logging for ir - syntricate · pdf file · 2016-04-071 logging for ir introduction....
TRANSCRIPT
4/7/16
1
LoggingforIR
Introduction
4/7/16
2
• Introduction• OverviewofusinglogsforIR• Planninglogs• Detectionwithlogs• Investigationoflogs• Reportingusinglogs• OSSECLogconsolidationexample
ClassObjectives
Introduction
RobertComella
ITConsultantandEducator
GSEGCFWGSEC
GLDRGSPAGCIH
GCIAGCPMCISSP
4/7/16
3
Introduction
Gettingtoknowyou
Whatdoyoudo?Howdoyourateyourcybersecurity
knowledge?
Introduction
Currentsetup• LoggedintoWindows7GuestviaLogmein• TheguestisrunningonanUbuntuLTSsystem• ToviewtheUbuntusystemDoubleclickontheView_Server_##Icon.
• Donotviewthelowerrightworkspace(itwillshowinfiniteframeswithinframes)
4/7/16
4
RoleofLogsinIncidentResponse
LogsinIR
4/7/16
5
Logs:Preparation
• CreateLogPolicy• Whattolog• Howmuchdatatolog• Where tokeep logs• Howoftentorotatelogs• Howlongtokeep logs
• Defineknowngoodstates• Implementandauditlogpolicy
Logs:Detection
• LogsmajorsourceofIncidentdetection
• IRteamsshouldbeonthelookoutforimportantorunexpectedchanges• Newusersorgroups• SystemCrashes• AccessAttempts• Lackoflogs• Network Scans
4/7/16
6
Logs:Detection
• Itisbesttoreviewlogseveryday• Thisisboringandrepetitive• Humansaregenerallybadatboringandrepetitive
• Softwarebasedonrulescanimprovedetection
• Ruleswillneedtobecustomizedfortheenvironment
Logs:Containment• Logsfrommultiplesourceswillindicatethespreadofanincident
• Specificeventsondifferentsystemswillbesignsofinfection
• IRteamcanusethattoseetheboundariesofaproblem
4/7/16
7
Logs:Eradication• Logshelpinvestigatorstoseewhatchangesweremade• Filesthatwereadded• Usersthatarenew• Openports• NewSoftware
• Itisthenpossibletoremoveit
Logs:Recovery• Newlyrecoveredsystemshavelogsturnedup
• Theideaistoseeifinfectionre-occurs
• Iferadicationissuccessfulthenitshouldbeok
• Ifnotlogswillindicateundesiredchanges
4/7/16
8
Logs:LessonsLearned
• Logreportswillshoweventsastheyhappened
• Usethemtoinformmanagementofthingsthatwentwellandpoorly
PlanningWindowsLogs
4/7/16
9
• What Microsoft OS’s logs normally• What Microsoft OS’s can log
• **Suggestions for both**
Objectives
PreVersion7EventViewer
4/7/16
10
PostVersion7EventViewer
• DefaultwitheveryWindowsInstallation– AlthoughitsnottheonlyWindowslogfiles– Itcanauditsuccessesandfailures
• Application• Errors,Warnings,and Information
• Security• Dropped Packets,SuccessfulConnections• Logon/Logoffs
• System• Systemspecificevents
ModernWindows:ThreeMainLogs
4/7/16
11
• EventsloggedbysoftwareinstalledonaMicrosoftoperatingsystem
• Loglevelssetbyprogramdevelopers• Sometimestheycanbesetbyusers• NotallmessagesareusefulforAdmins(meantforProgramdevelopers)
• Eventshavethreelevelsofseverity
ModernWindows:Application
• Error:Asignificantproblemthathasorcouldcausedataloss– Application Failures/Crashes– BufferOverflows– Unexpected Shutdowns
• Warning:Aproblemthatisnotseriousnowbutcouldbecomesoifignored– MissingDLL’s– Incomplete installations– Troublesome firewallsettings
• Information:Describesanactionofaprogram.Canbealmostanythingadeveloperwantstoplaceintothelogs
ModernWindows:LogSeverity
4/7/16
12
• SimilartoApplicationlogs• DealsspecificallywithOperatingsystemevents
– Installationandremovalofsoftware– Patchstatus(installationsuccessorfailure)– Startupandshutdown messages– Driverinformation
• SamethreestatesasProgramEvents(Error,Warning,andInformation)
ModernWindows:SystemEvents
• Dealsspecificallywithinstallationofpatchesandothersoftware
