Thursday, September 3, 2015

Splunk Investigation - Who Enabled That Account

The objective of this post is to quickly determine, using Splunk, who enabled a particular account.

Searching for "SecurityNik" across "All Time" returned "28,376 events (before 7/10/15 11:13:04.000 AM)".

From below, we see that on "07/08/2015 06:31:55 PM" the "SecurityNik" account was disabled by user "OtherAdmin" on computer "SecurityNik_DC.securitynik.com", which is one of the Domain Controllers.

07/08/2015 06:31:55 PM
    EventCode=4738
    Message=A user account was changed
    ComputerName=SecurityNik_DC.securitynik.com
   
    Subject:
        Security ID:    SECURITYNIK\OtherAdmin
        Logon ID:    0x13309228
           
    Target Account:
            Security ID:    SECURITYNIK\SecurityNik    
       
        Old UAC Value:    0x10210
        New UAC Value:    0x10211
       
        User Account Control:    Account Disabled
   

Below shows that the account "SecurityNik" was also disabled on "03/13/2015 11:27:03 AM", this time by user "SecurityAdmin". While above it was disabled on the Domain Controller "SecurityNik_DC.securitynik.com", in this case it was disabled on "SECURITYNIK_TS".

03/13/2015 11:27:03 AM
    EventCode=4738
    Message=A user account was changed
    ComputerName=SECURITYNIK_TS

    Subject:
        Security ID:    SECURITYNIK_TS\SecurityAdmin
        Logon ID:    0x85817e4d

    Target Account:
        Security ID:    SECURITYNIK_TS\SecurityNik

        Old UAC Value:    0x10
        New UAC Value:    0x11

        User Account Control:
            Account Disabled

Analyzing "SECURITYNIK_TS"

Running the command "C:\>net user | findstr /i SecurityNik" on "SECURITYNIK_TS" determined that the user "SecurityNik" has an account on that machine.
   

Learning more about account "SecurityNik"

Running "C:\>net user SecurityNik" shows the following (irrelevant lines removed):
    User name                    SecurityNik
    Full Name                    SecurityNik
    Account active               No
    Last logon                   7/20/2014 10:42:40 PM
   
The information above confirms that the "SecurityNik" account is currently disabled on computer "SECURITYNIK_TS".


"SecurityNik" account being enabled on "SECURITYNIK_TS"

Below shows that the "SecurityNik" account was enabled on "SECURITYNIK_TS" by user "SecurityAdmin". Please note this "SecurityAdmin" account is local to that machine and is not a Domain account.

06/10/2014 04:38:00 PM
    EventCode=4738
    ComputerName=SECURITYNIK_TS
    Message=A user account was changed.
   
   
    Subject:
        Security ID:    SECURITYNIK_TS\SecurityAdmin
        Logon ID:        0x4a072799

    Target Account:
        Security ID:    SECURITYNIK_TS\SecurityNik
       
    User Account Control:   
        Account Enabled

   

"SecurityNik" account being enabled on "SecurityNik_DC.securitynik.com"

Below shows that the account "SecurityNik" was enabled on "06/10/2014 10:12:52 AM" by user "OtherAdmin".

06/10/2014 10:12:52 AM
    EventCode=4738
    ComputerName=SecurityNik_DC.securitynik.com
    Message=A user account was changed.

    Subject:
        Security ID:    SECURITYNIK\OtherAdmin
        Logon ID:        0xa6644425

    Target Account:
        Security ID:    SECURITYNIK\SecurityNik

    User Account Control:
        Account Enabled


The findings at this point are that, for the domain "securitynik.com", user "SecurityNik" was last enabled on "06/10/2014 10:12:52 AM" by account "OtherAdmin". In addition, the local account for "SecurityNik" on computer "SECURITYNIK_TS" was enabled by the local account "SecurityAdmin".
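The same determination can be reproduced offline from the pasted 4738 records. The script below is an added example, not part of the original post or of Splunk; it assumes the records are pasted in the same text shape shown above (separated by blank lines), and its sample input is constructed from the post's own four events. It answers the post's question per host (the domain controller and the local machine are tracked separately, since both have a "SecurityNik" account) and also decodes the Old/New UAC Value transition so that "0x10 -> 0x11" reads as the single "Account Disabled" bit being set. The UAC bit table is the encoding used by events 4720/4738, not the LDAP userAccountControl layout; only 0x1 and 0x10 are confirmed by the post's own values, the other entries are from Microsoft's event documentation as I recall it, and any bit not in the table is reported raw rather than guessed. In Splunk itself, a narrower search along the lines of `EventCode=4738 "Account Enabled" SecurityNik` (my assumption, not the post's search) would return just the enable events that this script filters for.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed sample: the four 4738 records from the post, trimmed to the
# lines the parser needs (same hosts, principals, timestamps and UAC values).
SAMPLE_EVENTS = r"""
07/08/2015 06:31:55 PM
    ComputerName=SecurityNik_DC.securitynik.com
    Subject:
        Security ID:    SECURITYNIK\OtherAdmin
    Target Account:
        Security ID:    SECURITYNIK\SecurityNik
        Old UAC Value:    0x10210
        New UAC Value:    0x10211
        User Account Control:    Account Disabled

03/13/2015 11:27:03 AM
    ComputerName=SECURITYNIK_TS
    Subject:
        Security ID:    SECURITYNIK_TS\SecurityAdmin
    Target Account:
        Security ID:    SECURITYNIK_TS\SecurityNik
        Old UAC Value:    0x10
        New UAC Value:    0x11
        User Account Control:
            Account Disabled

06/10/2014 04:38:00 PM
    ComputerName=SECURITYNIK_TS
    Subject:
        Security ID:    SECURITYNIK_TS\SecurityAdmin
    Target Account:
        Security ID:    SECURITYNIK_TS\SecurityNik
    User Account Control:
        Account Enabled

06/10/2014 10:12:52 AM
    ComputerName=SecurityNik_DC.securitynik.com
    Subject:
        Security ID:    SECURITYNIK\OtherAdmin
    Target Account:
        Security ID:    SECURITYNIK\SecurityNik
    User Account Control:
        Account Enabled
"""

# "UAC Value" bits as encoded in events 4720/4738 (not LDAP userAccountControl).
# 0x1 and 0x10 are confirmed by the post (0x10 -> 0x11 = "Account Disabled");
# the others are from Microsoft's event docs as recalled; unknown bits stay raw.
UAC_EVENT_BITS = {
    0x1: "Account Disabled",
    0x4: "Password Not Required",
    0x10: "Normal Account",
    0x200: "Don't Expire Password",
}

def decode_uac(value: int) -> list[str]:
    """Expand a 4738 UAC value into flag names; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(UAC_EVENT_BITS.items()) if value & bit]
    remainder = value & ~sum(UAC_EVENT_BITS)
    if remainder:
        names.append(f"unknown 0x{remainder:x}")
    return names

def uac_transition(old: int, new: int) -> dict[str, list[str]]:
    """Flags set and cleared between the Old and New UAC values of one event."""
    return {"set": decode_uac(new & ~old), "cleared": decode_uac(old & ~new)}

def parse_events(text: str) -> list[dict]:
    """Split blank-line separated 4738 records (as pasted from Splunk) into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        def grab(pat: str) -> str | None:
            m = re.search(pat, block)
            return m.group(1).strip() if m else None
        fields = {
            "time": grab(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)"),
            "host": grab(r"ComputerName=(\S+)"),
            "subject": grab(r"Subject:\s*Security ID:\s*(\S+)"),
            "target": grab(r"Target Account:\s*Security ID:\s*(\S+)"),
            "change": grab(r"User Account Control:\s*(.+)"),
        }
        if not all(fields.values()):
            continue  # incomplete record: skip it rather than guess
        fields["time"] = datetime.strptime(fields["time"], "%m/%d/%Y %I:%M:%S %p")
        for key in ("old", "new"):  # UAC values are absent on enable events
            raw = grab(rf"{key.title()} UAC Value:\s*(0x[0-9a-fA-F]+)")
            fields[f"{key}_uac"] = int(raw, 16) if raw else None
        events.append(fields)
    return events

def last_enabled_by(events: list[dict], account: str) -> dict[str, tuple[str, str]]:
    """Per host, the latest 'Account Enabled' change to `account`: (when, by whom)."""
    result: dict[str, tuple[str, str]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["target"].split("\\")[-1].lower() != account.lower():
            continue
        if ev["change"] == "Account Enabled":
            result[ev["host"]] = (ev["time"].isoformat(sep=" "), ev["subject"])
    return result

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, (when, who) in last_enabled_by(evs, "SecurityNik").items():
        print(f"{host}: last enabled {when} by {who}")
```

Because results are keyed by ComputerName, the domain account (enabled by SECURITYNIK\OtherAdmin on the DC) and the local account on SECURITYNIK_TS (enabled by the local SecurityAdmin) come out as two separate answers, which is exactly the distinction the post draws.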
