Windows Event ID 4714 – Microsoft-Windows-Security-Auditing: System Security Access Control List Was Changed

Start by examining the specific details of the Event ID 4714 occurrence to understand what changed and who initiated it.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4714 by right-clicking the Security log and selecting Filter Current Log
4. Enter 4714 in the Event IDs field and click OK
5. Double-click on a recent Event ID 4714 entry to view details
6. Examine the General tab for basic information and the Details tab for XML data
7. Note the Subject fields showing who made the change and the Object fields showing what was modified

Use PowerShell for more efficient filtering:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4714} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Compare the current audit policy settings with your baseline to identify what specific changes were made.

1. Open an elevated Command Prompt or PowerShell session
2. Run the audit policy query command to see current settings:

auditpol /get /category:*

3. For more detailed subcategory information:

auditpol /get /subcategory:* /r

4. Export current audit policy for documentation:

auditpol /backup /file:C:\temp\current_audit_policy.csv

5. Compare with a known good baseline policy if available
6. Check Group Policy settings that might have triggered the change:

gpresult /h C:\temp\gpresult.html

7. Review the generated HTML report for audit policy settings under Computer Configuration

Use PowerShell to perform detailed analysis of Event ID 4714 occurrences and correlate them with other security events.

1. Create a comprehensive query to analyze patterns:

$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4714; StartTime=(Get-Date).AddDays(-7)}
$Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        SubjectDomainName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
        CategoryId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'CategoryId'} | Select-Object -ExpandProperty '#text'
        SubcategoryId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubcategoryId'} | Select-Object -ExpandProperty '#text'
    }
} | Format-Table -AutoSize

2. Look for correlating events around the same time:

$TimeWindow = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4719,4817,4902,4904,4905); StartTime=$TimeWindow} | Format-Table TimeCreated, Id, Message -Wrap

3. Check for Group Policy processing events:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=@(1500,1501,1502)} -MaxEvents 10 | Format-Table TimeCreated, Id, Message -Wrap

Examine the registry locations where audit policy settings are stored to understand the technical details of the changes.

1. Open Registry Editor as Administrator (regedit.exe)
2. Navigate to the primary audit policy location:

HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv

3. Check the advanced audit policy settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit

4. Use PowerShell to query audit-related registry values:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit" | Format-List

5. Check for Group Policy-applied audit settings:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -ErrorAction SilentlyContinue | Format-List

6. Monitor registry changes in real-time using Process Monitor (ProcMon):
7. Download ProcMon from Microsoft Sysinternals
8. Set filters for Process Name contains "lsass.exe" and Path contains "Audit"
9. Reproduce the audit policy change to see registry modifications

Implement comprehensive monitoring and automated response for Event ID 4714 in enterprise environments.

1. Configure Windows Event Forwarding (WEF) to centralize Event ID 4714:

# On collector server
wecutil cs subscription.xml

# Create subscription.xml with Event ID 4714 filter
$SubscriptionXML = @"

    AuditPolicyChanges
    SourceInitiated
    Monitor audit policy changes
    true
    http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
    Normal
    
            
                *[System[EventID=4714]]
            
        
    ]]>

"@
$SubscriptionXML | Out-File -FilePath "C:\temp\audit_subscription.xml" -Encoding UTF8

2. Create PowerShell script for automated analysis:

# Monitor-AuditChanges.ps1
param(
    [int]$Hours = 24
)

$StartTime = (Get-Date).AddHours(-$Hours)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4714; StartTime=$StartTime}

foreach ($Event in $Events) {
    $xml = [xml]$Event.ToXml()
    $UserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $Domain = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
    
    # Send alert if change made by non-admin account
    if ($UserName -notmatch "admin|service") {
        Write-Warning "Suspicious audit policy change by $Domain\$UserName at $($Event.TimeCreated)"
        # Add SIEM integration here
    }
}

3. Set up scheduled task to run the monitoring script:

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-AuditChanges.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "09:00AM"
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "MonitorAuditChanges" -Action $Action -Trigger $Trigger -Principal $Principal