5 Replies Latest reply on Mar 26, 2014 7:17 AM by curtisi

    How to capture failed 'Run as Administrator' events on a Windows domain?


      Does anyone have insight into how MS Audit Policy can be used to capture failed 'Run as Administrator' attempts without having to install LEM agents on all workstations?


      I've been attempting to capture these events for a couple days now and can't figure out how or if it can be done.  We currently have our Default Domain Controller Audit Policy set to capture both successful and failed Logon events.  Standard user logon failures are being captured just fine in both the Security Event logs on our DCs and in LEM.  However, failed authentications using the Windows 'Run as Administrator' feature don't seem to be captured anywhere on our DCs and, therefore, in LEM either.  I would think that these types of authentication events would have to be capable of being logged on the DCs if the account being used in the 'Run as' box is a domain account.  We tried setting the Special Logon policy to success and failure as well, but this also failed to capture the events in question.


      Does anyone have experience with this particular issue?  Any help would be greatly appreciated.


      If a workstation was compromised and someone was banging away on an elevated account via the 'Run as' command, it would be nice to be notified with more than just the account lockout event since the account lockout event wouldn't necessarily be from the same device that the failed authentication attempts were from.



        • Re: How to capture failed 'Run as Administrator' events on a Windows domain?

          I ran some tests and I found this:


          2014-03-24 07_40_58-SolarWinds Log and Event Manager Console.png


          I went digging in the Windows Security log for this event, and the description includes this:


          Process Information:

            New Process ID: 0x110c

            New Process Name: C:\Windows\System32\dllhost.exe

            Token Elevation Type: TokenElevationTypeDefault (1)

            Creator Process ID: 0x350


          Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.


          Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.


          Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.


          Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.


          It doesn't appear this is a domain level event, though, so I'm not sure this would be logged anywhere but the local system.

            • Re: How to capture failed 'Run as Administrator' events on a Windows domain?

              Thanks for the response, curtisi.  That would be a great way to capture the events if we had agents on our workstations, which unfortunately, we don't. 


              At some point, the process of elevating privileges through the Run As Administrator feature would have to authenticate to the domain controllers, no?  I must be missing something because I cannot find a logged event of this authentication anywhere on our DCs.  We're running 2008 AD environment and are using Advanced Audit Policy settings as follows:



              Logon-LogoffIPsec Extended ModeNo Auditing
              Logon-LogoffNetwork Policy ServerNo Auditing
              Logon-LogoffIPsec Main ModeNo Auditing
              Logon-LogoffOther Logon/Logoff EventsNo Auditing
              Logon-LogoffSpecial LogonSuccess
              Logon-LogoffLogonSuccess and Failure
              Logon-LogoffAccount LockoutNo Auditing
              Logon-LogoffIPsec Quick ModeNo Auditing
              Account LogonKerberos Service Ticket OperationsNo Auditing
              Account LogonOther Account Logon EventsNo Auditing
              Account LogonCredential ValidationSuccess and Failure
              Account LogonKerberos Authentication ServiceNo Auditing


              We tried setting Logon-Logoff > Special Logon to Success & Failure but that didn't help.  Anyone else have any experience with capturing these events?  Any suggestions?  Thanks a lot!