Dig deep into the Windows auditing subsystem to monitor for malicious activities and enhance Windows system security
Written by a former Microsoft security program manager, DEFCON "Forensics CTF" village author and organizer, and CISSP, this book digs deep into the Windows security auditing subsystem to help you understand the operating system's event logging patterns for operations and changes performed within the system. Expert guidance brings you up to speed on Windows auditing, logging, and event systems to help you exploit the full capabilities of these powerful components. Scenario-based instruction provides clear illustration of how these events unfold in the real world. From security monitoring and event patterns to deep technical details about the Windows auditing subsystem and components, this book provides detailed information on security events generated by the operating system for many common operations such as user account authentication, Active Directory object modifications, local security policy changes, and other activities.
This book is based on the author's experience and the results of his research into Microsoft Windows security monitoring and anomaly detection. It presents the most common scenarios people should be aware of to check for any potentially suspicious activity.
Learn to:
* Implement the Security Logging and Monitoring policy
* Dig into the Windows security auditing subsystem
* Understand the most common monitoring event patterns related to operations and changes in the Microsoft Windows operating system
About the Author
Andrei Miroshnikov is a former security program manager with Microsoft. He is an organizer and author for the DEFCON security conference "Forensics CTF" village and has been a speaker at Microsoft's Bluehat security conference. In addition, Andrei is an author of the "Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference" and multiple internal Microsoft security training documents. Among his many professional qualifications, he has earned the (ISC)² CISSP and Microsoft MCSE: Security certifications.
ISBN-13
978-1-119-39089-3 (9781119390893)
1 - Cover [Page 1]
2 - Title Page [Page 5]
3 - Copyright [Page 6]
4 - About the Author [Page 9]
5 - About the Technical Editor [Page 9]
6 - Credits [Page 11]
7 - Acknowledgments [Page 13]
8 - Contents [Page 17]
9 - Introduction [Page 31]
9.1 - Who This Book Is For [Page 32]
9.2 - What This Book Covers [Page 32]
9.3 - How This Book Is Structured [Page 33]
9.4 - What You Need to Use This Book [Page 34]
9.5 - Conventions [Page 35]
9.6 - What's on the Website [Page 35]
10 - Part I: Introduction to Windows Security Monitoring [Page 37]
10.1 - Chapter 1: Windows Security Logging and Monitoring Policy [Page 39]
10.1.1 - Security Logging [Page 39]
10.1.1.1 - Security Logs [Page 40]
10.1.1.1.1 - System Requirements [Page 41]
10.1.1.1.2 - PII and PHI [Page 41]
10.1.1.1.3 - Availability and Protection [Page 41]
10.1.1.1.4 - Configuration Changes [Page 42]
10.1.1.1.5 - Secure Storage [Page 42]
10.1.1.1.6 - Centralized Collection [Page 42]
10.1.1.1.7 - Backup and Retention [Page 43]
10.1.1.1.8 - Periodic Review [Page 43]
10.1.2 - Security Monitoring [Page 43]
10.1.2.1 - Communications [Page 44]
10.1.2.2 - Audit Tool and Technologies [Page 44]
10.1.2.3 - Network Intrusion Detection Systems [Page 44]
10.1.2.4 - Host-based Intrusion Detection Systems [Page 44]
10.1.2.5 - System Reviews [Page 45]
10.1.2.6 - Reporting [Page 45]
11 - Part II: Windows Auditing Subsystem [Page 47]
11.1 - Chapter 2: Auditing Subsystem Architecture [Page 49]
11.1.1 - Legacy Auditing Settings [Page 49]
11.1.2 - Advanced Auditing Settings [Page 52]
11.1.2.1 - Set Advanced Audit Settings via Local Group Policy [Page 54]
11.1.2.2 - Set Advanced Audit Settings via Domain Group Policy [Page 55]
11.1.2.3 - Set Advanced Audit Settings in the Local Security Authority (LSA) Policy Database [Page 55]
11.1.2.4 - Read Current LSA Policy Database Advanced Audit Policy Settings [Page 56]
11.1.2.5 - Advanced Audit Policies Enforcement and Legacy Policies Rollback [Page 56]
11.1.2.5.1 - Switch from Advanced Audit Settings to Legacy Settings [Page 57]
11.1.2.5.2 - Switch from Legacy Audit Settings to Advanced Settings [Page 58]
11.1.3 - Windows Auditing Group Policy Settings [Page 58]
11.1.3.1 - Manage Auditing and Security Log [Page 58]
11.1.3.2 - Generate Security Audits [Page 59]
11.1.3.3 - Security Auditing Policy Security Descriptor [Page 59]
