Detect changes to groups, accounts, and policies in a Windows event log.
Attackers will frequently modify user accounts, the groups to which they belong, and the policies that impact what they can do on a system. These changes can not only provide valuable information about the current incident but also indicate what other systems may have been compromised if an attacker gains control of an account with wide-ranging access.
Master It: You are called to the scene of an intrusion where the administrator believes that an attacker may have created an account on a system. What Event IDs might you search for to help locate such activity?
Solution: On a Server 2008 machine (or Windows Vista and Windows 7), Event ID 4720 ...
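As an added example (not from the book), the following Python script triages exported Security-log records for the account, group and policy changes described above and correlates them per target account. The record layout and the sample events are constructed for the example; Event ID 4720 is from the page, while the other IDs listed are standard Security-log IDs stated from knowledge, and they only appear in a log if the relevant Account Management and Policy Change audit subcategories are enabled.

```python
# Added example, not from the book: triage exported Windows Security-log
# records (constructed here; a real export would come from wevtutil or
# Get-WinEvent) and correlate account creation with group membership changes.
from collections import defaultdict
from datetime import datetime, timedelta

# Security-log Event IDs (Vista/2008 and later numbering). 4720 is from the
# page; the rest are standard IDs stated from knowledge.
ACCOUNT_EVENTS = {4720: "account created", 4722: "account enabled",
                  4724: "password reset by admin", 4726: "account deleted"}
GROUP_EVENTS = {4728: "added to global group", 4732: "added to local group",
                4756: "added to universal group"}
POLICY_EVENTS = {4719: "system audit policy changed"}
WATCHED = {**ACCOUNT_EVENTS, **GROUP_EVENTS, **POLICY_EVENTS}

# Constructed sample export: (time, event id, subject/actor, target, group).
SAMPLE_EVENTS = [
    ("2024-03-01T01:12:03", 4624, "bob", "bob", ""),            # logon, ignored
    ("2024-03-01T01:13:10", 4720, "bob", "svc_backup2", ""),    # account created
    ("2024-03-01T01:13:15", 4732, "bob", "svc_backup2", "Administrators"),
    ("2024-03-01T01:14:00", 4719, "bob", "", ""),               # audit policy changed
    ("2024-03-02T09:00:00", 4728, "alice", "carol", "Domain Users"),
]

def triage(events, window=timedelta(minutes=10)):
    """Return (findings per target account, accounts created and then added
    to a group within `window`). Non-watched events are skipped."""
    findings = defaultdict(list)
    for ts, eid, subject, target, group in events:
        if eid not in WATCHED:
            continue
        key = target or "<system>"  # policy changes have no target account
        findings[key].append((datetime.fromisoformat(ts), eid, subject, group))
    suspicious = []
    for acct, evs in findings.items():
        created = [t for t, eid, _, _ in evs if eid == 4720]
        grouped = [t for t, eid, _, _ in evs if eid in GROUP_EVENTS]
        if any(timedelta(0) <= g - c <= window for c in created for g in grouped):
            suspicious.append(acct)
    return dict(findings), sorted(suspicious)

if __name__ == "__main__":
    findings, flagged = triage(SAMPLE_EVENTS)
    for acct, evs in findings.items():
        for t, eid, subject, group in evs:
            print(f"{t:%Y-%m-%d %H:%M} {eid} {WATCHED[eid]:<28} by {subject:<6} target={acct} {group}")
    print("created and added to a group within window:", flagged)
```

The flagged list is a starting point for pivoting: the subject of each event shows which account performed the change, and the same Event IDs on other hosts indicate where that account was also used.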