Incident Response

Incident Response: Windows Account Management Event (Part 1)

To ensure a system performs well and maintains its integrity, it is extremely important to monitor and manage events on that system. Event Logs, which are part of the Windows system, originate from activities on the system and, therefore, an administrator or any user can check them locally or remotely at regular intervals. Additionally, Windows Account Management Events—which include critical logs related to user account creation, deletion, and modification—play a vital role in tracking identity-related changes. Subsequently, you can import and view these logs in a SIEM tool to support efficient Incident Response.

Table of Contents

  • Security Policy Settings
  • Advantage of security settings
  • Event Log
  • Account Management Events
  • Events in Windows 10 system

Security Policy Settings

Administrators use a set of rules to configure a computer or multiple devices for securing resources on a device or network. Moreover, the Security Settings extension of the Local Group Policy Editor enables you to define a security configuration as part of a Group Policy Object (GPO).

Administrators link the GPOs to Active Directory containers such as sites, domains, or organizational units, and as a result, they can manage security settings for multiple devices from any device joined to the domain. Furthermore, you can use security settings policies as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization.

Advantage of Security Setting

  • A user authenticates in a network or on a device.
  • Additionally, the system defines the resources that any user is permitted to access.
  • Whether to record a user’s or group’s actions in the event log.
  • Membership of a user in a group.

Event Log

The event logs typically record services from various sources and subsequently store them in a single location. These logs may include Security, System, and Application events. Therefore, as an incident responder, you should look for multiple sources of log information and also remember to examine older log files, which might be available in backup systems or volume shadow copies.

Moreover, when you assess the Event Logs, you will find that the Event IDs include various field details with them;

Windows Account Management Event (Part 1)

Account Management Events

The Account Management feature plays an extremely important role, and you can use these events to track the maintenance of user, group, and computer objects in Local Users and Groups, as well as in Active Directory.

Additionally, you can use Account Management events to track the creation of a new user account, any password resets, or any new members added to groups or removed from them.

Furthermore, you can categorize account management events into different types.

Events in Windows 10 system

To see how this works, let’s get you started with Account Management Events.

To view the security policy and setting, press ‘Windows+R’ and type

secpol.msc

Here, you can see that audit policies display ‘no auditing,’ and therefore, you need to activate them to view these events.

Windows Account Management Event (Part 1)

When you open the properties of audit account management, check the success and failure attempts and press ok.

Next, you can observe that the security setting has been updated, and as a result, the logs for account management are now active.

Now to Open Event Viewer, press ‘Windows+r’ and type

eventvwr.msc

So, let’s check the logs created by these events. Power on your Windows 10 systems.

Event ID 4720

Windows Account Management Event (Part 1)

To see how this works, open command-prompt, create a new user.

net user username /add

After you create a new user, you can see below that the 4720 event is created, and you can also view the account name.

Windows Account Management Event (Part 1)

Event ID 4722

Subsequently, after you enable a new user account, the system generates event 4722, along with the account name.

Event ID 4724

When the password for a user account was changed, it displays that an attempt to change the password was successful.

Windows Account Management Event (Part 1)

Event ID 4725

To disable a user account using command prompt, you can type

net user username /active:no

When you successfully disabled an account the results in the event viewer are displayed as below.

Windows Account Management Event (Part 1)

Event ID 4726

To delete a user account using command prompt, you can type

net user username /delete

When the account is deleted successfully, this event is created and the user account name is also displayed.

Windows Account Management Event (Part 1)

Event ID 4731

Go to local users and groups and created a new group. Here you see that a new group is created named ignite.

Windows Account Management Event (Part 1)

Furthermore, when you create a new security-enabled local group, you can see that the system generates this event in the Event Viewer along with its name.

Event ID 4732

Windows Account Management Event (Part 1)

To add a new member to the security-enabled local group, type

net localgroup groupname username /add

You see that the new member is added to the group and the user name is also displayed.

Event ID 4733

As a member is removed from the group, this event is generated.

Event ID 4734

Windows Account Management Event (Part 1)

To delete a security-enabled group using command prompt, you can type,

net localgroup groupname /delete

When the security-enabled local group is deleted, this event is generated and the name of the deleted group is also displayed.

Event ID 4735

When the security-enabled local group is changed, this event is generated and the name of the group is also displayed.

Windows Account Management Event (Part 1)

Event ID 4738

When the user account is changed, this event is displayed.

Event ID 4798

When a local user’s group is enumerated, you see that this log is created.

Windows Account Management Event (Part 1)

Conclusion

These were the Account management events in Windows 10, to view more on Windows Server 2016, part 2 is here.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here