11.1.3.4 - Group Policy: "Audit: Shut Down System Immediately If Unable to Log Security Audits" [Page 60]
11.1.3.5 - Group Policy: Protected Event Logging [Page 61]
11.1.3.6 - Group Policy: "Audit: Audit the Use of Backup and Restore Privilege" [Page 61]
11.1.3.7 - Group Policy: "Audit: Audit the Access of Global System Objects" [Page 62]
11.1.3.8 - Audit the Access of Global System Container Objects [Page 62]
11.1.3.9 - Windows Event Log Service: Security Event Log Settings [Page 63]
11.1.3.9.1 - Changing the Maximum Security Event Log File Size [Page 64]
11.1.3.9.2 - Group Policy: Control Event Log Behavior When the Log File Reaches Its Maximum Size [Page 65]
11.1.3.9.3 - Group Policy: Back Up Log Automatically When Full [Page 65]
11.1.3.9.4 - Group Policy: Control the Location of the Log File [Page 66]
11.1.3.9.5 - Security Event Log Security Descriptor [Page 67]
11.1.3.9.6 - Guest and Anonymous Access to the Security Event Log [Page 69]
11.1.4 - Windows Auditing Architecture [Page 69]
11.1.4.1 - Windows Auditing Policy Flow [Page 70]
11.1.4.1.1 - LsaSetInformationPolicy and LsaQueryInformationPolicy Functions Route [Page 71]
11.1.4.2 - Windows Auditing Event Flow [Page 72]
11.1.4.2.1 - LSASS.EXE Security Event Flow [Page 73]
11.1.4.2.2 - NTOSKRNL.EXE Security Event Flow [Page 73]
11.1.5 - Security Event Structure [Page 74]
11.2 - Chapter 3: Auditing Subcategories and Recommendations [Page 83]
11.2.1 - Account Logon [Page 83]
11.2.1.1 - Audit Credential Validation [Page 83]
11.2.1.2 - Audit Kerberos Authentication Service [Page 86]
11.2.1.3 - Audit Kerberos Service Ticket Operations [Page 89]
11.2.1.4 - Audit Other Account Logon Events [Page 90]
11.2.2 - Account Management [Page 90]
11.2.2.1 - Audit Application Group Management [Page 90]
11.2.2.2 - Audit Computer Account Management [Page 90]
11.2.2.3 - Audit Distribution Group Management [Page 91]
11.2.2.4 - Audit Other Account Management Events [Page 92]
11.2.2.5 - Audit Security Group Management [Page 93]
11.2.2.6 - Audit User Account Management [Page 93]
11.2.3 - Detailed Tracking [Page 94]
11.2.3.1 - Audit DPAPI Activity [Page 94]
11.2.3.2 - Audit PNP Activity [Page 94]
11.2.3.3 - Audit Process Creation [Page 94]
11.2.3.4 - Audit Process Termination [Page 95]
11.2.3.5 - Audit RPC Events [Page 95]
11.2.4 - DS Access [Page 96]
11.2.4.1 - Audit Detailed Directory Service Replication [Page 96]
11.2.4.2 - Audit Directory Service Access [Page 96]
11.2.4.3 - Audit Directory Service Changes [Page 97]
11.2.4.4 - Audit Directory Service Replication [Page 97]
11.2.5 - Logon and Logoff [Page 97]
11.2.5.1 - Audit Account Lockout [Page 97]
11.2.5.2 - Audit User/Device Claims [Page 98]
11.2.5.3 - Audit Group Membership [Page 98]
11.2.5.4 - Audit IPsec Extended Mode/Audit IPsec Main Mode/Audit IPsec Quick Mode [Page 99]
11.2.5.5 - Audit Logoff [Page 99]
11.2.5.6 - Audit Logon [Page 100]
11.2.5.7 - Audit Network Policy Server [Page 101]
11.2.5.8 - Audit Other Logon/Logoff Events [Page 101]
11.2.5.9 - Audit Special Logon [Page 102]
11.2.6 - Object Access [Page 102]
11.2.6.1 - Audit Application Generated [Page 103]
11.2.6.2 - Audit Certification Services [Page 103]
11.2.6.3 - Audit Detailed File Share [Page 103]
11.2.6.4 - Audit File Share [Page 103]
11.2.6.5 - Audit File System [Page 104]
11.2.6.6 - Audit Filtering Platform Connection [Page 104]
11.2.6.7 - Audit Filtering Platform Packet Drop [Page 105]
11.2.6.8 - Audit Handle Manipulation [Page 105]
11.2.6.9 - Audit Kernel Object [Page 106]
11.2.6.10 - Audit Other Object Access Events [Page 107]
11.2.6.11 - Audit Registry [Page 107]
11.2.6.12 - Audit Removable Storage [Page 108]
11.2.6.13 - Audit SAM [Page 108]
11.2.6.14 - Audit Central Policy Staging [Page 109]
11.2.7 - Policy Change [Page 109]
11.2.7.1 - Audit Policy Change [Page 109]
11.2.7.2 - Audit Authentication Policy Change [Page 110]
11.2.7.3 - Audit Authorization Policy Change [Page 110]
11.2.7.4 - Audit Filtering Platform Policy Change [Page 111]
11.2.7.5 - Audit MPSSVC Rule-Level Policy Change [Page 111]
11.2.7.6 - Audit Other Policy Change Events [Page 111]
11.2.8 - Privilege Use [Page 112]
11.2.8.1 - Audit Non Sensitive Privilege Use [Page 112]
11.2.8.2 - Audit Other Privilege Use Events [Page 113]
11.2.8.3 - Audit Sensitive Privilege Use [Page 113]
11.2.9 - System [Page 113]
11.2.9.1 - Audit IPsec Driver [Page 114]
11.2.9.2 - Audit Other System Events [Page 114]
11.2.9.3 - Audit Security State Change [Page 114]
11.2.9.4 - Audit Security System Extension [Page 115]
11.2.9.5 - Audit System Integrity [Page 115]