• DomaincontrollerswillplaceadditionalinformationhereregardingActiveDirectoryeventsaswell
• Usesthesamethreestatesassystemandapplicationlogs
ModernWindows:SetupEvents
4/7/16
13
• Moreonthislater• Theseareeventsforwardedfromotherotherservers
• ThisispartofMicrosoft’sCentralLogsolution
ModernWindows:ForwardedEvents
• Tracksresourceuseonacomputer• Entriesarecalledaudits• Entrieshavetwostates
– Success: Whateverwasattemptedwaspermitted– Failure:Whateverwasattemptedfailed.Usuallyareasoncodeisincluded
• TheseeventsareMASSIVELYconfigurable• Veryfewareenabledinastandardinstall
ModernWindows:SecurityEvents
4/7/16
14
WindowsLogsLab1
ConfiguringWindowsLogs:LocalPolicy
• Securityloggingismodifiedinthelocalsecuritypolicyapplet
• Togetthere1. Clickthestartorbicon2. Type“local security
policy”3. Clickononeoftheresults
1
2
3
4/7/16
15
ConfiguringWindowsLogs:LocalPolicy• Oncelocalsecuritypolicyisopenyoumustnavigatetotheauditpolicyfolder
1
2
1. Clickonthesmalltrianglenexttolocalpolicies2. Chooseauditpolicy
• Tracks successand failureofauthentication events• Domain Controllers
– Tracks requests fordomainresources– EvenitemsnotdirectlycontrolledbytheDC
• NonDomainControllers– Tracks accountsforlocalusers– Thisisuseful even inadomain
• Examples include– 4776DomainControllerattemptedtovalidatecredentialsforanaccount– 4777DomainControllerFailedtovalidatecredentialsforanaccount
• Recommendation: TrackSuccessandFailureonallmachines
AuditPolicy:AccountLogonEvents
4/7/16
16
• Tracksaccount andgroup management– Computeraccounts– User Accounts– Groups
• Trackdifferentaspects– Creation– Destruction– Modification
• EventExamples– 4741Acomputeraccountwascreated– 4729Amemberwasremoved fromasecurityenabled globalgroup– 4720Auser accountwascreated
• Recommendation: TrackSuccessandFailureonallmachines
AuditPolicy:AccountManagement
• Tracksinteractiveandoverthenetworklogonstoacomputer– Tracksuserlog-ons– Replyattacks– Screenlockandunlockevents– Authenticationtoawirelessnetwork
• Eventexamples– 4634Anaccountwasloggedoff– 4624Anaccountwassuccessfully loggedon
• Recommendation:LogSuccessandFailureforallmachines
AuditPolicy:LogonEvents
4/7/16
17
• Thelogoneventtracksthelogonitself• Thereareseveraldifferenttypesofpossiblelogins
• Eacheventwillcontainantypecode• Examples
– 2,Interactive:Auserloggedonfromconsoletothiscomputer.
– 3,Network: Auserorcomputer loggedontothiscomputerfromthenetwork.
AuditPolicy:LogonEventtypes
• Trackschangestotheauditpoliciesthemselves– Changes– Additions– Removals
• EventExamples– 4715Theauditpolicy(SACL)onanobjectwaschanged– 4902Theperuserauditpolicy tablewascreated
• Recommendations:Auditsuccessandfailure.Changesshouldonlybedonebyknownindividualsandshouldbefullydocumented
AuditPolicy:PolicyChangeEvents
4/7/16
18
• Thiswillauditlowlevelprocessexecution– Codeexecution– File systemhandlecreationandrelease– Indirectobjectaccess– OtherlowlevelOSbehaviors
• Usuallyreservedforsystemdebugging• Cancausesignificantcomputerlag• Recommendation:Shouldremainoffunlessuserspecificallyneedsit
AuditPolicy:ProcessTrackingEvents
• Willtrackeachsuccess orfailureofauserrightaswellastheassignment oftheright
• Mostprivilegescoveredsome arenot– BypassTraverse checking– Debugprograms– Create a tokenobject– Replace processlevel token– Generate securityaudits– Backup/Restore FilesandDirectories
• Exampleevents– 4672Specialprivileges assigned tonew logon– 4673Aprivileged service wascalled
• Recommendations:Logonlyfailures,loggingsuccesses willfillthelogswiththousandsofevents duringnormalcomputeruse.
