YossiC, posted May 27:

Hi guys, I'm trying to catch additions to the Local Admin group when it is done via mmc.exe, or PowerShell by anyone. The current rule "User added to Administrator group [F1000]" does not seem to trigger when it is done via mmc.exe. The only rule that does trigger is the Critical rule when the operation is done via the net command.
j91321 (ESET Staff), posted May 27 (edited):

Adding user through mmc.exe to local administrator group doesn't have effect on the F1000 functionality. It generates the same detection as any other method. You do not see that it was done through mmc.exe because the User events are always tied to lsass.exe process.
YossiC, posted May 27 (edited):

> j91321 said: Adding user through mmc.exe to local administrator group doesn't have effect on the F1000 functionality. It generates the same detection as any other method. You do not see that it was done through mmc.exe because the User events are always tied to lsass.exe process.

Hi, thank you for the reply. Yes, this is what I saw through ProcMon after posting this. I have tried testing the rule on my endpoint but it does not trigger. I also checked there are no exclusions related to this, or Events related to lsass.exe with UserAddToGroup operation.
j91321 (ESET Staff), posted May 29:

Well, I'd probably need the dump of Raw Events from the machine when you were testing it to investigate this further (ProcMon trace could also be helpful) and also logs from the EI Agent (C:\ProgramData\ESET\INSPECT Connector\Logs). This event is generated through ETW channel and should be the same as the log you can see in the Windows Event Log (4735 I think). I would also try reinstalling the connector just to be sure, and also the usual stuff: make sure the connector is on the latest version and that the operating system version is supported.
YossiC, posted May 29:

> j91321 said: Well, I'd probably need the dump of Raw Events from the machine when you were testing it to investigate this further (ProcMon trace could also be helpful) and also logs from the EI Agent (C:\ProgramData\ESET\INSPECT Connector\Logs). This event is generated through ETW channel and should be the same as the log you can see in the Windows Event Log (4735 I think). I would also try reinstalling the connector just to be sure, and also the usual stuff: make sure the connector is on the latest version and that the operating system version is supported.

Can I send you this over PM? Thanks.
YossiC, posted May 31 (marked as solution):

Seems the rule is dependent on "Audit Security Group Management". Events are being recorded only after this is enabled.
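As a defender-side check of the solution above, the following is an added example (not from the thread or from ESET) that confirms the "Security Group Management" audit subcategory is enabled and then lists the resulting Security-log events; 4732 is the Windows event for a member added to a security-enabled local group and 4735 the one for a local group being changed, while the 24-hour window and the Administrators filter are assumptions.

```powershell
# Added example, not part of the original thread. Run in an elevated session:
# auditpol and the Security log both require administrator rights.

# 1. Check the audit subcategory the thread's solution depends on.
#    "/r" makes auditpol emit CSV, which ConvertFrom-Csv turns into objects.
$audit   = auditpol /get /subcategory:"Security Group Management" /r | ConvertFrom-Csv
$setting = $audit | Where-Object { $_.Subcategory -eq 'Security Group Management' }
if ($setting.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning ("Security Group Management auditing is '{0}'; events 4732/4735 " +
                   "will not be written until it is enabled.") -f $setting.'Inclusion Setting'
    # To enable success and failure auditing for this subcategory:
    # auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
}

# 2. Pull local-group membership changes from the last 24 hours (assumed window).
#    4732 = member added to a security-enabled local group, 4735 = local group changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4732, 4735
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into name/value pairs and keep only the
#    Administrators group, which is what the thread is about.
$events | ForEach-Object {
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Group  = $data['TargetUserName']          # the group that was modified
        Member = $data['MemberSid']               # empty for 4735, which carries no member
        ByUser = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
} | Where-Object { $_.Group -eq 'Administrators' } | Format-Table -AutoSize
```

If step 1 warns but step 2 still returns 4732 events, another policy source (for example a GPO) is already supplying the audit setting; if neither produces anything after a test addition, the events are not being written and no consumer of the Security log or its ETW channel, the EI connector included, will see them.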