fixed issue #99

data_needed/DN_0082_8002_ntlm_server_blocked_audit.yml

@@ -0,0 +1,49 @@
+title: DN_0082_8002_ntlm_server_blocked_audit
+description: >
+  NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked. Blocked NTLM auth is the same provider but Event ID 4002
+loggingpolicy:
+  - LP_0044_windows_ntlm_audit
+references:
+  - https://twitter.com/JohnLaTwC/status/1004895902010507266
+category: OS Logs
+platform: Windows
+type: Applications and Services Logs
+channel: Microsoft-Windows-NTLM/Operational
+provider: Microsoft-Windows-NTLM
+fields:
+  - EventID
+  - Hostname # redundant
+  - Computer
+  - CallerPID
+  - ProcessName
+  - ClientLUID
+  - ClientUserName
+  - ClientDomainName
+  - MechanismOID
+sample: |
+  - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+    - <System>
+        <Provider Name="Microsoft-Windows-NTLM" Guid="{AC43300D-5FCC-4800-8E99-1BD3F85F0320}" /> 
+        <EventID>8002</EventID> 
+        <Version>0</Version> 
+        <Level>4</Level> 
+        <Task>2</Task> 
+        <Opcode>0</Opcode> 
+        <Keywords>0x8000000000000000</Keywords> 
+        <TimeCreated SystemTime="2019-03-02T23:00:00.746139000Z" /> 
+        <EventRecordID>12</EventRecordID> 
+        <Correlation /> 
+        <Execution ProcessID="468" ThreadID="2660" /> 
+        <Channel>Microsoft-Windows-NTLM/Operational</Channel> 
+        <Computer>dc.yugoslavskiy.local</Computer> 
+        <Security UserID="S-1-5-18" /> 
+      </System>
+    - <EventData>
+        <Data Name="CallerPID">4</Data> 
+        <Data Name="ProcessName" /> 
+        <Data Name="ClientLUID">0x3e7</Data> 
+        <Data Name="ClientUserName">DC$</Data> 
+        <Data Name="ClientDomainName">atc</Data> 
+      <Data Name="MechanismOID">1.3.6.1.4.1.311.2.2.10</Data> 
+      </EventData>
+    </Event>

logging_policies/LP_0044_windows_ntlm_audit.yml

@@ -0,0 +1,32 @@
+title: LP_0044_windows_ntlm_audit
+default: Not configured
+volume: High # depends on configuration and NTLM use in domain
+description: >
+  This is combined audit policy, consist of 3 policies under "Network security: 
+  Restrict NTLM" — Audit NTLM authentication in this domain, Audit Incoming NTLM Traffic, 
+  Outgoing NTLM traffic to remote servers. It will provide visibility on 
+  NTLM authentication attempts. This policy is only about auditing events,
+  it will not disable NTLM authentication itself. 
+eventID:
+  - 8001 # NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked
+  - 8002 # NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
+  - 8003 # NTLM server blocked in the domain audit: Audit NTLM authentication in this domain
+  - 8004 # no details. todo
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
+configuration: |
+  Steps to implement logging policy with Group Policies:
+  ```
+  Computer Configuratoin ->
+  Policies ->
+  Windows Settings ->
+  Security Settings ->
+  Local Policies ->
+  Security Options:
+
+  - Network security: Restrict NTLM: Audit NTLM authentication in this domain: Enable all
+  - Network security: Restrict NTLM: Audit Incoming NTLM Traffic: Enable audit for all accounts
+  - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Policy Setting: Audit all
+  ```