AuditPolicy:PrivilegeUseEvents
4/7/16
19
• Tracksmajorsystemevents– ComputerStart– ComputerShutdown– ClearingSystemlogs
• Eventexamples– 4608Windows isstartingup– 4609Windows isshuttingdown– 1102LogClear
• Recommendations:Auditsuccessandfailure
AuditPolicy:SystemEvents
WindowsLogsLab2
4/7/16
20
• Youmayhavenoticedweskippedtwo– AuditDirectory ServiceAccess– AuditObjectAccess
• Turningthemonisonlythefirststep• OnceonitisnecessarytomodifytheSecurityAccessControlListsofindividualitems(SACL’s)
AuditDirectoryServiceAccessandObjects
• Tracksaccesstoactivedirectoryobjects• TracksobjectsonlywhentheirSACLissettobetracked• Getsprettydeeponwhattoauditandwhatnotto• Recommendation
– Theoverallpolicy shouldbesettotracksuccessandfailure– Thisonlyenables theSACL’sonADobjects– IftheSACL’sarenotsetthenthiswilldonothing
AuditPolicy:DirectoryServiceAccess
4/7/16
21
ADSACL’sSettingupanSACLforanADobject
1. Turnonadvancedfeatures intheviewmenu
2. RightclickonanADobjectchoosepropertiesandthenthesecuritytab
3. Clicktheadvancedbutton
4. Choosetheauditingtab
5. Finallychooseadd
12
3
4
5
• SimilartoADobjectaccessonlyitdealswithallthingsnotintheADcontainers– Files– Folders– Printers– Registrykeys– BasicallyEVERYTHING else
• AgainthisonlyturnsontheSACL’s• EachobjectmusthaveitsindividualSACLsettocreateevents• Recommendation
– Setthistosuccessand failure– Otherwise SACL’snot active
AuditPolicy:AuditObjectAccess
4/7/16
22
• Itispossibletotrackeverything– Don’t!– Willcausecomputerslowdowns(asmuchas50%)– Toomuchuseless data
• Thingstoconsider(Generalpractice)– FilesandfoldersthatcontainproprietaryorsensitivedatafortheEveryonegroup(oranyothergroupthatshould nothaveaccess)
– AvoidAuditingRead/Listevents(producestremendousdata)– Donotauditexecuteactionsonexecutablefiles
• Possibleexception:Sensitiveordangeroustoolssuchasthoseintheadministrativetoolsfolder
SACL’sWhattotrack?
• Typeofserverisusuallyabaseline– IISserversarecommonlyattacked trackingheavilymaybejustified
– Domain controllersarebusybutusuallyinamoresecure location,trackinglesshere islikelyOK
– Database serversmaywishtotrackaccesstothedata
SACL’sWhattotrack?
4/7/16
23
• %Systemroot%and%ProgramFiles%-- UserEveryone– Delete– CreateFiles/WriteData– CreateFolders /Append Data– WriteAttributes– Change Permissions
• Why– Applications should writealltheir temp filesto%TEMP%not to
%Systemroot%and%ProgramFiles% ifthat isnothappening then itisinteresting
– Notallprogramsarewellbehaved -- individually markoutofordinarybehavior
SACL’sWhattotrack?
• %TEMP%-- Usereveryone– Carefulherecancausemassivedata– Ifyouareparanoidthenyoucan– Keepitsmall
• ChangePermissions• WriteAttributes• WriteExtendedAttributes
• AbetterapproachmaybetosimplyuseAntivirus
SACL’sWhattotrack?
4/7/16
24
• Allfilesandfoldersallusers• Track
– Takeownership– ChangePermissions
• Printers– Mostoftheirfunctions canbetrackedforeveryone– Doesnotproducemuchdataevenonabusyprinter– Notamajorsourceofbadness butcanfindmisuse
SACL’sWhattotrack?
