Notes about configuring Security log auditing

• At an organizational level, you can configure the Security log audit policies with Group Policy or InTune. For standalone machines, you can configure with the Local Security Policy Editor (gpedit.msc). You can also use PowerShell or Batch scripts with built-in commands such as auditpol to configure either standalone machines or use them as startup scripts to configure endpoints at scale.

• You should always enable Security log auditing at the sub-category level (Computer Configuration > Windows Settings > Security Settings > Advanced security audit policy settings > System Audit Policies in Group Policy) instead of the broad category level as the latter will usually enable too many events and will override any granular settings you made at the sub-category level.

• In this document, we have ommited sub-categories and event IDs that are not actually used or are not needed for monitoring or DFIR investigations. Only the important ones that you should enable are listed here.

• You cannot turn on or off specific event IDs, only sub-categories at the most granular level. This is unfortunate as sometimes there will be a couple of noisy event IDs that you can not disable unless you disable the entire sub-category.

Security Event Log Categories and Event IDs

Account Logon

Credential Validation

Volume: Depends on NTLM usage. Could be high on DCs and low on clients and servers.

Default settings: Client OS: No Auditing | Server OS: Success

Recommended settings: Client and Server OSes: Success and Failure

Notable BluSapphire rules:

• Metasploit SMB Authentication: Detect when someone is running Metasploit on your network.

• Valid Users Failing to Authenticate from Single Source Using NTLM: Password guessing.

• Invalid Users Failing To Authenticate From Single Source Using NTLM: Username guessing.

• Failed Logins with Different Accounts from Single Source System: Password spraying.

Kerberos Authentication Service

Note: These events are only generated on domain controllers

Volume: High

Default settings: Client OS: No Auditing | Server OS: Success

Recommended settings: Client OS: No Auditing | Server OS: Success and Failure

Notable BluSapphire rules:

• (4768) (High) PetitPotam Suspicious Kerberos TGT Request

• (4768) (Med) Disabled Users Failing To Authenticate From Source Using Kerberos

• (4768) (Med) Invalid Users Failing To Authenticate From Source Using Kerberos: Username guessing.

• (4771) (Med) Valid Users Failing to Authenticate From Single Source Using Kerberos: Password guessing.

Kerberos Service Ticket Operations

Note: These events are only generated on domain controllers

Volume: High

Default settings: Client OS: No Auditing | Server OS: Success

Recommended settings: Domain Controllers: Success and Failure

Notable BluSapphire rules:

• (4769) (Med) Suspicious Kerberos RC4 Ticket Encryption: Detects service ticket requests using RC4 encryption. This could be for Kerberoasting (password cracking) or just older systems using legacy encryption.

Account Management

Computer Account Management

Note: These events are only generated on domain controllers

Volume: Low

Default settings: Client OS: No Auditing | Server OS: Success Only

Recommended settings: Domain Controllers: Success and Failure

Notable BluSapphire rules:

• (4742) (Med) Possible DC Shadow: Detects DCShadow via create new SPN.

Other Account Management Events

Volume: Low

Default settings: No Auditing

Recommended settings: Success and Failure

Security Group Management

A "security-enabled" group is a group that you can assign access permissions (ACLs). The other type is a Distribution Group, which is "security-disabled" and cannot be assigned access permissions. Since security-enabled groups are most common, we will refer to them simply as "groups". For example, Local Group Created, instead of A security-enabled local group was created..

A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.

A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.

A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.

Volume: Low

Default settings: Success

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4732) (Med) User Added to Local Administrators

• (4799) (High) Operation Wocao Activity: Detects China-based cyber espionage.

User Account Management

Volume: Low

Default settings: Success

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4720) (High) Hidden Local User Creation: Detects hidden user accounts most likely used as a backdoor account.

• (4720) (High) Suspicious Windows ANONYMOUS LOGON Local Account Created

• (4720) (Low) Local User Creation

• (4738) (High) Active Directory User Backdoors

• (4738) (High) Weak Encryption Enabled and Kerberoast

• (4765, 4766, 4738) (Med) Addition of SID History to Active Directory Object: An attacker can use the SID history attribute to gain additional privileges.

• (5145, 4738) (Med) Possible Remote Password Change Through SAMR: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().

• (4781) (High) Suspicious Computer Account Name Change CVE-2021-42287: Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

• (4794) (High) Password Change on Directory Service Restore Mode (DSRM) Account: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Detailed Tracking

Plug and Play Events

This is important if you want to track physical attacks (Rubber Ducky, etc..) or someone exfiltrating data via USB devices.

