Implement Threat Detection Solutions Flashcards
Audit Policies ATA OMS
What tool can be used to give recommendations on which audit policies should/could be implemented?
Security Compliance Manager
What is the default auditing policy for Windows 7/8/10?
- Audit Credential Validation: Both Off
- Audit User Account Management: Success
- Audit Account Lockout: Success
- Audit Logoff: Success
- Audit Logon: Success and Failure
- Audit Network Policy Server: Success and Failure
- Audit Special Logon: Success
- Audit Audit Policy Change: Success
- Audit Authentication Policy Change: Success
- Audit Other System Events: Success and Failure
- Audit Security State Change: Success
- Audit System Integrity: Success and Failure
What is the default audit policy for Windows Server 2008/R2/2012/R2/2016?
- Audit Credential Validation: Both Off
- Audit User Account Management: Success
- Audit User Account Lockout: Success
- Audit Logoff: Success
- Audit Logon: Success and Failure
- Audit Network Policy Server: Success and Failure
- Audit Special Logon: Success
- Audit Audit Policy Change: Success
- Audit Authentication Policy Change: Success
- Audit Other System Events: Success and Failure
- Audit Security State Change: Success
- Audit System Integrity: Success and Failure
Why should workstations be monitored in addition to servers?
Workstations are often the earliest source of detection and the origin of the attack
What types of events should be monitored and alerted?
- Events where any single occurrence indicates unauthorized activity
- Accumulations of events that are above the expected baseline
What event is generated when a privileged user logs onto a system?
Audit Special Logon event 4964
What are some common occurrences of single instance alerts (events whose issuance indicates a likely attack)?
- If two servers that should never connect, connect.
- If a normal user account is added to a sensitive group
- If an account that never logs in after hours logs in after hours
- If a new service is installed on a DC
- Regular events where a user is attempting to log in to a server they shouldn’t
- If the DA (Domain Admins) group is empty and someone adds themselves to DA
What would be an indicator of a password guessing attack?
A large number of failed logons
What are some items that should be monitored in AD?
- Monitor AV disabling and removal. AV should have an auto restart option
- Monitor Admin accounts for unauthorized changes to things like CN, Name, SamAccountName, UPN, and UAC settings
- Monitor admin activities (removing an account)
- Membership changes for privileged groups. (adminFlags groups)
- Activation and use of the Builtin Administrator account
What workflow would help identify which servers should be monitored the most?
Group servers by classification of their workloads.
What PowerShell cmdlet can be used to view System Access Control Lists (SACLs)?
Get-Acl
What PowerShell cmdlet can be used to modify SACLs?
Set-Acl
What different types of ACLs are used in Windows?
Discretionary Access Control Lists (DACLs) control access to an object.
System Access Control Lists (SACLs) enable logging on objects.
How can you extend the GPO-based audit policies to include specifics about files, folders, and even AD objects?
Define auditing for the file, folder, or AD object via SACLs (Auditing Tab of the object’s properties)
Where are Advanced Audit Policies configured?
GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration
Which section of the advanced audit policies monitors attempts to authenticate with a DC or the SAM?
Account Logon
How are Account Logon events different from Logon/Logoff events?
Logon and Logoff are interested in attempts to access a particular system. Account Logon is interested in the account database that was used.
What different subcategories are available for Account Logon Auditing?
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events
Which section of advanced audit policies has to do with changes to users, computers, or groups?
Account Management
Which different subcategories exist for Account Management Auditing?
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Which section of advanced audit policies handles monitoring activities of individual applications and users on a system and how that system is being used?
Detailed Tracking
What are the different subcategories of Detailed Tracking auditing?
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
On which systems will the DS Access events be written?
Domain Controllers
Which section of advanced audit policies is used to track attempts to logon to a system and tracks user activity?
Logon / Logoff
Which advanced audit policy category would show password spraying or similar attacks?
Logon / Logoff
What are the different subcategories of Logon/Logoff Auditing?
Audit Account Lockout
Audit User/Device Claims
Audit IPSec Extended Mode
Audit Group Membership
Audit IPSec Main Mode
Audit IPSec Quick Mode
Audit Logon
Audit Logoff
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Which section of advanced audit policies audits events that help track access to specific objects or object types, such as file access, registry key access, etc.?
Object Access
What are the different subcategories of Object Access?
Audit Application Generated
Audit Certificate Services
Audit Detailed File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Which section of advanced audit policies would alert in regards to changes to security policies?
Policy Change
What are the different subcategories of the Policy Change Audit Policy?
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Which section of advanced audit policies shows when administrators use their permissions?
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events
Which audit policy category is responsible for auditing events related to system-level changes on a system that are not covered by other audit categories?
System
What are the different subcategories for the System audit policy?
Audit IPSec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
What is Global Object Access Auditing?
Global Object Access Auditing allows administrators to define computer SACLs per object type for files and the registry.
This can be used to prove to auditors that every object in a system is protected by an audit policy.
What are the different subcategories of Global Object Access Auditing?
File System (Global Object Access Auditing)
Registry (Global Object Access Auditing)
Which audit category captures events generated by the OS on credentials that are submitted for a user account authentication request?
Audit Credential Validation
What is the recommended configuration for “Audit Credential Validation” on all servers?
Audit Success and Audit Failure turned on
What does event ID 4776 indicate in the security log?
The computer attempted to validate credentials for an account.
- This is generated every time a credential validation occurs via NTLM
- For domain systems, this will appear on domain controllers
- This event shows successful and unsuccessful attempts
See Event 4624 on the local system for more details.
What event log entry may indicate a mismatched LAN Manager Authentication?
Event ID 4776 with error code 0xC000006D
What should be monitored to detect credential use that could correspond to anomalies or malicious activity?
Configure Audit Credential Validation successes and failures
Search the SIEM for Logon Account and Source workstations and find anomalies.
In which version of Windows was Advanced Policy Configuration introduced?
Server 2008 R2 / Windows 7
Where do you find the Advanced Audit Policy Configuration Settings?
Group Policy \ Computer Configuration \ Policies \ Security Settings \ Advanced Audit Policy Configuration
Where are the original, pre-Server 2008 R2, audit settings located?
Group Policy \ Computer Configuration \ Policies \ Security Settings \ Local Policies \ Audit Policy
What is the best way to configure the original audit policies and the new advanced audit policy configuration settings together?
You shouldn’t. It is recommended that you use the new policies only and force their use via “Audit: Force audit policy subcategory settings.”
Where do you configure “Audit: Force Audit Policy Subcategory settings”?
Group Policy \ Computer Configuration \ Policies \ Security Settings \ Local Policies \ Security Options
You have configured Advanced Audit Policies to target several Server 2008 systems. However, it appears that the servers are not taking the new audit settings. What needs to be done?
Instead of relying on GPO to configure the Advanced Audit Settings on 2008 Servers, utilize auditpol.exe.
Server 2008 does not natively support Advanced Audit Policies and must be configured specially to use them.
What command will show what audit policies are enabled on a system?
Auditpol.exe /get /Category:*
What does the “Audit Kerberos Authentication Service” auditing policy do when enabled?
The Audit Kerberos Authentication Service setting generates audit events for Kerberos authentication (TGT) requests; an event is written after each TGT request is processed.
On which systems should the “Audit Kerberos Authentication Service” policy be configured?
Exclusively Domain Controllers.
What does an event 4768 indicate in the security log of a DC?
Kerberos TGT was generated
Success indicates the ticket was issued
Failure indicates the ticket request failed.
When would you see event 4771 in the Security Log?
This shows on domain controllers when the KDC fails to issue a TGT. This can occur if the DC doesn’t have the user’s smart card certificate, the password is expired, or the wrong password is provided in the authentication request.
This does not generate if “Do not require Kerberos preauthentication” is configured for the account.
Several users report they cannot log in to their network shares for a specialized application. You suspect a bad password and check the DC for event 4771 to see if they are receiving failed TGT requests. You are unable to locate any instances of the event. What could be wrong?
“Do not require Kerberos preauthentication” may be configured on the users’ accounts.
When developing a Windows security audit plan, what needs to be identified?
The network environment needs to be documented, including domains, OUs, and security groups.
Resources on the network, users of the resources, and how the resources are being consumed need to be itemized.
Regulatory compliance requirements.
You have a team of users who are bound by special regulatory compliance requirements. You plan on configuring audit policies directly on their individual accounts. How do you accomplish this?
You cannot. Audit Policies are computer policies and cannot be directly linked to user accounts.
You should configure the policy to target the users’ systems and, if necessary, configure SACLs to ensure that those specific users are being targeted.
What kind of information is captured if “Object Access \ Audit File Share” auditing is enabled?
You can determine what content was accessed, the source of the request, and the account used for the process.
You believe several users have been opening files they are not authorized to open, despite having access. How would you audit which users are accessing these files and what information they accessed?
Configure “Object Access \ Audit File Share”
Why may “Object Access \ Audit File Share” auditing not be advised on Domain Controllers?
The SYSVOL share has high activity and will fill the event logs quickly, obscuring meaningful events.
What kind of information is gathered with the “Object Access \ Audit File System” auditing?
This only generates events for objects that have SACLs (files and folders)
This will generate events every time an account accesses a file system object with a matching SACL.
Use Global Object Access auditing for more details.
What does Global Object Access Auditing do?
When configured, they apply a global SACL on all objects of the defined class on a system. These cannot be overridden or circumvented.
How would you monitor what applications a user has opened and closed on a system?
Enable “Detailed Tracking \ Audit Process Creation” and “Detailed Tracking \ Audit Process Termination” auditing
What type of auditing may help alert if a domain account has been compromised?
DS Access \ Audit Directory Service Access
DS Access \ Audit Directory Service Changes
How would you capture account lockout events or attempts to use locked out accounts?
Enable “Logon / Logoff \ Audit Account Lockout” auditing
When capturing Audit Logoff and Audit Logon events, where will the events be located?
Interactive logon events are generated on the computer being logged into
Network logon events are generated on the resource host (the accessed system).
How do you enable Account Logoff Failed Events?
You cannot.
There isn’t a reliable system to capture logoffs and thus there aren’t events for it.
What kind of information is captured with “Logon Logoff \ Audit Special Logon” auditing?
This captures information from a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate processes to a higher level.
This also captures information about logons of special groups.
How do you modify the special groups that are captured by Audit Special Logon auditing?
HKLM:\System\CurrentControlSet\Control\Lsa\Audit
- Edit: New String Value
- Enter “Special Groups”
- Right-click “Special Groups” \ Modify
- Enter the SID of the group(s). Use a semicolon to separate different SIDs.
What is the advantage of configuring “Object Access \ Audit SAM” auditing?
Since the SAM stores information regarding local accounts, it is important to track local accounts.
Account Management auditing will capture changes to users and groups in the SAM, however, some attacks involve modifying the SAM database directly and bypass Audit Account Management.
What types of activities will fall under Audit Sensitive Privilege use?
Act as part of the Operating System
Backup Files and Directories
Restore Files and Directories
Create a token object
Debug Programs
Enable computer and user accounts to be trusted for delegation
Generate security audits
Impersonate a client after authentication
Load and unload device drivers
Manage auditing and security log
Modify firmware environment values
Replace a process-level token
Take ownership of files or other objects
How do the Account Logon audit policy settings differ from the Logon/Logoff audit policy settings?
Account Logon serves as a complement to Logon/Logoff auditing and will generate events regardless of the system accessed.
Logon/Logoff only applies to the computer hosting the accessed resources.
What type of auditing would track Remote Desktop Connections?
Account Logon \ Audit Other Account Logon Events
What information is gained by enabling the DS Access Audit Policy Settings?
This allows for monitoring the AD DS role services. This will capture changes to DCs and tracks replication between domain controllers.
What audit setting should be configured to ensure IPSec is working correctly?
Logon/Logoff Audit IPSec Extended Mode
Logon/Logoff Audit IPSec Main Mode
Logon/Logoff Audit IPSec Quick Mode
Which audit policies capture changes to the Windows Firewall?
Policy Change \ Audit MPSSVC Rule-Level Policy Change
Can you configure Advanced Audit Policies on the Windows 10 Home Editions?
No. Only editions of Windows that can be joined to domains are supported for Advanced Audit Policies
What is the default retention policy for the Windows Audit Event Logs?
Overwrite events as needed (oldest first)
How do you increase the size of the Security event log via Group Policy?
Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Event Log Service \ Security
Which audit category should be configured to capture malicious tools attempting to modify the Domain Password policy?
Account Management \ Audit Other Account Management Events
How would you audit replication between domain controllers?
DS Access \ Audit Directory Service Replication
DS Access \ Audit Detailed Directory Service Replication
What kind of logons/logoffs are captured with “Logon/Logoff Auditing \ Audit Other Logon/Logoff Events” audit settings?
Terminal Services session disconnections
New Terminal Services sessions
Locking and unlocking a workstation
Invoking a screen saver
Dismissal of a screen saver
Access to a wireless network
Access to a wired 802.1x network
What kind of auditing can be used to help detect Kerberos replay attacks?
Logon/Logoff \ Audit Other Logon/Logoff Events
What kind of event auditing will capture events for Certificate Services?
Object Access \ Audit Certification Services
What is the difference between Audit Detailed File Share and Audit File Share auditing?
Detailed File Share logs an event every time a folder is accessed.
File Share Auditing logs one event for any connection established.
What does File Share Auditing capture?
File Shares do not have SACLs and thus File Share Auditing grabs everything.
What types of information is gathered through File System Auditing?
Audit user attempts to access file system objects
Audit events are only generated for objects with SACLs specified and only for the specified type of access.
Which type of audit will put Firewall events into the Security Event logs?
Object Access \ Audit Filtering Platform Connection
Which category of audit policies will capture events generated by the task scheduler or COM+ objects?
Object Access \ Audit Other Object Access Events
What is the primary benefit of configuring “Audit account logon events” in Advanced Audit Policy Configuration over the standard Audit Policy?
When configured via Advanced Audit Policy, “Audit account logon events” will capture both Success and Failures if so configured. Under a standard Audit Policy, this category can only return success events.
How do Advanced Audit Policy Configuration and standard Audit Policies interoperate?
They do not.
When advanced audit policies are configured, the computer’s audit policies are flushed.
Are Advanced Audit Policy GPOs cumulative or do they get overridden by higher priority GPOs?
Audit policies are overridden by higher priority GPOs
What is the difference between a SACL and a DACL?
Discretionary Access Control Lists (DACLs) identify the users and groups allowed or denied access.
System Access Control Lists (SACLs) control how access is audited.
How do you unset configured advanced audit policy settings to use the basic settings again?
- Configure the policy settings you don’t need to “Not Configured”
- Delete all audit.csv files from the SYSVOL
- Reconfigure and apply the basic settings
With Directory Services Auditing, what happens if no SACL is configured on an object?
If no SACL is configured, no change auditing events are captured.
How do you disable all auditing for an attribute in AD?
Modify the schema for the attribute: set the 8th bit of searchFlags (value 256) so that change events are not logged.
How do you ensure that large string values are captured in the event logs on DCs when Directory Services Auditing is configured?
HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
- MaximumStringBytesToAudit
- REG_DWORD (default 1000, min 0, max 64000)
How do you enable PowerShell Script Logging?
GPMC: Computer/User Settings \ Policies \ Administrative Templates \ Windows Components \ Windows PowerShell
Where are the PowerShell Script Logging events stored?
Microsoft-Windows-PowerShell/Operational
Can PowerShell script logging capture scripts called by Invoke-Expression?
Yes. They are both captured.
What access does granting SeBackupPrivilege give?
- User can bypass file and directory, registry, and other permissions for the purpose of backing up
- Effectively grants read access regardless of ACL
- Grants:
  - READ_CONTROL
  - ACCESS_SYSTEM_SECURITY
  - FILE_GENERIC_READ
  - FILE_TRAVERSE