AuditSpecialGroups

OSquery

Check Special Logon Audit configuration - https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/:

Query

select * from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit'

Additional Query Info

  • Interval: 86400

JSON

{
  "queries": {
    "AuditSpecialGroups": {
      "query": "select * from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit'",
      "interval": "86400",
      "platform": "",
      "version": "",
      "description": "Check Special Logon Audit configuration - https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/",
      "value": ""
    }
  }
}