• WhataboutADandregistry?• Ifyouhaveweekstoplaywiththemdoso!• Ifyouwantaneasiersolutiondonotstartfromscratch.• Securitytemplatesareavailable
– Microsoft– NSA– NIST– CIS
• Thetemplatescontaingoodsettingsfordifferentservers
SACL’sWhattotrack?
4/7/16
25
WindowsLogsLab3
WindowsLogPlanningContinued
4/7/16
26
• IfthewindowsserverisrunningDNSaDNSlogwillexist
• ItcanbeviewedfromwithintheDNSservice– ChooseDNSeventsfromtheconsole tree– DNSà [DNSServername]à EventViewerà DNSEvents
• ItcontainseventswhichrefertoDNSserveroperations
WindowsSpecialLogs:DNS
• Logfileschanged location– IIS5.0/6.0:%SYSTEMROOT%\System32\Logfiles– IIS7andup:%SYSTEMDRIVE%– ItisalsopossibletologdirectlytoanODBCcompliantdatabase
• SQL• Mysql• Access
• Logsarecontrolled fromwithin IIS– Bydefaultalllogsare on– Logscanbecontrolledfilebyfile
• Select properties onafile• Select the file tabanduncheck the“LogVisits”box(Before7)• There isan Iconnowafter 7
• Logsstored inanextended text format
WindowsSpecialLogs:IIS
4/7/16
27
• IISLoghelpfulhints– GetthemofftheserverASAP– Maintargetforhackers– WGETorSSLcanworkifnotusingODBCalready
WindowsSpecialLogs:IIS
• Priortowindows7eventlogsarestoredinaproprietaryformat(.evt)
• Theywerelocatedinthedirectory%SYSTEMROOT%\system32\config
• From7onthelogsarestoredinacompressedxmlformat
• Theyarenowlocatedin%SYSTEMROOT%\System32\Winevt\LOGS
• Itispossibletomovethefilestoadifferentlocation
LogFormatandlocation
4/7/16
28
• Logfilescannotgrowforever• Theyareassignedafinitesize
– Priortowin7thetotalsizehadtobekeptbelow300MB• Awellknown bugstilloccurs• Itprevents allevents frombeingwritten tothe logs
– FromWin7onthesizecangrowuptothesizeofthevolumethatcontainsthefile
• Logfilesizescanbemanuallysetorsetbysecuritytemplates
• 1MBcontainsabout7500logentries
LogFormatandlocation
• Overwriteeventsasneeded:Itwillstartwiththeoldesteventsandsimplybegintooverwrite
• Overwriteeventsolderthanxdays:Thenumberofdayscanbesetbytheadminandthelogswillbeginoverwritingtheoldesteventgreaterthanxdaysold
• Donotoverwriteevents(Clearlogsmanually):Justlikeitsays.Logsmustbeclearedmanually– Messagesarelostataminimum– Someapplicationswillnotrunwithoutloggingsothereforetheserverusuallyhangs
Optionsforfulllogfiles
4/7/16
29
Paranoidenvironments– Neveroverwrite– Canuseaprogramorascripttobackupuplogsthenclearthem
• Wevtutil sl<logname>/ca:<securityDescriptor>• Oneexample
– Ifattackersfilllogstocovertheirtracks• Serverwillhang• Butyou donot losethe logs• Theattackercansimplyclear logsthemselves iftheyhave theaccess
Optionsfordealingwithlogrotation
• CriticalServers– Overwriteafterxdays– Agoodplanistosetxtotwo timesyourbackup rate– Thatwayyouhavetwocompletesetof logsonyourbackuptapesatalltimes
• Otherservers/workstations– Overwriteasnecessary– Uptimeandlackofinterruptions forconvenience
Optionsfordealingwithlogrotation
4/7/16
30
• Moreonthislater• Makestheattackersjobmuchmoredifficult
– Logsarenotontheservertomanipulate– Can’tfilluptheserver(unlessinextreme)
• Otheradvantagesexist• Therearesomechallengesthatmustbeovercome
Centrallogging
Appendix:Loggingoptions1of2• TraverseFolder/ExecuteFile• Traverse Folderallowsordeniesmovingthroughfolderstoreachotherf ilesorfolders,evenif theuserhasnopermissionsfor thetraversedfolders.TraverseFoldertakeseffectonly
whenthegrouporuserisnotgrantedtheBypasstraversecheckinguserrightintheGroupPolicyManagementConsole.Bydefault,theEveryonegroupisgrantedtheBypasstraversecheckinguserright.(Appliestofoldersonly.)