12 - Part III: Security Monitoring Scenarios [Page 117]
12.1 - Chapter 4: Account Logon [Page 119]
12.1.1 - Interactive Logon [Page 121]
12.1.1.1 - Successful Local User Account Interactive Logon [Page 121]
12.1.1.1.1 - Step 1: Winlogon Process Initialization [Page 121]
12.1.1.1.2 - Step 1: LSASS Initialization [Page 123]
12.1.1.1.3 - Step 2: Local System Account Logon [Page 124]
12.1.1.1.4 - Step 3: ALPC Tunnel between Winlogon and LSASS [Page 128]
12.1.1.1.5 - Step 4: Secure Desktop and SAS [Page 128]
12.1.1.1.6 - Step 5: Authentication Data Gathering [Page 128]
12.1.1.1.7 - Step 6: Send Credentials from Winlogon to LSASS [Page 130]
12.1.1.1.8 - Step 7: LSA Server Credentials Flow [Page 131]
12.1.1.1.9 - Step 8: Local User Scenario [Page 132]
12.1.1.1.10 - Step 9: Local User Logon: MSV1_0 Answer [Page 135]
12.1.1.1.11 - Step 10: User Logon Rights Verification [Page 140]
12.1.1.1.12 - Step 11: Security Token Generation [Page 141]
12.1.1.1.13 - Step 12: SSPI Call [Page 141]
12.1.1.1.14 - Step 13: LSASS Replies to Winlogon [Page 141]
12.1.1.1.15 - Step 14: Userinit and Explorer.exe [Page 141]
12.1.1.2 - Unsuccessful Local User Account Interactive Logon [Page 142]
12.1.1.2.1 - Successful Domain User Account Interactive Logon [Page 146]
12.1.1.2.2 - Steps 1-7: User Logon Process [Page 146]
12.1.1.2.3 - Step 8: Authentication Package Negotiation [Page 146]
12.1.1.2.4 - Step 9: LSA Cache [Page 147]
12.1.1.2.5 - Step 10: Credentials Validation on the Domain Controller [Page 148]
12.1.1.2.6 - Steps 11-16: Logon Process [Page 148]
12.1.1.3 - Unsuccessful Domain User Account Interactive Logon [Page 148]
12.1.2 - RemoteInteractive Logon [Page 148]
12.1.2.1 - Successful User Account RemoteInteractive Logon [Page 148]
12.1.2.2 - Successful User Account RemoteInteractive Logon Using Cached Credentials [Page 150]
12.1.2.3 - Unsuccessful User Account RemoteInteractive Logon - NLA Enabled [Page 151]
12.1.2.4 - Unsuccessful User Account RemoteInteractive Logon - NLA Disabled [Page 153]
12.1.3 - Network Logon [Page 154]
12.1.3.1 - Successful User Account Network Logon [Page 154]
12.1.3.2 - Unsuccessful User Account Network Logon [Page 156]
12.1.3.2.1 - Unsuccessful User Account Network Logon - NTLM [Page 157]
12.1.3.2.2 - Unsuccessful User Account Network Logon - Kerberos [Page 158]
12.1.4 - Batch and Service Logon [Page 159]
12.1.4.1 - Successful Service / Batch Logon [Page 159]
12.1.4.2 - Unsuccessful Service / Batch Logon [Page 161]
12.1.5 - NetworkCleartext Logon [Page 163]
12.1.5.1 - Successful User Account NetworkCleartext Logon - IIS Basic Authentication [Page 163]
12.1.5.2 - Unsuccessful User Account NetworkCleartext Logon - IIS Basic Authentication [Page 165]
12.1.6 - NewCredentials Logon [Page 165]
12.1.6.1 - Interactive and RemoteInteractive Session Lock Operations and Unlock Logon Type [Page 168]
12.1.7 - Account Logoff and Session Disconnect [Page 169]
12.1.7.1 - Terminal Session Disconnect [Page 170]
12.1.8 - Special Groups [Page 171]
12.1.9 - Anonymous Logon [Page 172]
12.1.9.1 - Default ANONYMOUS LOGON Logon Session [Page 172]
12.1.9.2 - Explicit Use of Anonymous Credentials [Page 174]
12.1.9.3 - Use of Account That Has No Network Credentials [Page 175]
12.1.9.4 - Computer Account Activity from Non-Domain-Joined Machine [Page 175]
12.1.9.5 - Allow Local System to Use Computer Identity for NTLM [Page 176]
12.2 - Chapter 5: Local User Accounts [Page 177]
12.2.1 - Built-in Local User Accounts [Page 178]
12.2.1.1 - Administrator [Page 178]
12.2.1.2 - Guest [Page 180]
12.2.1.3 - Custom User Account [Page 181]
12.2.1.4 - HomeGroupUser$ [Page 181]
12.2.1.5 - DefaultAccount [Page 182]
12.2.2 - Built-in Local User Accounts Monitoring Scenarios [Page 182]
12.2.2.1 - New Local User Account Creation [Page 182]
12.2.2.1.1 - Successful Local User Account Creation [Page 183]
12.2.2.1.2 - Unsuccessful Local User Account Creation: Access Denied [Page 200]
12.2.2.1.3 - Unsuccessful Local User Account Creation: Other [Page 201]
12.2.2.1.4 - Monitoring Scenarios: Local User Account Creation [Page 202]
12.2.2.2 - Local User Account Deletion [Page 204]
12.2.2.2.1 - Successful Local User Account Deletion [Page 205]
12.2.2.2.2 - Unsuccessful Local User Account Deletion - Access Denied [Page 209]
12.2.2.2.3 - Unsuccessful Local User Account Deletion - Other [Page 211]
12.2.2.2.4 - Monitoring Scenarios: Local User Account Deletion [Page 212]
12.2.3 - Local User Account Password Modification [Page 213]
12.2.3.1 - Successful Local User Account Password Reset [Page 214]
12.2.3.2 - Unsuccessful Local User Account Password Reset - Access Denied [Page 215]
12.2.3.3 - Unsuccessful Local User Account Password Reset - Other [Page 216]
12.2.3.4 - Monitoring Scenarios: Password Reset [Page 217]
12.2.3.5 - Successful Local User Account Password Change [Page 218]
12.2.3.6 - Unsuccessful Local User Account Password Change [Page 219]
12.2.3.7 - Monitoring Scenarios: Password Change [Page 220]
12.2.4 - Local User Account Enabled/Disabled [Page 220]
12.2.4.1 - Local User Account Was Enabled [Page 220]
12.2.4.2 - Local User Account Was Disabled [Page 222]
12.2.4.3 - Monitoring Scenarios: Account Enabled/Disabled [Page 222]
12.2.5 - Local User Account Lockout Events [Page 223]
12.2.5.1 - Local User Account Lockout [Page 224]
12.2.5.1.1 - Local User Account Unlock [Page 226]
12.2.5.2 - Monitoring Scenarios: Account Enabled/Disabled [Page 227]
12.2.6 - Local User Account Change Events [Page 227]
12.2.6.1 - Local User Account Change Event [Page 228]
12.2.6.2 - Local User Account Name Change Event [Page 232]
12.2.6.3 - Monitoring Scenarios: Account Changes [Page 234]
12.2.6.4 - Blank Password Existence Validation [Page 235]
12.3 - Chapter 6: Local Security Groups [Page 237]
12.3.1 - Built-in Local Security Groups [Page 239]
12.3.1.1 - Access Control Assistance Operators [Page 241]
12.3.1.2 - Administrators [Page 241]
12.3.1.3 - Backup Operators [Page 241]
12.3.1.4 - Certificate Service DCOM Access [Page 241]
12.3.1.5 - Cryptographic Operators [Page 241]
12.3.1.6 - Distributed COM Users [Page 242]
12.3.1.7 - Event Log Readers [Page 243]
12.3.1.8 - Guests [Page 243]
12.3.1.9 - Hyper-V Administrators [Page 243]
12.3.1.10 - IIS_IUSRS [Page 244]
12.3.1.11 - Network Configuration Operators [Page 244]
12.3.1.12 - Performance Log Users [Page 245]
12.3.1.13 - Performance Monitor Users [Page 245]
12.3.1.14 - Power Users [Page 245]
12.3.1.15 - Print Operators [Page 245]
12.3.1.16 - Remote Desktop Users [Page 245]
12.3.1.17 - Remote Management Users [Page 246]
12.3.1.18 - Replicator [Page 246]
12.3.1.19 - Storage Replica Administrators [Page 246]
12.3.1.20 - System Managed Accounts Group [Page 246]
12.3.1.21 - Users [Page 246]
12.3.1.22 - WinRMRemoteWMIUsers__ [Page 247]
12.3.2 - Built-in Local Security Groups Monitoring Scenarios [Page 247]
12.3.2.1 - Local Security Group Creation [Page 248]
12.3.2.1.1 - Successful Local Security Group Creation [Page 248]
12.3.2.1.2 - Unsuccessful Local Security Group Creation - Access Denied [Page 253]
12.3.2.1.3 - Monitoring Scenarios: Local Security Group Creation [Page 254]
12.3.2.2 - Local Security Group Deletion [Page 254]
12.3.2.2.1 - Successful Local Security Group Deletion [Page 255]
12.3.2.2.2 - Unsuccessful Local Security Group Deletion - Access Denied [Page 257]
12.3.2.2.3 - Unsuccessful Local Security Group Deletion - Other [Page 258]
12.3.2.2.4 - Monitoring Scenarios: Local Security Group Deletion [Page 259]
12.3.2.3 - Local Security Group Change [Page 259]
12.3.2.3.1 - Successful Local Security Group Change [Page 260]
12.3.2.3.2 - Unsuccessful Local Security Group Change - Access Denied [Page 262]
12.3.2.3.3 - Monitoring Scenarios: Local Security Group Change [Page 263]
12.3.2.4 - Local Security Group Membership Operations [Page 263]
12.3.2.4.1 - Successful New Local Group Member Add Operation [Page 264]
12.3.2.4.2 - Successful Local Group Member Remove Operation [Page 267]
12.3.2.4.3 - Unsuccessful Local Group Member Remove/Add Operation - Access Denied [Page 268]
12.3.2.4.4 - Monitoring Scenarios: Local Security Group Members Changes [Page 269]
12.3.2.5 - Local Security Group Membership Enumeration [Page 270]
12.3.2.5.1 - Monitoring Scenarios: Local Security Group Membership Enumeration [Page 271]
12.4 - Chapter 7: Microsoft Active Directory [Page 273]
12.4.1 - Active Directory Built-in Security Groups [Page 273]
12.4.1.1 - Administrators [Page 274]
12.4.1.2 - Account Operators [Page 274]
12.4.1.3 - Incoming Forest Trust Builders [Page 274]
12.4.1.4 - Pre-Windows 2000 Compatible Access [Page 274]
12.4.1.5 - Server Operators [Page 275]
12.4.1.6 - Terminal Server License Servers [Page 275]
12.4.1.7 - Windows Authorization Access [Page 275]
12.4.1.8 - Allowed RODC Password Replication Group [Page 276]
12.4.1.9 - Denied RODC Password Replication Group [Page 276]
12.4.1.10 - Cert Publishers [Page 276]
12.4.1.11 - DnsAdmins [Page 276]
12.4.1.12 - RAS and IAS Servers [Page 277]
12.4.1.13 - Cloneable Domain Controllers [Page 277]
