new dn and lp

This commit is contained in:
yugoslavskiy 2019-04-22 05:18:31 +02:00
parent 81c1550760
commit 69dbd5bd88
30 changed files with 1374 additions and 40 deletions

View File

@ -1,6 +1,7 @@
title: DN_0038_1102_the_audit_log_was_cleared
description: >
Event 1102 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy.
Event 1102 is logged whenever the Security log is cleared,
REGARDLESS of the status of the Audit System Events audit policy
loggingpolicy:
- none
references:
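Review bot: `loggingpolicy: - none` here is lowercase while the new DN_0050_1102_audit_log_was_cleared file added in the same commit uses `- None`; pick one spelling for the sentinel so a consumer can match it. More importantly, DN_0038_1102_the_audit_log_was_cleared and DN_0050_1102_audit_log_was_cleared now describe the same event 1102 from the same provider (Microsoft-Windows-Eventlog) and channel (Security); unless the two are meant to differ, the new file should replace this one rather than sit beside it.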
@ -13,7 +14,7 @@ channel: Security
provider: Microsoft-Windows-Eventlog
fields:
- EventID
- Hostname # redundant
- Hostname # redundant
- Computer
- SubjectUserSid
- SubjectUserName
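Review bot: `- Hostname # redundant` keeps the field with a comment but no statement of what it duplicates (`Computer` on the next line, presumably) or why it stays in the list; either drop the field or turn the comment into a note on which of the two a consumer should rely on. The same `# redundant` comment is copied verbatim into every new file in this commit, so whichever decision is taken should be applied there as well.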

View File

@ -0,0 +1,47 @@
title: DN_0050_1102_audit_log_was_cleared
description: >
This event generates every time Windows Security audit log was cleared
loggingpolicy:
- None
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Eventlog
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" />
<EventRecordID>1087729</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="2644" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid>
<SubjectUserName>dadmin</SubjectUserName>
<SubjectDomainName>CONTOSO</SubjectDomainName>
<SubjectLogonId>0x55cd1d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
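Review bot: the `- ` prefixes on `- <Event`, `- <System>`, `- <UserData>` and `- <LogFileCleared` inside the `sample: |` block are collapse markers from the tree view on the Microsoft docs page, not part of the event XML; a YAML literal block stores them verbatim, so the sample is not well-formed XML and will not parse. Strip them here and in the samples of the other files added in this commit, which carry the same markers.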

View File

@ -39,42 +39,42 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
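Review bot: the re-indented sample still carries markdown escapes copied from the docs source, e.g. `C:\\Windows\\System32\\winlogon.exe`. Nothing is unescaped inside a YAML `|` block, so the stored ProcessName has doubled backslashes that the real 4625 event does not, and an exact match against this sample would fail. Use single backslashes; the same goes for the `\\` and `\_` sequences in the other samples in this commit.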

View File

@ -0,0 +1,78 @@
title: DN_0058_4656_handle_to_an_object_was_requested
description: >
This event indicates that specific access was requested for an object.
The object could be a file system, kernel, or registry object, or a file
system object on removable storage or a device. If access was declined,
a Failure event is generated. This event generates only if the objects
SACL has the required ACE to handle the use of specific access rights
loggingpolicy:
- LP_0104_windows_audit_removable_storage
- LP_0039_windows_audit_kernel_object
- LP_0102_windows_audit_file_system
- LP_0103_windows_audit_registry
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- ObjectType
- ObjectName
- HandleId
- TransactionId
- AccessList
- AccessReason
- AccessMask
- PrivilegeList
- RestrictedSidCount
- ProcessId
- ProcessName
- ResourceAttributes
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
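Review bot: in the description, "only if the objects SACL" should read "the object's SACL", and the last sentence has no terminating period while the earlier ones do. Worth stating next to the sample that it is a Failure instance (`Keywords` 0x8010000000000000, `HandleId` 0x0) of event `Version` 1, since `AccessReason` and `ResourceAttributes` in the fields list only appear in that version and `HandleId` carries no usable value on a failed request.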

View File

@ -0,0 +1,67 @@
title: DN_0059_4657_registry_value_was_modified
description: >
This event generates when a registry key value was modified. It doesn't generate
when a registry key was modified. This event generates only if "Set Value" auditing
is set in registry keys SACL
loggingpolicy:
- LP_0103_windows_audit_registry
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectName
- ObjectValueName
- HandleId
- OperationType
- OldValueType
- OldValue
- NewValueType
- NewValue
- ProcessId
- ProcessName
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4657</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
<EventRecordID>744725</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4824" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="ObjectName">\\REGISTRY\\MACHINE</Data>
<Data Name="ObjectValueName">Name\_New</Data>
<Data Name="HandleId">0x54</Data>
<Data Name="OperationType">%%1905</Data>
<Data Name="OldValueType">%%1873</Data>
<Data Name="OldValue" />
<Data Name="NewValueType">%%1873</Data>
<Data Name="NewValue">Andrei</Data>
<Data Name="ProcessId">0xce4</Data>
<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
</EventData>
</Event>
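Review bot: "registry keys SACL" should be "registry key's SACL". In the sample, `\\REGISTRY\\MACHINE` and `Name\_New` carry markdown escapes; the real ObjectName is `\REGISTRY\MACHINE` and the value name has no backslash. Also note for consumers that `OperationType`, `OldValueType` and `NewValueType` hold resource-string IDs (`%%1905`, `%%1873`) rather than readable values, so a rule that wants "value modified" or a value type has to resolve those IDs first.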

View File

@ -0,0 +1,63 @@
title: DN_0060_4658_handle_to_an_object_was_closed
description: >
This event generates when the handle to an object is closed. The object
could be a file system, kernel, or registry object, or a file system
object on removable storage or a device. This event generates only if
Success auditing is enabled for Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle
to the object was open. Otherwise, it might not have any security
relevance
loggingpolicy:
- LP_0102_windows_audit_file_system
- LP_0042_windows_audit_handle_manipulation
- LP_0039_windows_audit_kernel_object
- LP_0103_windows_audit_registry
- LP_0104_windows_audit_removable_storage
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- HandleId
- ProcessId
- ProcessName
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
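Review bot: the description says 4658 "generates only if Success auditing is enabled for Audit Handle Manipulation subcategory", yet `loggingpolicy` lists four other policies alongside LP_0042_windows_audit_handle_manipulation. In the other files in this commit the list reads as alternatives (any one of them produces the event); if here it is LP_0042 plus the subcategory for the object type, say so, otherwise a consumer will conclude that Audit File System alone is enough.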

View File

@ -0,0 +1,65 @@
title: DN_0061_4660_object_was_deleted
description: >
This event generates when an object was deleted. The object could be a
file system, kernel, or registry object. This event generates only if
"Delete" auditing is set in objects SACL. This event doesnt contain
the name of the deleted object (only the Handle ID). It is better to
use "4663(S): An attempt was made to access an object" with DELETE
access to track object deletion. The advantage of this event is that
its generated only during real delete operations. In contrast,
"4663(S): An attempt was made to access an object" also generates
during other actions, such as object renaming
loggingpolicy:
- LP_0102_windows_audit_file_system
- LP_0039_windows_audit_kernel_object
- LP_0103_windows_audit_registry
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- HandleId
- ProcessId
- ProcessName
- TransactionId
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
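Review bot: typos in the description: "objects SACL" should be "object's SACL", "doesnt" should be "doesn't", and "its generated" should be "it's generated". Since the description itself stresses that 4660 carries only a Handle ID and no object name, it would help to say that `HandleId` in the fields list is the link back to the 4656/4663 record that names the object, which is what the recommended correlation depends on.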

View File

@ -0,0 +1,72 @@
title: DN_0062_4663_attempt_was_made_to_access_an_object
description: >
This event indicates that a specific operation was performed on an object.
The object could be a file system, kernel, or registry object, or a file
system object on removable storage or a device. This event generates only
if objects SACL has required ACE to handle specific access right use.
The main difference with "4656: A handle to an object was requested."
event is that 4663 shows that access right was used instead of just
requested and 4663 doesnt have Failure events
loggingpolicy:
- LP_0102_windows_audit_file_system
- LP_0039_windows_audit_kernel_object
- LP_0103_windows_audit_registry
- LP_0104_windows_audit_removable_storage
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- ObjectType
- ObjectName
- HandleId
- AccessList
- AccessMask
- ProcessId
- ProcessName
- ResourceAttributes
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
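Review bot: "objects SACL" should be "object's SACL" and "doesnt" should be "doesn't" in the description. The period inside the quoted title `"4656: A handle to an object was requested."` ends the quotation, not the sentence; move it outside the quotes so the sentence reads as one.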

View File

@ -0,0 +1,49 @@
title: DN_0064_4698_scheduled_task_was_create
description: >
This event generates every time a new scheduled task is created
loggingpolicy:
- LP_0041_windows_audit_other_object_access_events
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TaskName
- TaskContent
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" />
<EventRecordID>344740</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
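Review bot: title typo: `DN_0064_4698_scheduled_task_was_create` should be `_was_created` (the description says "is created"); since the title doubles as the identifier other files will reference, fix it before anything links to it. The sample is also not well-formed XML: `<Data Name="TaskContent">` is followed by a bare `<?xml version="1.0" encoding="UTF-16"?>` declaration, which may only appear at the start of a document. Either escape the nested task XML or note that the sample is copied as displayed in the docs rather than as raw event XML. The same applies to the 4701 sample in this commit.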

View File

@ -0,0 +1,48 @@
title: DN_0065_4701_scheduled_task_was_disabled
description: This event generates every time a scheduled task is disabled
loggingpolicy:
- LP_0041_windows_audit_other_object_access_events
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TaskName
- TaskContent
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4701</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" />
<EventRecordID>344860</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4364" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
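Review bot: `description:` here is a plain one-line scalar while every other file in this commit uses a `>` folded block; harmless, but inconsistent for anyone generating documents from these files. The description also lacks the terminating period that a one-line scalar would normally carry.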

View File

@ -0,0 +1,51 @@
title: DN_0066_4704_user_right_was_assigned
description: >
This event generates every time local user right policy is changed and
user right was assigned to an account. You will see unique event for
every user
loggingpolicy:
- LP_0105_windows_audit_authorization_policy_change
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- TargetSid
- PrivilegeList
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4704</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T22:08:07.136050600Z" />
<EventRecordID>1049866</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="1216" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="PrivilegeList">SeAuditPrivilege SeIncreaseWorkingSetPrivilege</Data>
</EventData>
</Event>
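Review bot: the description reads awkwardly: "every time local user right policy is changed and user right was assigned to an account. You will see unique event for every user" would be clearer as "every time the local user-rights policy changes and a user right is assigned to an account; one event is generated per account". Also worth noting for consumers that `PrivilegeList` is a space-separated list (`SeAuditPrivilege SeIncreaseWorkingSetPrivilege`), so a rule has to split or substring-match it rather than compare the whole field.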

View File

@ -0,0 +1,55 @@
title: DN_0067_4719_system_audit_policy_was_changed
description: >
This event generates when the computer's audit policy changes.
This event is always logged regardless of the "Audit Policy Change"
sub-category setting
loggingpolicy:
- None
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- CategoryId
- SubcategoryId
- SubcategoryGuid
- AuditPolicyChanges
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" />
<EventRecordID>1049418</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CategoryId">%%8274</Data>
<Data Name="SubcategoryId">%%12807</Data>
<Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData>
</Event>
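Review bot: `CategoryId` (`%%8274`), `SubcategoryId` (`%%12807`) and `AuditPolicyChanges` (`%%8448, %%8450`) all hold resource-string IDs, and `AuditPolicyChanges` is comma-separated where `PrivilegeList` in the other files is space-separated; document both so a consumer resolving the IDs into "Success Added"/"Success Removed" does not split on the wrong delimiter. `SubcategoryGuid` is the stable key here and is the field a rule should match on.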

View File

@ -0,0 +1,59 @@
title: DN_0069_4732_member_was_added_to_security_enabled_local_group
description: >
This event generates every time a new member was added to a
security-enabled (security) local group. This event generates
on domain controllers, member servers, and workstations
loggingpolicy:
- LP_0101_windows_audit_security_group_management
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- MemberName
- MemberSid
- TargetUserName
- TargetDomainName
- TargetSid
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- PrivilegeList
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4732</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" />
<EventRecordID>174856</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
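Review bot: the `fields` list puts `MemberName`, `MemberSid` and the `Target*` fields before `SubjectUserSid`, unlike every other file in this commit where the `Subject*` fields come first after `Hostname`; keep one ordering so the lists can be diffed and generated consistently. Note also that `MemberName` in the sample is a distinguished name (`CN=eadmin,CN=Users,DC=contoso,DC=local`), not an account name, which matters for anyone matching on it.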

View File

@ -0,0 +1,58 @@
title: DN_0070_4735_security_enabled_local_group_was_changed
description: >
This event generates every time a security-enabled (security) local group is changed.
This event generates on domain controllers, member servers, and workstations
loggingpolicy:
- LP_0101_windows_audit_security_group_management
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- TargetUserName
- TargetDomainName
- TargetSid
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- PrivilegeList
- SamAccountName
- SidHistory
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4735</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" />
<EventRecordID>174850</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">AccountOperators\_NEW</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators\_NEW</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>

View File

@ -0,0 +1,68 @@
title: DN_0076_4768_kerberos_authentication_ticket_was_requested
description: >
This event generates every time Key Distribution Center issues a
Kerberos Ticket Granting Ticket (TGT). This event generates only
on domain controllers. If TGT issue fails then you will see
Failure event with Result Code field not equal to "0x0"
loggingpolicy:
- LP_0038_windows_audit_kerberos_authentication_service
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- TargetUserName
- TargetDomainName
- TargetSid
- ServiceName
- ServiceSid
- TicketOptions
- Status
- TicketEncryptionType
- PreAuthType
- IpAddress
- IpPort
- CertIssuerName
- CertSerialNumber
- CertThumbprint
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
<EventRecordID>166747</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49273</Data>
<Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
<Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
<Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
</EventData>
</Event>
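Review bot: the description points analysts at a "Result Code" field, but the fields list and the sample carry that value as `Status` (`<Data Name="Status">0x0</Data>`); name the field as it appears in the event so the failure hint maps directly onto the fields list. The same mismatch is in DN_0077, where it is called "Failure Code".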

View File

@ -0,0 +1,61 @@
title: DN_0077_4769_kerberos_service_ticket_was_requested
description: >
This event generates every time Key Distribution Center gets a Kerberos Ticket Granting
Service (TGS) ticket request. This event generates only on domain controllers. If TGS
issue fails then you will see Failure event with Failure Code field not equal to "0x0"
loggingpolicy:
- LP_0106_windows_audit_kerberos_service_ticket_operations
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- TargetUserName
- TargetDomainName
- ServiceName
- ServiceSid
- TicketOptions
- TicketEncryptionType
- IpAddress
- IpPort
- Status
- LogonGuid
- TransmittedServices
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
<EventRecordID>166746</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">WIN2008R2$</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49272</Data>
<Data Name="Status">0x0</Data>
<Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
<Data Name="TransmittedServices">-</Data>
</EventData>
</Event>
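Review bot: the description's "Failure Code" is the `Status` field in the fields list and sample; use the logged name. Also worth a sentence in the description: `TargetUserName` here is in UPN form (`dadmin@CONTOSO.LOCAL`) while the 4768 sample in DN_0076 logs the bare account name (`dadmin`), so any rule that joins TGT and TGS requests on that field has to normalise it first.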

View File

@ -0,0 +1,65 @@
title: DN_0078_4771_kerberos_pre_authentication_failed
description: >
This event generates every time the Key Distribution Center fails
to issue a Kerberos Ticket Granting Ticket (TGT). This can occur
when a domain controller doesnt have a certificate installed for
smart card authentication (for example, with a "Domain Controller"
or "Domain Controller Authentication" template), the users password
has expired, or the wrong password was provided. This event
generates only on domain controllers
loggingpolicy:
- LP_0038_windows_audit_kerberos_authentication_service
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- TargetUserName
- TargetSid
- ServiceName
- TicketOptions
- Status
- PreAuthType
- IpAddress
- IpPort
- CertIssuerName
- CertSerialNumber
- CertThumbprint
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
<EventRecordID>166708</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x10</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49254</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
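Review bot: two typos in the description: "doesnt" should be "doesn't" and "the users password" should be "the user's password". The sample shows the three `Cert*` fields empty (`<Data Name="CertIssuerName" />`); since the fields list includes them, a short note that they can be empty would stop analysts from treating a blank value as an anomaly.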

View File

@ -0,0 +1,49 @@
title: DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account
description: >
This event generates every time that a credential validation occurs
using NTLM authentication. This event occurs only on the computer
that is authoritative for the provided credentials. For domain
accounts, the domain controller is authoritative. For local accounts,
the local computer is authoritative
loggingpolicy:
- LP_0107_windows_audit_credential_validation
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- PackageName
- TargetUserName
- Workstation
- Status
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" />
<EventRecordID>165437</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="Workstation">WIN81</Data>
<Data Name="Status">0xc0000234</Data>
</EventData>
</Event>
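Review bot: the `PackageName` value in the sample, `MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0`, still carries the markdown escape sequences (`\_`) from the MicrosoftDocs source; the backslashes are not part of the logged value and will break any exact match built from this sample, so drop them and keep plain underscores.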

View File

@ -0,0 +1,42 @@
title: LP_0037_windows_audit_audit_policy_change
default: Partially (Success)
volume: Low
description: >
This policy determines whether the operating system generates
audit events when changes are made to audit policy
eventID:
- 4902 #(S): The Per-user audit policy table was created
- 4907 #(S): Auditing settings on object were changed
- 4904 #(S): An attempt was made to register a security event source
- 4905 #(S): An attempt was made to unregister a security event source
- 4715 #(S): (policy is not needed) The audit policy (SACL) on an object was changed
- 4719 #(S): (policy is not needed) System audit policy was changed
- 4817 #(S): (policy is not needed) Auditing settings on object were changed
- 4902 #(S): (policy is not needed) The Per-user audit policy table was created
- 4906 #(S): (policy is not needed) The CrashOnAuditFail value has changed
- 4907 #(S): (policy is not needed) Auditing settings on object were changed
- 4908 #(S): (policy is not needed) Special Groups Logon table modified
- 4912 #(S): (policy is not needed) Per User Audit Policy was changed
- 4904 #(S): (policy is not needed) An attempt was made to register a security event source
- 4905 #(S): (policy is not needed) An attempt was made to unregister a security event source
references:
- https://technet.microsoft.com/en-us/library/dn319116(v=ws.11).aspx
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-audit-policy-change.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Policy Change >
Audit Audit Policy Change (Success,Failure)
```
Script to implement logging policy:
```
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
```
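Review bot: the eventID list repeats 4902, 4904, 4905 and 4907, first as plain entries and again with the "(policy is not needed)" annotation, so the file contradicts itself on whether this subcategory is required for them; keep one entry per event ID with a single annotation. The GUI path here also uses "Advanced Security Audit Policy Settings" while LP_0041, LP_0042, LP_0102, LP_0103 and LP_0105 in the same commit use "Advanced Audit Policy Configuration"; pick one spelling for that node across the LP files.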

View File

@ -0,0 +1,32 @@
title: LP_0038_windows_audit_kerberos_authentication_service
default: Partially (Other) # Success on Servers. Not enabled on clients
volume: High # on Kerberos Key Distribution Center servers
description: >
Audit Kerberos Authentication Service determines whether to generate
audit events for Kerberos authentication ticket-granting ticket (TGT) requests
eventID:
- 4768 # (S, F): A Kerberos authentication ticket (TGT) was requested
- 4771 # (F): Kerberos pre-authentication failed
- 4772 # (F): A Kerberos authentication ticket request failed
references:
- https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4#KAS
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Account Logon >
Audit Kerberos Authentication Service (Success,Failure)
```
Script to implement logging policy:
```
Auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
```

View File

@ -0,0 +1,34 @@
title: LP_0039_windows_audit_kernel_object
default: Not configured
volume: High # if auditing access of global system objects is enabled.
description: >
This policy setting allows you to audit attempts to access the kernel,
which include mutexes and semaphores. Only kernel objects with a matching
system access control list (SACL) generate security audit events
eventID:
- 4656 #(S, F): A handle to an object was requested
- 4658 #(S): The handle to an object was closed
- 4660 #(S): An object was deleted
- 4663 #(S): An attempt was made to access an object
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kernel-object.md
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kernel-object
- https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter7
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Object Access >
Audit Kernel Object (Success)
```
Script to implement logging policy:
```
Auditpol /set /subcategory:"Kernel Object" /success:enable /failure:disable
```
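Review bot: the manual steps and the `Auditpol` line enable Success only (`/failure:disable`), yet 4656 is annotated (S, F); under this configuration the denied-access variant of 4656 is never written. Either enable failure auditing or annotate that failure events are deliberately out of scope for this policy.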

View File

@ -0,0 +1,40 @@
title: LP_0041_windows_audit_other_object_access_events
default: Not configured
volume: Medium
description: >
This security policy setting determines whether the operating system generates
audit events for the management of Task Scheduler jobs or COM+ objects
eventID:
- 4671 #(-): An application attempted to access a blocked ordinal through the TBS
- 4691 #(S): Indirect access to an object was requested
- 5148 #(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded
- 5149 #(F): The DoS attack has subsided and normal processing is being resumed
- 4698 #(S): A scheduled task was created
- 4699 #(S): A scheduled task was deleted
- 4700 #(S): A scheduled task was enabled
- 4701 #(S): A scheduled task was disabled
- 4702 #(S): A scheduled task was updated
- 5888 #(S): An object in the COM+ Catalog was modified
- 5889 #(S): An object was deleted from the COM+ Catalog
- 5890 #(S): An object was added to the COM+ Catalog
references:
- https://technet.microsoft.com/en-us/library/dd772744(v=ws.10).aspx
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-other-object-access-events.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Object Access >
Audit Other Object Access Events (Success)
```
Script to implement logging policy:
```
Auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:disable
```
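Review bot: same success-only problem as LP_0039: 5148 and 5149 are annotated (F), but the manual steps say "(Success)" and the script sets `/failure:disable`, so those two Windows Filtering Platform events will not be generated by the policy as written. Enable failure auditing or drop them from the eventID list.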

View File

@ -0,0 +1,30 @@
title: LP_0042_windows_audit_handle_manipulation
default: Not configured
volume: High # depending on how SACLs are configured
description: >
This security policy setting determines whether the operating system
generates audit events when a handle to an object is opened or closed.
Policy to enable smb share access logon events logging
eventID:
- 4658 #(S): The handle to an object was closed
- 4690 #(S): An attempt was made to duplicate a handle to an object
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-handle-manipulation.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Object Access >
Audit Handle Manipulation (Success,Failure)
```
Script to implement logging policy:
```
Auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
```
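Review bot: the last sentence of the description, "Policy to enable smb share access logon events logging", does not describe Handle Manipulation (the eventID list is 4658 and 4690, handle close and duplicate) and reads like a leftover from another LP file; remove it, or if some SMB relationship is intended, spell it out and write "SMB".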

View File

@ -0,0 +1,29 @@
title: LP_0101_windows_audit_security_group_management
default: Partially (Success)
volume: Low
description: >
Audit Security Group Management determines whether the operating system
generates audit events when specific security group management tasks are
performed
eventID:
- 4731 #(S): A security-enabled local group was created.
- 4732 #(S): A member was added to a security-enabled local group.
- 4733 #(S): A member was removed from a security-enabled local group.
- 4734 #(S): A security-enabled local group was deleted.
- 4735 #(S): A security-enabled local group was changed.
- 4764 #(S): A groups type was changed.
- 4799 #(S): A security-enabled local group membership was enumerated.
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/e7d434a47116a0b49fed43e652a07031d8249ae2/windows/security/threat-protection/auditing/audit-security-group-management.md
configuration: |
Steps to implement logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Account Management >
Audit Security Group Management (Success,Failure)
```
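Review bot: the configuration block lacks the "Script to implement logging policy" `auditpol` section that LP_0037 through LP_0042 carry (the same is true of LP_0102 through LP_0107 in this commit); add it for the "Security Group Management" subcategory so every LP can be applied the same way. The GUI path here also reads "Advanced Audit Policies Configuration" (plural) and includes a "Policies >" level the other files omit, and the 4764 comment "A groups type was changed" needs an apostrophe: "A group's type".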

View File

@ -0,0 +1,28 @@
title: LP_0102_windows_audit_file_system
default: Not configured # Not configured | Partially (Success) | Partially (Failure) | Partially (Other) | Configured
volume: Low # Low | Medium | High | Extremely High
description: >
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects
eventID:
- 4656 #(S, F): A handle to an object was requested
- 4658 #(S): The handle to an object was closed
- 4660 #(S): An object was deleted
- 4663 #(S): An attempt was made to access an object
- 4664 #(S): An attempt was made to create a hard link
- 4985 #(S): The state of a transaction has changed
- 5051 #(-): A file was virtualized
- 4670 #(S): Permissions on an object were changed
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-file-system.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Object Access >
Audit File system (Success, Failure)
```
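Review bot: the `default` and `volume` lines still carry the template's allowed-value enumeration as trailing comments (`# Not configured | Partially (Success) | ...`, `# Low | Medium | High | Extremely High`); those belong in the schema or template, not in a finished LP entry. The description is also the only one in this set kept on a single long line inside the folded block, and "Audit File system" should be "Audit File System" to match the subcategory name.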

View File

@ -0,0 +1,35 @@
title: LP_0103_windows_audit_registry
default: Not configured
volume: Medium # depending on how SACLs are configured
description: >
Audit Registry allows you to audit attempts to access registry objects.
A security audit event is generated only for objects that have system access
control lists (SACLs) specified, and only if the type of access requested, such
as Read, Write, or Modify, and the account making the request match the
settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account
successfully accesses a registry object that has a matching SACL. If failure auditing
is enabled, an audit entry is generated each time any user unsuccessfully attempts
to access a registry object that has a matching SACL
eventID:
- 4663 #(S): An attempt was made to access an object
- 4656 #(S, F): A handle to an object was requested
- 4658 #(S): The handle to an object was closed
- 4660 #(S): An object was deleted
- 4657 #(S): A registry value was modified
- 5039 #(-): A registry key was virtualized
- 4670 #(S): Permissions on an object were changed
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-registry.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Object Access >
Audit Registry (Success, Failure)
```

View File

@ -0,0 +1,26 @@
title: LP_0104_windows_audit_removable_storage
default: Configured
volume: Medium # depends on use
description: >
Audit Removable Storage allows you to audit user attempts to access file
system objects on a removable storage device. A security audit event is
generated for all objects and all types of access requested, with no
dependency on objects SACL
eventID:
- 4656 #(S, F): A handle to an object was requested
- 4658 #(S): The handle to an object was closed
- 4663 #(S): An attempt was made to access an object
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-removable-storage.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Object Access >
Audit Removable Storage (Success, Failure)
```
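Review bot: `default: Configured` stands out here: every other Object Access subcategory in this commit (LP_0039, LP_0041, LP_0042, LP_0102, LP_0103) is `Not configured`, so confirm this is intentional and, if it is, add an explanatory comment as the other non-trivial defaults do. Also "no dependency on objects SACL" should read "object's SACL".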

View File

@ -0,0 +1,29 @@
title: LP_0105_windows_audit_authorization_policy_change
default: Not configured
volume: Low
description: >
Audit Authorization Policy Change allows you to audit assignment and removal
of user rights in user right policies, changes in security token object
permission, resource attributes changes and Central Access Policy changes
for file system objects
eventID:
- 4703 #(S): A user right was adjusted
- 4704 #(S): A user right was assigned
- 4705 #(S): A user right was removed
- 4670 #(S): Permissions on an object were changed
- 4911 #(S): Resource attributes of the object were changed
- 4913 #(S): Central Access Policy on the object was changed
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Policy Change >
Audit Authorization Policy Change (Success,Failure)
```

View File

@ -0,0 +1,27 @@
title: LP_0106_windows_audit_kerberos_service_ticket_operations
default: Partially (Other) # Success on Servers. Not enabled on clients
volume: Extremely High # on Kerberos Key Distribution Center servers
description: >
Audit Kerberos Service Ticket Operations determines whether the operating
system generates security audit events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who
wants to access a protected network resource. Kerberos service ticket
operation audit events can be used to track user activity
eventID:
- 4769 #(S, F): A Kerberos service ticket was requested
- 4770 #(S): A Kerberos service ticket was renewed
- 4773 #(F): A Kerberos service ticket request failed
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Account Logon >
Audit Kerberos Service Ticket Operations (Success,Failure)
```

View File

@ -0,0 +1,26 @@
title: LP_0107_windows_audit_credential_validation
default: Configured
volume: High # on domain controllers. Low on member servers and workstations.
description: >
Audit Credential Validation determines whether the operating system
generates audit events on credentials that are submitted for a user
account logon request
eventID:
- 4774 #(S, F): An account was mapped for logon
- 4775 #(F): An account could not be mapped for logon
- 4776 #(S, F): The computer attempted to validate the credentials for an account
- 4777 #(F): The domain controller failed to validate the credentials for an account
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-credential-validation.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Account Logon >
Audit Credential Validation (Success,Failure)
```
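Review bot: `default: Configured` sits next to a volume comment that distinguishes domain controllers from member servers and workstations, which is the same server/client split LP_0038 and LP_0106 express as `Partially (Other) # Success on Servers. Not enabled on clients`; if the default differs by role, use that wording so the field stays comparable across LP files. This file, like LP_0101 through LP_0106, also lacks the `auditpol` script section present in LP_0037 through LP_0042.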