the Enterprise and Schema Event IDs that are not the same as the Domain Admins. You may want to verify this.
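The thread ends up circling three points: the member-added event IDs differ by group scope (4728 global, 4732 local, 4756 universal), a "*Admin*" wildcard also fires for Printer Admins and the like, and the `BUILTIN\Administrators` entry tripped the event-set parser. The example below (added here; it is not Kaseya's code and not the PowerShell from the replies) shows a filter that matches on the group's SID from the Event XML instead of its name. It assumes the records are complete Event XML with the standard `<System>` and `<EventData>` wrappers that the excerpt in the first post omits; the sample records are constructed, reusing the domain SID from the post. The well-known RIDs (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, `S-1-5-32-544` for Administrators) are Windows constants, which is why this approach also covers Enterprise and Schema Admins, which in a native-mode domain are universal groups and therefore log 4756 rather than 4728.

```python
"""Pick privileged-group additions out of Security-log Event XML records.

Added example for this thread (not Kaseya's code, not the PowerShell above).
Assumes each record is a full <Event> with <System>/<EventID> and <EventData>;
the sample records below are constructed in the layout of the original post.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# "A member was added" events by group scope: global, local, universal.
# Enterprise Admins and Schema Admins are universal groups, hence 4756.
MEMBER_ADDED_IDS = {4728, 4732, 4756}

# Well-known relative IDs of the groups the first post wants to watch.
# Matching on the SID avoids "*Admin*" also catching Printer Admins etc.
DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
BUILTIN_ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators (not a domain SID)


def privileged_group(sid):
    """Return the well-known group name for a SID, or None if not privileged."""
    if sid == BUILTIN_ADMINS_SID:
        return "Administrators"
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return DOMAIN_RIDS.get(int(m.group(1))) if m else None


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def privileged_additions(xml_records):
    """Return one alert dict per member-added event targeting a privileged group."""
    alerts = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if event_id not in MEMBER_ADDED_IDS:
            continue  # creations, removals, type changes are not in scope here
        group = privileged_group(data.get("TargetSid", ""))
        if group is None:
            continue  # some other group that merely has "Admin" in its name
        alerts.append({
            "event_id": event_id,
            "group": group,
            "member": data.get("MemberName", ""),
            "member_sid": data.get("MemberSid", ""),
            "by": data.get("SubjectUserName", ""),
        })
    return alerts


# --- constructed sample data (domain SID taken from the post's sample) ---
SAMPLE_DOMAIN = "S-1-5-21-4003249773-4060424937-2708103478"


def make_event(event_id, member, member_rid, group, group_sid, subject="administrator"):
    """Build a constructed Event XML record in the layout of the original post."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>{event_id}</EventID>
    <Computer>CT-SERVER01.CONTOSO.local</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN={member},OU=SBSUsers,OU=Users,OU=MyBusiness,DC=CONTOSO,DC=local</Data>
    <Data Name="MemberSid">{SAMPLE_DOMAIN}-{member_rid}</Data>
    <Data Name="TargetUserName">{group}</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">{group_sid}</Data>
    <Data Name="SubjectUserName">{subject}</Data>
  </EventData>
</Event>"""


SAMPLE_RECORDS = [
    make_event(4728, "event data", 1238, "Domain Admins", f"{SAMPLE_DOMAIN}-512"),
    make_event(4756, "event data", 1238, "Enterprise Admins", f"{SAMPLE_DOMAIN}-519"),
    make_event(4728, "print ops", 1301, "Printer Admins", f"{SAMPLE_DOMAIN}-1105"),
    make_event(4732, "helpdesk", 1302, "Administrators", BUILTIN_ADMINS_SID),
    make_event(4729, "event data", 1238, "Domain Admins", f"{SAMPLE_DOMAIN}-512"),
]

if __name__ == "__main__":
    for alert in privileged_additions(SAMPLE_RECORDS):
        print(f"{alert['event_id']}: {alert['member']} added to {alert['group']} by {alert['by']}")
```

Run against the constructed records it reports the Domain Admins, Enterprise Admins and Administrators additions and stays quiet for Printer Admins and for the 4729 removal. If you want 4729/4733/4757 removals as well, add them to `MEMBER_ADDED_IDS`; the SID match is unchanged.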