12.4.1.14 - DnsUpdateProxy [Page 277]
12.4.1.15 - Domain Admins [Page 277]
12.4.1.16 - Domain Computers [Page 277]
12.4.1.17 - Domain Controllers [Page 278]
12.4.1.18 - Domain Users [Page 278]
12.4.1.19 - Group Policy Creator Owners [Page 278]
12.4.1.20 - Protected Users [Page 278]
12.4.1.21 - Read-Only Domain Controllers [Page 278]
12.4.1.22 - Enterprise Read-Only Domain Controllers [Page 278]
12.4.1.23 - Enterprise Admins [Page 279]
12.4.1.24 - Schema Admins [Page 279]
12.4.2 - Built-in Active Directory Accounts [Page 279]
12.4.2.1 - Administrator [Page 279]
12.4.2.2 - Krbtgt [Page 280]
12.4.2.3 - Directory Services Restore Mode (DSRM) Account [Page 280]
12.4.3 - Active Directory Accounts Operations [Page 281]
12.4.3.1 - Active Directory User Accounts Operations [Page 281]
12.4.3.1.1 - Successful Active Directory User Creation [Page 281]
12.4.3.1.2 - Unsuccessful Active Directory User Creation [Page 286]
12.4.3.1.3 - Successful Active Directory User Deletion [Page 287]
12.4.3.1.4 - Unsuccessful Active Directory User Deletion [Page 288]
12.4.3.1.5 - Other Active Directory User Account Operations [Page 288]
12.4.3.1.6 - Successful Active Directory User SID History Addition [Page 288]
12.4.3.2 - Active Directory Computer Account Operations [Page 289]
12.4.3.2.1 - Successful Computer Account Creation - Joining a Domain [Page 289]
12.4.3.2.2 - Successful Computer Account Creation - Manual Creation [Page 291]
12.4.3.2.3 - Unsuccessful Computer Account Creation [Page 292]
12.4.3.2.4 - Successful Computer Account Deletion [Page 293]
12.4.3.2.5 - Unsuccessful Computer Account Deletion [Page 293]
12.4.3.2.6 - Successful Computer Account Modification [Page 293]
12.4.3.2.7 - Unsuccessful Computer Account Modification [Page 295]
12.4.4 - Active Directory Group Operations [Page 295]
12.4.4.1 - Active Directory Group Creation [Page 296]
12.4.4.2 - Active Directory Group Deletion [Page 297]
12.4.4.3 - Active Directory Group Modification [Page 298]
12.4.4.4 - Active Directory Group New Member Added [Page 299]
12.4.4.5 - Active Directory Group Member Removed [Page 301]
12.4.4.6 - Group Type and Scope Type Changes [Page 302]
12.4.5 - Active Directory Trust Operations [Page 303]
12.4.5.1 - Active Directory Trust Creation Operations [Page 303]
12.4.5.2 - Active Directory Trust Modification Operations [Page 308]
12.4.5.3 - Active Directory Trust Deletion Operations [Page 309]
12.4.5.4 - Operations with Forest Trust Records [Page 310]
12.4.5.4.1 - Active Directory Forest Trust Record Creation Operations [Page 310]
12.4.5.4.2 - Active Directory Forest Trust Record Modification Operations [Page 313]
12.4.5.4.3 - Active Directory Forest Trust Record Remove Operations [Page 314]
12.4.6 - Domain Policy Changes [Page 315]
12.4.6.1 - Password and Account Lockout Policies [Page 315]
12.4.6.2 - Kerberos Policy [Page 316]
12.4.7 - Account Password Migration [Page 318]
12.5 - Chapter 8: Active Directory Objects [Page 321]
12.5.1 - Active Directory Object SACL [Page 322]
12.5.1.1 - Child Object Creation and Deletion Permissions [Page 327]
12.5.1.2 - Extended Rights [Page 328]
12.5.1.3 - Validated Writes [Page 330]
12.5.1.4 - Properties [Page 331]
12.5.1.5 - Default SACLs [Page 332]
12.5.2 - Active Directory Object Change Auditing [Page 340]
12.5.2.1 - Active Directory Object Creation [Page 341]
12.5.2.2 - Active Directory Object Deletion [Page 342]
12.5.2.3 - Active Directory Object Undeletion [Page 343]
12.5.2.4 - Active Directory Object Movement [Page 345]
12.5.2.5 - Active Directory Object Modification [Page 346]
12.5.2.5.1 - Add Value Operation [Page 346]
12.5.2.5.2 - Delete Value Operation [Page 349]
12.5.3 - Active Directory Object Operation Attempts [Page 349]
12.5.3.1 - Successful Active Directory Object Operation Attempts [Page 349]
12.5.3.2 - Unsuccessful Active Directory Object Operation Attempts [Page 354]
12.5.4 - Active Directory Objects Auditing Examples [Page 356]
12.5.4.1 - Organizational Unit Creation/Deletion [Page 356]
12.5.4.2 - Organizational Unit Child Object Creation/Deletion [Page 356]
12.5.4.3 - adminCount Attribute Modification for User Accounts [Page 356]
12.5.4.4 - Group Policy Link/Unlink Operations [Page 357]
12.6 - Chapter 9: Authentication Protocols [Page 359]
12.6.1 - NTLM-family Protocols [Page 359]
12.6.1.1 - Challenge-Response Basics [Page 359]
12.6.1.2 - LAN Manager [Page 361]
12.6.1.2.1 - LM Hash [Page 361]
12.6.1.2.2 - LM Challenge-Response Mechanism [Page 363]
12.6.1.3 - NT LAN Manager [Page 365]
