Friday, 4 September 2020

Hunting Local Accounts and Groups Changes using Sysmon

   Visibility on local accounts and groups changes is as important as for Domain ones for both good systems hygiene and security. attackers may add or change existing local account to persist, escalate privileges or simply to bypass any existing known accounts monitoring. In this post we will try to highlight some of the standard options to enable monitoring local accounts and also share some less known tricks that you can leverage using your existing Sysmon or EDR for hunting local accounts activities.

A) Windows Native Event Logs:

Windows provides good auditing for this category of changes under Account Management Audit Policy:


below example of event-id 4720 recording a local account creation activity:

adding user support to the local Administrators group is also covered by event-id 4732:


As can be seen, both events provide good details such as when, who did the action and other relevant details and it's important to capture those events where feasible. This method provides a reasonable resilience level but often subject to common audit policy and central logs collection issues.

B) Process Activity:

This is the most common approach, monitoring system command-line value such as net.exe or net1.exe with args containing keywords such as "/add", "administrators" is good and must have but not that resilient if the same activity is done via  APIs or using an uncommon utility.

C) APIs Hooking:

This approach consists of hooking relevant System APIs such as NetUserAdd, NetLocalGroupAddMemberNetUserSetInfo and NetLocalGroupSetInfo which is indeed a more resilient approach than the Process Command-line one but still subject to evasions techniques such as hooking/unhooking, direct Syscalls or RPC via MS-SAMR (SamrCreateUserInDomain, SamrAddMemberToGroup ):


D) Sysmon:

Sysmon provides great set of events covering different type of actions but none of them is specific to local accounts changes. one easy approach is to monitor process creation with user name like "MachineNamePatterns\*" but this provides clues on the activities conducted by a local account and not related to account creation or modification.

we know also that most local accounts activity tend to be saved on the SAM registry hive, and we also known that Sysmon provides visibility on Registry changes via events 12 (key creation or deletion) and 13 (registry value modification) so let's try to do the same action we did before with ProcMon ON and see if there are any relevant changes we can use for hunting:

Main changes that are relevant to our immediate hunting needs are:

  • New Local Account Name means new registry key HKLM\SAM\SAM\DOMAINS\Account\Users\Names\<accountname> (Sysmon 12 👍):

  • Similar to account creation, local account deletion can be detected using Sysmon EventID 12 (EventType eq to DeleteKey):

  • Account added or deleted from local Administrators Group means changes to HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\ 
00000220 is the local Administrators group Alias on Windows

which we can also confirm by looking at the changed binary data value

 000003F8 is a unique key name (RID) associated to the account support which was appended to the Administrators Alias C value: