Cover
Title Page
Introduction
1. Who This Book Is For
2. What This Book Covers
3. How This Book Is Structured
4. What You Need to Use This Book
5. Conventions
6. What's on the Website
Part I: Introduction to Windows Security Monitoring
1. CHAPTER 1: Windows Security Logging and Monitoring Policy
  1. Security Logging
  2. Security Monitoring
Part II: Windows Auditing Subsystem
1. CHAPTER 2: Auditing Subsystem Architecture
  1. Legacy Auditing Settings
  2. Advanced Auditing Settings
  3. Windows Auditing Group Policy Settings
  4. Windows Auditing Architecture
  5. Security Event Structure
2. CHAPTER 3: Auditing Subcategories and Recommendations
  1. Account Logon
  2. Account Management
  3. Detailed Tracking
  4. DS Access
  5. Logon and Logoff
  6. Object Access
  7. Policy Change
  8. Privilege Use
  9. System
Part III: Security Monitoring Scenarios
1. CHAPTER 4: Account Logon
  1. Interactive Logon
  2. RemoteInteractive Logon
  3. Network Logon
  4. Batch and Service Logon
  5. NetworkCleartext Logon
  6. NewCredentials Logon
  7. Account Logoff and Session Disconnect
  8. Special Groups
  9. Anonymous Logon
2. CHAPTER 5: Local User Accounts
  1. Built-in Local User Accounts
  2. Built-in Local User Accounts Monitoring Scenarios
  3. Local User Account Password Modification
  4. Local User Account Enabled/Disabled
  5. Local User Account Lockout Events
  6. Local User Account Change Events
3. CHAPTER 6: Local Security Groups
  1. Built-in Local Security Groups
  2. Built-in Local Security Groups Monitoring Scenarios
4. CHAPTER 7: Microsoft Active Directory
  1. Active Directory Built-in Security Groups
  2. Built-in Active Directory Accounts
  3. Active Directory Accounts Operations
  4. Active Directory Group Operations
  5. Active Directory Trust Operations
  6. Domain Policy Changes
  7. Account Password Migration
5. CHAPTER 8: Active Directory Objects
  1. Active Directory Object SACL
  2. Active Directory Object Change Auditing
  3. Active Directory Object Operation Attempts
  4. Active Directory Objects Auditing Examples
6. CHAPTER 9: Authentication Protocols
  1. NTLM-family Protocols
  2. Kerberos
7. CHAPTER 10: Operating System Events
  1. System Startup/Shutdown
  2. System Time Changes
  3. System Services Operations
  4. Security Event Log Operations
  5. Changes in Auditing Subsystem Settings
  6. Per-User Auditing Operations
  7. Scheduled Tasks
  8. Boot Configuration Data Changes
8. CHAPTER 11: Logon Rights and User Privileges
  1. Logon Rights
  2. User Privileges
  3. User Privileges Policy Modification
  4. Special User Privileges Assigned at Logon Time
  5. Logon Session User Privileges Operations
  6. Backup and Restore Privilege Use Auditing
9. CHAPTER 12: Windows Applications
  1. New Application Installation
  2. Application Execution and Termination
  3. Application Crash Monitoring
  4. Windows AppLocker Auditing
  5. Process Permissions and LSASS.exe Access Auditing
10. CHAPTER 13: Filesystem and Removable Storage
  1. Windows Filesystem
  2. File and Folder Operations
  3. Removable Storage
  4. Global Object Access Auditing: Filesystem
  5. File System Object Integrity Levels
  6. Monitoring Recommendations
11. CHAPTER 14: Windows Registry
  1. Windows Registry Basics
  2. Registry Operations Auditing
  3. Global Object Access Auditing: Registry
  4. Registry Key Integrity Levels
  5. Monitoring Recommendations
12. CHAPTER 15: Network File Shares and Named Pipes
  1. Network File Shares
  2. Named Pipes
APPENDIX A: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options
APPENDIX B: Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes
APPENDIX C: SDDL Access Rights
1. Object-Specific Access Rights
End User License Agreement

List of Tables

Chapter 2
1. Table 2-1: Legacy Auditing Categories
2. Table 2-2: Dependency between Legacy Audit and Advanced Audit Categories
3. Table 2-3: Security Event Log Access Control Policies
4. Table 2-4: Event Log Access Rights
5. Table 2-5: Security Events with Version 1 and Version 2
6. Table 2-6: Event Priority Level Codes
7. Table 2-7: Advanced Auditing Subcategories Task Category Numbers
8. Table 2-8: Global System Opcodes
Chapter 3
1. Table 3-1: Subcategories with Events That Are Dependent on the Audit Handle Manipulation Subcategory
Chapter 4
1. Table 4-1: Windows Logon Types
2. Table 4-2: Logon Session Default Integrity Level SIDs
3. Table 4-3: Integrity Level Labels Associated with Security Groups and Accounts
4. Table 4-4: Default Windows 10 (Build 1703) Security Packages (SSP/AP)
5. Table 4-5: Failure Reason, Status, and Sub Status Fields Values for the 4625 Event
Chapter 5
1. Table 5-1: SAM_DOMAIN Object Access Rights
2. Table 5-2: User Account UAC Flags
3. Table 5-3: SAM_USER Object Access Right Constants
4. Table 5-4: Standard Access Rights
5. Table 5-5: SAM_ALIAS Object Access Permissions
6. Table 5-6: Events to Monitor for Local User Account Creation
7. Table 5-7: Events to Monitor for Local User Account Deletion
8. Table 5-8: Events to Monitor for Local User Account Password Resets
9. Table 5-9: Events to Monitor for Local User Account Password Change
10. Table 5-10: Events to Monitor for Account Status Changes
11. Table 5-11: Events to Monitor for Account Lockout and Unlock Operations
12. Table 5-12: Event Field Default Values
13. Table 5-13: UAC Property Hexadecimal Values
14. Table 5-14: Events to Monitor for Account Change Operations
Chapter 6
1. Table 6-1: Built-in Local Security Groups by Microsoft Windows OS Version
Chapter 7
1. Table 7-1: Mappings between 4720 Event Fields and User Account Properties
2. Table 7-2: Active Directory Group Scope Types
3. Table 7-3: Active Directory Group Creation Events
4. Table 7-4: Active Directory Group Deletion Events
5. Table 7-5: Active Directory Group Modification Events
6. Table 7-6: Active Directory Group New Member Added Events
7. Table 7-7: Active Directory Group Member Removed Events
8. Table 7-8: Active Directory Trust Types
9. Table 7-9: Active Directory Trust Direction Types
10. Table 7-10: Active Directory Trust Attributes
11. Table 7-11: msDS-TrustForestTrustInfo Record Types
12. Table 7-12: msDS-TrustForestTrustInfo Record Flags
Chapter 8
1. Table 8-1: Active Directory Class SACL Editor Permissions with Associated Access Permissions
2. Table 8-2: Active Directory Object Auditing Permissions
3. Table 8-3: Validated Writes Access Rights and Corresponding Attributes
4. Table 8-4: CN=Schema,CN=Configuration,DC=ForestRootDomain Object SACL
5. Table 8-5: CN=Configuration,DC=ForestRootDomain Object SACL
6. Table 8-6: CN=Sites,CN=Configuration,DC=ForestRootDomain Object SACL
7. Table 8-7: CN=Partitions,CN=Configuration,DC=ForestRootDomain Object SACL
8. Table 8-8: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain Object SACL
9. Table 8-9: DC=domain,DC=ForestRootDomain object SACL
10. Table 8-10: OU=Domain Controllers,DC=domain,DC=ForestRootDomain object SACL
11. Table 8-11: CN=Infrastructure,DC=domain,DC=ForestRootDomain object SACL
12. Table 8-12: CN=Policies,CN=System,DC=domain,DC=ForestRootDomain Object SACL
13. Table 8-13: User Accounts and Security Groups to Which the SDPROP Mechanism Is Applicable
14. Table 8-14: CN=AdminSDHolder,CN=System,DC=domain, DC=ForestRootDomain Object SACL
15. Table 8-15: CN=RID Manager$,CN=System,DC=domain,DC=ForestRootDomain Object SACL
16. Table 8-16: Active Directory Value Syntax OIDs
17. Table 8-17: Active Directory Successful Operations Auditing Methods
18. Table 8-18: Active Directory Property Sets
Chapter 9
1. Table 9-1: 4776 Event Error Codes
2. Table 9-2: Secure Channel Types
3. Table 9-3: Kerberos TGT and TGS Tickets Encryption Types
4. Table 9-4: Kerberos TGT Tickets Pre-Authentication Types
5. Table 9-5: Event 4771 Failure Codes
Chapter 10
1. Table 10-1: Event 1074 Parameters.
2. Table 10-2: Events to Monitor for System Startup/Shutdown
3. Table 10-3: Security Principals with the SeTimeZonePrivilege User Right
4. Table 10-4: Events to Monitor to Detect System Time Changes
5. Table 10-5: Service Control Manager Access Permissions.
6. Table 10-6: Parameters for the 7036 Event
7. Table 10-7: System Services Operations Events
8. Table 10-8: Security Event Log Operations Events
9. Table 10-9: Pre-defined Values for [O:owner] SDDL Parameter.
10. Table 10-10: Auditing Categories and Subcategories IDs and GUIDs.
11. Table 10-11: Security Events for Changes in Auditing Subsystem Settings
12. Table 10-12: Security Events for Per-User Auditing Operations
13. Table 10-13: Security Events for Scheduled Tasks
14. Table 10-14: Security Events for Boot Configuration Data
15. Table 10-15: Changes to BCD Settings That Should Be Monitored
Chapter 11
1. Table 11-1: Logon Rights and Related Logon Types
2. Table 11-2: Special User Privileges
Chapter 12
1. Table 12-1: Most Common Application Uninstall Items
2. Table 12-2: Standard Windows 10 and Windows Server 2016 Processes
3. Table 12-3: Windows Process Integrity Labels
4. Table 12-4: Sensitive Privileges Verified by UAC
5. Table 12-5: Windows Process Token Types
6. Table 12-6: The Most Common Exit Status Field Values for the 4689 Event
7. Table 12-7: Status Codes for WEF Reports
8. Table 12-8: AppLocker Events Generated by Different Rule Types
9. Table 12-9: AppLocker System Path Variables
10. Table 12-10: Process Access Rights
Chapter 13
1. Table 13-1: FAT16 Compared to FAT32
2. Table 13-2: DACL ACE Scope
3. Table 13-3: File/Folder Permissions
4. Table 13-4: Filesystem Object Access Permissions
5. Table 13-5: Filesystem Object Access Reasons
6. Table 13-6: Recommended File-System Events to Monitor
Chapter 14
1. Table 14-1: Default Registry Keys and Hives
2. Table 14-2: Registry Key Permissions
3. Table 14-3: Registry Key Value Types
4. Table 14-4: Registry Key Value Operations
5. Table 14-5: Recommended Registry Events to Monitor
Chapter 15
1. Table 15-1: Network Share Parameters
2. Table 15-2: File Share Types
3. Table 15-3: Default Network Shares
4. Table 15-4: Additional File Share Parameters
5. Table 15-5: File Share Permissions
Appendix A
1. Table A-1: Kerberos Ticket Flags
Appendix B
1. Table B-1: Kerberos Error Codes
Appendix C
1. Table C-1: Generic Access Rights
2. Table C-2: Standard Access Rights
3. Table C-3: Directory Service Object Access Rights
4. Table C-4: Filesystem Object Access Rights
5. Table C-5: Registry Object Access Rights
6. Table C-6: Access Rights for a Process
7. Table C-7: Access Rights for the Service Control Manager (SCM)
8. Table C-8: Access Rights for a Service
9. Table C-9: Access Rights for Job Object

List of Illustrations

Chapter 2
1. Figure 2-1: Legacy auditing group policy settings
2. Figure 2-2: Advanced audit group policy settings
3. Figure 2-3: Listing auditing categories and subcategories GUIDs using the auditpol command-line tool
4. Figure 2-4: Audit.csv file content example
5. Figure 2-5: Windows Server 2016 CrashOnAuditFail blue screen
6. Figure 2-6: Event Viewer security event log settings
7. Figure 2-7: View current security event log access rights using the wevtutil tool
8. Figure 2-8: Auditing subsystem policy flow
9. Figure 2-9: Auditing subsystem event flow
10. Figure 2-10: Windows Server 2016 event Providers list example
Chapter 3
1. Figure 3-1: NTLM credential validation for a domain user account
2. Figure 3-2: NTLM credential validation for a local user account
3. Figure 3-3: Kerberos AS_REQ request
Chapter 4
1. Figure 4-1: Windows interactive logon flow for local user account
2. Figure 4-2: Windows 10 Credential Providers
3. Figure 4-3: LogonSessions tool output example
4. Figure 4-4: Windows interactive logon flow for domain user accounts
5. Figure 4-5: Internet Explorer basic authentication logon dialog window
6. Figure 4-6: IIS basic authentication request traffic capture example
7. Figure 4-7: Default ANONYMOUS LOGON logon session
8. Figure 4-8: “Network security: Allow Local System to use computer identity for NTLM” group policy setting
Chapter 5
1. Figure 5-1: User account creation using the Computer Management snap-in
2. Figure 5-2: Local user account properties
3. Figure 5-3: Security Account Manager database registry view.
4. Figure 5-4: Local user account SID extraction using PowerShell
5. Figure 5-5: Account lockout group policy settings
6. Figure 5-6: Empty 4738 event
Chapter 6
1. Figure 6-1: Local security groups in Security Account Manager database
2. Figure 6-2: The Computer Management snap-in showing local security groups
3. Figure 6-3: Component services security settings
4. Figure 6-4: Group membership enumeration event and group properties window in the Computer Manager console.
Chapter 7
1. Figure 7-1: Active Directory TDOs location
2. Figure 7-2: Active Directory trust directions
3. Figure 7-3: Active Directory TDO Kerberos AES encryption supportability option
4. Figure 7-4: Password migration option in ADMT
Chapter 8
1. Figure 8-1: Active Directory schema partition view in adsiedit.msc
2. Figure 8-2: Active Directory user account SACL example
3. Figure 8-3: Active Directory SACL ACE example
4. Figure 8-4: Child object creation and deletion permissions example for a user account
5. Figure 8-5: Active Directory Extended-Rights container
6. Figure 8-6: User's account extended rights
7. Figure 8-7: Dssec.dat file configuration items for the user class
8. Figure 8-8: CN=Deleted Objects content view using ldp.exe tool
9. Figure 8-9: Search for Active Directory object by schemaIDGUID attribute value
10. Figure 8-10: Search for Active Directory property set associated properties
Chapter 9
1. Figure 9-1: Challenge-response for authentication using a local account on the destination host
2. Figure 9-2: SAM registry key for user accounts
3. Figure 9-3: LM hash generation process
4. Figure 9-4: LM challenge-response string generation process
5. Figure 9-5: NTLM hash-generation process
6. Figure 9-6: NTLMv2 OWF generation process
7. Figure 9-7: NTv2 Response string generation process
8. Figure 9-8: LMv2 response string generation process
9. Figure 9-9: NTLMv2 Session Response generation process
10. Figure 9-10: Challenge-response for authentication using a local account on the destination host
11. Figure 9-11: Challenge-response for domain accounts
12. Figure 9-12: Cross-domain NTLM-family challenge-response
13. Figure 9-13: Kerberos TGT issuing process
14. Figure 9-14: Klist tgt command output example
15. Figure 9-15: Kerberos TGS ticket issuing process
Chapter 10
1. Figure 10-1: System service properties.
Chapter 12
1. Figure 12-1: Windows Server 2016 software manager
2. Figure 12-2: Windows software manager application uninstall item
3. Figure 12-3: Registry auditing settings for new program installation monitoring
4. Figure 12-4: Registry auditing settings for application removal monitoring
5. Figure 12-5: NTFS auditing settings for application removal monitoring in Program Files folders
6. Figure 12-6: NTFS auditing settings for unsuccessful Execute access attempts
7. Figure 12-7: Win32 FileTime object conversion using the FromFileTime() function
8. Figure 12-8: Problem Reports page in the Control Panel
9. Figure 12-9: AppLocker enforcement mode configuration interface
10. Figure 12-10: Process Explorer DACL modification interface
Chapter 13
1. Figure 13-1: Windows filesystem object security descriptor editor
2. Figure 13-2: Filesystem object's DACL ACE
3. Figure 13-3: Block inheritance dialog window
4. Figure 13-4: Directory's auditing settings (SACL)
5. Figure 13-5: Disk volume label translation using the WinObj tool
6. Figure 13-6: View Global Object Access Auditing settings for files and folders using the auditpol.exe command
7. Figure 13-7: Example of icacls tool
Chapter 14
1. Figure 14-1: Viewing Windows registry using Windows Registry Editor
2. Figure 14-2: Registry key DACL ACE
3. Figure 14-3: View Global Object Access Auditing settings for registry keys using auditpol.exe command
4. Figure 14-4: Regil output for registry key integrity level
Chapter 15
1. Figure 15-1: Network shares list
2. Figure 15-2: Shared Folders management snap-in
3. Figure 15-3: File share session negotiation steps
4. Figure 15-4: List of currently active named pipes by pipelist64.exe tool
5. Figure 15-5: Pipesec.exe tool output for the lsass named pipe

Pages

C1
iii
iv
v
vii
ix
xi
xxix
xxx
xxxi
xxxii
xxxiii
1
3
4
5
6
7
8
9
11
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
81
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
589
590
591
592
593
594
595
596
597
598
599
600
601
E1

Windows® Security Monitoring: Scenarios and Patterns

Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Published simultaneously in Canada

ISBN: 978-1-119-39064-0

ISBN: 978-1-119-39089-3 (ebk)

ISBN: 978-1-119-39087-9 (ebk)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017962214

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Windows is a registered trademark of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Introduction

In this book I share my experience and the results of my research about the Microsoft Windows security auditing subsystem and event patterns. This book covers the Windows Security auditing subsystem and event logs for Windows systems starting from Windows 7 through the most recent Windows 10 and Windows Server 2016 versions.

Many IT Security/Infrastructure professionals understand that they should know what is going on in their company's infrastructure—for example, is someone using privileged accounts during nonworking hours or trying to get access to resources he or she shouldn't have access to? Looking for activities like these is critical to all organizations. To help with this, this book provides technical details about the most common event patterns for Microsoft Windows operating systems. It is a great source of information for building new detection methods and improving a company's Security Logging and Monitoring policy.

The primary goal of this book is to explain Windows security monitoring scenarios and patterns in as much detail as possible. A basic understanding of Microsoft Active Directory Services and Microsoft Windows operational systems will be helpful as you read through the book.

The following areas are covered:

Implementation of the Security Logging and Monitoring policy
Technical details about the Windows security event log subsystem
Information about most common monitoring event patterns related to operations and changes in Microsoft Windows operating systems

The following software and technologies are covered:

Microsoft Windows security event logs
Microsoft Windows security auditing subsystem
Microsoft Windows Active Directory Services
Microsoft AppLocker
Microsoft Windows event logs (Application, System, NTLM, and others)
Microsoft Windows 7, 8, 8.1, 10
Microsoft Windows Server 2008 R2, 2012, 2012 R2, 2016
Microsoft PowerShell
Microsoft Windows Sysinternals tools
Third-party tools

You will find detailed explanations for many event patterns, scenarios, technologies, and methods, and it is my hope that you will find that you've learned a lot, and will start using this book every day. This book is intended as a reference that you will return to many times in your career.

Who This Book Is For

This book is best suited for IT security professionals and IT system administrators. It will be most valuable for IT security monitoring teams, incident response teams, data analytics teams, and threat intelligence experts.

The best way to use this book is as a reference and source of detailed information for specific Windows auditing scenarios.

What This Book Covers

One of the main goals of this book is to help you create a Security Logging and Monitoring (SL&M) standard for your company. At the beginning of the book I cover what this standard is about, which sections it has, and discuss best practices for creating this document.

Before jumping into the world of event logs, you need to understand how the Windows Auditing Subsystem works and which components and settings belong to this system. I cover security best practices for the Windows security auditing subsystem, its components, and internal data flows.

There are multiple event logs in Windows systems besides the Security log, and many of these logs contain very useful information. It's important to know which subsystems have which event logs, the purpose of these event logs, and the type of information collected in these logs. This information is also present in this book.

I think the most interesting part of the book deals with security monitoring scenarios and patterns. Based on these scenarios, security managers, analysts, engineers, and administrators will be able to improve security monitoring policies and build new or improve existing detection methods.

How This Book Is Structured

This book consists of 15 chapters and three appendixes. The first three chapters cover general information about the Windows auditing subsystem and security monitoring policy. The remaining chapters go deeper in to different monitoring scenarios and event patterns.

Chapter by chapter, this book covers:

Windows Security Logging and Monitoring Policy (Chapter 1)—This chapter guides you through the sections of the Security Logging and Monitoring (SL&M) standard and provides the basic information you need to create your own version of it.
Auditing Subsystem Architecture (Chapter 2)—In this chapter you will find information about Legacy Auditing and Advanced Auditing settings, Windows auditing group policy settings, auditing subsystem architecture, and security event structure.
Auditing Subcategories and Recommendations (Chapter 3)—In this chapter you will find descriptions for each Advanced Auditing subcategory and recommended settings for domain controllers, member servers, and workstations.
Account Logon (Chapter 4)—This chapter contains information about Windows logon types and the events generated during each of them.
Local User Accounts (Chapter 5)—In this chapter you will find information about different built-in local user accounts on Microsoft Windows operating systems and specific monitoring scenarios for the most important operations/changes done to local user accounts.
Local Security Groups (Chapter 6)—In this chapter you will learn about different scenarios related to local security groups, such as security group creation, deletion, and modification, and so on.
Microsoft Active Directory (Chapter 7)—In this chapter you will find information about the most common monitoring scenarios for Active Directory, such as user or computer account creation, operations with groups, operations with trusts, and so on.
Active Directory Objects (Chapter 8)—This chapter contains detailed information about monitoring Active Directory changes and operations with objects, such as group policy creation, organization unit modification, and so on.
Authentication Protocols (Chapter 9)—In this chapter you will find information about how the LM, NTLM, NTLMv2, and Kerberos protocols work and how to monitor the most common scenarios involving these protocols.
Operating System Events (Chapter 10)—This chapter contains information about the different system events that might indicate malicious activity performed on the system.
Logon Rights and User Privileges (Chapter 11)—In this chapter you will find detailed information about how to monitor logon rights and user privileges policy changes, user privileges use, and use of backup and restore privileges.
Windows Applications (Chapter 12)—It is important to monitor the use of applications on the host, activities such as application installation, removal, execution, application crushes, application block events by the AppLocker component, and so on. In this chapter you will find detailed information about monitoring these scenarios and more.
Filesystem and Removable Storage (Chapter 13)—This chapter is probably one of the most interesting chapters in the book, because it covers some of the most common questions you'll have or hear during incident investigation procedures: Who deleted the file? Who created the file? How this file was accessed? Using which tool/application?
Some of these questions are easy to answer, but some of them are not. In this chapter you will find information about monitoring recommendations for the most common scenarios related to Windows filesystem and removable storage objects.
Windows Registry (Chapter 14)—This chapter contains information about Windows registry operations and monitoring scenarios.
Network File Shares and Named Pipes (Chapter 15)—In this chapter you will find information about monitoring scenarios for actions related to network file shares and named pipes.

What You Need to Use This Book

This book requires that you have Windows 10 (build 1511 or higher) installed to open the .evtx files included in this book's download materials.

Conventions

To help you get the most from the text and keep track of what's happening, we've used a number of conventions throughout the book.

As for styles in the text:

We italicize new terms and important words when we introduce them.
We show keyboard strokes like this: Ctrl+A.
We show filenames, URLs, and code within the text like so: persistence.properties.

We present code and event listings in two different ways:

We use a monofont type with no highlighting for most code and event examples.
We use bold type to emphasize code or events of particularly importance in the present context.

What's on the Website

All of the event examples used in this book are available for download at www.wiley.com/go/winsecuritymonitoring as .evtx files. These files can be opened by the built-in Windows 10 or Windows Server 2016 Event Viewer application. You will find references to these event log files in each section of every chapter that has event samples in it.

CHAPTER 1
Windows Security Logging and Monitoring Policy

The purpose of the Security Logging and Monitoring (SL&M) policy is to ensure the confidentiality, integrity, and availability of information by specifying the minimum requirements for security logging and monitoring of company systems.

It is recommended to have such a policy defined and published in order to standardize security logging and monitoring requirements.

This chapter guides you through the sections of the SL&M policy and provides basic information for creating your own version.

Security Logging

This section outlines the requirements for what needs to be logged and how logs need to be managed.

Security logs provide vital information about system events that may, when correlated with other events or used independently, indicate a breach or misuse of resources. When configured and managed properly, logs are key in establishing accountability and attribution for any event. They provide answers to the critical questions about security events: who is involved, what happened, when and where it happened, and how it happened.

Companies should ensure that information passing through their systems, including user activities such as web sites visited and servers accessed, is logged, reviewed, and otherwise utilized.

Implementing the recommendations in this section can mitigate the risk of an attacker's activities going unnoticed and enhance a company's ability to conclude whether an attack led to a breach.

Security Logs

Information systems should enable and implement logging, also referred to as audit logging. Activities that should be logged may include the following:

All successful and unsuccessful logon attempts
Additions, deletions, and modifications of local and domain accounts/privileges
Users switching accounts during an active session
Attempts to clear audit logs
Activity performed by privileged accounts, including modifications to system settings
Access to restricted data additions, deletions, and modifications to security/audit log parameters
User account management activities
System shutdown/reboot
System errors
New system service creation
Application shutdown/restart
Application errors/crashes
Process creation/termination
Registry modification(s)
Local security policy modifications
GPO-based security policy modifications
Use of administrator privileges
File access
Critical process manipulation (LSASS.exe)
System corruption (for example, audit pipeline failure, LPC impersonation, and so on)

All of these items are discussed in more detail in this book.

You should also think about where and how to store system events that are used to detect system attack attempts. These events also represent evidence for incident follow-up.

System Requirements

Here are the basic requirements for monitoring an information system. An information system should:

Initiate session audits at system start-up. It should provide the capability to log all events related to an account's sessions, and the capability to remotely access these events.
Utilize methods to ensure auditing services continue to run or restart in the event of a system failure or unexpected stop.
Provide an alternate audit capability in the event of a failure in primary audit capability.
Employ methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.
Preserve the identity of individuals in case of cross-organizational audit trails.

PII and PHI

Information systems handling Personally Identifiable Information (PII) and Protected Health Information (PHI) should also log the following information about the data:

Information type
Date
- Date when operation with the data has been performed
Time
- Time when operation with the data has been performed
Identities of the receiving party
Identities of the releasing party

Availability and Protection

Logging should be active at all times and protected from unauthorized access, modification, and accidental or deliberate destruction on all company information resources.

Configuration Changes

Company employees should not disable audit logs or make system configuration changes that conflict with approved baselines or services without prior authorization from the internal information security team. All changes must create auditable events themselves for tracking purposes.

Secure Storage

Logs should be stored in such a way that they cannot be tampered with, or that tampering can be detected and corrected. You cannot trust the log if you do not control the log's integrity.

Access to view the logs should be limited to only those staff members with a job responsibility to analyze the log data. This requirement applies to local logs as well as centralized storage.

Security log storage should have adequate capacity and mechanisms to recycle logs, ensuring that logs will not exhaust the available storage space in an unreasonable amount of time.

Centralized Collection

The company's information security team should provide for the central collection of security logs from systems throughout the environment.

The centralized log collection and analysis tool should meet the following requirements:

The log management infrastructure (central log collection system) should have built-in resilience to ensure high availability.
Monitoring controls should be implemented to ensure that the log management infrastructure (central log collection system and agent or agentless host/devices) is available at all times, and any issues that impact the logging infrastructure must generate an alert for the operational security team to review and respond.
Security logs should be protected both in transit and at rest with approved secure transmission protocol and encryption technologies.

Centralized logging servers should be considered critical assets and be protected in accordance with corporate standards for confidential information. Systems that cannot be configured to log to a centralized or consolidated log system should have appropriate access controls for access to log data.

These requirements can be achieved using the built-in Windows Event Forwarding (WEF) feature, which is included in all Windows operating systems starting from Windows XP SP2 and Windows Server 2003 SP1. WEF is out of scope for this book, but there is a lot of information about this feature on the Internet.

Backup and Retention

An event log retention policy should be defined for both local and centralized collection storage. For example, the company should retain security logs for at least 30 days short term in the Security Information and Event Manager (SIEM) and 90 days long term in the long-term storage. Company policy, and legal and regulatory requirements, should be taken into consideration when defining the policy.

Chapter 2 contains detailed information about the Microsoft Windows auditing subsystem's group policy settings, which allow you to specify security event log maximum size, retention policy, event log file location, and so on.

Periodic Review

Security analysts should regularly review and analyze the collected logs according to a documented and approved schedule to ensure relevancy and adequacy of collected information. Out of date, deprecated, redundant, or superfluous logs should be removed from the central collection system to ensure positive system performance and to reduce the occurrence of false positives.

Security Monitoring

This section describes what needs to be monitored. It includes requirements for monitoring of logs, intrusion detection systems, and internal communications, as well as mandates for performance review of monitoring systems.

Implementing the recommendations in this section reduces the risk of failure to monitor for security events. Such failure can result in unsuccessful detection or slowed reaction to potential intrusions or misuse of corporate systems.

Companies should implement security monitoring processes and technologies to ensure timely detection and response to security events.

Security logs collected from disparate information systems must be aggregated and analyzed in a timely manner to quickly detect possible unauthorized user activities, misuse, compromise, or attack.

Standard operating procedures should be established and followed by the Security Operations staff to perform analysis and detection activities including, but not limited to, the following:

Perform monitoring of company's systems for incidents
Identify and document incidents as they occur
Classify incidents into common incident categories, accounting for the fact that some incidents may fit into more than one category
Analyze and prioritize incidents based on criticality and severity
Notify appropriate parties (internal or external)

Communications

Electronic communication and all content, voicemail, and any other data of any kind stored or transmitted by company-owned or leased equipment, is the property of the company, and the company may access, monitor, intercept, and/or retain this data at any time without further notice.

Internal communications monitoring should include e-mail, tracking the websites that personnel visit, monitoring internal chat groups, social networks and newsgroups, reviewing material downloaded or uploaded, and voice communications.

Audit Tool and Technologies

Security monitoring and auditing tools and technologies (for example, intrusion detection systems, network scanning tools, and so on) should be deployed and used to monitor company assets. Without proper automation, security monitoring may be a really hard task.

Network Intrusion Detection Systems

Network-based Intrusion Detection Systems (NIDS) are designed to provide monitoring and support of network intrusion detection across a variety of platforms and technologies and should not be used for any other purpose.

The department charged with ensuring information security should be responsible for approving all Network Intrusion Detection Systems for use on managed networks and systems.

Host-based Intrusion Detection Systems

Host-based Intrusion Detection System (HIDS) should be capable of performing file integrity monitoring for critical content files, system files, and configurations, and alerting when attempts to modify the system are detected.

Host-based intrusion detection capabilities should be deployed on all the information resources where sensitive data is stored and potential for damage is high.

HIDS should be configured to perform file integrity comparisons to known good versions on a regular schedule.

Data fields logged by host-based IDS may include the following:

Timestamp (date and time)
Event or alert type
Rating (priority, severity, impact, confidence, and so on)
Event details specific to the type of event (IP address, port information, application information, filenames and paths, and user accounts)

System Reviews

The department charged with ensuring for information security should perform periodic reviews to ensure the company's monitoring systems are successful in detecting unauthorized attempts to access information resources.

Reporting

Any computer security event deemed suspicious or malicious and critical or high priority should be reported immediately with all relevant details and logs.

Windows® Security Monitoring

Scenarios and Patterns

About the Author

About the Technical Editor

Credits

Acknowledgments