12.6.1.3.1 - NTLM Hash [Page 365]
12.6.1.3.2 - NTLM Challenge-Response Mechanism [Page 366]
12.6.1.4 - NT LAN Manager V2 [Page 366]
12.6.1.4.1 - NTLMv2 Challenge-Response Mechanism [Page 366]
12.6.1.5 - NTLMSSP and Anonymous Authentication [Page 369]
12.6.1.5.1 - NTLMv1 Session Security and NTLMv2 Session Security [Page 369]
12.6.1.5.2 - NTLMv2 Session Response [Page 370]
12.6.1.5.3 - Anonymous Authentication [Page 371]
12.6.1.6 - NTLM-family Protocols Monitoring [Page 371]
12.6.1.6.1 - Network Security: Restrict NTLM Security Group Policy Settings [Page 371]
12.6.1.6.2 - Local Account Authentication [Page 372]
12.6.1.6.3 - Domain Account Authentication [Page 380]
12.6.1.6.4 - Cross-Domain Challenge-Response [Page 383]
12.6.2 - Kerberos [Page 384]
12.6.2.1 - Ticket-Granting Ticket (TGT) [Page 384]
12.6.2.1.1 - Successful AS_REQ Message [Page 388]
12.6.2.1.2 - Unsuccessful AS_REQ Message - Password Expired, Wrong Password, Smart Card Logon Issues [Page 390]
12.6.2.1.3 - Unsuccessful AS_REQ Message - Other Scenarios [Page 392]
12.6.2.1.4 - TGT Renewal [Page 393]
12.6.2.2 - Ticket-Granting Service (TGS) Ticket [Page 394]
12.6.2.2.1 - Successful TGS_REQ Message [Page 398]
12.6.2.2.2 - Unsuccessful TGS_REQ and AP_REQ Messages [Page 400]
12.7 - Chapter 10: Operating System Events [Page 403]
12.7.1 - System Startup/Shutdown [Page 404]
12.7.1.1 - Successful Normal System Shutdown [Page 404]
12.7.1.2 - Unsuccessful Normal System Shutdown - Access Denied [Page 406]
12.7.1.3 - Successful System Startup [Page 407]
12.7.1.4 - Monitoring Scenarios: System Startup/Shutdown [Page 407]
12.7.2 - System Time Changes [Page 408]
12.7.2.1 - Successful System Time Zone Change [Page 409]
12.7.2.2 - Unsuccessful System Time Zone Change [Page 410]
12.7.2.3 - Successful System Clock Settings Change [Page 410]
12.7.2.4 - Unsuccessful System Clock Settings Change [Page 412]
12.7.2.5 - Monitoring Scenarios: System Time Changes [Page 412]
12.7.3 - System Services Operations [Page 412]
12.7.3.1 - Successful Service Installation - Prior to Windows 10/2016 [Page 413]
12.7.3.2 - Successful Service Installation - Windows 10/2016 [Page 415]
12.7.3.3 - Unsuccessful Service Installation - Access Denied [Page 416]
12.7.3.4 - System Service State Changes [Page 418]
12.7.3.5 - Unsuccessful Service Stop Operation - Access Denied [Page 419]
12.7.3.6 - Monitoring Scenarios: System Services Operations [Page 420]
12.7.4 - Security Event Log Operations [Page 422]
12.7.4.1 - Successful Security Event Log Erase Operation [Page 422]
12.7.4.2 - Unsuccessful Security Event Log Erase Operation [Page 423]
12.7.4.3 - Successful Security Event Log Service Shutdown [Page 423]
12.7.4.4 - Unsuccessful Security Event Log Service Shutdown [Page 424]
12.7.4.5 - Monitoring Scenarios: Security Event Log Operations [Page 424]
12.7.5 - Changes in Auditing Subsystem Settings [Page 424]
12.7.5.1 - Successful Auditing Subsystem Security Descriptor Change [Page 424]
12.7.5.2 - Unsuccessful Auditing Subsystem Security Descriptor Change [Page 430]
12.7.5.3 - Successful System Audit Policy Changes [Page 431]
12.7.5.4 - Unsuccessful System Audit Policy Changes [Page 436]
12.7.5.5 - Monitoring Scenarios: Changes in Auditing Subsystem Settings [Page 436]
12.7.6 - Per-User Auditing Operations [Page 437]
12.7.6.1 - Successful Per-User Auditing Policy Changes [Page 438]
12.7.6.2 - Unsuccessful Per-User Auditing Policy Changes [Page 440]
12.7.6.3 - Per-User Auditing Database Initialization [Page 440]
12.7.6.4 - Monitoring Scenarios: Per-User Auditing Operations [Page 440]
12.7.7 - Scheduled Tasks [Page 441]
12.7.7.1 - Successful Scheduled Task Creation [Page 442]
12.7.7.2 - Unsuccessful Scheduled Task Creation - Access Denied [Page 444]
12.7.7.3 - Successful Scheduled Task Deletion [Page 446]
12.7.7.4 - Unsuccessful Scheduled Task Deletion [Page 446]
12.7.7.5 - Successful Scheduled Task Change [Page 446]
12.7.7.6 - Unsuccessful Scheduled Task Change [Page 447]
12.7.7.7 - Successful Scheduled Task Enable/Disable Operations [Page 447]
12.7.7.8 - Monitoring Scenarios: Scheduled Tasks [Page 449]
12.7.8 - Boot Configuration Data Changes [Page 449]
12.7.8.1 - Monitoring Scenarios: Boot Configuration Data [Page 453]
12.8 - Chapter 11: Logon Rights and User Privileges [Page 455]
12.8.1 - Logon Rights [Page 455]
12.8.1.1 - Logon Rights Policy Modification [Page 456]
12.8.1.1.1 - Logon Rights Policy Settings - Member Added [Page 457]
12.8.1.1.2 - Logon Rights Policy Settings - Member Removed [Page 457]
