Windows User Account event logs are critical for identifying password attacks as they happen. With this logging enabled, you can see how many password authentication attempts are being made against a host and take appropriate action. You will also be able to view other user account events, such as the creation and deletion of users, successful and failed attempts to change a user's password, and other useful information.
Note: Windows User Account event logs may contain sensitive information such as passwords. This information will be sent to Alert Logic, where it can be found by your users in plain text via log search.
Configure Windows User Account Event Logging
- Open Command Prompt, type gpedit, and press the Enter/Return key. This will open the Local Group Policy Editor.
Note: This must be done on a Domain Controller unless the Server is a standalone.
- On the left-hand side of the Local Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object.
- Double-click each of the following Local Group Policy Objects (Account Logon, Account Management, and Logon/Logoff) and enable the subcategories listed under it.
Note: Ensure that Success and Failure are enabled for each.
Account Logon
- Audit Credential Validation
- Audit Kerberos Authentication Service
- Audit Kerberos Service Ticket Operations
- Audit Other Account Logon Events
Account Management
- Audit Application Group Management
- Audit Computer Account Management
- Audit Distribution Group Management
- Audit Other Account Management Events
- Audit Security Group Management
- Audit User Account Management
Logon/Logoff
- Audit Account Lockout
- Audit User / Device Claims
- Audit Group Membership
- Audit IPsec Extended Mode
- Audit Logoff
- Audit Logon
- Audit Other Logon/Logoff Events
- Audit Special Logon
- Open Command Prompt, type gpupdate /force, and press the Enter/Return key.
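The same subcategories can also be set and then verified from an elevated PowerShell prompt with auditpol.exe instead of clicking through gpedit. This is an added example, not part of the Alert Logic article. It assumes an elevated prompt, uses auditpol's own subcategory names (the names above without the leading "Audit "), and only changes the local audit policy: on a domain-joined host a domain GPO that sets Advanced Audit Policy overrides it at the next policy refresh, so on a Domain Controller the Group Policy route above is still the one to use. The verification step at the end is the useful part on any host, because it lists every subcategory that is not yet auditing both Success and Failure.

```powershell
# Added example (not from the Alert Logic article): enable the same subcategories
# with auditpol.exe and report any that are still not "Success and Failure".
# Assumptions: elevated prompt; auditpol writes the LOCAL audit policy, so a
# domain GPO with Advanced Audit Policy settings will override it on refresh.
# Names are auditpol's subcategory names (the article's names minus "Audit ").

$subcategories = @(
    # Account Logon
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events',
    # Account Management
    'Application Group Management',
    'Computer Account Management',
    'Distribution Group Management',
    'Other Account Management Events',
    'Security Group Management',
    'User Account Management',
    # Logon/Logoff
    'Account Lockout',
    'User / Device Claims',
    'Group Membership',
    'IPsec Extended Mode',
    'Logoff',
    'Logon',
    'Other Logon/Logoff Events',
    'Special Logon'
)

foreach ($sub in $subcategories) {
    # Success and Failure both enabled, as the article's note requires.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$sub'" }
}

# Verify: "auditpol /get ... /r" emits CSV with an "Inclusion Setting" column.
# Query one category per call and keep only rows that are still wrong.
$categories = 'Account Logon', 'Account Management', 'Logon/Logoff'
$report = foreach ($cat in $categories) {
    auditpol.exe /get /category:"$cat" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

$notReady = $report | Where-Object {
    $subcategories -contains $_.Subcategory -and $_.'Inclusion Setting' -ne 'Success and Failure'
}

if ($notReady) {
    $notReady | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
} else {
    'All listed subcategories audit Success and Failure.'
}
```

Run it once after gpupdate /force on a domain-joined host and the verification section shows whether the policy that actually took effect matches the list above, whichever mechanism delivered it.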
Validate Using Alert Logic Log Search
The following is an Alert Logic search query for the presence of Windows User Events and other ransomware-related log types:
SELECT
coalesce([asset.dict.asset.host.name, metadata.dict.dict.local_hostname, parsed.token_names.header.addr.host_name]) as hostname, metadata.dict.dict.local_ipv4, metadata.dict.dict.host_type,
SUM(IF(Coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) in ['4624', '4625'], 1, 0)) as num_login_events,
SUM(IF(Coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) in ['4723', '4724', '4725', '4726', '4720', '4738'], 1, 0)) as user_account_events,
SUM(IF(Coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) in ['4100', '4101', '4102', '4103', '400', '500', '501'], 1, 0)) as powershell_logs,
SUM(IF(Coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) = '4104', 1, 0)) as powershell_script_block_log,
SUM(IF(Coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) = '4688', 1, 0)) as process_logs,
SUM(IF(not parsed.token_names.action.command = '' and Coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) = '4688', 1, 0)) as process_logs_with_cmd_line_args
FROM logmsgs
WHERE
(
parsed.token_names.log_information.win_log.win_event.win_event_code in ['4624', '4625','4723', '4724', '4725', '4726', '4720', '4738', '4100', '4101', '4102', '4103', '400', '500', '501', '4104', '4688']
or
parsed.token_names.event.event_id in ['4624', '4625','4723', '4724', '4725', '4726', '4720', '4738', '4100', '4101', '4102', '4103', '400', '500', '501', '4104', '4688']
)
group by hostname, metadata.dict.dict.local_ipv4, metadata.dict.dict.host_type
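Before searching in Alert Logic, it helps to confirm on the host itself that the events are being written. The following PowerShell is an added example, not Alert Logic's query or code. It counts the same event IDs, grouped the way the search above groups them, straight from the local event logs with Get-WinEvent, and goes one step beyond the search by breaking failed logons (4625) down by target account and source address, which is the view that separates a password attack from one user mistyping a password. It assumes an elevated prompt (the Security log is not readable otherwise), the standard Windows log channel names, and a 24-hour window.

```powershell
# Added example, not the Alert Logic article's code: reproduce the search's
# counts from the local event logs and summarise failed logons per account/source.
# Assumptions: elevated prompt; stock Windows log channel names; 24-hour window.

$since = (Get-Date).AddHours(-24)

function Get-EventsSince {
    # Get-WinEvent reports "no events found" as an error; treat that as zero hits.
    param([string[]]$LogName, [int[]]$Id)
    @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } `
        -ErrorAction SilentlyContinue)
}

function Get-EventData {
    # Read one named <Data Name='...'> field from the event's XML payload,
    # which is more robust than relying on Properties[] positions.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Same ID groupings as the Alert Logic search. 400/500/501 live in the classic
# "Windows PowerShell" log; 4100-4104 in the PowerShell Operational channel.
$logon     = Get-EventsSince -LogName 'Security' -Id 4624, 4625
$accounts  = Get-EventsSince -LogName 'Security' -Id 4720, 4723, 4724, 4725, 4726, 4738
$processes = Get-EventsSince -LogName 'Security' -Id 4688
$psLogs    = Get-EventsSince -LogName 'Microsoft-Windows-PowerShell/Operational', 'Windows PowerShell' `
                             -Id 4100, 4101, 4102, 4103, 400, 500, 501
$psBlocks  = Get-EventsSince -LogName 'Microsoft-Windows-PowerShell/Operational' -Id 4104

# Same column names as the search, for this one host.
[pscustomobject]@{
    hostname                        = $env:COMPUTERNAME
    num_login_events                = $logon.Count
    user_account_events             = $accounts.Count
    powershell_logs                 = $psLogs.Count
    powershell_script_block_log     = $psBlocks.Count
    process_logs                    = $processes.Count
    # 4688 with a non-empty CommandLine field (needs "Include command line in
    # process creation events" enabled, otherwise this stays at zero).
    process_logs_with_cmd_line_args = @($processes | Where-Object { Get-EventData $_ 'CommandLine' }).Count
} | Format-List

# The password-attack view: failed logons (4625) per target account and source.
$logon | Where-Object Id -eq 4625 |
    ForEach-Object {
        [pscustomobject]@{
            Account = Get-EventData $_ 'TargetUserName'
            Source  = Get-EventData $_ 'IpAddress'
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

If a counter that the search expects stays at zero here, the subcategory (or the process creation command-line setting) is not enabled on this host, and no amount of Log Search tuning will surface the events; if the counters are non-zero locally but the search returns nothing, the gap is in the collection path to Alert Logic.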