Windows Security Monitoring
Scenarios and Patterns

Dig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security

Written by a former Microsoft security program manager, DEFCON "Forensics CTF" village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system?s event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario?based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.

This book is based on the author?s experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. It presents the most common scenarios people should be aware of to check for any potentially suspicious activity.

Learn to:

• Implement the Security Logging and Monitoring policy
• Dig into the Windows security auditing subsystem
• Understand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system

About the Author

Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft?s Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)² CISSP and Microsoft MCSE: Security certifications.

Introduction xxix

Part I Introduction to Windows Security Monitoring 1

Chapter 1 Windows Security Logging and Monitoring Policy 3

Security Logging 3

Security Logs 4

System Requirements 5

PII and PHI 5

Availability and Protection 5

Configuration Changes 6

Secure Storage 6

Centralized Collection 6

Backup and Retention 7

Periodic Review 7

Security Monitoring 7

Communications 8

Audit Tool and Technologies 8

Network Intrusion Detection Systems 8

Host-based Intrusion Detection Systems 8

System Reviews 9

Reporting 9

Part II Windows Auditing Subsystem 11

Chapter 2 Auditing Subsystem Architecture 13

Legacy Auditing Settings 13

Advanced Auditing Settings 16

Set Advanced Audit Settings via Local Group Policy 18

Set Advanced Audit Settings via Domain Group Policy 19

Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database 19

Read Current LSA Policy Database Advanced Audit Policy Settings 20

Advanced Audit Policies Enforcement and Legacy Policies Rollback 20

Switch from Advanced Audit Settings to Legacy Settings 21

Switch from Legacy Audit Settings to Advanced Settings 22

Windows Auditing Group Policy Settings 22

Manage Auditing and Security Log 22

Generate Security Audits 23

Security Auditing Policy Security Descriptor 23

Group Policy: “Audit: Shut Down System Immediately If Unable to Log Security Audits” 24