12.8.1.2 - Unsuccessful Logons Due to Lack of Logon Rights [Page 458]
12.8.2 - User Privileges [Page 458]
12.8.3 - User Privileges Policy Modification [Page 463]
12.8.3.1 - User Privileges Policy Settings - Member Added [Page 463]
12.8.3.2 - User Privileges Policy Settings - Member Removed [Page 464]
12.8.4 - Special User Privileges Assigned at Logon Time [Page 465]
12.8.5 - Logon Session User Privileges Operations [Page 466]
12.8.5.1 - Privilege Use [Page 467]
12.8.5.1.1 - Successful Call of a Privileged Service [Page 467]
12.8.5.1.2 - Unsuccessful Call of a Privileged Service [Page 468]
12.8.5.1.3 - Successful Operation with a Privileged Object [Page 469]
12.8.5.1.4 - Unsuccessful Operation with a Privileged Object [Page 471]
12.8.6 - Backup and Restore Privilege Use Auditing [Page 471]
12.9 - Chapter 12: Windows Applications [Page 473]
12.9.1 - New Application Installation [Page 473]
12.9.1.1 - Application Installation Using Windows Installer [Page 476]
12.9.1.2 - Application Removal Using Windows Installer [Page 479]
12.9.1.3 - Application Installation Using Other Methods [Page 480]
12.9.1.3.1 - Application Installation - Process Creation [Page 480]
12.9.1.3.2 - Application Installation - Software Registry Keys [Page 481]
12.9.1.3.3 - Application Installation - New Folders in Program Files and Program Files (x86) Folders [Page 484]
12.9.1.4 - Application Removal Using Other Methods [Page 484]
12.9.1.4.1 - Application Removal - Process Creation [Page 484]
12.9.1.4.2 - Application Removal - Software Registry Keys [Page 485]
12.9.1.4.3 - Application Removal - Folder Removal in the Program Files and Program Files (x86) Folders [Page 487]
12.9.2 - Application Execution and Termination [Page 489]
12.9.2.1 - Successful Process Creation [Page 491]
12.9.2.1.1 - Successful Process Creation - CreateProcessWithLogonW initiated [Page 496]
12.9.2.2 - Unsuccessful Process Creation [Page 497]
12.9.2.3 - Process Termination [Page 499]
12.9.3 - Application Crash Monitoring [Page 500]
12.9.3.1 - Windows Error Reporting [Page 503]
12.9.3.1.1 - WER Report [Page 507]
12.9.4 - Windows AppLocker Auditing [Page 507]
12.9.4.1 - AppLocker Policy [Page 507]
12.9.4.2 - AppLocker Monitoring [Page 508]
12.9.4.2.1 - EXE and DLL [Page 510]
12.9.4.2.2 - MSI and Script [Page 515]
12.9.4.2.3 - Packaged app-Execution and Packaged app-Deployment [Page 516]
12.9.5 - Process Permissions and LSASS.exe Access Auditing [Page 516]
12.9.5.1 - LSASS's Process Default SACL [Page 518]
12.10 - Chapter 13: Filesystem and Removable Storage [Page 521]
12.10.1 - Windows Filesystem [Page 522]
12.10.1.1 - NTFS Security Descriptors [Page 523]
12.10.1.1.1 - Inheritance [Page 529]
12.10.1.1.2 - SACL [Page 530]
12.10.2 - File and Folder Operations [Page 531]
12.10.2.1 - File/Folder Creation [Page 531]
12.10.2.1.1 - Successful File Creation [Page 531]
12.10.2.1.2 - Unsuccessful File Creation [Page 534]
12.10.2.1.3 - Successful Folder Creation [Page 537]
12.10.2.1.4 - Unsuccessful Folder Creation [Page 538]
12.10.2.2 - File/Folder Deletion [Page 539]
12.10.2.2.1 - Successful File Deletion [Page 539]
12.10.2.2.2 - Unsuccessful File Deletion [Page 540]
12.10.2.2.3 - Successful Folder Deletion [Page 540]
12.10.2.2.4 - Unsuccessful Folder Deletion [Page 541]
12.10.2.3 - File Content Modification [Page 541]
12.10.2.3.1 - Successful File Content Modification [Page 541]
12.10.2.3.2 - Unsuccessful File Content Modification [Page 542]
12.10.2.4 - File Read Data [Page 542]
12.10.2.4.1 - Successful File Read Data Operations [Page 542]
12.10.2.4.2 - Unsuccessful File Read Data Operations [Page 543]
12.10.2.5 - File/Folder Attribute Changes [Page 543]
12.10.2.5.1 - Successful File/Folder Attribute Changes [Page 543]
12.10.2.5.2 - Unsuccessful File/Folder Attribute Changes [Page 544]
12.10.2.6 - File/Folder Owner Change [Page 544]
12.10.2.6.1 - Successful File/Folder Owner Change [Page 544]
12.10.2.6.2 - Unsuccessful File/Folder Owner Change [Page 545]
12.10.2.7 - File/Folder Access Permissions Change [Page 546]
12.10.2.7.1 - Successful Access Permissions Changes [Page 546]
12.10.2.7.2 - Unsuccessful Access Permissions Changes [Page 547]
12.10.2.8 - File/Folder SACL Changes [Page 547]
12.10.2.8.1 - Successful Auditing Settings (SACL) Change [Page 547]
12.10.2.8.2 - Unsuccessful Auditing Settings Change [Page 550]
12.10.3 - Removable Storage [Page 551]
12.10.4 - Global Object Access Auditing: Filesystem [Page 552]
12.10.5 - File System Object Integrity Levels [Page 553]
