Blue Team-System Live Analysis [Part 6]- Windows: User Account Forensics-Road Map

Let’s Connect | LinkedIn | Twitter

In part 5, I have shared few techniques to retrieve information related to user accounts, their groups, and privileges.

Digital forensics and incident response are not about obtaining the data only. Profiling the activities, analyzing them, and looking for any evidence of suspicious/malicious activities is a challenging part of the journey.

Collecting data could be much more comfortable in comparison to data analysis and evidence interception. This part presents a road map for user accounts forensics to identify the good, the bad, and the unknown!!

  1. User Account Forensics — The Road Map

The proposed Road Map is designed based on my experience and best practices that I have employed to carry out the number of projects and yet to learn more.

If you can help me make it better, you are most welcome! together we care, together we share, together we win :)

User Account Forensics Roadmap

The road map is divided into three main phases as follows:

  • Data collection and validation: Once the data on user account are collected, we should validate them with network admins or system users where it is applicable. It significantly helps us to identify unknown user account or odd characteristics. The last post discussed the different methods of user account data collection.
  • User categorization and profiling: In this phase, we will categorize the user accounts as they could be used in different stages of a cyber attack.
User Account Attacks mapped with MITRE
  • Deep-dive analysis: Finally, we should conduct an in-depth analysis of each user account to look for Good, Bad, and Unknowns!

Note: It is essential to understand the operational needs, business logic, and standard configuration [baseline] of the targeted system and form a standard system profile to look for any deviation accordingly.

2. User Account Categories

The user accounts on a system can be categorized as follows:

  • Valid Users with Valid Groups and permissions: These are legitimate user account created by network admin or system users. We can’t simply assume these accounts are safe as cybercriminals might misuse them.
  • Valid Users with odd groups and permissions: However, this group of accounts is still legitimate, but the group that they are assigned to or the privileges they have may not be what supposed to be. For instance, a cybercriminal may abuse a valid user’s credentials to gain access or modify the privileges to carry out malicious activities.
  • Newly Created Users [Unknowns]: As the name suggests, these users are unknown and can’t be verified and validated by the system user or IT team. Creating new accounts upon initial access is a common technique used by attackers. Thus, they are tagged as a high risk.
  • Missing Users!: We are mostly thinking of how hackers may misuse valid user accounts; however, they may also delete, disable or limit the account to interrupt legitimate accesses.

3. User accounts at a glance

Let's use the wmic command explained in the last part to obtain the list of user accounts in a test system and intercept the findings.

wmic useraccount get name, accounttype, sid, status

Account Type:

As shown in the figure above, we have 6 local user accounts, all with type 512 representing a typical user account. It indicates only local user accounts exist in this system; thus, if the system used to be part of a domain, we have to tag it as abnormal and do further investigations.

SID and RID:

The first step in user account analysis is to know the well-known security identifiers (SID) in Windows operating systems, especially the RIDs. RID or Relative Identifier is the last segment of a SID and is unique for each user account.

There are two types of RIDs on the target systems, such as 5XX and 1XXX. Windows reserves RIDs less than 1000 for special accounts. Based on the well-known SID list, users with RIDs of 500, 501, and 503 are expected in our test machine.

S-1–5–21-<machine>-500 : Administrator
S-1–5–21-<machine>-501 : Guest
S-1–5–21-<machine>-503 : DefaultAccount
S-1-5-21-<machine>-504 : WDAGUtilityAccount

The user account with RID 504 is not on the well-known list; however, a simple search shows that this user account used by the system for Windows Defender Application Guard.

Tip: why the RID of 502 is missing? Because it’s for Kerberos tickets in the active directory! As the target machine is not part of any domain, so it’s normal!

Let’s focus on the RIDs in the range of 1XXX; windows allocate the RID to entities starting at 1000. well, we have only two user accounts with RIDs 1001 and 1002 as following:

S-1–5–21-<machine>-1001 : Cyfohub
S-1–5–21-<machine>-1005 : sechub

Why are the RIDs 1001 and 1005? What happened to 1000? How about 1002, 1003, and 1004? it’s an excellent question! We will dive deep into it in the next post.


This is the current status of the user accounts. The value for the accounts with RIDs 5XX is Degraded [disabled]. In a normal situation, all of these accounts are disabled for better security. So nothing is wrong with our test system.

During the investigation, if we noticed any of these accounts are enabled, specially build-in administrator and Guest, we must put them in suspicious status to do further analysis. We can use the event ID 4722 to check when a user is enabled and by who!

wevtutil qe security /f:text “/q:*[System[(EventID=4722)]]”

The above result shows that the user sechub [Target Account]was enabled by Cyfohub [Subject] on 15 of March 2021.

Note: Logs are logs, and there will be nothing if they are not enabled! To use the windows events and logs as a precious source of data for investigation, we should ensure they are enabled. For instance, we need to enable “Audit account management” for all the information related to user accounts.

Computer Configuration > Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management: Audit User Account Management → Define → Success and Failures

4. What’s Next!

So far, we have listed the existing local user accounts in the test system, we have analyzed the Type, RIDs, and Statuses. The next post will explain more on user account profiling to understand:

· When were users created?

· Who created the users!

· When users assigned to a specific group and by who?

. Is there any hidden user account? who hides them and when?

· In case of any deleted user account, who deleted them and when!

Stay safe and tuned….

by Meisam Eslahi

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store