joshnguyen08 / cybersecurity-homelab


Set up Victim Subnet to capture key events #23

Open joshnguyen08 opened 1 month ago

joshnguyen08 commented 1 month ago

4657 - modification to a registry key

joshnguyen08 commented 1 month ago

2.7 Expand Victim Subnet to log key security events

https://github.com/joshnguyen08/cybersecurity-homelab/issues/23

Objective: Update Windows DC to capture and log key events as well as push settings to all domain-joined users through Group Policy

joshnguyen08 commented 1 month ago

May need to update forwarders / winlogbeat to forward those new events over (maybe)

joshnguyen08 commented 1 month ago

Use this command "auditpol /get /category:*" to check auditing

Open “Group Policy Management” -> Domain -> heem.local -> Group Policy Objects

Right click the domain -> “Create a GPO in this domain, and Link it here” -> name it “Audit Policy Configuration”

Right click the new GPO -> "Edit"

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration -> Audit Policies

For auditing registry changes:

From audit policies -> Object Access -> Audit registry -> enable for success and failure

Below is a picture of what it looks like afterwards


Also added for audit logon

Make sure to add a SACL within the registry directory like the run folder

Go back to the GPO editor -> Computer Configuration > Policies > Windows Settings > Security Settings -> Registry -> Right click Registry and hit "Add Key" -> Hunt for the selected key to audit, which is MACHINE\Software\Microsoft\Windows\CurrentVersion\Run -> In the Security tab -> Hit Advanced -> Auditing -> Add a principal with "Everyone" and access set to "special", meaning choose "Query value", "Set value", "Create subkey", "Delete", "Change permissions", basically the things you want to audit


Now that will track everything in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To track for Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

You will have to create a local SACL

Run gpupdate /force to enable the group policy to inherit and apply policy immediately

Enabled account logon success/failure, enabled process creation auditing as well

Confirmed in Splunk and ELK stack
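The "local SACL" step for the per-user Run key, plus a check that the audit subcategories pushed by the GPO are actually effective on the host. This is an added example, not a script from the repository or the issue; it assumes an elevated PowerShell session running as the user whose HKCU hive should be audited, and the same rights and "Everyone" principal the thread picks in the GPO editor.

```powershell
# Added example (not from the cybersecurity-homelab repo): create the local SACL on the
# HKCU Run key that Group Policy's Registry node does not cover, then verify auditing.
# Assumes: elevated session, run as the user whose HKCU hive is being audited.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Everyone (well-known SID S-1-1-0), same principal as in the GPO SACL above
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# The "special" rights the thread selects: Query value, Set value, Create subkey,
# Delete, Change permissions. Audit both success and failure.
$rights = [System.Security.AccessControl.RegistryRights]'QueryValues,SetValue,CreateSubKey,Delete,ChangePermissions'
$flags  = [System.Security.AccessControl.AuditFlags]'Success,Failure'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    $flags)

# Read the current SACL (-Audit is required, otherwise only the DACL is loaded),
# add the rule, and write it back. Writing a SACL needs SeSecurityPrivilege.
$acl = Get-Acl -Path $runKey -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $runKey -AclObject $acl

# Show the resulting SACL so the entry can be compared with the GPO one
(Get-Acl -Path $runKey -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize

# Confirm the subcategories this issue enables are "Success and Failure" on this host
# after gpupdate /force (Registry -> 4657, Process Creation -> 4688, Logon -> 4624/4625,
# User Account Management -> 4720/4723, Other Object Access Events -> 4698,
# Security System Extension -> 4697).
$subcategories = 'Registry', 'Process Creation', 'Logon',
                 'User Account Management', 'Other Object Access Events',
                 'Security System Extension'
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub"
}
```

Because HKCU is per user, the SACL has to be applied in each user's own hive; a logon script or a scheduled task running as the user is one way to roll it out.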

joshnguyen08 commented 1 month ago

Need a monitor on the temp folders (AppData -> Local -> Temp) and C:/Windows/Temp

joshnguyen08 commented 1 month ago

Need:

4720: User account created

4723: An attempt was made to change an account's password

joshnguyen08 commented 4 weeks ago

Need:

4697 service creation

joshnguyen08 commented 3 weeks ago

Done:

4720: User account created

4723: An attempt was made to change an account's password

Enabled audit for "User account management", which includes user account created, changed, deleted, renamed, disabled, locked/unlocked, password reset, password change, etc.

Event 4698 enabled: Enabled audit for "other object access events" which includes scheduler jobs creation, deletion, enabled, disabled, and updated + COM+ objects added, updated, and deleted.

4697 service creation: Enabled audit for "security system extension", which includes a service being installed and registered with the service control manager