Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.
If you’ve been reading my blog, you’ll note that in order to use SCOM for security monitoring, you’ll need to ensure that certain AD auditing policies are configured. I’m using this page as a landing page to the GPO requirements for this security monitoring MP, as some of this is not turned on by default. I’ll also use this to track a link to a gallery download that can be used to grab the latest version of the GPO that I’m using in my lab.
I would strongly recommend some caution in this area as simply importing my own GPO could cause other group policy related issues. For one, I’m using advanced audit policies. As I learned the hard way, advanced audit policies will effectively override traditional audit policies. If an advanced policy is not configured, it is possible that something configured via traditional policies is overwritten. This is a good place to start when it comes to reading up on effective audit polices for Server 2008 R2 and greater.
The other thing to keep in mind is that I have some AppLocker GPOs in place. To be honest, this isn’t going to be terribly helpful for the most part. I’m using hash based detections in AppLocker for certain known tools. A good attacker will likely be recompiling those anyways, making this largely useless. But, not every intruder is that sophisticated, and as such, there is the ability to pick up these tools. In general, anti-virus should be able to catch them, but there has always been ways around AV as well. It’s simply another defense in depth strategy.
This is a summary of what is in my GPO.
- Configures AppLocker for auditing mode and has hash executable rules in place for the following apps.
- Windows Credential Editor
- Mimikatz (official versions on github).
- Under Account Management
- Audit Security Group Management
- Audit User Account Management
- Audit Other account Management events
- Under Detailed Tracking
- Audit Process Creation (for 4688 events)
- DS Access
- Directory Service Access
- Directory Service Change
- Account Lockout
- Account Logon
- Other Logon/Logoff events
- Special Logon
- Object Access
- Audit Handle Manipulation
- Audit Kernel Object
- Audit SAM
- Windows Components/Windows PowerShell
- Turns on module logging for PowerShell and WSMan Management – currently only targeted towards PowerSploit detection.
- Account Logon > Audit Credential Validation - Success
Not all of these items have detections built in as of yet. Some of these are turned on for the purpose of future revisions to this management pack. Suffice to say though that if you do not have these items in place, some of the rules that were written will not function.