Evaluating Account Management Events
The account management category of events (as discussed in Chapter 12, “Windows Event Logs”) is used to record changes to accounts and group membership. This includes the creation, deletion, and disabling of accounts; modifying which accounts belong to which groups; account lockouts and reactivations; and a few other activities. By activating auditing for these events on a Windows system, you can detect many of the activities attackers perform after they gain access to a system. By default, only a Windows Server 2003 or 2008 domain controller will have this audit category enabled, and then it is enabled only for success events. Fortunately, we do not investigate the default. We investigate production environments ...
Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.