• Execute File allowsordeniesrunningprogramf iles.(Appliestof ilesonly.)• SettingtheTraverse FolderpermissiononafolderdoesnotautomaticallysettheExecuteFile permissiononallf ileswithin thatfolder.• ListFolder/ReadData• ListFolderallowsordeniesviewing f ilenames andsubfoldernameswithinthefolder.ListFolderaffectsthecontentsofthatfolderonlyanddoesnotaffectwhetherthefolderyouare
settingthepermissiononwillbelisted.(Appliestofoldersonly.)• ReadData allowsordeniesviewing datainf iles. (Appliestof ilesonly.)• ReadAttributes• Allowsordeniesviewingtheattributesof af ileorfolder,suchasread-onlyandhidden.Attributesaredef inedbyNTFS.• ReadExtendedAttributes• Allowsordeniesviewingtheextended attributesof af ileorfolder.Extendedattributesaredef inedbyprogramsandmayvarybyprogram.• CreateFiles/WriteData• Create Files allowsordeniescreatingf iles withinthefolder.(Appliestofoldersonly.)• Write Dataallowsordeniesmaking changes tothef ileandoverwritingexistingcontent.(Appliestof ilesonly.)• CreateFolders/AppendData• Create Foldersallowsordeniescreatingfolderswithinthefolder.(Appliestofoldersonly.)• AppendDataallowsordeniesmaking changestotheendof thef ilebutnotchanging,deleting,oroverwritingexistingdata.(Appliestof ilesonly.)• WriteAttributes• Allowsordenieschangingtheattributesof af ileorfolder,suchasread-onlyorhidden.Attributesaredef inedbyNTFS.• TheWriteAttributespermissiondoesnotimplycreatingordeletingf ilesorfolders;itonlyincludesthepermissiontomakechangestotheattributesof af ileorfolder.Toallow(ordeny)
create ordelete operations,seeCreateFiles/WriteData,CreateFolders/AppendData,DeleteSubfoldersandFiles,and Delete .• WriteExtendedAttributes• Allowsordenieschangingtheextendedattributesof af ileorfolder.Extendedattributesaredef inedbyprogramsandmayvarybyprogram.• TheWriteExtended Attributespermissiondoesnotimplycreatingordeletingf ilesorfolders;itonlyincludesthepermissiontomakechangestotheattributesofaf ileorfolder.Toallow
(ordeny) createordeleteoperations,see CreateFiles/WriteData,CreateFolders/AppendData,DeleteSubfoldersandFiles,and Delete.• DeleteSubfoldersandFiles• Allowsordeniesdeletingsubfoldersandf iles,evenif theDelete permissionhasnotbeengrantedonthesubfolderorf ile.
4/7/16
31
Appendix:Loggingoptions2of2• Delete• Allowsordenies deleting the fileorfolder. If youdonothaveDelete permissionona fileorfolder,
youcanstilldelete it ifyouhavebeengranted Delete SubfoldersandFilesontheparent folder.• ReadPermissions• Allowsordenies readingpermissionsofthe fileorfolder, suchasFullControl,Read,andWrite.• ChangePermissions• Allowsordenies changingpermissionsofthefileor folder, suchasFullControl,Read, andWrite.• Take Ownership• Allowsordenies takingownershipofthe fileorfolder.The ownerofa fileorfoldercanalways
changepermissionsonit, regardless ofanyexistingpermissionsonthe fileorfolder.• Synchronize• Allowsordenies different threads towaitonthehandle forthe fileor folderandsynchronizewith
another thread thatmay signalit.Thispermissionappliesonlytomultithreaded, multiprocessprograms.
Appendix:LogonTypesLogon Type
Logon Title Description
2 Interactive A user logged on from console to this computer.
3 Network A user or computer logged on to this computer from the network.
4 Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 Service A service was started by the Service Control Manager.
