Implement Threat Detection Solutions Flashcards

Question 1

Q

What tool can be used to give recommendations on which audit policies should/could be implemented?

Answer

A

Security Compliance Manager

Question 2

Q

What is the default auditing policy for Windows 7/8/10?

Answer

A

Audit Credential Validation: Both Off
Audit User Account Management: Success
Audit Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success and Failure
Audit Network Policy Server: Success and Failure
Audit Special Logon: Success
Audit Audit Policy Change: Success
Audit Authentication Policy Change: Success
Audit Other System Events: Success and Failures
Audit Security State Change: Success
Audit System Integrity: Success and Failure

Question 3

Q

What is the default audit policy for Windows Server 2008/R2/2012/R2/2016?

Answer

A

Audit Credential Validation: Both Off
Audit User Account Management: Success
Audit User Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success and Failures
Audit Network Policy Server: Success and Failures
Audit Special Logon: Success
Audit Audit Policy Change: Success
Audit Authentication Policy Change: Success
Audit Other System Events: Success and Failures
Audit Security State Change: Success
Audit System Integrity: Success and Failure

Question 4

Q

Why should workstations be monitored in addition Servers being monitored?

Answer

A

Workstations are often the earliest source of detection and the origin of the attack

Question 5

Q

What types of events should be monitored and alerted?

Answer

A

Event which any occurrence indicates unauthorized activity

- Accumulations of events that are above the expected baseline.

Question 6

Q

What event is generated when a privileged user logs onto a system?

Answer

A

Audit Special Logon event 4964

Question 7

Q

What are some common occurrences of single instance alerts (events whose issuance indicates a likely attack)?

Answer

A

If two servers that should never connect, connect.
In a normal user account is added to a sensitive group
If an account who never logs in after hours, logs in after hours.
If a new service is installed on a DC
Regular events where a user is attempting to login to a server they shouldn’t
If a DA is empty and someone adds themselves to DA

Question 8

Q

What would be an indicator of a password guessing attack?

Answer

A

A large number of failed logons

Question 9

Q

What are some items that should be monitored in AD?

Answer

A

Monitor AV disabling and removal. AV should have an auto restart option
Monitor Admin accounts for unauthorized changes to things like CN, Name, SamAccountName, UPN, and UAC settings
Monitor admin activities (removing an account)
Membership changes for privileged groups. (adminFlags groups)
Activation and use of the Bultin Administrator Account.

Question 10

Q

What workflow would help identify which servers should be monitored the most?

Answer

A

Group servers by classification of their workloads.

Question 11

Q

What Powershell cmdlet can be used to view System Access Control Lists (SACLs)?

Question 12

Q

What Powershell cmlet can be used to modify SACLs?

Question 13

Q

What different types of ACLs are used in Windows?

Answer

A

Discretionary Access Control Lists (DACLs) control access to an object.

System Access Control Lists (SACLs) enables logging on objects.

Question 14

Q

How can you extend the gpo-based audit policies to include specifics about files, folder,s and even AD objects?

Answer

A

Define auditing for the file, folder, or AD object via SACLs (Auditing Tab of the object’s properties)

Question 15

Q

Where are Advanced Audit Policies configured?

Answer

A

GPO: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration

Question 16

Q

Which section of the advanced audit policies monitors attempts to authenticate with a DC or the SAM?

Answer

A

Account Logon

Question 17

Q

How are Account Logon Events different that Logon/Logoff events?

Answer

A

Logon and Logoff are interested in attempts to access a particular system. Account Logon is interested in the account database that was used.

Question 18

Q

What different subcategories are available for Account Logon Auditing?

Answer

A

Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events

Question 19

Q

Which section of advanced audit policies has to do with changes to users, computers, or groups?

Answer

A

Account Management

Question 20

Q

Which different subcategories exist for Account Management Auditing?

Answer

A

Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management

Question 21

Q

Which section of advanced audit policies handles monitoring activities of individual applications and users on a system and how that system is being used?

Answer

A

Detailed Tracking

Question 22

Q

What are the different subcategories of Detailed Tracking auditing?

Answer

A

Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events

Question 23

Q

On which systems will the DS Access events be written?

Answer

A

Domain Controllers

Question 24

Q

Which section of advanced audit policies is used to track attempts to logon to a system and tracks user activity?

Answer

A

Logon / Logoff

Question 25

Q

Which advanced audit policy category would show password spraying or similar attacks?

Answer

A

Logon / Logoff

Question 26

Q

What are the different subcategories of Logon/Logoff Auditing?

Answer

A

Audit Account Lockout
Audit User/Device Claims
Audit IPSec Extended Mode
Audit Group Membership
Audit IPSec Main Mode
Audit IPSec Quick Mode
Audit Logon
Audit Logoff
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon

Question 27

Q

Which section of advanced audit policies audits events that help track access to specific objects or object types, such as file access, registry key access, etc.?

Answer

A

Object Access

Question 28

Q

What are the different subcategories of Object Access?

Answer

A

Audit Application Generated
Audit Certificate Services
Audit Detailed File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging

Question 29

Q

Which section of advanced audit policies would alert in regards to changes to security policies?

Answer

A

Policy Change

Question 30

Q

What are the different subcategories of the Policy Change Audit Policy?

Answer

A

Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events

Question 31

Q

Which section of advanced audit policies shows when administrators use their permissions?

Answer

A

Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events

Question 32

Q

Which audit policy category is responsible for auditing events related to system-level changes on a system that are not covered by other audit categories?

Question 33

Q

What are the different subcategories for the System audit policy?

Answer

A

Audit IPSec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity

Question 34

Q

What is Global Object Access Auditing?

Answer

A

Global Object Access Auditing allows administrators to define computer SACLs per object type for files and the registry.

This can be used to prove to auditors that every object in a system is protected by an audit policy.

Question 35

Q

What are the different subcategories of Global Object Access Auditing?

Answer

A

File System (Global Object Access Auditing)
Registry (Global Object Access Auditing)

Question 36

Q

Which audit category captures events generated by the OS on credentials that are submitted for a user account authentication request?

Answer

A

Audit Credential Validation

Question 37

Q

What is the recommended configuration for “Audit Credential Validation” on all servers?

Answer

A

Audit Success and Audit Failure turned on

Question 38

Q

What does event ID 4776 indicate in the security log?

Answer

A

The computer attempted to validate credentials for an account.

This is generated every time a credential validation occurs via NTLM
For domain systems, this will appear on domain controllers
This event shows successful and unsuccessful attempts

See Event 4624 on the local system for more details.

Question 39

Q

What event log entry may indicate a mismatched LAN Manager Authentication?

Answer

A

Event ID 4776 with error code 0xC000006D

Question 40

Q

What should be monitored to detect credential use that could correspond to anomalies or malicious activity?

Answer

A

Configure Audit Credential Validation successes and failures

Search the SIEM for Logon Account and Source workstations and find anomalies.

Question 41

Q

In which version of Windows was Advanced Policy Configuration introduced?

Answer

A

Server 2008 R2 / Windows 7

Question 42

Q

Where do you find the Advanced Audit Policy Configuration Settings?

Answer

A

Group Policy \ Computer Configuration \ Policies \ Security Settings \ Advanced Audit Policy Configuration

Question 43

Q

Where are the original, pre Server 2008 R2, audit settings located?

Answer

A

Group Policy \ Computer Configuration \ Policies \ Security Settings \ Local Policies \ Audit Policy

Question 44

Q

What is the best way to configure the original audit policies and the new advanced audit policy configuration settings together?

Answer

A

You shouldn’t. It is recommended that you use the new policies only and force their use via “Audit: Force audit policy subcategory settings.”

Question 45

Q

Where do you configure “Audit: Force Audit Policy Subcategory settings”?

Answer

A

Group Policy \ Computer Configuration \ Policies \ Security Settings \ Local Policies \ Security Options

Question 46

Q

You have configured Advanced Audit Policies to target several Server 2008 systems. However, it appears that the servers are not taking the new audit settings. What needs to be done?

Answer

A

Instead of relying on GPO to configure the Advanced Audit Settings on 2008 Servers, utilize auditpol.exe.

Server 2008 does not natively support Advanced Audit Policies and must be configured specially to use them.

Question 47

Q

What command will show what audit policies are enabled on a system?

Answer

A

Auditpol.exe /get /Category:*

Question 48

Q

What does the “Audit Kerberos Authentication Service” auditing policy do when enabled?

Answer

A

The Audit Kerberos Authentication Service audit settings generate audit events for Kerberos authentication TGT requests.

It will generate audit events after Kerberos authentication TGT requests.

Question 49

Q

On which systems should the “Audit Kerberos Authentication Service” policy be configured?

Answer

A

Exclusively Domain Controllers.

Question 50

Q

What does an event 4768 indicate in the security log of a DC?

Answer

A

Kerberos TGT was generated
Success indicates the ticket was issued
Failure indicates the ticket failed.

Question 51

Q

When would you see event 4771 in the Security Log?

Answer

A

This shows on domain controllers when the KDC fails to issue a TGT. This can occur if the DC doesn’t have the user’s smart card certificate, the password is expired, or the wrong password is provided in the authentication request.

This does not generate if “Do not require Kerberos preauthentication” is configured for the account.

Question 52

Q

Several users report they cannot login to their network shares for a specialized application. You suspect a bad password and check the DC for event 4771 to see if they are receiving failed TGT requests. You are unable to locate any instances of the event. What could be wrong?

Answer

A

“Do not require Kerberos preauthentication” may be configured on the users’ accounts.

Question 53

Q

When developing a Windows security audit plan, what needs to be identified?

Answer

A

The network environment needs documented including Domains, OUs, and security groups.

Resources on the network, users of the resources, and how the resources are being consumed needs to be itemized.

Regulatory compliance requirements.

Question 54

Q

You have a team of users who are bound by special regulatory compliance requirements. You plan on configuring audit policies directly on their individual accounts. How do you accomplish this?

Answer

A

You cannot. Audit Policies are computer policies and cannot be directly linked to user accounts.

You should configure the policy to target the users’ systems and, if necessary, configure SACLs to ensure that those specific users are being targeted.

Question 55

Q

What kind of information is captured if “Object Access \ Audit File Share” auditing is enabled?

Answer

A

You can determine what content was accessed, the source of the request, and the account used for the process.

Question 56

Q

You believe several users have been opening files they are not authorized to open, despite having access. How would you audit which users are accessing these files and what information they accessed?

Answer

A

Configured “Object Access \ Audit File Share”

Question 57

Q

Why may “Object Access \ Audit File Share” auditing not be advised on Domain Controllers?

Answer

A

SYSVOL share has high activity and will fill event logs quickly obfuscating meaningful events.

Question 58

Q

What kind of information is gathered with the “Object Access \ Audit File System” auditing?

Answer

A

This only generates events for objects that have SACLs (files and folders)
This will generate events every time an account accesses a file system object with a matching SACL.
Use Global Object Access auditing for more details.

Question 59

Q

What does Global Object Access Auditing do?

Answer

A

When configured they apply a global SACL on all objects of the defined class on a system. These cannot be overridden or circumvented.

Question 60

Q

How would you monitor what applications a user has opened and closed on a system?

Answer

A

Enable “Detailed Tracking \ Audit Process Creation” and “Detailed Tracking \ Audit Process Termination” auditing

Question 61

Q

What type of auditing may help alert to if a domain account has been compromised?

Answer

A

DS Access \ Audit Directory Service Access

DS Access \ Audit Directory Service Changes

Question 62

Q

How would you capture account lockout events or attempts to use locked out accounts?

Answer

A

Enable “Logon / Logoff \ Audit Account Lockout” auditing

Question 63

Q

When capturing Audit Logoff and Audit Logon events, where will the events be located?

Answer

A

Interactive logon events are generated on the computer being logged into

Network Logon events are generated on the resource host, accessed system.

Question 64

Q

How do you enable Account Logoff Failed Events?

Answer

A

You cannot.

There isn’t a reliable system to capture logoffs and thus there aren’t events for it.

Answer 62

A

This captures information from a special logon, which is a logon that has administer-equivalent privileges and can be used to elevate processes to a higher level.

This also captures information about logons of special groups.

Answer 63

A

HKLM:\System\CurrentControlSet\Control\Lsa\Audit
Edit: String Value
Enter “Special Groups”
R-Click “Special Groups” \ Modify
Enter the SID of the group(s). Use semicolon to separate different SIDs.

Answer 64

A

Since the SAM stores information regarding local accounts, it is important to track local accounts.

Account Management auditing will capture changes to users and groups in the SAM, however, some attacks involve modifying the SAM database directly and bypass Audit Account Management.

Answer 65

A

Act as part of the Operating System
Backup Files and Directories
Restore Files and Directories
Create a token object
Debug Programs
Enable computer and user accounts to be trusted for delegation.
Generate security audits
Impersonate a client after authentication
Load and unload device drivers
Manage auditing and security log
Modify firmware environment values
Replace a process-level token
Take ownership of files or other objects

Answer 66

A

Account Logon serves as a compliment to Logon/Logoff auditing and will generate events regardless of the system accessed

Logon/Logoff only applies to the computer hosting the accessed resources.

Answer 67

A

Account Logon \ Audit Other Account Logon Events

Answer 68

A

This allows for monitoring the AD DS role services. This will capture changes to DCs and tracks replication between domain controllers.

Answer 69

A

Logon/Logoff Audit IPSec Extended Mode
Logon/Logoff Audit IPSec Main Mode
Logon/Logoff Audit IPSec Quick Mode

Answer 70

A

Policy Change \ Audit MPSSVC Rule-Level Policy Change

Answer 71

A

No. Only editions of Windows that can be joined to domains are supported for Advanced Audit Policies

Answer 72

A

Overwrite events as needed (oldest first)

Answer 73

A

Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Event Log Service \ Security

Answer 74

A

Account Management \ Audit Other Account Management Events

Answer 75

A

DS Access \ Audit Directory Service Replication

DS Access \ Audit Detailed Directory Service Replication

Answer 76

A

Terminal Services session disconnections
New Terminal Services sessions
Locking and unlocking a workstation
Invoking a screen saver
Dismissal of a screen saver
Access to a wireless network
Access to a wired 802.1x network

Answer 77

A

Logon/Logoff \ Audit Other Logon/Logoff Events

Answer 78

A

Object Access \ Audit Certification Services

Answer 79

A

Detailed File Share logs an event every time a folder is accessed.

File Share Auditing logs one event for any connection established.

Answer 80

A

File Shares do not have SACLs and thus File Share Auditing grabs everything.

Answer 81

A

Audit user attempts to access file system objects

Audit events are only generated for objects with SACLs specified and only for the specified type of access.

Answer 82

A

Object Access \ Audit Filtering Platform Connection

Answer 83

A

Object Access \ Audit Other Object Access Events

Answer 84

A

When configured via Advanced Audit Policy, “Audit account logon events” will capture both Success and Failures if so configured. Under a standard Audit Policy, this category can only return success events.

Answer 85

A

They do not.

When advanced audit policies are configured, the computer’s audit policies are flushed.

Answer 86

A

Audit policies are override by higher priority GPOs

Answer 87

A

Discretionary Access Control Lists (DACLs) identify the users and groups allowed or denied access.

System Access Control Lists (SACLs) control how access is audited.

Answer 88

A

Configure the policy settings you don’t need to “Not Configured”
Delete all audit.csv files from the SYSVOL
Reconfigure and apply the basic settings

Answer 89

A

If no SACL is configured, no change auditing events are captured.

Answer 90

A

Modify the schema for the attribute: set searchFlags 8th bit (index 256) to not log change events.

Answer 91

A

HKLM:\System\CurrentControlSet\Services\NTDS\Parameters

MaximumStringBytesToAudit
REG_DWORD (default 1000, min 0, Max 64000)

Answer 92

A

GPMC: Computer/User Settings \ Policies \ Administrative Templates \ Windows Components \ Windows Powershell

Answer 93

A

Microsoft-Windows-Powershell/Operational

Answer 94

A

Yes. They are both captured

Answer 95

A

User can bypass file and directory, registry, and other permissions for the purpose of backing up
Effectively grants read-access regardless of ACL
Grants
- READ_CONTRL
- ACCESS_SYSTEM_SECURITY
- FILE_GENERIC_READ
- FILE_TRAVERSE

Brainscape's Knowledge GenomeTM

Implement Threat Detection Solutions Flashcards

Audit Policies ATA OMS

Brainscape's Knowledge Genome^TM