MicrosoftLearning / SC-200T00A-Microsoft-Security-Operations-Analyst


Mod 07 Lab1 Ex 7 #237

Closed djcmct closed 2 months ago

djcmct commented 6 months ago

Contact Details

davecooke1967@gmail.com

What happened?

Auditing not enabled correctly on WINServer.

I know the issue regarding auditing of 4688 events was recently resolved; unfortunately, that fix seems to have broken auditing of 4732 events. Consequently, the command to create the local user account and add it to the local administrators group is not recorded and the subsequent detections fail. This can be fixed by enabling Account Management events in the local Audit Policy, but this gets undone if WINServer is rebooted.

Lab

Lab 07 Exercise 06 Create Detections

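Added example, not part of the issue thread or the lab's own scripts: a PowerShell check that the audit subcategories behind events 4688 and 4732 have success auditing enabled, turns them on if they do not, and shows when each event was last logged. It assumes an elevated session and an English-language Windows install (auditpol subcategory names are localized); because the report above says the setting is lost on reboot, run it again after restarting the VM.

```powershell
# Added example. Run in an elevated PowerShell session on the lab VM.
# Assumption: English subcategory names as printed by auditpol.

# Event IDs named in the issue, with the audit subcategory that emits each one.
$required = @(
    @{ EventId = 4688; Subcategory = 'Process Creation' },          # Detailed Tracking
    @{ EventId = 4732; Subcategory = 'Security Group Management' }  # Account Management
)

function Test-SuccessAuditing {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r prints CSV; "Inclusion Setting" is e.g. "Success", "Success and Failure"
    # or "No Auditing".
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv
    return [bool]($row.'Inclusion Setting' -match 'Success')
}

foreach ($item in $required) {
    $wasEnabled = Test-SuccessAuditing -Subcategory $item.Subcategory
    if (-not $wasEnabled) {
        Write-Warning "Success auditing is off for '$($item.Subcategory)'; enabling it."
        auditpol /set /subcategory:"$($item.Subcategory)" /success:enable | Out-Null
    }

    # Most recent matching event, if any, to confirm the log is actually receiving them.
    $latest = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $item.EventId } `
        -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EventId        = $item.EventId
        Subcategory    = $item.Subcategory
        EnabledBefore  = $wasEnabled
        EnabledNow     = Test-SuccessAuditing -Subcategory $item.Subcategory
        LastEventTime  = $(if ($latest) { $latest.TimeCreated } else { 'none logged' })
    }
}
```

If `EnabledBefore` is false again after a reboot, the local setting is being overwritten at startup and the fix has to be applied wherever the VM's policy is defined.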

KenMAG commented 5 months ago

I will attempt to duplicate this.

MSFT-MarcoEs commented 3 months ago

@KenMAG I did see this issue: image

KenMAG commented 2 months ago

I just updated this lab. So, I am closing this for now. Let me know if it is fixed or not. Thanks.