What's New in the Windows 10 Security Log Whitepaper (2015)
Randy Franklin Smith, January 2016

Scoping User Privileges

After a system is compromised, a threat actor's first action is to assess the current state of access: is the breached user privileged, and if not, which other accounts on the compromised machine hold higher privileges? That information potentially lets the threat actor target those users via pass-the-hash attacks.

Event 4798: To Which Groups Does This User Belong?

When a user's local group memberships are enumerated, Windows 10 now generates event ID 4798, as shown in the following figure. The event documents the enumeration itself, which user was enumerated, the user who requested the enumeration, and which process performed it. An enumeration performed by any account other than the domain admin (which might legitimately be modifying local memberships), or by any process other than MMC.exe (for example, via a NET LOCAL command), might indicate inappropriate activity. These details let a Security Information and Event Management (SIEM) solution filter out approved activity.

To generate this event, enable the Audit User Account Management policy. Enable it on all endpoints, including domain controllers. On domain controllers, this audit policy tracks the enumeration of domain user accounts; on member servers and Windows 10 clients, it tracks the enumeration of local user accounts.

What's New in the Windows 10 Security Log | Copyright © LogRhythm 2016 Page 3

Event 4799: Who Are Members of This Local Group?

In another spin on the same attack vector, a threat actor starts with a known local group (such as the local Administrators group) and works out who is in it by enumerating its members, instead of starting with a user and enumerating the groups that user belongs to.
When local groups are enumerated, Windows 10 can be configured to generate event 4799, which documents the enumerated group, the user who requested the enumeration, and the name of the process that performed it. This event requires the Audit Security Group Management policy to be enabled.

LogRhythm MDI Insight

Using dynamic baselining, focus on the responsible process, typically Microsoft Management Console (MMC). Use trending to identify what is "normal" in your environment and to notify you when a new process is responsible for causing this event. Even if the appropriate process changes in the next version of Windows, the beauty of dynamic baselining is that IT is notified the first time the responsible process changes and can then determine whether action is required. That new process then becomes part of the baseline, eliminating repeated false positives.
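The two checks the whitepaper describes for 4798 and 4799 (a requester other than the approved admin, a process other than MMC) and the first-seen process baseline from the MDI Insight section, carried through as an added example. This is not code from the whitepaper or from LogRhythm. The event records are constructed; the field names are assumed to follow the Security log's EventData names (SubjectDomainName, SubjectUserName, TargetUserName, CallerProcessName), and the approved account CORP\svc-admin and the file paths are assumptions for the example.

```python
"""Added example: a detection pass over constructed 4798/4799 records.
It applies the two checks the whitepaper describes (requester other than
the approved admin, process other than MMC) and a first-seen process
baseline that alerts once per new process and then learns it."""

# Constructed sample records (not real exports). Field names are assumed
# to match the Security log's EventData names for these events:
# SubjectDomainName/SubjectUserName = who requested the enumeration,
# TargetUserName = the enumerated user (4798) or group (4799),
# CallerProcessName = the process that performed it.
SAMPLE_EVENTS = [
    {"EventID": 4798, "SubjectDomainName": "CORP", "SubjectUserName": "svc-admin",
     "TargetUserName": "alice",
     "CallerProcessName": r"C:\Windows\System32\mmc.exe"},
    # A NET command (net.exe hands the work to net1.exe): the
    # "any process other than MMC" case from the text
    {"EventID": 4798, "SubjectDomainName": "WS01", "SubjectUserName": "bob",
     "TargetUserName": "Administrator",
     "CallerProcessName": r"C:\Windows\System32\net1.exe"},
    {"EventID": 4799, "SubjectDomainName": "CORP", "SubjectUserName": "svc-admin",
     "TargetUserName": "Administrators",
     "CallerProcessName": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 4799, "SubjectDomainName": "WS01", "SubjectUserName": "bob",
     "TargetUserName": "Administrators",
     "CallerProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Approved admin, but the same new process seen again for 4799
    {"EventID": 4799, "SubjectDomainName": "CORP", "SubjectUserName": "svc-admin",
     "TargetUserName": "Administrators",
     "CallerProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumptions for this example: the one domain account that legitimately
# manages local memberships, and the process the whitepaper names as the
# normal source of these events.
APPROVED_SUBJECTS = {"CORP\\svc-admin"}
APPROVED_PROCESSES = {r"c:\windows\system32\mmc.exe"}


def flag_event(event):
    """Static filter from the whitepaper: return the reasons an event is
    worth a look (unexpected requester, unexpected process). An empty
    list means approved activity the SIEM can filter out."""
    reasons = []
    subject = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
    if subject not in APPROVED_SUBJECTS:
        reasons.append(f"unexpected requester {subject}")
    if event["CallerProcessName"].lower() not in APPROVED_PROCESSES:
        reasons.append(f"unexpected process {event['CallerProcessName']}")
    return reasons


class ProcessBaseline:
    """Dynamic baseline kept per event ID. The first time a process is
    seen causing a given event it is reported as new and then added to
    the baseline, so the same process does not alert a second time."""

    def __init__(self, seed=()):
        self._seed = {p.lower() for p in seed}  # processes trusted from the start
        self._seen = {}                          # event ID -> set of known processes

    def is_new(self, event_id, process):
        known = self._seen.setdefault(event_id, set(self._seed))
        key = process.lower()
        if key in known:
            return False
        known.add(key)
        return True


def analyze(events, baseline):
    """Run both checks in order. Returns one finding per event that fails
    the static filter or introduces a process not yet in the baseline."""
    findings = []
    for index, event in enumerate(events):
        reasons = flag_event(event)
        if baseline.is_new(event["EventID"], event["CallerProcessName"]):
            reasons.append("process not previously seen for this event ID")
        if reasons:
            findings.append({"index": index, "event_id": event["EventID"],
                             "target": event["TargetUserName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, ProcessBaseline(seed=APPROVED_PROCESSES)):
        print(finding["event_id"], finding["target"], "; ".join(finding["reasons"]))
```

On the constructed input, the two events from WS01\bob are flagged on all three counts, the first PowerShell-driven 4799 by the admin is not flagged because the baseline has already learned that process from the earlier event, and the MMC-driven events pass through silently. In a real deployment the baseline would be seeded from a training window of the environment's own events rather than a hard-coded set, and the events only exist once the two subcategories the whitepaper names (User Account Management for 4798, Security Group Management for 4799) are enabled, for example with auditpol /set /subcategory:"User Account Management" /success:enable and the matching command for "Security Group Management".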