Group Policy: Protected Event Logging 25

Group Policy: “Audit: Audit the Use of Backup and Restore Privilege” 25

Group Policy: “Audit: Audit the Access of Global System Objects” 26

Audit the Access of Global System Container Objects 26

Windows Event Log Service: Security Event Log Settings 27

Changing the Maximum Security Event Log File Size 28

Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size 29

Group Policy: Back Up Log Automatically When Full 29

Group Policy: Control the Location of the Log File 30

Security Event Log Security Descriptor 31

Guest and Anonymous Access to the Security Event Log 33

Windows Auditing Architecture 33

Windows Auditing Policy Flow 34

LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route 35

Windows Auditing Event Flow 36

LSASS.EXE Security Event Flow 37

NTOSKRNL.EXE Security Event Flow 37

Security Event Structure 38

Chapter 3 Auditing Subcategories and Recommendations 47

Account Logon 47

Audit Credential Validation 47

Audit Kerberos Authentication Service 50

Audit Kerberos Service Ticket Operations 53

Audit Other Account Logon Events 54

Account Management 54

Audit Application Group Management 54

Audit Computer Account Management 54

Audit Distribution Group Management 55

Audit Other Account Management Events 56

Audit Security Group Management 57

Audit User Account Management 57

Detailed Tracking 58

Audit DPAPI Activity 58

Audit PNP Activity 58

Audit Process Creation 58

Audit Process Termination 59

Audit RPC Events 59

DS Access 60

Audit Detailed Directory Service Replication 60

Audit Directory Service Access 60

Audit Directory Service Changes 61

Audit Directory Service Replication 61

Logon and Logoff 61

Audit Account Lockout 61

Audit User/Device Claims 62

Audit Group Membership 62

Audit IPsec Extended Mode/Audit IPsec Main Mode/ Audit IPsec Quick Mode 63

Audit Logoff 63

Audit Logon 64

Audit Network Policy Server 65

Audit Other Logon/Logoff Events 65

Audit Special Logon 66

Object Access 66

Audit Application Generated 67

Audit Certification Services 67

Audit Detailed File Share 67

Audit File Share 67

Audit File System 68

Audit Filtering Platform Connection 68

Audit Filtering Platform Packet Drop 69

Audit Handle Manipulation 69

Audit Kernel Object 70

Audit Other Object Access Events 71

Audit Registry 71

Audit Removable Storage 72

Audit SAM 72

Audit Central Policy Staging 73

Policy Change 73

Audit Policy Change 73

Audit Authentication Policy Change 74

Audit Authorization Policy Change 74

Audit Filtering Platform Policy Change 75

Audit MPSSVC Rule-Level Policy Change 75

Audit Other Policy Change Events 75

Privilege Use 76

Audit Non Sensitive Privilege Use 76

Audit Other Privilege Use Events 77

Audit Sensitive Privilege Use 77

System 77

Audit IPsec Driver 78

Audit Other System Events 78

Audit Security State Change 78

Audit Security System Extension 79

Audit System Integrity 79

Part III Security Monitoring Scenarios 81

Chapter 4 Account Logon 83

Interactive Logon 85

Successful Local User Account Interactive Logon 85

Step 1: Winlogon Process Initialization 85

Step 1: LSASS Initialization 87

Step 2: Local System Account Logon 88

Step 3: ALPC Communications between Winlogon and LSASS 92

Step 4: Secure Desktop and SAS 92

Step 5: Authentication Data Gathering 92

Step 6: Send Credentials from Winlogon to LSASS 94

Step 7: LSA Server Credentials Flow 95

Step 8: Local User Scenario 96

Step 9: Local User Logon: MSV1_0 Answer 99

Step 10: User Logon Rights Verification 104

Step 11: Security Token Generation 105

Step 12: SSPI Call 105

Step 13: LSASS Replies to Winlogon 105

Step 14: Userinit and Explorer.exe 105

Unsuccessful Local User Account Interactive Logon 106

Successful Domain User Account Interactive Logon 110

Steps 1–7: User Logon Process 110

Step 8: Authentication Package Negotiation 110

Step 9: LSA Cache 111

Step 10: Credentials Validation on the Domain Controller 112

Steps 11–16: Logon Process 112

Unsuccessful Domain User Account Interactive Logon 112

RemoteInteractive Logon 112

Successful User Account RemoteInteractive Logon 112

Successful User Account RemoteInteractive Logon Using Cached Credentials 114

Unsuccessful User Account RemoteInteractive Logon - NLA Enabled 115

Unsuccessful User Account RemoteInteractive Logon - NLA Disabled 117

Network Logon 118

Successful User Account Network Logon 118

Unsuccessful User Account Network Logon 120

Unsuccessful User Account Network Logon - NTLM 121

Unsuccessful User Account Network Logon - Kerberos 122

Batch and Service Logon 123

Successful Service / Batch Logon 123

Unsuccessful Service / Batch Logon 125

NetworkCleartext Logon 127

Successful User Account NetworkCleartext Logon - IIS Basic Authentication 127

Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication 129

NewCredentials Logon 129

Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type 132

Account Logoff and Session Disconnect 133

Terminal Session Disconnect 134

Special Groups 135

Anonymous Logon 136

Default ANONYMOUS LOGON Logon Session 136

Explicit Use of Anonymous Credentials 138

Use of Account That Has No Network Credentials 139

Computer Account Activity from Non–Domain- Joined Machine 139

Allow Local System to Use Computer Identity for NTLM 140

Chapter 5 Local User Accounts 141

Built-in Local User Accounts 142

Administrator 142

Guest 144

Custom User Account 145

HomeGroupUser$ 145

DefaultAccount 146

Built-in Local User Accounts Monitoring Scenarios 146

New Local User Account Creation 146

Successful Local User Account Creation 147

Unsuccessful Local User Account Creation: Access Denied 164

Unsuccessful Local User Account Creation: Other 165

Monitoring Scenarios: Local User Account Creation 166

Local User Account Deletion 168

Successful Local User Account Deletion 169