7 Unlock This workstation was unlocked.
8 NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext also called cleartext.
9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
4/7/16
32
W2k W2k3XP
Description
672 672 An authentication service (AS) ticket was successfully issued and validated (2000). An authentication service (AS) ticket was requested (2008). It is logged on DC Only.
673 673 A ticket granting service (TGS) ticket was granted. Win2003 and Win2008 use this for both successful and failed service ticket requests with the proper Kerberos result/failure code.
674 674 A security principal renewed an AS ticket or TGS ticket.
675 675 Preauthentication failed. This event is generated on a Key Distribution Center (KDC) for the Kerberos errors during authentication.
676 672 Authentication ticket request failed. See the Kerberos Error Code.
677 673 A TGS ticket was not granted (failed). This event 677 in Windows 2000 is replaced with 673 in Windows XP/2003 family) and 4769 with later versions with audit type/codes for failures.
678 678 An account was successfully mapped for logon to a domain account. Not common.
680 680 Account used for logon by. Logged for local user (local SAM) authentication. DC logs this event for NTLM authentication.
681 680 Logon failure on Windows 2000 for NTLM authentication. A domain account logon was attempted. This event is replaced with 680 in Windows XP/2003 family and 4776 with Windows 2008/Vista onwards with the audit type/codes for failures.
682 682 A user has reconnected to a disconnected terminal session.
683 683 A user disconnected a terminal session without logging off.
Appendix:PreVistaAccount(1of3)
W2k W2k3XP
Description
528 528 Successful logon: A user successfully logged on to a computer. For information about the type of logon, see the next section.
529 529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. For Windows 2008 and above, event ID 4625 logs every failed logon attempt with failure status code regardless of logon type or type of account.
530 530 Logon failure for a logon attempt to log on outside of the allowed time.
531 531 Logon failure for a logon attempt using a disabled account.
532 532 Logon failure for a logon attempt using an expired account.
533 533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534 534 Logon failure. The user attempted to log on with a type that is not allowed.
535 535 Logon failure. The password for the specified account has expired.
536 536 Logon failure. The Net Logon service is not active.
537 537 Logon failure. The logon attempt failed for other reasons. In some cases, the reason for the logon failure may not be known.
Appendix:PreVistaAccount(1of3)
4/7/16
33
Appendix:Events(3of3)W2k W2k3
XPDescription
538 538 The logoff process was completed for a user.
539 539 Logon failure. The account was locked out at the logon.
540 540 Successful network logon: A user successfully logged on over a network.
538 551 A user initiated the logoff process. It is logged for Interactive and RemoteInteractive logons in place of logoff event 538/4634.
552 552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682 682 A user has reconnected to a disconnected terminal session.
683 683 A user disconnected a terminal session without logging off.
2012, 2008Vista, 7, 8
Description
4741 A computer account was created.
4742 A computer account was changed.
4743 A computer account was deleted.
4739 Domain Policy was changed.
4782 The password hash an account was accessed.
4727 A security enabled global group was created.
4728 A member was added to a security enabled global group.
4729 A member was removed from a security enabled global group.
4730 A security enabled global group was deleted.
4731 A security enabled local group was created.
4732 A member was added to a security enabled local group.
Appendix:AccountMgmt.(1of3)
4/7/16
34
2012, 2008Vista, 7, 8
Description
4733 A member was removed from a security enabled local group.
4734 A security enabled local group was deleted.
4735 A security enabled local group was changed.
4737 A security enabled global group was changed.
4754 A security enabled universal group was created.
4755 A security enabled universal group was changed.
4756 A member was added to a security enabled universal group.
4757 A member was removed from a security enabled universal group.
4758 A security enabled universal group was deleted.
4720 A user account was created.
4722 A user account was enabled.
Appendix:AccountMgmt.(2of3)
2012, 2008Vista, 7, 8
Description
4723 An attempt was made to change an account's password.
4724 An attempt was made to reset an account's password.
4725 A user account was disabled.
4726 A user account was deleted.
4738 A user account was changed.
4740 A user account was locked out.
4765 SID History was added to an account.
4766 An attempt to add SID History to an account failed.
4767 A user account was unlocked.
4780 The ACL was set on accounts which are members of administrators groups.
4781 The name of an account was changed:
Appendix:AccountMgmt.(3of3)