12.10.5.1 - File System Object Integrity Level Modification [Page 554]
12.10.5.2 - File System Object Access Attempt - Access Denied by Integrity Policy Check [Page 556]
12.10.6 - Monitoring Recommendations [Page 556]
12.10.6.1 - Monitoring Scenarios [Page 557]
12.11 - Chapter 14: Windows Registry [Page 559]
12.11.1 - Windows Registry Basics [Page 559]
12.11.1.1 - Registry Key Permissions [Page 562]
12.11.2 - Registry Operations Auditing [Page 564]
12.11.2.1 - Registry Key Creation [Page 564]
12.11.2.1.1 - Successful Registry Key Creation [Page 564]
12.11.2.1.2 - Unsuccessful Registry Key Creation [Page 567]
12.11.2.2 - Registry Key Deletion [Page 568]
12.11.2.2.1 - Successful Registry Key Deletion [Page 568]
12.11.2.2.2 - Unsuccessful Registry Key Deletion [Page 569]
12.11.2.3 - Operations with Registry Key Values [Page 569]
12.11.2.3.1 - Successful Registry Value Creation [Page 570]
12.11.2.3.2 - Unsuccessful Registry Value Creation [Page 571]
12.11.2.3.3 - Successful Registry Value Deletion [Page 572]
12.11.2.3.4 - Unsuccessful Registry Value Deletion [Page 574]
12.11.2.3.5 - Successful Registry Value Modification [Page 574]
12.11.2.3.6 - Unsuccessful Registry Value Modification [Page 575]
12.11.2.4 - Registry Key Read and Keys Enumeration Operations [Page 575]
12.11.2.4.1 - Successful Registry Key Read Operation [Page 575]
12.11.2.4.2 - Unsuccessful Registry Key Read Operation [Page 576]
12.11.2.4.3 - Successful Registry Key Subkeys Enumeration [Page 577]
12.11.2.4.4 - Unsuccessful Registry Key Subkeys Enumeration [Page 578]
12.11.2.4.5 - Successful Registry Key Access Permissions Read [Page 578]
12.11.2.4.6 - Unsuccessful Registry Key Access Permissions Read [Page 579]
12.11.2.4.7 - Successful Registry Key Audit Permissions Read [Page 579]
12.11.2.4.8 - Unsuccessful Registry Key Audit Permissions Read [Page 581]
12.11.2.5 - DACL, SACL, and Ownership Change Operations [Page 581]
12.11.2.5.1 - Successful Registry Key Access Permissions Change [Seite 582]
12.11.2.5.2 - Unsuccessful Registry Key Access Permissions Change [Seite 583]
12.11.2.5.3 - Successful Registry Key Audit Permissions Change [Seite 584]
12.11.2.5.4 - Unsuccessful Registry Key Audit Permissions Change [Seite 587]
12.11.2.5.5 - Successful Registry Key Owner Change [Seite 587]
12.11.3 - Global Object Access Auditing: Registry [Seite 589]
12.11.4 - Registry Key Integrity Levels [Seite 590]
12.11.4.1 - Registry Key Integrity Level Modification [Seite 590]
12.11.5 - Monitoring Recommendations [Seite 592]
12.11.5.1 - Monitoring Scenarios [Seite 593]
12.12 - Chapter 15: Network File Shares and Named Pipes [Seite 595]
12.12.1 - Network File Shares [Seite 595]
12.12.1.1 - Network File Share Access Permissions [Seite 599]
12.12.1.2 - File Share Creation [Seite 600]
12.12.1.2.1 - Successful File Share Creation [Seite 600]
12.12.1.2.2 - Monitoring Recommendations [Seite 601]
12.12.1.3 - File Share Deletion [Seite 602]
12.12.1.3.1 - Successful File Share Deletion [Seite 602]
12.12.1.3.2 - Unsuccessful File Share Deletion [Seite 603]
12.12.1.3.3 - Monitoring Recommendations [Seite 603]
12.12.1.4 - File Share Modification [Seite 603]
12.12.1.4.1 - Successful File Share Modification [Seite 604]
12.12.1.4.2 - Unsuccessful File Share Deletion [Seite 606]
12.12.1.4.3 - Monitoring Recommendations [Seite 606]
12.12.1.5 - File Share Access [Seite 606]
12.12.1.5.1 - Successful File Share Session Creation [Seite 606]
12.12.1.5.2 - Successful File Share File/Folder Operations [Seite 608]
12.12.1.5.3 - Unsuccessful Admin File Share Session Creation [Seite 610]
12.12.1.5.4 - Unsuccessful File Share Access - File Share Permissions [Seite 610]
12.12.1.5.5 - Unsuccessful File Share Access - File System Permissions [Seite 611]
12.12.1.5.6 - Monitoring Recommendations [Seite 612]
12.12.2 - Named Pipes [Seite 613]
12.12.2.1 - Successful Named Pipe Auditing Settings Changes [Seite 614]
12.12.2.2 - Unsuccessful Named Pipe Auditing Settings Changes [Seite 616]
12.12.2.3 - Successful Named Pipe Access Permissions Changes [Seite 617]
12.12.2.4 - Named Pipe Access Attempts [Seite 618]
12.12.2.5 - IPC$ Share Access Attempts [Seite 618]
12.12.2.6 - Monitoring Recommendations [Seite 620]
13 - Appendix A Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Ticket Options [Seite 621]
14 - Appendix B Kerberos AS_REQ, TGS_REQ, and AP_REQ Messages Result Codes [Seite 625]
15 - Appendix C SDDL Access Rights [Seite 633]
15.1 - Object-Specific Access Rights [Seite 634]
16 - Index [Seite 639]
17 - EULA [Seite 651]