Volume: Typcially low

Default settings: No Auditing

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (6416) External Disk Drive Or USB Storage Device

Process Creation

Note: A separate setting needs to be enabled to log command line information which is extremely important. Computer Configuration > Windows Settings > Administrative Templates > System > Audit Process Creation > Include command line in process creation events in Group Policy.

If you do not have Sysmon installed and configured to monitor Process Creation, then you should enable this as about half of BluSapphire's detection rules rely on process creation with command line options enabled.

Volume: High

Default settings: No Auditing

Recommended settings: Success and Failure if sysmon is not configured.

Process Termination

You may want to keep this disabled to save file space.

Volume: High

Default settings: No Auditing

Recommended settings: No Auditing unless you want to track the lifespan of processes.

RPC (Remote Procedure Call) Events

Volume: High on RPC servers (According to Microsoft)

Default settings: No Auditing

Recommended settings: Unknown. Needs testing.

Token Right Adjusted Events

Volume: Unknown

Default settings: No Auditing

Recommended settings: Unknown. Needs testing.

DS (Directory Service) Access

Note: Enable only for Domain Controllers

Directory Service Access

Volume: High

Default settings: Client OS: No Auditing | Server OS: Success

Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure

Notable BluSapphire rules:

• (4662) (Crit) AD Object WriteDAC Access

• (4662) (Crit) Active Directory Replication from Non Machine Account

• (4662) (Med) AD User Enumeration: Detects access to a domain user from a non-machine account. (Requires the "Read all properties" permission on the user object to be audited for the "Everyone" principal.)

• (4662) (High) DPAPI Domain Backup Key Extraction: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers.

• (4662) (Med) WMI Persistence: Detects malware that autostarts via WMI.

Directory Service Changes

Volume: High

Default settings: No Auditing

Recommended settings: Client OS: No Auditing | ADDS Server: Success and Failure

Notable BluSapphire rules:

• (5136) (High) Powerview Add-DomainObjectAcl DCSync AD Extend Right: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account.

• (5136) (High) Active Directory User Backdoors: Detects scenarios where one can control another users or computers account without having to use their credentials.

• (5136) (Med) Possible DC Shadow

• (5136) (High) Suspicious LDAP-Attributes Used: Detects LDAPFragger, a C2 tool that lets attackers route Cobalt Strike beacon data over LDAP attributes.

Logon/Logoff

Account Lockout

Volume: Low

Default settings: Success

Recommended settings: Success and Failure

Currently there is no BluSapphire rule for account lockout.

Group Membership

Records what group a user belongs to when they log in. ACSC recommends Success and Failure but this is probably not needed if you can easily lookup what groups a user belongs to.

Volume: Adds an extra 4627 event to every logon.

Default settings: No Auditing

Recommended settings: No Auditing

Logoff

Note: Unfortunately, Windows will sometimes not record any logoff event when logging off.

Volume: High

Default settings: Success

Recommended settings: Success

Logon

Volume: Low on clients, medium on DCs or network servers

Default settings: Client OS: Success | Server OS: Success and Failure

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4624) (Low) Admin User Remote Logon

• (4624) (High) Successful Overpass the Hash Attempt

• (4624) (Med) Pass the Hash Activity

• (4624) (Med) RDP Login from Localhost

• (4624) (Low) Login with WMI

• (4624) (High) KrbRelayUp Attack Pattern

• (4624) (High) RottenPotato Like Attack Pattern

• (4625) (Med) Failed Logon From Public IP

• (4648) (Med) Suspicious Remote Logon with Explicit Credentials

• (4624) (High) Scanner PoC for CVE-2019-0708 RDP RCE Vuln: Detects scans for the BlueKeep vulnerability.

• (4625) (Med) Failed Logon From Public IP

• (4625) (Med) Multiple Users Failing to Authenticate from Single Process

• (4625) (Med) Multiple Users Remotely Failing To Authenticate From Single Source

Other Logon/Logoff Events

Volume: Low

Default settings: No Auditing

Recommended settings: Success and Failure

Special Logon

"Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.

Volume: Low on clients. Medium on DC or network servers.

Default settings: Success

Recommended settings: Success and Failure

Object Access

Certification Services

Note: Enable only for servers providing AD CS role services.

Volume: Low to medium

Default settings: No Auditing

Recommended settings: Success and Failure for AD CS role servers.

