Windows-auditing-baseline

Project goal

Defining a security audit baseline is a challenging project, whatever the size of your organization: it requires a good understanding of Windows event logging, of the value of each event, of how events relate to attacker TTPs, and of the performance and storage impact of each setting you enable. The Windows-auditing-baseline project was created to address this challenge. It provides a complete end-to-end toolset that can be applied to any Active Directory environment in order to enable advanced threat detection capabilities with a minimum of effort.

Activation steps overview

The steps to configure in your environment are described below. We advise creating three group policies (domain controllers, member servers and workstations) for security, granularity and flexibility. In detail, the following steps are covered:

1-Auditing baseline

The security auditing baseline is defined in the following document. It lists the audit subcategories to enable (success and/or failure) together with the MITRE ATT&CK techniques each one can help cover (where applicable). We recommend evaluating your internal auditing requirements and adjusting the group policy templates accordingly. We also recommend applying the additional steps from Palantir for PowerShell auditing, command-line auditing and the WinRM client.

2-Group policy templates

[WORK IN PROGRESS]

2.1-Disabled event logs

This step is already performed in the group policy templates. Windows ships with several event logs (channels) that are disabled by default but provide valuable information once enabled. The table below lists these event logs with their category and, where applicable, the MITRE ATT&CK technique they can help detect.

Activation

To enable a disabled event log, set the following registry value using a Group Policy Preferences (GPP) registry item in the relevant Group Policy object (DC, SRV or WS), for each event log listed below:

Event logs list

| Event log name | Category | TTP ID | TTP name |
|---|---|---|---|
| Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController | Authentication | T1110 | Brute Force |
| Microsoft-Windows-Authentication/ProtectedUser-Client | Authentication | T1078 | Valid Accounts |
| Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController | Authentication | T1110 | Brute Force |
| Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController | Authentication | T1558 | Steal or Forge Kerberos Tickets |
| Microsoft-Windows-CAPI2/Operational | Crypto | T1552.004 | Unsecured Credentials: Private Keys |
| Microsoft-Windows-Crypto-NCrypt/Operational | Crypto | | |
| Microsoft-Windows-Dhcp-Client/Operational | DHCP client | | |
| DhcpAdminEvents | DHCP server | | |
| Microsoft-Windows-DhcpNap/Operational | DHCP server | | |
| Microsoft-Windows-DriverFrameworks-UserMode/Operational | Drivers | T1091 | Replication Through Removable Media |
| Microsoft-Windows-PrintService/Operational | Printer | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Microsoft-Windows-Base-Filtering-Engine-Connections/Operational | VPN server | | |
| Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational | VPN server | | |
| Microsoft-Windows-Iphlpsvc | VPN server | | |
| Microsoft-Windows-WinNat/Oper | VPN server | | |
| Microsoft-IIS-Configuration/Administrative | Web server | | |
| Microsoft-IIS-Configuration/Operational | Web server | | |

2.2-Log sizing

This step is already performed in the group policy templates. Windows event logs have a very limited default size (about 20 MB for the Security log, and often far less for operational channels). Such a small size introduces the risk of events being overwritten before they are collected, for example during a network outage or while the VPN is unreachable. We therefore advise increasing the size of the following event logs:
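The following PowerShell is an added example, not code or a template from the Windows-auditing-baseline project. It applies the two settings of sections 2.1 (enable a disabled channel) and 2.2 (raise the maximum log size) to a single host through the same API that Event Viewer and wevtutil use, then re-reads the live configuration to report compliance, which also makes it usable as a check on hosts the GPO should already have covered. The channel names come from the table in 2.1; which channels are included and the target sizes are assumptions chosen for illustration, not the project's values.

```powershell
# Added example, not code from the Windows-auditing-baseline project.
# Applies sections 2.1 (enable disabled channels) and 2.2 (raise log size) to
# the local host and reports compliance. Run in an elevated PowerShell session.
# The selection of channels and the target sizes below are assumptions for
# illustration; take the real list and sizes from the project's GPO templates.

# Channel name -> target maximum size in bytes. Sizes must be multiples of 64 KB.
$Channels = [ordered]@{
    'Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController' = 64MB
    'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'        = 64MB
    'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'       = 64MB
    'Microsoft-Windows-CAPI2/Operational'                                             = 128MB
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational'                         = 64MB
    'Microsoft-Windows-PrintService/Operational'                                      = 128MB
}

function Set-ChannelBaseline {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][long]$MaxSizeBytes
    )
    # EventLogConfiguration persists to
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<Name>
    # as the REG_DWORD values Enabled (1) and MaxSize (bytes); those are the
    # values a GPP registry item sets domain-wide.
    $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $Name
    if (-not $cfg.IsEnabled) { $cfg.IsEnabled = $true }
    # Never shrink a log that an administrator already made larger.
    if ($cfg.MaximumSizeInBytes -lt $MaxSizeBytes) { $cfg.MaximumSizeInBytes = $MaxSizeBytes }
    $cfg.SaveChanges()
}

function Test-ChannelBaseline {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][long]$MaxSizeBytes
    )
    # Get-WinEvent -ListLog re-reads the live configuration, so this is a real
    # after-the-fact check rather than an echo of what we just wrote.
    $log = Get-WinEvent -ListLog $Name -ErrorAction SilentlyContinue
    if (-not $log) {
        # Channel absent on this SKU or role: report it rather than stop the run.
        return [pscustomobject]@{ Channel = $Name; Enabled = $false; MaxSizeMB = $null; Compliant = $false }
    }
    [pscustomobject]@{
        Channel   = $Name
        Enabled   = $log.IsEnabled
        MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        Compliant = $log.IsEnabled -and ($log.MaximumSizeInBytes -ge $MaxSizeBytes)
    }
}

foreach ($entry in $Channels.GetEnumerator()) {
    try {
        Set-ChannelBaseline -Name $entry.Key -MaxSizeBytes $entry.Value
    } catch {
        # Typical cause: the channel does not exist on this host.
        Write-Warning "$($entry.Key): $($_.Exception.Message)"
    }
}

$Channels.GetEnumerator() |
    ForEach-Object { Test-ChannelBaseline -Name $_.Key -MaxSizeBytes $_.Value } |
    Format-Table -AutoSize
```

Run the compliance part alone (only the `Test-ChannelBaseline` pipeline) on a few machines after the GPO has applied to confirm the policy actually landed. Note that the two steps belong together: CAPI2/Operational and PrintService/Operational in particular are high-volume channels, so enabling them in 2.1 without the larger size from 2.2 quickly produces exactly the overwrite problem described above.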

3-Agent configuration

Once the auditing baseline is in place and the required events and/or channels are enabled, you may need to configure your agent or agent-less solution to forward logs to a SIEM or a central collector. Below you will find two configuration templates to enable log forwarding to the chosen destination:

Sources

The following sources were used to build the auditing baseline: