Preparing Windows logging
Author: Stefan Waldvogel
Activate advanced logging (PowerShell) on Windows
DeepBlueCLI and other EDRs/SIEMs needs the right windows log files to work. Windows 10 does not log all events by default and therefore a hacker can do a lot of things under the radar. For our training, we enable three additional events. We can look for:
Activating command-line auditing
To take full advantage of this feature, administrators must follow these steps:
- Event 4688 (command line auditing)
- Event 4625 (login failure)
- PowerShell auditing (event 4103 and 4104)
Activating command-line auditing
To take full advantage of this feature, administrators must follow these steps:
- Enable the Audit Process Creation policy.
- Enable the "Include command line in process creation events" feature.
To activate the setting, we have to find the right key first. Windows is constantly changing. On my test system, you find the "Audit Process Creation" key here:
To get a useful or wanted log output, we have to change the setting to
|
|
Now, we have to include the command line and change this setting.
Change the setting to "enabled".
|
If it works, we can see a ton of new events. If you do this in a productive environment, think about the amount of log files.
|
The description gives us more details about this feature. Now we can look for event id 4588 and we get more details.
Activate Failed logons
Nex, we want to enable logon events. You can find the settings here:
Activate Failed logons
Nex, we want to enable logon events. You can find the settings here:
|
Change the following settings.
|
Powershell logging
DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104).
Here is a great article about this topic: www.blackhillsinfosec.com/powershell-logging-blue-team/
Logging must be configured through Group Policy as follows:
Computer Configuration -> Administrative Templates → Windows Components → Windows PowerShell
We have to turn on: Module Logging, Script Block Logging (and Transcription).
DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104).
Here is a great article about this topic: www.blackhillsinfosec.com/powershell-logging-blue-team/
Logging must be configured through Group Policy as follows:
Computer Configuration -> Administrative Templates → Windows Components → Windows PowerShell
We have to turn on: Module Logging, Script Block Logging (and Transcription).
Configure all options and enable them:
|
|
|
Now, we can use DeepBlueCLI and other tool and we get the wanted result.
Hint:
Installing tools is nice, but some need additional prerequisites. If we do not fulfill them, the tool works, but an attacker cannot be detected.
Alternative way via Powershell commands:
Enabling logging
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Name EnableModuleLogging -PropertyType DWORD -Value 1
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Name '*' -PropertyType String -Value '*'
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name ScriptBlockLogging -PropertyType DWORD -Value 1
Store Transcriptions
New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableTranscripting -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableInvocationHeader -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name OutputDirectory -PropertyType String -Value C:\PSHTranscripts
New-Item -ItemType Directory C:\PSHTranscripts
Manual request for the first 50 events:
Get-WinEvent -MaxEvents 50 -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*/*/EventID=4103' | Where-Object -Property Message -Match 'dll' | Format-List
Preparing Sysmon
Download link: docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon is a Windows system service and device driver that, monitor and log system activity to the Windows event log.
Download Sysmon:
Hint:
Installing tools is nice, but some need additional prerequisites. If we do not fulfill them, the tool works, but an attacker cannot be detected.
Alternative way via Powershell commands:
Enabling logging
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging -Name EnableModuleLogging -PropertyType DWORD -Value 1
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames -Name '*' -PropertyType String -Value '*'
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name ScriptBlockLogging -PropertyType DWORD -Value 1
Store Transcriptions
New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableTranscripting -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name EnableInvocationHeader -PropertyType DWORD -Value 1
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription -Name OutputDirectory -PropertyType String -Value C:\PSHTranscripts
New-Item -ItemType Directory C:\PSHTranscripts
Manual request for the first 50 events:
Get-WinEvent -MaxEvents 50 -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*/*/EventID=4103' | Where-Object -Property Message -Match 'dll' | Format-List
Preparing Sysmon
Download link: docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon is a Windows system service and device driver that, monitor and log system activity to the Windows event log.
Download Sysmon:
Unzip it to a wanted folder. I use tools.
Start the Command Prompt (cmd) with administrator rights and execute the following command:
sysmon64 -accepteula -i
sysmon64 -accepteula -i
Test if we have sysmon running:
Launch your Event Viewer and navigate to:
Application and Services Logs > Microsoft > Windows > Sysmon > Operational
Launch your Event Viewer and navigate to:
Application and Services Logs > Microsoft > Windows > Sysmon > Operational
There are some events, sysmon works.
More ideas:
To enhance threat detection capabilities, Defender for Identity needs the following Windows Events to be configured and collected by Defender for Identity:
For Active Directory Federation Services (AD FS) events
1202 - The Federation Service validated a new credential
1203 - The Federation Service failed to validate a new credential
4624 - An account was successfully logged on
4625 - An account failed to log on
For Other events
4662 - An operation was performed on an object
4726 - User Account Deleted
4728 - Member Added to Global Security Group
4729 - Member Removed from Global Security Group
4730 - Global Security Group Deleted
4732 - Member Added to Local Security Group
4733 - Member Removed from Local Security Group
4741 - Computer Account Added
4743 - Computer Account Deleted
4753 - Global Distribution Group Deleted
4756 - Member Added to Universal Security Group
4757 - Member Removed from Universal Security Group
4758 - Universal Security Group Deleted
4763 - Universal Distribution Group Deleted
4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
7045 - New Service Installed
8004 - NTLM Authentication
source: docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection
More ideas:
To enhance threat detection capabilities, Defender for Identity needs the following Windows Events to be configured and collected by Defender for Identity:
For Active Directory Federation Services (AD FS) events
1202 - The Federation Service validated a new credential
1203 - The Federation Service failed to validate a new credential
4624 - An account was successfully logged on
4625 - An account failed to log on
For Other events
4662 - An operation was performed on an object
4726 - User Account Deleted
4728 - Member Added to Global Security Group
4729 - Member Removed from Global Security Group
4730 - Global Security Group Deleted
4732 - Member Added to Local Security Group
4733 - Member Removed from Local Security Group
4741 - Computer Account Added
4743 - Computer Account Deleted
4753 - Global Distribution Group Deleted
4756 - Member Added to Universal Security Group
4757 - Member Removed from Universal Security Group
4758 - Universal Security Group Deleted
4763 - Universal Distribution Group Deleted
4776 - Domain Controller Attempted to Validate Credentials for an Account (NTLM)
7045 - New Service Installed
8004 - NTLM Authentication
source: docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection
© 2021. This work is licensed under a CC BY-SA 4.0 license