MicrosoftLearning / SC-200T00A-Microsoft-Security-Operations-Analyst

MIT License
262 stars 204 forks

Mod 07 Lab1 Ex 7 #206

Closed djcmct closed 8 months ago

djcmct commented 10 months ago

Contact Details

davecooke1967@gmail.com

What happened?

Auditing isn't enabled correctly on WinServer; consequently, no 4688 events are being recorded for the Registry change performed in the previous exercise, which then causes the Task 1 detections to fail.

Is this something I need to speak to Skillable about directly or does this change need to be pushed out from here?

Had to enable both Computer Configuration/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Detailed Tracking/Audit Process Creation and Computer Configuration/Administrative Templates/System/Audit Process Creation/Include command line in process creation events in the Local GPO to get the event log to record the events.

Lab

Lab 07 Exercise 06 Create Detections

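The two settings named in the report can also be checked and applied from an elevated PowerShell session instead of the Local Group Policy editor. The script below is an added example and is not part of the original issue or the lab repository; it uses the built-in `auditpol` tool for the "Process Creation" subcategory and the documented registry value `ProcessCreationIncludeCmdLine_Enabled` under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit` for command-line inclusion, then reads back the newest 4688 events so you can confirm the log is being populated before running the detection exercise.

```powershell
# Added example: enable process-creation auditing (4688) with command-line capture
# and verify that events are being written. Run in an elevated PowerShell session.

# 1. Show the current state of the Detailed Tracking > Process Creation subcategory.
auditpol /get /subcategory:"Process Creation"

# 2. Enable success and failure auditing for Process Creation
#    (equivalent to the Advanced Audit Policy Configuration setting in the GPO).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 3. Enable "Include command line in process creation events"
#    (equivalent to the Administrative Templates > System > Audit Process Creation setting).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) {
    New-Item -Path $auditKey -Force | Out-Null
}
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Generate a harmless process start so a 4688 is written, then read back the
#    most recent 4688 events. The CommandLine field is populated only once step 3 applies.
Start-Process -FilePath 'whoami.exe' -Wait -NoNewWindow

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $_.Properties[5].Value   # New Process Name
            CommandLine = $_.Properties[8].Value   # Process Command Line (empty if step 3 is not in effect)
        }
    } | Format-Table -AutoSize
```

If `auditpol /get` still shows "No Auditing" after step 2, a domain or local policy is overriding the setting; in that case the change has to be made in the GPO paths listed above rather than directly with `auditpol`.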

adeldjama commented 9 months ago

I confirm this bug; my trainees faced the same issue this week and we had to enable Audit Process Tracking in the audit policy.

KenMAG commented 9 months ago

Thanks. I will get an update per @adeldjama fix.

arnoldvilleneuve commented 9 months ago

Oct 13, 2023: we are seeing 4688 events in the Security log.

The FIX as described above worked for us. Thank you, Dave Cooke.

KenMAG commented 9 months ago

I'm working on this one today.

KenMAG commented 9 months ago

This is something that Skillable or I need to fix on the WINServer image. Still validating the fix.

KenMAG commented 9 months ago

It was the 2nd setting Dave Cooke added.

KenMAG commented 8 months ago

This should be fixed for all lab hosting providers by next week's classes.

KenMAG commented 8 months ago

This is fixed.