TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Windows
SUMMARY: Starter Queries for Windows Security
Query List
Adding/Removing Accounts from Groups
Description
This search returns all instances of accounts being added or removed from Windows groups. These groups could be local groups or Domain groups. The search can be further filtered by specifying the name of a group or groups of interest. Examples of this are documented in the Additional Filter Options section.
Search Query
from logs
| where event.provider=="Microsoft-Windows-Security-Auditing"
| where event.code=="4728" OR event.code=="4732" OR event.code=="4746" OR event.code=="4751" OR event.code=="4756" OR event.code=="4761" OR event.code=="4729" OR event.code=="4733" OR event.code=="4747" OR event.code=="4752" OR event.code=="4757" OR event.code=="4762"
| keep host.hostname, event.code, winlog.event_data.MemberName, winlog.event_data.MemberSid, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName
Additional Filter Options
Limit to Local Privileged Groups
This query adds a filter to focus on two local groups (Administrators and Remote Desktop Users). These two default groups grant extra privilege to their members: Administrators grants full admin rights, and Remote Desktop Users grants the ability to log on over RDP. Both of these groups are used by threat actors to gain persistence.
from logs
| where event.provider=="Microsoft-Windows-Security-Auditing"
| where event.code=="4728" OR event.code=="4732" OR event.code=="4746" OR event.code=="4751" OR event.code=="4756" OR event.code=="4761" OR event.code=="4729" OR event.code=="4733" OR event.code=="4747" OR event.code=="4752" OR event.code=="4757" OR event.code=="4762"
| where winlog.event_data.TargetUserName=="Administrators" OR winlog.event_data.TargetUserName=="Remote Desktop Users"
| keep host.hostname, event.code, winlog.event_data.MemberName, winlog.event_data.MemberSid, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName
Limit to Domain Privileged Groups
This query adds a filter to focus on three domain groups (Enterprise Admins, Domain Admins, Account Operators). These three default groups grant extra privilege to their members: Enterprise Admins grants full admin rights to all domains in a forest, Domain Admins grants full admin rights to the local domain, and Account Operators grants rights allowing for management of domain accounts.
from logs
| where event.provider=="Microsoft-Windows-Security-Auditing"
| where event.code=="4728" OR event.code=="4732" OR event.code=="4746" OR event.code=="4751" OR event.code=="4756" OR event.code=="4761" OR event.code=="4729" OR event.code=="4733" OR event.code=="4747" OR event.code=="4752" OR event.code=="4757" OR event.code=="4762"
| where winlog.event_data.TargetUserName=="Domain Admins" OR winlog.event_data.TargetUserName=="Account Operators" OR winlog.event_data.TargetUserName=="Enterprise Admins"
| keep host.hostname, event.code, winlog.event_data.MemberName, winlog.event_data.MemberSid, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName
Event Code Breakdown
Event Code | Description
---|---
4728 | A member was added to a security-enabled global group
4729 | A member was removed from a security-enabled global group
4732 | A member was added to a security-enabled local group
4733 | A member was removed from a security-enabled local group
4746 | A member was added to a security-disabled local group
4747 | A member was removed from a security-disabled local group
4751 | A member was added to a security-disabled global group
4752 | A member was removed from a security-disabled global group
4756 | A member was added to a security-enabled universal group
4757 | A member was removed from a security-enabled universal group
4761 | A member was added to a security-disabled universal group
4762 | A member was removed from a security-disabled universal group
Kept Field Descriptions
Field | Description
---|---
MemberName | Contains the Distinguished Name (DN) of the account added or removed from the designated group. For local accounts, this has a value of “-”.
MemberSid | Contains the Security Identifier (SID) of the account added or removed from the designated group.
TargetDomainName | The Domain of the group.
TargetUserName | The Name of the group.
SubjectDomainName | The Domain of the account performing the action.
SubjectUserName | The Name of the account performing the action.
Group Management Events
Description
This search returns data describing the creation or deletion of Windows groups. This includes both local and Domain groups.
Search Query
from logs
| where event.provider=="Microsoft-Windows-Security-Auditing"
| where event.code=="4727" OR event.code=="4731" OR event.code=="4744" OR event.code=="4749" OR event.code=="4754" OR event.code=="4759" OR event.code=="4730" OR event.code=="4734" OR event.code=="4748" OR event.code=="4753" OR event.code=="4758" OR event.code=="4763"
| keep host.hostname, event.code, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName
Event Code Breakdown
Event Code | Description
---|---
4731 | A security-enabled local group was created
4734 | A security-enabled local group was deleted
4744 | A security-disabled local group was created
4748 | A security-disabled local group was deleted
4749 | A security-disabled global group was created
4753 | A security-disabled global group was deleted
4754 | A security-enabled universal group was created
4758 | A security-enabled universal group was deleted
4759 | A security-disabled universal group was created
4763 | A security-disabled universal group was deleted
Kept Field Breakdown
Field | Description
---|---
host.hostname | The Name of the host where the group was created or deleted. This will be a Domain Controller if the group was a Domain group.
TargetDomainName | The Domain of the group that was created or deleted.
TargetUserName | The Name of the group that was created or deleted.
SubjectDomainName | The Domain of the account that created or deleted the group.
SubjectUserName | The Name of the account that created or deleted the group.
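The membership-change query with its two privileged-group filters, and the group creation/deletion query, expressed as one small filter over ECS-shaped events so the where/keep logic can be exercised offline. This is an added example, not Huntress SIEM code. It assumes events are nested dicts whose keys mirror the query field paths (event.provider, event.code, winlog.event_data.*); the hostnames, account names and SIDs in the sample events are constructed; and the two codes (4727, 4730) that appear in the Group Management query but not in its table are given Microsoft's event titles.

```python
# Added example (not Huntress SIEM code): the group-membership and
# group-management starter queries applied to constructed ECS-shaped events.
# Assumes each event is a nested dict mirroring the query field paths.

PROVIDER = "Microsoft-Windows-Security-Auditing"

# Event Code Breakdown tables, keyed by event.code (a string in ECS).
MEMBERSHIP_CODES = {
    "4728": "A member was added to a security-enabled global group",
    "4729": "A member was removed from a security-enabled global group",
    "4732": "A member was added to a security-enabled local group",
    "4733": "A member was removed from a security-enabled local group",
    "4746": "A member was added to a security-disabled local group",
    "4747": "A member was removed from a security-disabled local group",
    "4751": "A member was added to a security-disabled global group",
    "4752": "A member was removed from a security-disabled global group",
    "4756": "A member was added to a security-enabled universal group",
    "4757": "A member was removed from a security-enabled universal group",
    "4761": "A member was added to a security-disabled universal group",
    "4762": "A member was removed from a security-disabled universal group",
}
GROUP_MGMT_CODES = {
    "4731": "A security-enabled local group was created",
    "4734": "A security-enabled local group was deleted",
    "4744": "A security-disabled local group was created",
    "4748": "A security-disabled local group was deleted",
    "4749": "A security-disabled global group was created",
    "4753": "A security-disabled global group was deleted",
    "4754": "A security-enabled universal group was created",
    "4758": "A security-enabled universal group was deleted",
    "4759": "A security-disabled universal group was created",
    "4763": "A security-disabled universal group was deleted",
    # In the query but not in the page's table; titles are Microsoft's.
    "4727": "A security-enabled global group was created",
    "4730": "A security-enabled global group was deleted",
}
LOCAL_PRIVILEGED = {"Administrators", "Remote Desktop Users"}
DOMAIN_PRIVILEGED = {"Enterprise Admins", "Domain Admins", "Account Operators"}

MEMBERSHIP_KEEP = [
    "host.hostname", "event.code",
    "winlog.event_data.MemberName", "winlog.event_data.MemberSid",
    "winlog.event_data.TargetDomainName", "winlog.event_data.TargetUserName",
    "winlog.event_data.SubjectDomainName", "winlog.event_data.SubjectUserName",
]
GROUP_MGMT_KEEP = [
    "host.hostname", "event.code",
    "winlog.event_data.TargetDomainName", "winlog.event_data.TargetUserName",
    "winlog.event_data.SubjectDomainName", "winlog.event_data.SubjectUserName",
]


def field(event, path):
    """Resolve a dotted field path such as 'winlog.event_data.TargetUserName'."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def run_query(events, codes, keep, groups=None):
    """from logs | where provider | where code in codes
    [| where TargetUserName in groups] | keep ...; adds a 'description' column."""
    rows = []
    for ev in events:
        if field(ev, "event.provider") != PROVIDER:
            continue
        code = field(ev, "event.code")
        if code not in codes:
            continue
        if groups is not None and field(ev, "winlog.event_data.TargetUserName") not in groups:
            continue
        row = {path: field(ev, path) for path in keep}
        row["description"] = codes[code]
        rows.append(row)
    return rows


def member_label(row):
    """MemberName is '-' for local accounts (see field table); fall back to the SID."""
    name = row.get("winlog.event_data.MemberName")
    return row.get("winlog.event_data.MemberSid") if name in (None, "-") else name


def _event(host, code, domain, target, subject, member=None, sid=None, provider=PROVIDER):
    data = {"TargetDomainName": domain, "TargetUserName": target,
            "SubjectDomainName": "CORP", "SubjectUserName": subject}
    if member is not None:
        data["MemberName"], data["MemberSid"] = member, sid
    return {"host": {"hostname": host}, "event": {"provider": provider, "code": code},
            "winlog": {"event_data": data}}


# Constructed sample events: hostnames, names and SIDs are made up.
SAMPLE_EVENTS = [
    _event("WS01", "4732", "WS01", "Administrators", "helpdesk", "-",
           "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    _event("DC01", "4728", "CORP", "Domain Admins", "it.admin",
           "CN=svc-backup,OU=Service,DC=corp,DC=example",
           "S-1-5-21-1111111111-2222222222-3333333333-1203"),
    _event("WS02", "4733", "WS02", "Backup Operators", "helpdesk", "-",
           "S-1-5-21-1111111111-2222222222-3333333333-1107"),
    _event("WS01", "4731", "WS01", "Scanners", "helpdesk"),  # group created
    _event("WS01", "4732", "WS01", "Administrators", "helpdesk", "-",
           "S-1-5-21-1111111111-2222222222-3333333333-1105",
           provider="Microsoft-Windows-Sysmon"),  # wrong provider, dropped
]

if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS, MEMBERSHIP_CODES, MEMBERSHIP_KEEP,
                         LOCAL_PRIVILEGED | DOMAIN_PRIVILEGED):
        print(row["host.hostname"], row["event.code"], member_label(row), "->",
              row["winlog.event_data.TargetUserName"], "by",
              row["winlog.event_data.SubjectUserName"])
```

`run_query` with `groups=None` is the base search; passing `LOCAL_PRIVILEGED` or `DOMAIN_PRIVILEGED` reproduces the two Additional Filter Options. `member_label` handles the local-account case from the field table, where MemberName is "-" and only MemberSid identifies who was added.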
Account Management Events
Description
This query returns results indicating the creation, modification, or deletion of an account. Modification is limited to disabling or enabling the account.
Search Query
from logs
| where event.provider=="Microsoft-Windows-Security-Auditing"
| where event.code=="4720" OR event.code=="4722" OR event.code=="4725" OR event.code=="4726" OR event.code=="4741" OR event.code=="4743"
| keep host.hostname, event.code, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName, winlog.event_data.SubjectLogonId, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.DisplayName
Event Code Breakdown
Event Code | Description
---|---
4720 | A user account was created
4722 | A user account was enabled
4725 | A user account was disabled
4726 | A user account was deleted
4741 | A computer account was created
4743 | A computer account was deleted
Kept Field Breakdown
Field | Description
---|---
host.hostname | The name of the host the account was created on.
SubjectDomainName | The Domain of the account that performed the creation, modification, or deletion.
SubjectUserName | The Name of the account that performed the creation, modification, or deletion.
SubjectLogonId | The session the action was performed in.
TargetDomainName | The Domain of the account created, modified, or deleted.
TargetUserName | The Name of the account created, modified, or deleted.
DisplayName | The “friendly” name of the account created, modified, or deleted.
Password Resets
Description
This query returns instances where one account resets the password of another. This is distinct from a normal password change event, in which an account changes its own password.
Search Query
from logs
| where event.provider=="Microsoft-Windows-Security-Auditing"
| where event.code=="4724"
| keep host.hostname, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName, winlog.event_data.SubjectLogonId, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName
Event Code Breakdown
Event Code | Description
---|---
4724 | An account’s password was reset.
Kept Field Breakdown
Field | Description
---|---
host.hostname | The name of the system where the affected account resides. This will be a Domain Controller if the account is a Domain account.
SubjectDomainName | The Domain of the account performing the password reset.
SubjectUserName | The Name of the account performing the password reset.
SubjectLogonId | The session that the action took place in.
TargetDomainName | The Domain of the account affected by the password reset.
TargetUserName | The Name of the account affected by the password reset.
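The Account Management and Password Resets queries applied to constructed events and then joined on their kept fields into a per-account timeline, which is what SubjectLogonId is kept for: it ties each creation, reset, enable/disable or deletion to the logon session it was performed in. This is an added example, not Huntress SIEM code. It assumes the nested-dict layout of the field paths above plus an ECS "@timestamp" string for ordering; the account names, hosts, logon IDs and timestamps are made up.

```python
# Added example (not Huntress SIEM code): Account Management (4720/4722/4725/
# 4726/4741/4743) and Password Reset (4724) queries over constructed events,
# joined into a per-account timeline. Assumes ECS-shaped nested dicts with
# an "@timestamp" string; all sample values are constructed.

PROVIDER = "Microsoft-Windows-Security-Auditing"

ACCOUNT_CODES = {
    "4720": "A user account was created",
    "4722": "A user account was enabled",
    "4725": "A user account was disabled",
    "4726": "A user account was deleted",
    "4741": "A computer account was created",
    "4743": "A computer account was deleted",
}
RESET_CODES = {"4724": "An account's password was reset"}


def _select(events, codes):
    """The where-clauses shared by both queries: provider match and event.code in the set."""
    for ev in events:
        event = ev.get("event", {})
        if event.get("provider") != PROVIDER:
            continue
        if event.get("code") in codes:
            yield event["code"], ev


def _row(code, ev, with_display=False):
    """Project the kept fields; DisplayName is only kept by the Account Management query."""
    d = ev.get("winlog", {}).get("event_data", {})
    row = {
        "timestamp": ev.get("@timestamp"),
        "host": ev.get("host", {}).get("hostname"),
        "code": code,
        "description": {**ACCOUNT_CODES, **RESET_CODES}[code],
        "subject": f"{d.get('SubjectDomainName')}\\{d.get('SubjectUserName')}",
        "logon_id": d.get("SubjectLogonId"),
        "target": f"{d.get('TargetDomainName')}\\{d.get('TargetUserName')}",
    }
    if with_display:
        row["display_name"] = d.get("DisplayName")
    return row


def account_management(events):
    """Rows of the Account Management query."""
    return [_row(c, ev, with_display=True) for c, ev in _select(events, ACCOUNT_CODES)]


def password_resets(events):
    """Rows of the Password Resets query."""
    return [_row(c, ev) for c, ev in _select(events, RESET_CODES)]


def account_timeline(events, target):
    """Everything the two queries record for one DOMAIN\\account, oldest first,
    so an analyst can read who created, reset, enabled or deleted it and in
    which logon session (SubjectLogonId) each action happened."""
    rows = account_management(events) + password_resets(events)
    return sorted((r for r in rows if r["target"] == target), key=lambda r: r["timestamp"])


def sessions_touching(events, target):
    """Distinct (subject, SubjectLogonId) pairs that acted on the account."""
    return {(r["subject"], r["logon_id"]) for r in account_timeline(events, target)}


def _ev(ts, host, code, subject, logon_id, target, display=None, provider=PROVIDER):
    data = {"SubjectDomainName": "CORP", "SubjectUserName": subject,
            "SubjectLogonId": logon_id, "TargetDomainName": "CORP",
            "TargetUserName": target}
    if display is not None:  # 4720 carries DisplayName; 4722/4726/4724 do not
        data["DisplayName"] = display
    return {"@timestamp": ts, "host": {"hostname": host},
            "event": {"provider": provider, "code": code},
            "winlog": {"event_data": data}}


# Constructed sample events (accounts, hosts, logon IDs and times are made up).
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00Z", "DC01", "4720", "helpdesk", "0x3e7a1", "svc-tmp", "Temp Service"),
    _ev("2024-05-01T08:00:01Z", "DC01", "4724", "helpdesk", "0x3e7a1", "svc-tmp"),
    _ev("2024-05-01T08:00:02Z", "DC01", "4722", "helpdesk", "0x3e7a1", "svc-tmp"),
    _ev("2024-05-01T09:15:00Z", "DC01", "4724", "it.admin", "0x51c2f", "jdoe"),
    _ev("2024-05-03T17:45:00Z", "DC01", "4726", "it.admin", "0x8a0d3", "svc-tmp"),
    _ev("2024-05-01T08:00:03Z", "DC01", "4724", "helpdesk", "0x3e7a1", "svc-tmp",
        provider="Microsoft-Windows-Sysmon"),  # wrong provider, ignored
]

if __name__ == "__main__":
    for r in account_timeline(SAMPLE_EVENTS, "CORP\\svc-tmp"):
        print(r["timestamp"], r["code"], r["description"], "by", r["subject"], "session", r["logon_id"])
```

The two query functions return exactly what the `keep` lists select; `account_timeline` is the pivot an analyst makes next, reading the target account's history across both result sets and using SubjectLogonId to tell which actions came from the same session versus a later one.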