Unsuccessful Local User Account Deletion - Access Denied 173

Unsuccessful Local User Account Deletion - Other 175

Monitoring Scenarios: Local User Account Deletion 176

Local User Account Password Modification 177

Successful Local User Account Password Reset 178

Unsuccessful Local User Account Password Reset - Access Denied 179

Unsuccessful Local User Account Password Reset - Other 180

Monitoring Scenarios: Password Reset 181

Successful Local User Account Password Change 182

Unsuccessful Local User Account Password Change 183

Monitoring Scenarios: Password Change 184

Local User Account Enabled/Disabled 184

Local User Account Was Enabled 184

Local User Account Was Disabled 186

Monitoring Scenarios: Account Enabled/Disabled 186

Local User Account Lockout Events 187

Local User Account Lockout 188

Local User Account Unlock 190

Monitoring Scenarios: Account Enabled/Disabled 191

Local User Account Change Events 191

Local User Account Change Event 192

Local User Account Name Change Event 196

Monitoring Scenarios: Account Changes 198

Blank Password Existence Validation 199

Chapter 6 Local Security Groups 201

Built-in Local Security Groups 203

Access Control Assistance Operators 205

Administrators 205

Backup Operators 205

Certificate Service DCOM Access 205

Cryptographic Operators 205

Distributed COM Users 206

Event Log Readers 207

Guests 207

Hyper-V Administrators 207

IIS_IUSRS 208

Network Configuration Operators 208

Performance Log Users 209

Performance Monitor Users 209

Power Users 209

Print Operators 209

Remote Desktop Users 209

Remote Management Users 210

Replicator 210

Storage Replica Administrators 210

System Managed Accounts Group 210

Users 210

WinRMRemoteWMIUsers__ 211

Built-in Local Security Groups Monitoring Scenarios 211

Local Security Group Creation 212

Successful Local Security Group Creation 212

Unsuccessful Local Security Group Creation - Access Denied 217

Monitoring Scenarios: Local Security Group Creation 218

Local Security Group Deletion 218

Successful Local Security Group Deletion 219

Unsuccessful Local Security Group Deletion - Access Denied 221

Unsuccessful Local Security Group Deletion - Other 222

Monitoring Scenarios: Local Security Group Deletion 223

Local Security Group Change 223

Successful Local Security Group Change 224

Unsuccessful Local Security Group Change - Access Denied 226

Monitoring Scenarios: Local Security Group Change 227

Local Security Group Membership Operations 227

Successful New Local Group Member Add Operation 228

Successful Local Group Member Remove Operation 231

Unsuccessful Local Group Member Remove/ Add Operation - Access Denied 232

Monitoring Scenarios: Local Security Group Members Changes 233

Local Security Group Membership Enumeration 234

Monitoring Scenarios: Local Security Group Membership Enumeration 235

Chapter 7 Microsoft Active Directory 237

Active Directory Built-in Security Groups 237

Administrators 238

Account Operators 238

Incoming Forest Trust Builders 238

Pre-Windows 2000 Compatible Access 238

Server Operators 239

Terminal Server License Servers 239

Windows Authorization Access 239

Allowed RODC Password Replication Group 240

Denied RODC Password Replication Group 240

Cert Publishers 240

DnsAdmins 240

RAS and IAS Servers 241

Cloneable Domain Controllers 241

DnsUpdateProxy 241

Domain Admins 241

Domain Computers 241

Domain Controllers 242

Domain Users 242

Group Policy Creator Owners 242

Protected Users 242

Read-Only Domain Controllers 242

Enterprise Read-Only Domain Controllers 242

Enterprise Admins 243

Schema Admins 243

Built-in Active Directory Accounts 243

Administrator 243

Chapter 8 Active Directory Objects 285

Active Directory Object SACL 286

Child Object Creation and Deletion Permissions 291

Extended Rights 292

Validated Writes 294

Chapter 9 Authentication Protocols 323

NTLM-family Protocols 323

Challenge-Response Basics 323

LAN Manager 325

LM Hash 325

Chapter 10 Operating System Events 367

System Startup/Shutdown 368

Successful Normal System Shutdown 368

Unsuccessful Normal System Shutdown - Access Denied 370

Chapter 11 Logon Rights and User Privileges 419

Logon Rights 419

Logon Rights Policy Modification 420

Logon Rights Policy Settings - Member Added 421

Logon Rights Policy Settings - Member Removed 421

Unsuccessful Logons Due to Lack of Logon Rights 422

User Privileges 422

User Privileges Policy Modification 427

User Privileges Policy Settings - Member Added 427

User Privileges Policy Settings - Member Removed 428

Special User Privileges Assigned at Logon Time 429

Logon Session User Privileges Operations 430

Privilege Use 431

Successful Call of a Privileged Service 431

Unsuccessful Call of a Privileged Service 432

Successful Operation with a Privileged Object 433

Unsuccessful Operation with a Privileged Object 435

Backup and Restore Privilege Use Auditing 435

Chapter 12 Windows Applications 437

New Application Installation 437

Application Installation Using Windows Installer 440

Application Removal Using Windows Installer 443

Chapter 13 Filesystem and Removable Storage 485

Windows Filesystem 486

NTFS Security Descriptors 487

Inheritance 493

Chapter 14 Windows Registry 523

Windows Registry Basics 523

Registry Key Permissions 526

Registry Operations Auditing 528

Chapter 15 Network File Shares and Named Pipes 559

Network File Shares 559

Network File Share Access Permissions 563

File Share Creation 564

Appendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options 585

Appendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes 589

Appendix C SDDL Access Rights 597

Object-Specific Access Rights 598

Index 603 

Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)² CISSP and Microsoft MCSE: Security certifications.