What's New Windows 10 Security Log Whitepaper 2015

Randy Franklin Smith, January 2016

Scoping User Privileges

After a system is compromised, the first action of a threat actor is to assess the current state of access by determining whether the breached user is privileged; if not, the attacker searches for other accounts with higher privileges on the compromised machine. This kind of information potentially allows the threat actor to target those users via pass-the-hash attacks.

Event 4798: To Which Groups Does This User Belong?

When a user's local group memberships are enumerated, Windows 10 now generates event ID 4798, as shown in the following figure. This event documents the enumeration: which user was enumerated, the user who requested the enumeration, and which process performed the enumeration. Seeing an enumeration performed by any account other than the domain admin (who might be modifying local memberships), or via any process other than MMC.exe (such as via a NET LOCAL command), might indicate inappropriate activity. These details can help a Security Information and Event Management (SIEM) solution properly filter out approved activity.

To generate this detailed event, you need to enable the Audit User Account Management policy. You should enable this policy on all endpoints, including domain controllers. On domain controllers, this audit policy tracks the enumeration of domain user accounts, whereas member servers and Windows 10 clients track the enumeration of local user accounts.

Event 4799: Who Are Members of This Local Group?

In another spin on the same attack vector, a threat actor starts with a known local group (such as the local Administrators group) and works to figure out who is in that group by enumerating its members (instead of starting with a user and enumerating the groups to which that user belongs).

When local groups are enumerated, Windows 10 can be configured to generate event 4799, which documents the enumerated group, the user that requested the enumeration, and the name of the process that performed the enumeration. This event requires you to enable the Audit Security Group Management policy.

LogRhythm MDI Insight

Using dynamic baselining, focus on the responsible process, typically Microsoft Management Console (MMC). Use trending to identify what is "normal" in your environment and to notify you when a new process is responsible for causing this event. Even if the appropriate process changes in the next version of Windows, the beauty of dynamic baselining is that IT gets a notification the first time the responsible process changes, at which point IT can determine whether action is required. That new process then becomes part of the baseline, eliminating repeated false positives.

What's New in the Windows 10 Security Log | Copyright © LogRhythm 2016
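The triage this whitepaper describes for events 4798 and 4799 (flag an enumeration performed by an unapproved account or by a process outside the baseline, and learn a newly seen process after alerting on it once), as an added Python example that is not part of the whitepaper or of LogRhythm's product. The event records, account names and process paths are constructed samples; the EventData field names SubjectUserName, TargetUserName and CallerProcessName are the ones Windows writes for these two events, and the initial baseline and approved-account list are assumptions a SIEM operator would supply.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, subject, target, process):
    # Build a constructed Security-log record in the Windows event XML shape.
    return f"""<Event xmlns="{NS['e']}"><System><EventID>{event_id}</EventID></System>
<EventData><Data Name="SubjectUserName">{subject}</Data>
<Data Name="TargetUserName">{target}</Data>
<Data Name="CallerProcessName">{process}</Data></EventData></Event>"""

# Constructed sample records (not real log data); account names and paths are made up.
SAMPLE_EVENTS = [
    _event(4798, "adm-jane", "jsmith", r"C:\Windows\System32\mmc.exe"),
    _event(4798, "svc-build", "Administrator", r"C:\Windows\System32\net1.exe"),
    _event(4799, "adm-jane", "Administrators", r"C:\Windows\System32\mmc.exe"),
    _event(4798, "svc-build", "backupadmin", r"C:\Windows\System32\net1.exe"),
]

def parse_event(xml_text):
    """Pull the three fields the whitepaper highlights out of one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": event_id,
        "subject": data.get("SubjectUserName", "").lower(),  # account that enumerated
        "target": data.get("TargetUserName", ""),            # user (4798) or group (4799)
        "process": data.get("CallerProcessName", "").rsplit("\\", 1)[-1].lower(),
    }

def triage(raw_events, baseline_procs, approved_subjects):
    """Return (alerts, learned_baseline); a new process alerts once, then is baselined."""
    baseline = {eid: set(procs) for eid, procs in baseline_procs.items()}
    approved = {s.lower() for s in approved_subjects}
    alerts = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["id"] not in (4798, 4799):
            continue
        known = baseline.setdefault(ev["id"], set())
        if ev["process"] not in known:
            alerts.append((ev["id"], "new-process", ev["process"], ev["subject"], ev["target"]))
            known.add(ev["process"])  # dynamic baselining: learn it, so repeats stay quiet
        if ev["subject"] not in approved:
            alerts.append((ev["id"], "unapproved-subject", ev["process"], ev["subject"], ev["target"]))
    return alerts, baseline

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS, {4798: ["mmc.exe"], 4799: ["mmc.exe"]}, ["adm-jane"])[0], sep="\n")
```

On the four sample records the second net1.exe enumeration produces only the unapproved-subject alert, because the process was learned into the 4798 baseline on its first sighting.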