timpoetker

Monitoring of Privileged AD Account Usage

Hi all.

I've been working on a problem trying to track the usage of a privileged account within Windows. I have my active list of the accounts I'm really interested in, and the rule is half working. It does pick up when a DA account generates a logon event on the domain controllers, which doesn't really solve the use case.

The question is how do I capture the other events that don't go through the DCs. For example, when a user does a Run As, or when a user uses Remote Desktop to log into a server using a privileged account, these activities don't generate an event the DCs will pick up, based on random testing. Maybe my eyes have glazed over because I've been obsessing over this too long and missing something fairly easy. As far as I can figure, the only way to capture these privileged events is to have a connector watching the local security logs of each and every endpoint, but that would blow our licensing through the roof and cost $$$$$$$$$ (not sure if that's enough dollar signs).

Any suggestions out there?

myron007

Re: Monitoring of Privileged AD Account Usage

Hi Tim,

Having an active list of all the domain admin and enterprise admin users is a good step. This can help you achieve your task.

You mentioned users running a service/executable with "Run as". These events are tagged with the "deviceEventClassId=Security:552" security code. These are processes run with explicit credentials.

You can then get all the destinationUserName values from these events and compare them with the ones you have in the active list.

You can also look for all account management events and then compare them with the users you have in the active list.

To do this in the Microsoft environment, look for { deviceCustomString2="Account Management" }. These are all account management events generated on the DC.

On Linux you can also look out for events that originate from "root" and "su". Detecting root is fairly simple. To detect su usage, you can look for { deviceProcessName=su AND name="su succeeded" }.

Let me know if it works.

Codefire1

Re: Monitoring of Privileged AD Account Usage

Be mindful that the "deviceEventClassId" varies by OS version. I find that for Windows-based events, using "externalId" is a bit easier and less variable. The externalId field is just the numeric representation of the event code, where deviceEventClassId=Security:552 -> externalId=552, etc.

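The detection logic from the two replies above (myron007's 552 / account-management / su filters, plus Codefire1's point about matching on externalId instead of the version-specific deviceEventClassId), prototyped as an added example in Python over a handful of constructed CEF lines. This is not code from the thread or from ArcSight; the CEF parser, the sample events, the hostnames and the account names are all made up here. It assumes, as myron007 does, that destinationUserName carries the account being used and deviceCustomString2 the Windows audit category, and it treats 4648 (the Vista/2008-and-later event for a logon with explicit credentials) as the modern equivalent of 552, which is exactly the version drift Codefire1 warns about. Stripping a DOMAIN\ prefix before the active-list comparison is an assumption about how your connector renders the field.

```python
"""Prototype of the thread's privileged-account detection over CEF events.

Added example, not from the original thread. Normalizes the Windows event
code via externalId (Codefire1's tip) so legacy 552 and its Vista+ successor
4648 match the same way, then correlates destinationUserName against an
"active list" of privileged accounts (myron007's approach).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the ArcSight active list of DA / EA accounts.
PRIVILEGED_ACCOUNTS: Set[str] = {"da-jsmith", "ent-admin", "root"}

# "Logon attempted using explicit credentials" (Run As): 552 on Windows
# 2003-era logs, 4648 on Vista/2008 and later.
EXPLICIT_CRED_LOGON = {"552", "4648"}

# CEF extension is "key=value key=value ..."; values may contain spaces, so a
# value runs lazily until the next " key=" boundary or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a dict of the header fields we need plus all extensions."""
    # CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    ev = {"deviceVendor": parts[1], "deviceProduct": parts[2],
          "deviceEventClassId": parts[4], "name": parts[5]}
    ev.update(dict(_EXT_RE.findall(parts[7])))
    return ev


def windows_event_code(ev: Dict[str, str]) -> Optional[str]:
    """Numeric Windows event code, preferring externalId.

    Falls back to the numeric tail of deviceEventClassId ('Security:552' or
    'Microsoft-Windows-Security-Auditing:4648') when externalId is missing.
    """
    if ev.get("externalId", "").isdigit():
        return ev["externalId"]
    m = re.search(r"(\d+)$", ev.get("deviceEventClassId", ""))
    return m.group(1) if m else None


def privileged_use(ev: Dict[str, str], privileged: Set[str]) -> Optional[str]:
    """Return a short reason if this is privileged-account activity we care about, else None."""
    user = ev.get("destinationUserName", "")
    # Assumption: the connector may render the field as DOMAIN\user; compare the short name.
    short = user.rsplit("\\", 1)[-1].lower()
    if short not in {p.lower() for p in privileged}:
        return None
    code = windows_event_code(ev)
    if code in EXPLICIT_CRED_LOGON:
        return "explicit-credential logon (Run As)"
    if ev.get("deviceCustomString2") == "Account Management":
        return "account management"
    if ev.get("deviceProcessName") == "su" and ev.get("name") == "su succeeded":
        return "su succeeded"
    return None


def scan(lines: List[str], privileged: Set[str] = PRIVILEGED_ACCOUNTS) -> List[Tuple[str, str, str]]:
    """Run the detection over raw CEF lines; returns (host, destinationUserName, reason) hits."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        reason = privileged_use(ev, privileged)
        if reason:
            hits.append((ev.get("dhost", "?"), ev.get("destinationUserName", ""), reason))
    return hits


# Constructed sample events; hostnames and accounts are invented.
SAMPLE_EVENTS = [
    # Run As on a 2003-era member server; connector populated externalId.
    "CEF:0|Microsoft|Microsoft Windows|2003|Security:552|Logon attempt using explicit credentials|Low|"
    "externalId=552 dhost=FS01 destinationUserName=CORP\\da-jsmith deviceCustomString2=Logon/Logoff",
    # Same action on a 2008 server: different deviceEventClassId, externalId still numeric.
    "CEF:0|Microsoft|Microsoft Windows|2008|Microsoft-Windows-Security-Auditing:4648|A logon was attempted using explicit credentials|Low|"
    "externalId=4648 dhost=APP02 destinationUserName=da-jsmith deviceCustomString2=Logon",
    # Run As by a regular user: not on the active list, must be ignored.
    "CEF:0|Microsoft|Microsoft Windows|2008|Microsoft-Windows-Security-Auditing:4648|A logon was attempted using explicit credentials|Low|"
    "externalId=4648 dhost=APP02 destinationUserName=bob deviceCustomString2=Logon",
    # Account management on the DC; deviceCustomString2 carries the audit category.
    "CEF:0|Microsoft|Microsoft Windows|2003|Security:642|User Account Changed|Low|"
    "externalId=642 dhost=DC01 destinationUserName=ent-admin deviceCustomString2=Account Management",
    # Linux su to root.
    "CEF:0|Unix|Unix|1.0|su|su succeeded|Low|"
    "dhost=web01 deviceProcessName=su sourceUserName=alice destinationUserName=root",
]

if __name__ == "__main__":
    for host, user, reason in scan(SAMPLE_EVENTS):
        print(f"{host:6} {user:18} {reason}")
```

Running it flags the two Run As events for da-jsmith (one 552, one 4648), the account-management change for ent-admin and the su to root, and stays silent on bob. The point of `windows_event_code` is that the rule keys on the number, so the same active-list correlation survives a 2003-to-2008 migration without rewriting the deviceEventClassId match; the same structure would take a 4624 logon-type-10 (RDP) check if you do end up forwarding member-server security logs.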
myron007

Re: Monitoring of Privileged AD Account Usage

Thanks Adam! Works great on our end.

Tim, did it solve your concern?
