Detect Domain Admins Logons to Workstations


This short blog shows one technique for detecting logons of Domain Administrators (DA) to workstations from your SIEM. This is important because such a logon signals either malicious activity or a policy violation by your admins.

Requirements

  • The Audit Group Membership audit policy (Logon/Logoff category) must be enabled.
  • A WINDOWS_DC_HOSTS list in the SIEM that contains the hostnames of all Domain Controllers (DC) in the AD.

Note that enabling the Audit Group Membership audit policy is recommended by both CIS and Microsoft.

The Event ID of interest is 4627, which lists the groups the logged-on account belongs to. Event ID 4627 is generated alongside each successful logon (4624), making it as noisy as 4624.

A sample SIEM query that hunts for Domain Admin logons to workstations:

EventSource=MicrosoftWindows EventID=4627 -user=*$ -host IN WINDOWS_DC_HOSTS
-domain IN ["Window Manager", "Font Driver Host"] GroupMembership="*-512}*"

Query Breakdown

  • -domain IN ["Window Manager", "Font Driver Host"] is required because even a single user logon generates multiple 4624 events originating from different system processes like winlogon.exe, services.exe, etc.
  • -user=*$ filters out computer accounts.
  • -host IN WINDOWS_DC_HOSTS filters out domain controllers.
  • GroupMembership="*-512}*" hunts for Domain Admins (DA), as S-1-5-21-<domain>-512 is the SID of DA.
    Remember that the Windows Event Viewer resolves SIDs, so you cannot search for "*Domain Admins*" even though that is what you see in the Event Viewer UI.

Note that this technique can even detect logons by new Domain Admins created by attackers, and the provided query can easily be modified to hunt for, say, Enterprise Admin logons to workstations.

PS: Notice that 4627 also has a Logon Type field, so you can further refine the search query to look for specific logon types such as RDP.
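The same filters as the query above, written out as an added Python example (not code from the original post) and run over a handful of constructed 4627 records; the WINDOWS_DC_HOSTS contents, domain SID, users and hostnames are all made-up assumptions, and the optional logon_types argument implements the Logon Type refinement mentioned in the PS.

```python
import re

# Stand-in for the SIEM's WINDOWS_DC_HOSTS list (hostnames are made up).
WINDOWS_DC_HOSTS = {"DC01", "DC02"}
# Account domains dropped by the query's "-domain IN [...]" clause.
EXCLUDED_DOMAINS = {"Window Manager", "Font Driver Host"}
# Domain Admins RID 512 as written in the raw Group Membership field, where each
# SID appears as %{S-1-5-21-<domain>-512}; this mirrors the query's "*-512}*".
DA_SID_PATTERN = re.compile(r"-512\}")

def is_da_workstation_logon(event, logon_types=None):
    """True when a 4627 event records a Domain Admin logon to a non-DC host.
    logon_types, if given, keeps only those Logon Type values (e.g. {10} for RDP)."""
    if event.get("EventID") != 4627:
        return False
    if event["User"].endswith("$"):               # -user=*$ : computer accounts
        return False
    if event["Host"] in WINDOWS_DC_HOSTS:         # -host IN WINDOWS_DC_HOSTS
        return False
    if event["Domain"] in EXCLUDED_DOMAINS:       # -domain IN [...]
        return False
    if logon_types is not None and event.get("LogonType") not in logon_types:
        return False
    return DA_SID_PATTERN.search(event["GroupMembership"]) is not None

def find_da_workstation_logons(events, logon_types=None):
    """Run the filter over a batch of events; returns (user, host, logon type) hits."""
    return [(e["User"], e["Host"], e.get("LogonType"))
            for e in events if is_da_workstation_logon(e, logon_types)]

# Constructed sample events (fictitious domain SID, users and hosts).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {"EventID": 4627, "Host": "WS-042", "Domain": "CORP", "User": "jdoe",        # DA over RDP: hit
     "LogonType": 10, "GroupMembership": f"%{{{DOM}-513}}\n%{{{DOM}-512}}"},
    {"EventID": 4627, "Host": "WS-042", "Domain": "CORP", "User": "WS-042$",     # computer account
     "LogonType": 5, "GroupMembership": f"%{{{DOM}-515}}"},
    {"EventID": 4627, "Host": "DC01", "Domain": "CORP", "User": "jdoe",          # DA on a DC: expected
     "LogonType": 2, "GroupMembership": f"%{{{DOM}-513}}\n%{{{DOM}-512}}"},
    {"EventID": 4627, "Host": "WS-042", "Domain": "Window Manager", "User": "DWM-1",  # system noise
     "LogonType": 2, "GroupMembership": "%{S-1-5-90-0-1}"},
    {"EventID": 4627, "Host": "WS-017", "Domain": "CORP", "User": "asmith",      # plain domain user
     "LogonType": 2, "GroupMembership": f"%{{{DOM}-513}}"},
    {"EventID": 4627, "Host": "WS-017", "Domain": "CORP", "User": "bjones",      # DA at console: hit
     "LogonType": 2, "GroupMembership": f"%{{{DOM}-512}}"},
]

if __name__ == "__main__":
    for hit in find_da_workstation_logons(SAMPLE_EVENTS):
        print("Domain Admin logon to workstation:", hit)
```

Only jdoe's RDP session and bjones's console logon survive the filter; the DC logon, the computer account and the virtual-account noise are dropped as the query intends.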

Conclusion

This blog shows one of many possible ways to detect Domain Admin logons to workstations, which must not be allowed in enterprise environments for obvious reasons. Microsoft has a nice guide on securing Domain Admins groups in Active Directory.