Notable BluSapphire rules:

• (4898, 4899) (High) ADCS Certificate Template Configuration Vulnerability with Risky EKU

• (4898, 4899) (High) ADCS Certificate Template Configuration Vulnerability

Note: Many event IDs are enabled. Only the ones with BluSapphire rules are shown above.

Detailed File Share

Volume: Very high for file servers and DCs, however, may be necessary if you want to track who is accessing what files as well as detect various lateral movement.

Warning: There are no SACLs (System Access Control Lists) for shared folders so everything is logged.

Default settings: No Auditing

Recommended settings: No Auditing due to the high noise level. Enable if you can though.

Notable BluSapphire rules:

• (5145) (Med) Remote Task Creation via ATSVC Named Pipe

• (5145) (High) Persistence and Execution at Scale via GPO Scheduled Task

• (5145) (High) Impacket PsExec Execution

• (5145) (High) Possible Impacket SecretDump Remote Activity

• (5145) (High) First Time Seen Remote Named Pipe

• (5145) (High) Possible PetitPotam Coerce Authentication Attempt

• (5145) (Med) Suspicious Access to Sensitive File Extensions

• (5145) (Med) Transferring Files with Credential Data via Network Shares

File Share

Volume: High for file servers and DCs.

Default settings: No Auditing

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (5140) (Low) Access to ADMIN$ Share

File System

You need to separately configure audit permissions on files and/or folders in order for access to be logged. For example, by right-clicking, opening Properties, Security tab, Advanced, Auditing tab and then adding a Principal and what permissions to monitor. It is recommended only to monitor access to sensitive files as there will be too much noise if too many files are enabled for logging.

Volume: Depends on SACL rules

Default settings: No Auditing

Recommended settings: Enable SACLs just for sensitive files

Notable BluSapphire rules:

• (4663) (Med) ISO Image Mount

• (4663) (High) Suspicious Teams Application Related ObjectAcess Event: Detects access to MS Teams authentication tokens.

Note: EID 4656, 4658, 4660, 4663, 4670 are also used for access to registry and kernel objects as well as removable storage access but need to be configured separately.

Filtering Platform Connection

Logs when WFP (Windows Filtering Platform) allows or blocks port bindings and network connections.

Volume: High

Default settings: No Auditing

Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.

Notable BluSapphire rules:

• (5156) (Med) Enumeration via the Global Catalog): To detect Bloodhound and similar tools.

• (5156) (High) RDP over Reverse SSH Tunnel WFP

• (5156) (High) Remote PowerShell Sessions Network Connections (WinRM)

• (5156) (High) Suspicious Outbound Kerberos Connection: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Filtering Platform Packet Drop

Volume: High

Default settings: No Auditing

Recommended settings: Success and Failure if you have enough space and are not monitoring network connections with sysmon. This should cause a high amount of events though.

Kernel Object

This feature is mainly for kernel developers. This audits attempts to access the kernel objects, such as mutexes, symbolic links, named pipes, etc... Only kernel objects with SACLs generate security audit events. By default, kernel objects will not have SACLS defined so they will not be audited. You can enable auditing of all kernel objects by enabling Audit the access of global system objects (GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit the access of global system objects) which will define SACLS for all kernel objects, however, it is not recommended as you will probably generate too many unneeded events. On Windows 11, access to the lsass process seems to be enabled by default, which is good to monitor.

Volume: High if auditing access of global object access is enabled

Default settings: No Auditing

Recommended settings: Success and Failure but do not enable Audit the access of global system objects as you will generate too many 4663: Object Access events.

Notable BluSapphire rules:

• (4656) (High) Generic Password Dumper Activity on LSASS

• (4663) (Med) Suspicious Multiple File Rename Or Delete Occurred: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may indicate ransomware activity).

Note: EID 4656, 4658, 4660, 4663 are also used for access to registry and file system objects as well as removable storage access but need to be configured separately.

Handle Manipulation

This subcategory needs to be enabled to enable events like 4656, 4658 and 4661 in other subcategories. It also enables an additional event 4690, however, this event not useful for investigations. It is recommended to enable this subcategory in order to enable more useful events in other subcategories.

Default settings: No Auditing

Recommended settings: Success and Failure

Other Object Access Events

It is important to enable as malware will often abuse tasks for persistence and lateral movement.

Volume: Low

Default settings: No Auditing

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4698) (Low) Rare Schtasks Creations: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code.

• (4699) (Low) Scheduled Task Deletion

Registry

Many attacks and malware use the registry so it is a great place for evidence, however, it is difficult to only log only what is needed for detection and if you enable all registry access globally, there will be extreme volume of events and possible performance degradation.

