Missing attributes from eventid 4738, correlation of 4738, 4768 and PIV CA CN

New Member

We disable User Principal Name Mapping, enable User Name Hints and modify altsecurityidenties attribute with the same PIV properties for multiple user objects, IT privileged, IT less privileged and for assuming a users identity instead of asking for their password or resetting it.

Because we do this, we audit whenever a ticket is granted based on smartcard and whenever anyone edits the altsecurity attribute. We also audit processes so we know what processes were launched by the IT staff member that has assumed an identity.

Even after enabling advanced account management auditing, when a users object altsecurityidentities attribute is modified, there is an event but the event does not contain that attribute. You have to use repadmin to see if that attribute was the one modified.

We also enable advanced Kerberos Authentication Service auditing but the only data that relates to the smartcard certificate is issuer, serial number, and thumbprint. It is not readily apparent whos certificate was used without cross referencing the PIV CA.

Is there a way to add additional attributes to security event ID 4738? Is there a way to get the CN/Subject into Security event ID 4768? We need to be able to tie this all together so that we can be better informed,

Tags (2)
0 Karma

New Member

I've got a good start on 4738 at SO

For additional 4768 data, the original smart card login event, task xml, powershell and ultimate event are below. Similar methods were used for 4738 as posted on SO above. Feel free to make any code contributions in the comments. The code could use some error handling and try catches.

  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <TimeCreated SystemTime="2018-05-01T05:01:26.527879000Z" /> 
  <Correlation /> 
  <Execution ProcessID="460" ThreadID="1364" /> 
  <Security /> 
  <Data Name="TargetUserName">havealoha</Data> 
  <Data Name="TargetDomainName"></Data> 
  <Data Name="TargetSid">S-1-5-21-##</Data> 
  <Data Name="ServiceName">krbtgt</Data> 
  <Data Name="ServiceSid">S-1-5-21-##</Data> 
  <Data Name="TicketOptions">0x40810010</Data> 
  <Data Name="Status">0x0</Data> 
  <Data Name="TicketEncryptionType">0x12</Data> 
  <Data Name="PreAuthType">15</Data> 
  <Data Name="IpAddress">::ffff:##</Data> 
  <Data Name="IpPort">35665</Data> 
  <Data Name="CertIssuerName">CONTOSO-CA</Data> 
  <Data Name="CertSerialNumber">##</Data> 
  <Data Name="CertThumbprint">##</Data> 

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4768)]]
    *[EventData[Data[@Name='PreAuthType'] and (Data='15')]]
    *[EventData[Data[@Name='PreAuthType'] and (Data='16')]]
        <Value name="certIssuerName">Event/EventData/Data[@Name="CertIssuerName"]</Value>
        <Value name="certSerialNumber">Event/EventData/Data[@Name="CertSerialNumber"]</Value>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
        <Value name="eventTimeCreated">Event/System/TimeCreated/@SystemTime</Value>
        <Value name="targetUserName">Event/EventData/Data[@Name="TargetUserName"]</Value>
    <Principal id="Author">
  <Actions Context="Author">
      <Arguments>C:\Windows\AuditSecurityEventID4768.ps1 -targetUserName $(targetUserName) -eventTimeCreated $(eventTimeCreated) -eventRecordID $(eventRecordID) -certIssuerName $(certIssuerName) -certSerialNumber $(certSerialNumber)</Arguments>

$nl = [Environment]::NewLine
if ($certIssuerName -like "*Contoso-CA*") {
$cert = certutil -view -restrict "Serial Number=$($certSerialNumber)" -out "upn,serialnumber,distinguishedname,commonname" | Select-String "Row 1" -Context 0,5
$cert = $cert -replace "> Row 1:", "Smart Card Certificate Information:"
if ($cert -like "*$($targetUserName)*") {
$entryType = "Information"
else {
$entryType = "Warning"

if ([System.Diagnostics.EventLog]::SourceExists("Contoso Security") -eq $False) {
    New-EventLog –LogName "Application" –Source "Contoso Security"
Write-EventLog -LogName "Application" -Source "Contoso Security" -EntryType $entryType -EventID 64768 -Message "$nl Target User Name: $targetUserName $nl Event Date: $eventTimeCreated $nl Referring Event ID: $eventRecordID $nl $cert"

<Event xmlns="">
  <Provider Name="Contoso Security" /> 
  <EventID Qualifiers="0">64768</EventID> 
  <TimeCreated SystemTime="2018-05-01T05:01:22.000000000Z" /> 
  <Security /> 
  <Data>Target User Name: havealoha Event Date: 2018-05-01T05:01:19.168Z Referring Event ID: 588856789 Smart Card Certificate Information: User Principal Name: "" Serial Number: "##" Issued Distinguished Name: "CN=havealoha, OU=Accounts, DC=contoso, DC=com" Issued Common Name: "havealoha"</Data> 
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...