Does anyone have insight into how MS Audit Policy can be used to capture failed 'Run as Administrator' attempts without having to install LEM agents on all workstations?
I've been attempting to capture these events for a couple of days now and can't figure out how, or if, it can be done. We currently have our Default Domain Controller Audit Policy set to capture both successful and failed Logon events. Standard user logon failures are being captured just fine, both in the Security Event logs on our DCs and in LEM. However, failed authentications using the Windows 'Run as Administrator' feature don't seem to be captured anywhere on our DCs and, therefore, not in LEM either. I would think that these types of authentication events would have to be capable of being logged on the DCs if the account being used in the 'Run as' box is a domain account. We tried setting the Special Logon policy to success and failure as well, but this also failed to capture the events in question.
Does anyone have experience with this particular issue? Any help would be greatly appreciated.
If a workstation was compromised and someone was banging away on an elevated account via the 'Run as' command, it would be nice to be notified with more than just the account lockout event since the account lockout event wouldn't necessarily be from the same device that the failed authentication attempts were from.
Thanks!