Volume: Depends on SACLs

Default settings: No Auditing

Recommended settings: Set SACLs for only the registry keys that you want to monitor

Notable BluSapphire rules:

• (4656) (High) SAM Registry Hive Handle Request: Attackers will try to access the SAM registry hive to obtain password hashes.

• (4656) (Med) SCM Database Handle Failure: Detects non-system users failing to get a handle of the SCM database.

• (4657) (High) COMPlus_ETWEnabled Registry Modification: Potential adversaries stopping ETW providers recording loaded .NET assemblies.

• (4657) (High) NetNTLM Downgrade Attack

• (4657) (High) Sysmon Channel Reference Deletion: Potential threat actor tampering with Sysmon manifest and eventually disabling it.

• (4657) (High) Creation of a Local Hidden User Account by Registry

• (4657) (High) UAC Bypass via Sdclt

• (4657) (High) Disable Security Events Logging Adding Reg Key MiniNt

• (4657) (Crit) PrinterNightmare Mimimkatz Driver Name

• (4657) (Crit) Security Support Provider (SSP) Added to LSA Configuration: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

• (4657) (High) Suspicious Run Key from Download

• (4657) (High) Suspicious Camera and Microphone Access

• (4657) (Low) Usage of Sysinternals Tools

• (4657) (Med) Common Autorun Keys Modification

• (4657) (High) Disable Sysmon Event Logging Via Registry

Note: EID 4656, 4658, 4660, 4663, 4670 are also used for access to kernel and file system objects as well as removable storage access but need to be configured separately.

Removable Storage

This logs all file access to removable storage regardless of SACL settings. You may want to enable to track employees exfiltrating data via USB storage.

Volume: Depends on how much removable storage is used

Default settings: No Auditing

Recommended settings: Success and Failure if you want to monitor external device usage.

Note: EID 4656, 4658, 4663 are also used for access to registry, kernel and file system objects but need to be configured separately.

SAM

This will log attempts to access Security Account Manager (SAM) objects, such as user and computer accounts, groups, security descriptors, etc...

Volume: High volume of events on Domain Controllers

Default settings: No Auditing

Recommended settings: Success and Failure if you can but may cause too high volume of noise so should be tested beforehand.

Notable BluSapphire rules:

• (4661) (High) Reconnaissance Activity: Detects activity such as "net user administrator /domain" and "net group domain admins /domain".

• (4661) (High) AD Privileged Users or Groups Reconnaissance: Detect privileged users or groups recon based on 4661 eventid and known privileged users or groups SIDs.

Policy Change

Audit Policy Change

Changes to audit policy that are audited include:

• Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).

• Changing the system audit policy.

• Registering and unregistering security event sources.

• Changing per-user audit settings.

• Changing the value of CrashOnAuditFail.

• Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).

• Changing anything in the Special Groups list.

Volume: Low

Default settings: Success

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4719) (High) Disabling Windows Event Auditing: Detects anti-forensics via local GPO policy.

Authentication Policy Change

Changes made to authentication policy include:

• Creation, modification, and removal of forest and domain trusts.

• Changes to Kerberos policy under Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy.

• When any of the following user logon rights is granted to a user or group:

  • Access this computer from the network

  • Allow logon locally

  • Allow logon through Remote Desktop

  • Logon as a batch job

  • Logon as a service

• Namespace collision, such as when an added trust collides with an existing namespace name.

This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.

Volume: Low

Default settings: Success

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4706) (Med) Addition of Domain Trusts: Addition of domains is seldom and should be verified for legitimacy.

Authorization Policy Change

Audits assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.

You can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects. However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, it is not recommended to enable due to the high volume of events.

Volume: Medium to High

Default settings: No Auditing

Recommended settings: Unknown. Needs testing.

Filtering Platform Policy Change

Audit events generated by changes to the Windows Filtering Platform (WFP), such as the following:

• IPsec services status.

• Changes to IPsec policy settings.

• Changes to Windows Filtering Platform Base Filtering Engine policy settings.

• Changes to WFP providers and engine.

Volume: Low

Default settings: No Auditing

Recommended settings: Unknown, Needs testing.

There are too many events that are enabled with this sub-category to list up and no BluSapphire detection rules that use these event IDs at the moment.

MPSSVC Rule-Level Policy Change

Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include:

• Active policies when the Windows Firewall service starts.

• Changes to Windows Firewall rules.

• Changes to the Windows Firewall exception list.

• Changes to Windows Firewall settings.

• Rules ignored or not applied by the Windows Firewall service.

• Changes to Windows Firewall Group Policy settings.

Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.

Volume: Low

Default settings: No Auditing

Recommended settings: Unknown. Needs testing.

Other Policy Change Events

Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.

Volume: Low

Default settings: No Auditing

Recommended settings: No Auditing (Note: ACSC recommends Success and Failure, however, this results in a lot of noise of 5447 (A Windows Filtering Platform filter has been changed) events being generated.)

There are too many events that are enabled with this sub-category to list up and no BluSapphire detection rules that use these event IDs at the moment.

Privilege Use

Non Sensitive Use Events

Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges:

• Access Credential Manager as a trusted caller

• Add workstations to domain

• Adjust memory quotas for a process

• Bypass traverse checking

• Change the system time

• Change the time zone

• Create a page file

• Create global objects

• Create permanent shared objects

• Create symbolic links

• Force shutdown from a remote system

• Increase a process working set

• Increase scheduling priority

• Lock pages in memory

• Modify an object label

• Perform volume maintenance tasks

• Profile single process

• Profile system performance

• Remove computer from docking station

• Shut down the system

• Synchronize directory service data

Volume: Very high

Default settings: No Auditing

Recommended settings: No Auditing

Note: Non-sensitive and sensitive privilege use events use the same event ID.

Sensitive Privilege Use

Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges:

• Act as part of the operating system

• Back up files and directories

• Restore files and directories

• Create a token object

• Debug programs

• Enable computer and user accounts to be trusted for delegation

• Generate security audits

• Impersonate a client after authentication

• Load and unload device drivers

• Manage auditing and security log

• Modify firmware environment values

• Replace a process-level token

• Take ownership of files or other objects

The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Audit the access of global system objects Group Policy setting is enabled. However, it is not recommended to enable this Group Policy setting because of the high number of events recorded.

Volume: High

Default settings: No Auditing

Recommended settings: Success and Failure However, this may be too noisy.

Notable BluSapphire rules:

• (4673) (High) User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess': The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

• (4673) (Med) Suspicious Driver Loaded By User: Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

• (4674) (Med) SCM Database Privileged Operation: Detects non-system users performing privileged operation os the SCM database.

Note: Non-sensitive and sensitive privilege use events use the same event ID.

System

Other System Events

Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures:

• Startup and shutdown of the Windows Firewall service and driver.

• Security policy processing by the Windows Firewall service.

• Cryptography key file and migration operations.

• BranchCache events.

Volume: Low

Default settings: Success and Failure

Recommended settings: Unknown. Needs testing.

There are too many events that are enabled with this sub-category to list up and no BluSapphire detection rules that use these event IDs at the moment.

Security State Change

Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.

Volume: Low

Default settings: Success

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4616) (Low) Unauthorized System Time Modification: Detect scenarios where a potentially unauthorized application or user is modifying the system time.

Security System Extension

This policy setting allows you to audit events related to security system extensions or services such as the following:

• A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM.

• A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.

Volume: Low, but more on DCs

Default settings: No Auditing

Recommended settings: Success and Failure

Notable BluSapphire rules:

• (4611) (High) Register new Logon Process by Rubeus: Detects potential use of Rubeus via registered new trusted logon process.

• (4697) (High) Invoke-Obfuscation Obfuscated IEX Invocation

• (4697) (High) Invoke-Obfuscation Via Use Rundll32

• (4697) (High) Invoke-Obfuscation Via Use MSHTA

• (4697) (High) CobaltStrike Service Installations

• (4697) (High) Credential Dumping Tools Service Execution

• (4697) (Crit) Malicious Service Installations

• (4697) (Crit) Meterpreter or Cobalt Strike Getsystem Service Installation

System Integrity

Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem:

• Audited events are lost due to a failure of the auditing system.

• A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.

• A remote procedure call (RPC) integrity violation is detected.

• A code integrity violation with an invalid hash value of an executable file is detected.

• Cryptographic tasks are performed.

According to Microsoft, violations of security subsystem integrity are critical and could indicate a potential security attack.

Volume: Low

Default settings: Sucess, Failure

Recommended settings: Success and Failure

Currently, there are no BluSapphire rules for this sub-category.

Global Object Access Auditing

You can configure all File system and Registry access to be recorded here but it is not recommended for production due to the very high amount of logs you will generate. It is recommended to turn on when simulating attacks to find out what registry and files are changed in order to write detection rules.

Default Logs

Event IDs that are enabled by default that should be monitored will be listed below.