valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fc23f0ca8c
atomic-threat-coverage/logging_policies/LP_0039_windows_audit_kernel_object.yml
yugoslavskiy 68d4929a53 general update: 
- DN calc function updated, fixed incorrect calc for multiple DRs
- updated all LPs with a preparation for a new feature (sucess/fail LP config calculcation per DR/EID)
- all the stuff (md/confluence) has been updated according to changes

updated with a log source sample:

- DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.yml

created:

- DN_0086_4720_user_account_was_created.yml
- DN_0087_5156_windows_filtering_platform_has_permitted_connection.yml
- DN_0088_4616_system_time_was_changed.yml
- DN_0089_56_terminal_server_security_layer_detected_an_error.yml
- DN_0090_50_terminal_server_security_layer_detected_an_error.yml
- LP_0045_windows_audit_filtering_platform_connection.yml
- LP_0046_windows_audit_security_state_change.yml
2019-07-12 06:38:49 +03:00

34 lines
1.3 KiB
YAML
Raw Blame History

title: LP_0039_windows_audit_kernel_object
default: Not configured
volume: High # if auditing access of global system objects is enabled.
description: >
This policy setting allows you to audit attempts to access the kernel,
which include mutexes and semaphores. Only kernel objects with a matching
system access control list (SACL) generate security audit events
eventID:
- 4656 # (S, F): A handle to an object was requested
- 4658 # (S): The handle to an object was closed
- 4660 # (S): An object was deleted
- 4663 # (S): An attempt was made to access an object
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-kernel-object.md
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kernel-object
- https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter7
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Object Access >
Audit Kernel Object (Success)
```
Script to implement logging policy:
```
Auditpol /set /subcategory:"Kernel Object" /success:enable /failure:disable
```
Reference in New Issue View Git Blame Copy Permalink