Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson

Evaluating Account Management Events

The account management category of events (as discussed in Chapter 12, “Windows Event Logs”) is used to record changes to accounts and group membership. This includes the creation, deletion, and disabling of accounts; modifying which accounts belong to which groups; account lockouts and reactivations; and a few other activities. By activating auditing for these events on a Windows system, you can detect many of the activities attackers perform after they gain access to a system. By default, only a Windows Server 2003 or 2008 domain controller will have this audit category enabled, and then it is enabled only for success events. Fortunately, we do not investigate the default. We investigate production environments ...
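The excerpt lists the activities this audit category records but not how an investigator turns the resulting Security-log entries into findings. The following is an added example, not code from the book or its authors: it takes constructed event records in the shape of the Windows Security log (the Vista/Server 2008 and later event IDs for account creation 4720, enabling 4722, disabling 4725, deletion 4726, group membership additions 4728/4732, lockout 4740 and unlock 4767; Server 2003 uses different, older IDs), labels each with the category the excerpt describes, and flags one pattern that maps directly to the post-compromise behaviour the excerpt mentions: an account that is created and then added to a sensitive group within a short window. The sample records, the `SENSITIVE_GROUPS` set, and the one-hour window are assumptions for the demonstration.

```python
"""Classify Windows account-management audit events and flag a
create-then-privilege sequence.  All records below are constructed
sample data in the shape of Security-log fields, not real log output."""
from datetime import datetime

# Event IDs in the "Account Management" audit category (Vista/2008+).
ACCOUNT_MGMT_EVENTS = {
    4720: "account created",
    4722: "account enabled",
    4725: "account disabled",
    4726: "account deleted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4740: "account locked out",
    4767: "account unlocked",
}
GROUP_ADD_EVENTS = {4728, 4732}
# Assumption: which groups count as sensitive is site policy; these two
# are the common high-privilege defaults on a domain-joined system.
SENSITIVE_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample: one logon (outside this category), a suspicious
# create-and-elevate by "jdoe", and a routine helpdesk onboarding.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T02:10:05", "id": 4624, "subject": "jdoe", "target": "", "group": ""},
    {"time": "2024-03-04T02:11:30", "id": 4720, "subject": "jdoe", "target": "svc_backup", "group": ""},
    {"time": "2024-03-04T02:12:02", "id": 4732, "subject": "jdoe", "target": "svc_backup", "group": "Administrators"},
    {"time": "2024-03-04T09:00:00", "id": 4720, "subject": "helpdesk", "target": "newhire01", "group": ""},
    {"time": "2024-03-04T09:05:00", "id": 4732, "subject": "helpdesk", "target": "newhire01", "group": "Remote Desktop Users"},
    {"time": "2024-03-04T09:30:00", "id": 4740, "subject": "SYSTEM", "target": "newhire01", "group": ""},
    {"time": "2024-03-04T09:45:00", "id": 4767, "subject": "helpdesk", "target": "newhire01", "group": ""},
]


def _ts(record):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(record["time"])


def classify_account_events(records):
    """Keep only account-management events, in time order, labelled by category."""
    labelled = []
    for r in sorted(records, key=_ts):
        category = ACCOUNT_MGMT_EVENTS.get(r["id"])
        if category is None:  # e.g. a logon event; belongs to another audit category
            continue
        labelled.append({"time": r["time"], "category": category,
                         "subject": r["subject"], "target": r["target"],
                         "group": r["group"]})
    return labelled


def find_rapid_privilege_grants(records, window_seconds=3600):
    """Flag accounts created and then added to a sensitive group within the window.

    Correlates by the target account name; the subject (who performed the
    action) is reported for both steps so an analyst can see whether one
    principal did both."""
    created = {}   # target account -> the 4720 record that created it
    hits = []
    for r in sorted(records, key=_ts):
        if r["id"] == 4720:
            created[r["target"]] = r
        elif r["id"] in GROUP_ADD_EVENTS and r["group"] in SENSITIVE_GROUPS:
            creation = created.get(r["target"])
            if creation is None:
                continue  # pre-existing account; a different (weaker) signal
            delta = (_ts(r) - _ts(creation)).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append({"account": r["target"], "created_by": creation["subject"],
                             "group": r["group"], "added_by": r["subject"],
                             "delta_seconds": int(delta)})
    return hits


if __name__ == "__main__":
    for e in classify_account_events(SAMPLE_EVENTS):
        print(f'{e["time"]}  {e["category"]:<48} by {e["subject"]} on {e["target"]} {e["group"]}')
    for h in find_rapid_privilege_grants(SAMPLE_EVENTS):
        print(f'ALERT: {h["account"]} created by {h["created_by"]} and added to '
              f'{h["group"]} by {h["added_by"]} after {h["delta_seconds"]}s')
```

Run against the sample data, the onboarding by "helpdesk" is classified but not flagged because "Remote Desktop Users" is not in the sensitive set, while "svc_backup" is flagged 32 seconds after creation. The same two functions work on records exported from a real Security log once the XML or CSV fields have been mapped to the `time`, `id`, `subject`, `target` and `group` keys; on a system where this audit category is still at its default (off, or success-only on a domain controller) there will simply be no 47xx records to correlate, which is the point the excerpt makes about needing the category enabled.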