Windows Object Access logs give Alert Logic insight into who read, modified, deleted, or created files, which is extremely useful when dealing with ransomware incidents.
Note: Enabling Windows Object Access logging can be quite noisy. If that is the case for your logs, only enable Success and Failure on Audit File System and Audit Registry.
Configure Windows Object Access Logging
- Open Command Prompt, type gpedit, and press the Enter/Return key. This will open the Local Group Policy Editor.
Note: This must be done on a Domain Controller unless the Server is a standalone.
- On the left-hand side of the Local Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.
- Double-click each of the subcategories and enable Success and Failure for each.
- Open Command Prompt, type gpupdate /force, and press the Enter/Return key.
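The same configuration can be applied and verified from an elevated PowerShell session with auditpol.exe, which is handy on standalone servers or when scripting a rollout. The script below is an added example, not part of the Alert Logic article: it enables Success and Failure on the Object Access subcategories, prints the effective policy, and then adds an audit SACL to a folder. That last step is a caveat worth knowing: enabling Audit File System alone produces no per-file events; Windows only writes them for objects that carry an audit (SACL) entry. `$WatchedPath` is a placeholder path you choose.

```powershell
# Added example (not from the Alert Logic article). Run from an elevated
# PowerShell session on the server whose files you want audited.

# --- 1. Audit policy -------------------------------------------------------
# The article's noise-reduction advice: when Object Access logging is too
# chatty, enable only File System and Registry.
$Subcategories = @('File System', 'Registry')
foreach ($sub in $Subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# To match the GUI steps exactly (every Object Access subcategory), use this
# single call instead of the loop above:
# auditpol /set /category:"Object Access" /success:enable /failure:enable

# Show what is actually in effect (the equivalent of re-checking the GUI).
auditpol /get /category:"Object Access"

# --- 2. Audit SACL on the data you care about ------------------------------
# Placeholder: replace with the share or folder holding the files to watch.
$WatchedPath = 'D:\Shares\Finance'

# Audit writes, deletes and permission changes for everyone. Auditing
# ReadData as well captures "who read" but at a much higher event volume,
# so add it deliberately.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

# -Audit is required to read (and later write back) the SACL, not just the DACL.
$acl = Get-Acl -Path $WatchedPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchedPath -AclObject $acl

# Confirm the audit entry landed.
(Get-Acl -Path $WatchedPath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

After this, a test write or delete under `$WatchedPath` should appear in the Security log as event 4663 (and 4656 for the handle request when that subcategory is enabled), which is the signal the Alert Logic query in the next section looks for.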
Validate Using Alert Logic Log Search
The following Alert Logic Log Search query checks for the presence of Windows Object Access logs, one of the log types used when investigating ransomware incidents:
SELECT
time_recv AS "Time Received",
message AS "Message",
parsed.rule_name AS "Message Type"
FROM logmsgs
WHERE EXISTS( "Message" )
AND "Message Type" = 'Windows Successful Object Access'
ORDER BY "Time Received" DESC
LIMIT 1000
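Before searching in Alert Logic, it is worth confirming on the host itself that object-access events are being written; if nothing is in the local Security log, the problem is the audit configuration rather than log collection. The function below is an added example, not part of the Alert Logic article: it reads recent 4663 events, pulls the account, object path and process out of the event XML, and summarises who touched what. It assumes an elevated session on the audited server.

```powershell
# Added example (not from the Alert Logic article). Event ID 4663,
# "An attempt was made to access an object", is the File System / Registry
# event produced once the audit policy and a SACL are in place.

function Get-RecentObjectAccess {
    param(
        [int]$MaxEvents = 500   # how far back in the Security log to read
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # The friendly message is localised; the XML EventData fields are stable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Access  = $data['AccessMask']    # hex mask, e.g. 0x2 = WriteData, 0x10000 = DELETE
            Process = $data['ProcessName']
        }
    }
}

$recent = Get-RecentObjectAccess

# Who is generating the most object-access events? During a ransomware
# incident one account (or one process) usually dominates this list.
$recent | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Which processes are touching files? Encryptors typically show up here as an
# unfamiliar ProcessName hitting many distinct objects.
$recent | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If `Get-WinEvent` raises "No events were found", revisit the audit policy and SACL configuration; if events are present locally but the Alert Logic query returns nothing, the gap is between the host and log collection.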