Day 7: Account Management Events Lab

Objective: Detect changes to user accounts and privileges by analyzing Security log account-management events. Events like 4720 (user account created), 4722/4725 (enabled/disabled), 4728/4732 (added to security-enabled group) are critical[2]. Learners will filter for such events and interpret them.

Challenge Description: An unexpected new administrator-level account has appeared on the Windows Server 2022 (DC01.TALOSEC.local) system. Your task is to determine who created the account, when it was created, and whether it was granted administrative privileges.

You’ll generate realistic account-management events by creating and modifying a user account, then use Event Viewer → Security log to locate the related 4720 (account created) and 4732 (added to Administrators group) events. This exercise demonstrates how Security logs reveal identity-related changes and potential unauthorized privilege escalation.

Tools: Event Viewer (Windows Logs → Security).

Simulation Setup — Generate the Events Before Analysis

🧠 Goal: Create and modify a test user so that your server produces 4720, 4722, and 4732 events in the Security log.


🔹 Step 1 — Log in to Your Domain Controller

  • VM: DC01.TALOSEC.local

  • Log in as: TALOSEC\Administrator


🔹 Step 2 — Create a New Test User (Generates Event ID 4720)

You can do this in Command Prompt, PowerShell, or Active Directory Users and Computers (ADUC).

Option 1 — PowerShell

Open PowerShell (Admin) and run:

New-ADUser -Name "nasriadmin" -SamAccountName "nasriadmin" -AccountPassword (ConvertTo-SecureString "HooyoMcn143" -AsPlainText -Force) -Enabled $true

✅ Result: This command creates the domain account named in the command (nasriadmin) and immediately enables it.

  • Event 4720 → "A user account was created."

  • Event 4722 → "A user account was enabled."


🔹 Step 3 — Add the New User to Administrators Group (Generates Event 4732)

Run this PowerShell command:

Or for local admin (on a workstation/VM):

✅ Result:

  • Event 4732 → "A member was added to a security-enabled local group." (If added to Domain Admins → Event 4728)


🔹 Step 4 — (Optional) Disable or Delete the User Later

To simulate more log events:

Step-by-step Instructions:

1. Filter for Account Creation: In Event Viewer, select Windows Logs → Security.

  • In the right pane, click Filter Current Log…

  • In the Event IDs field, enter the account-creation ID, 4720.

  • Click OK.

2. Review 4720 Events: Look for an entry with Event ID 4720. The details show who created the account (Subject) and which account was created (New Account). For example:

3. Determine Group Membership: Now check whether that new user was added to admin groups. Filter the Security log for Event ID 4728 (member added to a security-enabled global group) or 4732 (member added to a security-enabled local group, such as Administrators). If found, the event shows which group was modified and by whom.

4. Interpret the Findings: In the example above, the built-in Administrator account created suspectuser. If the user is also added to the Administrators group (e.g., via Event 4732), this suggests privilege escalation. Note the Account Name fields: the Subject is the creator, and the New Account is the created user.

5. Cross-verify with PowerShell Logs (optional): If PowerShell script block logging was enabled (Day 3), you can cross-check whether a PowerShell script was used to create the account. Search for Event 4104 entries containing New-LocalUser or similar commands around that time.
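The same correlation the steps above do by hand in Event Viewer, scripted with Get-WinEvent. This is an added example, not part of the original lab: it joins each 4720 event to any later 4728/4732 event for that account and reports creator, time and admin-group membership. The lookback window, the account filter and the 'Admin' group-name match are assumptions you can adjust.

```powershell
# Added example (not part of the original lab): correlate 4720 with 4728/4732 events from the
# Security log to answer who created an account, when, and whether it was made an admin.
# Run as a .ps1 in elevated PowerShell on DC01; lookback window and account name are assumptions.
param(
    [int]$LookbackHours = 24,
    [string]$AccountName = '*'   # e.g. 'nasriadmin'; '*' reports every new account
)
$since = (Get-Date).AddHours(-$LookbackHours)

# Read one EventData field from the event XML by its Name attribute.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4720: Subject* is the creator, TargetUserName is the account that was created.
$created = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = Get-EventField $_ 'TargetUserName'
            CreatedBy  = (Get-EventField $_ 'SubjectDomainName') + '\' + (Get-EventField $_ 'SubjectUserName')
        }
    } | Where-Object { $_.NewAccount -like $AccountName }

# 4732 (local group) / 4728 (global group): MemberName is the added account's DN
# (on a DC; it may be '-' with only MemberSid set elsewhere), TargetUserName is the group.
$groupAdds = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4728,4732; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Member  = Get-EventField $_ 'MemberName'
            Group   = Get-EventField $_ 'TargetUserName'
            AddedBy = (Get-EventField $_ 'SubjectDomainName') + '\' + (Get-EventField $_ 'SubjectUserName')
        }
    }

foreach ($c in $created) {
    # The DN starts with CN=<account>, so match on that prefix; 'Admin' covers Administrators and Domain Admins.
    $adminAdds = @($groupAdds | Where-Object { $_.Member -like "CN=$($c.NewAccount),*" -and $_.Group -match 'Admin' })
    [pscustomobject]@{
        NewAccount  = $c.NewAccount
        CreatedAt   = $c.Time
        CreatedBy   = $c.CreatedBy
        AdminGroups = ($adminAdds | ForEach-Object { "$($_.Group) via $($_.Id) by $($_.AddedBy) at $($_.Time)" }) -join '; '
        Escalated   = $adminAdds.Count -gt 0
    }
}
```

A row with Escalated = True and a CreatedBy value that is not an expected administrator is the finding the challenge asks for; an empty AdminGroups column means the account was created but not (yet) granted admin group membership in the window.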
