Closed djcmct closed 8 months ago
I confirm this bug; my trainees faced the same issue this week and we had to enable Audit Process tracking in audit policy.
Thanks. I will get an update per @adeldjama fix.
Oct 13 2023, we are seeing 4688 events in the Security log.
The FIX as described above worked for us. Thank you Dave Cooke
I'm working on this one today.
This is something that Skillable or I need to fix on the WINServer image. Still validating the fix.
It was the 2nd setting Dave Cooke added.
This should be fixed for all lab hosting providers by next week's classes.
This is fixed.
Contact Details
davecooke1967@gmail.com
What happened?
Auditing isn't enabled correctly on WinServer; consequently, no 4688 events are being recorded for the Registry change performed in the previous exercise, which then causes task 1 detections to fail.
Is this something I need to speak to Skillable about directly or does this change need to be pushed out from here?
Had to enable both of the following in Local GPO to get the event log to record the events:
- Computer Configuration/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Detailed Tracking/Audit Process Creation
- Computer Configuration/Administrative Templates/System/Audit Process Creation/Include Command line in process creation events
Lab
Lab 07 Exercise 06 Create Detections
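The two settings named in the report can be checked and enabled from an elevated PowerShell session, followed by a check that a 4688 event carrying a command line is actually written. This is an added example, not part of the issue thread or the lab's own fix; it assumes an English-language Windows Server with local (non-domain) policy, and the marker string is constructed.

```powershell
# Added example (not from the issue thread). Run in an elevated PowerShell session.

# Setting 1: Advanced Audit Policy > Detailed Tracking > Audit Process Creation.
# Assumes an English-language OS, where the subcategory is named "Process Creation".
$policy = auditpol /get /subcategory:"Process Creation" /r |
    Where-Object { $_ } | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
}

# Setting 2: Administrative Templates > System > Audit Process Creation >
# "Include command line in process creation events", stored as this registry value.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$name = 'ProcessCreationIncludeCmdLine_Enabled'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($value -ne 1) {
    New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
}

# Check: start a marked process, then look for its 4688 event with a command line.
$marker = "audit-check-$(Get-Random)"   # constructed marker string
$start  = Get-Date
cmd.exe /c "echo $marker" | Out-Null
Start-Sleep -Seconds 2                  # give the event time to be written

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $start }
$hit = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read named fields from the event XML instead of relying on property order.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Process     = ($data | Where-Object Name -eq 'NewProcessName').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    } | Where-Object { $_.CommandLine -like "*$marker*" }

if ($hit) { $hit | Format-List }
else { Write-Warning 'No 4688 event with the marker command line; check for a GPO overriding these settings.' }
```

Where a domain GPO manages these settings, it overwrites local changes at the next policy refresh. Command lines recorded in 4688 events can contain secrets passed as arguments, so restrict who can read the Security log.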