clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Windows EVTX Auditing Issue #342

Closed 4ndr3w6 closed 5 years ago

4ndr3w6 commented 5 years ago

Please verify that you are building from an updated Master branch before filing an issue.

Using master branch version as of 11/9/2019

Description of the issue:

Hey @clong. Hope you are having a great weekend. Sorry for the ticket. :(
Not sure if this is just me, or if you and/or others are experiencing this as well, but I do not believe the Windows auditing policy is getting pushed out completely. Below is the DC auditpol that I have from a fresh local build this morning, and after running a gpupdate /force. So I am a little lost right now if it's on my end (most likely) or if it's a GPO.

Thanks so much and always thank you for all your work into this project.

Cheers!

PS I did not have a chance to check the win10 box

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    No Auditing
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
  User Account Management                 Success
DS Access
  Directory Service Access                Success
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success
  Credential Validation                   Success
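
The output above is the manual check the reporter ran. The script below is an added example (not code from the DetectionLab project or from anyone in this thread) that automates the same verification: it reads the effective advanced audit policy with `auditpol /get /category:* /r`, compares it against a baseline of expected subcategory settings, and flags anything that came back as "No Auditing" or weaker than expected. The `$Baseline` table is a constructed, illustrative set of subcategories chosen from the ones listed in the issue; it is an assumption, not DetectionLab's actual GPO values, and should be replaced with whatever your GPO is supposed to enforce.

```powershell
# Added example: compare this host's effective advanced audit policy against
# an expected baseline. Constructed baseline, not DetectionLab's GPO values.
$Baseline = @{
    'Process Creation'                   = 'Success and Failure'
    'Process Termination'                = 'Success'
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success'
    'Special Logon'                      = 'Success'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Credential Validation'              = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Directory Service Changes'          = 'Success and Failure'
}

# Rank the possible "Inclusion Setting" values so "weaker than expected"
# becomes a simple numeric comparison.
$Rank = @{ 'No Auditing' = 0; 'Success' = 1; 'Failure' = 1; 'Success and Failure' = 2 }

function Get-EffectiveAuditPolicy {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
}

function Compare-AuditPolicy {
    param([hashtable]$Expected)

    # Index the live policy by subcategory name.
    $current = @{}
    foreach ($row in Get-EffectiveAuditPolicy) {
        $current[$row.Subcategory] = $row.'Inclusion Setting'
    }

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $want   = $Expected[$name]
        $actual = if ($current.ContainsKey($name)) { $current[$name] } else { 'MISSING' }
        $status = if ($actual -eq 'MISSING')             { 'MISSING' }
                  elseif ($actual -eq $want)             { 'OK' }
                  elseif ($Rank[$actual] -lt $Rank[$want]) { 'WEAKER' }
                  else                                   { 'DIFFERENT' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $want
            Actual      = $actual
            Status      = $status
        }
    }
}

$report = Compare-AuditPolicy -Expected $Baseline
$report | Format-Table -AutoSize

# Non-zero exit so the check can gate a provisioning or CI step.
$gaps = @($report | Where-Object { $_.Status -ne 'OK' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) audit subcategories do not match the baseline."
    exit 1
}
```

Run it on the DC after `gpupdate /force` as an elevated user. When the GPMC report shows the settings but this check still reports gaps, two things worth confirming are that the GPO's SYSVOL folder actually contains `Machine\Microsoft\Windows NT\Audit\audit.csv` (that file is how advanced audit settings reach the client), and that the policy "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled, since legacy category-level audit settings can otherwise win over the advanced subcategories.
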

clong commented 5 years ago

I'm able to confirm this. It looks like all of the advanced audit configuration stuff on the DC GPO has completely gone missing. Not sure if it's always been like this or if something changed. Looking into this now...

clong commented 5 years ago

It appears this GPO was never correct: https://rawgit.com/clong/DetectionLab/master/Vagrant/resources/GPO/reports/Domain%20Controllers%20Enhanced%20Auditing%20Policy.htm

I'm working on getting this updated now.

clong commented 5 years ago

OK, now I'm confused. The GPO shows that the auditing settings are enabled, but I don't see them in gpresult and they don't seem to be getting applied:

[image]

clong commented 5 years ago

I've recreated the GPO and things seem to be fine now. Fix incoming.

clong commented 5 years ago

Should be fixed in https://github.com/clong/DetectionLab/pull/344