I know the issue regarding Auditing of 4688 events was recently resolved; unfortunately, that fix seems to have broken auditing of 4732 events. Consequently, the command to create the local user account and add it to the local administrators group is not recorded and the subsequent detections fail.
This can be fixed by enabling Account Management events in the local Audit Policy, but this gets undone if WINServer is rebooted.
Lab
Lab 07 Exercise 06 Create Detections
Relevant screenshots
paste here 😉
Do you want to help us? 👏
[ ] Create a Pull Request by following this project's Contribution Guide
Contact Details
davecooke1967@gmail.com
What happened?
Auditing not enabled correctly on WINServer.
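A way to check the audit settings this report depends on, as an added example that is not part of the original issue or the lab's own scripts. It assumes an elevated PowerShell session on WINServer and the English subcategory names; the `-Fix` switch and the function name are hypothetical.

```powershell
# Added example: verify, and optionally re-enable, the audit subcategories
# behind the two event IDs named in this issue (4688 and 4732).
param([switch]$Fix)   # hypothetical switch: re-enable Success auditing when missing

# Subcategory name -> event ID from the issue text
$required = [ordered]@{
    'Process Creation'          = '4688'   # Detailed Tracking category
    'Security Group Management' = '4732'   # Account Management category
}

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r makes auditpol emit CSV; the "Inclusion Setting" column holds
    # "No Auditing", "Success", "Failure" or "Success and Failure".
    $csv = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match ',' }          # drop blank lines around the CSV
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

$results = foreach ($name in $required.Keys) {
    $setting = Get-AuditSetting $name
    $ok = $setting -match 'Success'

    if (-not $ok -and $Fix) {
        # Same effect as ticking "Success" for this subcategory in the local policy
        auditpol /set /subcategory:"$name" /success:enable | Out-Null
        $setting = Get-AuditSetting $name
        $ok = $setting -match 'Success'
    }

    [pscustomobject]@{
        Subcategory    = $name
        EventId        = $required[$name]
        Setting        = $setting
        SuccessAudited = $ok
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any required subcategory is still not audited
if ($results.SuccessAudited -contains $false) { exit 1 }
```

Running it without `-Fix` after a reboot shows whether the setting has reverted; it does not address why the reboot undoes the change.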