Transcription

Windows Event Logging and Forwarding
APRIL 2019

Introduction

A common theme identified by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) while performing investigations is that organisations have insufficient visibility of activity occurring on their workstations and servers. Good visibility of what is happening in an organisation’s environment is essential for conducting an effective investigation. It also aids incident response efforts by providing critical insights into the events relating to a cyber security incident and reduces the overall cost of responding to them.

This document has been developed as a guide to the setup and configuration of Windows event logging and forwarding. This advice has been developed to support both the detection and investigation of malicious activity by providing an ideal balance between the collection of important events and management of data volumes. This advice is also designed to complement existing host-based intrusion detection and prevention systems.

This document is intended for information technology and information security professionals. It covers the types of events which can be generated and an assessment of their relative value, centralised collection of event logs, the retention of event logs, and recommended Group Policy settings along with implementation notes. This document does not contain detailed information about analysing event logs.

Accompanying this document is the ACSC’s Windows event logging repository. The repository contains configuration files and scripts to implement the recommendations in this document. All files and folders referred to in this document are available from this repository.

Considerations

This document’s recommendations require the use of Microsoft Windows Server 2008 R2 and Microsoft Windows 7 SP1, or newer versions. Some Group Policy settings used in this document may not be available or compatible with Professional, Home or S editions of Windows.

To enable accurate correlation of events, accurate and consistent time stamps must be used. Organisations are recommended to ensure all devices in their environment (e.g. Windows hosts and network equipment) are configured to use an accurate time source.

As detailed in the Strategies to Mitigate Cyber Security Incidents, the recommended event log retention time is at least 18 months; however, some organisations may have a regulatory requirement to retain event logs for a

To assist with the management of recommendations in this document, the Group Policy settings discussed should be placed in a separate Group Policy Object (GPO) with the scope set for all Windows hosts on the domain.

All changes made to systems should be fully tested to ensure there are no unintended side effects to an organisation’s normal business processes. Testing should focus on the volume of logging generated and any impact on the network’s performance, particularly where information may be transmitted across low bandwidth connections.

The recommended Group Policy settings in this document use advanced audit policies which may override existing legacy audit policies. Care should be taken to ensure that existing legacy audit policies are migrated to advanced audit policies.

Sysmon (System Monitor), a tool published by Microsoft, provides greater visibility of system activity on a Windows host than standard Windows logging. Organisations are recommended to use this tool in their Windows environment.

Event log retention

The Windows default settings have log sizes set to a relatively small size and will overwrite events as the log reaches its maximum size. This introduces risk as important events could be quickly overwritten. To reduce this risk, the Security log size needs to be increased from its default size of 20 MB. The Application and System log sizes should also be increased, but typically these do not contain as much data and hence do not need to be as large as the Security log. The default log sizes are acceptable in environments where local storage is limited (e.g. virtual infrastructure environments) provided logs are being forwarded.

The Group Policy settings provided in the table below will increase the maximum Security log size to 2 GB and the maximum Application and System log sizes to 64 MB. This will provide a balance between data usage, local log retention and performance when analysing local event logs. Note that these changes will increase the data storage requirements for each Windows host on the network.

Group Policy Setting: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Application
  Recommendation: Specify the maximum log file size (KB)
  Option: Enabled; Maximum Log Size (KB): 65536

Group Policy Setting: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security
  Recommendation: Specify the maximum log file size (KB)
  Option: Enabled; Maximum Log Size (KB): 2097152

Group Policy Setting: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System
  Recommendation: Specify the maximum log file size (KB)
  Option: Enabled; Maximum Log Size (KB): 65536
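The following PowerShell script is an added example, not code from the ACSC document or its repository. It reads the effective configuration of the Application, Security and System logs on the local host and reports any log whose maximum size is below the values in the table above; it assumes an elevated session, since the Security log's configuration is not readable otherwise.

```powershell
# Added example: compare the effective maximum size of the three core event
# logs against the sizes recommended in the Group Policy table (64 MB, 2 GB,
# 64 MB). Read-only; it does not change any setting. Run elevated.

# Recommended maximum sizes in KB, transcribed from the table.
$RecommendedKB = @{
    'Application' = 65536
    'Security'    = 2097152
    'System'      = 65536
}

function Test-EventLogRetention {
    [CmdletBinding()]
    param(
        [hashtable]$Recommended = $RecommendedKB
    )
    foreach ($logName in $Recommended.Keys) {
        # Get-WinEvent -ListLog returns the live configuration of the log,
        # including the effective maximum size after any policy is applied.
        $log = Get-WinEvent -ListLog $logName -ErrorAction Stop
        $currentKB = [math]::Floor($log.MaximumSizeInBytes / 1KB)
        [pscustomobject]@{
            LogName       = $logName
            CurrentKB     = $currentKB
            RecommendedKB = $Recommended[$logName]
            LogMode       = $log.LogMode   # Circular: oldest events are overwritten
            Compliant     = ($currentKB -ge $Recommended[$logName])
        }
    }
}

# Usage: print the comparison and exit non-zero if any log is undersized,
# so the script can act as a compliance check from a scheduled job.
$results = Test-EventLogRetention
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more event logs are below the recommended maximum size.'
    exit 1
}
```

Because the sizes are delivered by Group Policy, a host that reports non-compliance usually has not received the GPO rather than having been changed locally.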

Event categories

The default Windows settings provide only a subset of the desired logging events that assist in detecting and investigating malicious activity. This section covers the event categories that will significantly enhance technical analysis.

Each event category can be deployed independently and categories in the table below are ordered by the usefulness of the data source for detection and investigation. In general, most event categories are highly recommended. The list is not exhaustive and organisations should include additional event logs specific to their auditing requirements.

Each of the event categories below is accompanied by supplied subscription files. The subscriptions are used by Windows Event Forwarding to forward the locally generated events while filtering out the less valuable events.

Event category table (columns: what the category records, what it detects, its value for detection and investigation, the noise it generates, and notes):

Sysmon
  Records: Provides visibility of process creation and termination, driver and library loads, network connections, file creation, registry changes, process injection, and more.
  Detects: Detects many forms of malware execution, persistence and misuse of legitimate tools including application whitelisting bypasses. Detects process injection and some forms of credential and password hash access.
  Value: Very High
  Noise: Very High
  Notes: If Sysmon can’t be deployed use process tracking instead.

Account lockout
  Records: Records account lockout activity.
  Detects: Detects password brute forcing attempts, which an adversary could use to access an account.
  Value: High
  Noise: Low
  Notes: None

Account modifications
  Records: Records creation and modification of accounts and groups.
  Detects: Detects unauthorised creation or modification of accounts with administrative privileges.
  Value: High
  Noise: Low
  Notes: None

Event collection
  Records: Forwards changes and errors with auditing, event collection and event forwarding.
  Detects: Verifies Windows hosts on the network are auditing, collecting and forwarding logs as expected. Detects attempts by an adversary to suppress logging evidence.
  Value: High
  Noise: Low
  Notes: None

Account logon
  Records: Records activity related to accounts logging in and out.
  Detects: Detects unauthorised use of accounts, including indicators of an adversary moving laterally through the network.
  Value: High
  Noise: Medium
  Notes: None

Process tracking
  Records: Provides visibility of process creation and termination, including command line arguments (without requiring Sysmon).
  Detects: Detects the execution of some forms of malware and misuse of legitimate tools, including some forms of application whitelisting bypasses.
  Value: High
  Noise: High
  Notes: Should only be implemented if Sysmon can’t be deployed.

AppLocker
  Records: Provides visibility of programs blocked by application whitelisting.
  Detects: Detects malware that has been prevented from executing by application whitelisting.
  Value: Medium
  Noise: Low
  Notes: Only beneficial if AppLocker

Enhanced Mitigation Experience Toolkit
  Records: Records Enhanced Mitigation Experience Toolkit (EMET) events relating to mitigations that have been applied.
  Detects: Detects exploitation attempts that have been successfully blocked by EMET.
  Value: Medium
  Noise: Low
  Notes: Only applicable if EMET is installed and configured. EMET is not available on Microsoft Windows 10 version 1709 and later.

Services
  Records: Provides information about the installation of services.
  Detects: Detects installation of services that are used for persistence or lateral movement by an adversary.
  Value: Medium
  Noise: Low
  Notes: None

Windows Defender
  Records: Records when exploit mitigations have been applied by Windows Defender Exploit Guard. Records Windows Defender Antivirus detection events and errors or problems with running or updating the software.
  Detects: Detects exploitation attempts that have been successfully blocked. Detects malware that has been successfully blocked and verifies the software is running and updating correctly.
  Value: Medium
  Noise: Low
  Notes: If Windows Defender Antivirus is not used, logs from other antivirus software should be forwarded. Exploit Guard has been available since Microsoft Windows 10 version 1709.

Windows Error Reporting
  Records: Records when an application crashes.
  Detects: Detects exploitation attempts and unstable applications, which may indicate malicious activity.
  Value: Medium
  Noise: Low
  Notes: None

Code Integrity
  Records: Records code integrity violations for drivers and protected processes. If Device Guard is configured, it also records system-wide code integrity violations.
  Detects: Detects malware or restricted applications that are being audited or prevented from executing by code integrity checks.
  Value: Medium
  Noise: Low, or Medium (with Device Guard)
  Notes: Visibility is increased if Device Guard is configured.

File shares
  Records: Records creation, modification and access of file shares.
  Detects: Detects access and modification of file shares. This includes lateral movement and access to file shares used to exfiltrate data from the network.
  Value: Medium
  Noise: Medium
  Notes: None

Scheduled tasks
  Records: Records the creation and modification of scheduled tasks.
  Detects: Detects scheduled tasks being added or modified. This may include tasks used for lateral movement, persistence or elevation to
  Value: Medium

Windows Management Instrumentation auditing
  Records: Produces audit records for local and remote Windows Management Instrumentation (WMI) operations in sensitive paths.
  Detects: Detects the use of WMI by an adversary for local or remote reconnaissance, lateral movement and persistence.
  Value: Medium
  Noise: Medium
  Notes: None

NTLM authentication
  Records: Records outgoing NTLM authentication usage.
  Detects: Detects intentional or unintentional NTLM leaks that could be used by an adversary to authenticate remotely or to escalate privileges within a domain.
  Value: Low
  Noise: Medium
  Notes: Noise depends on NTLM use in the network.

Object access auditing
  Records: Produces auditing on file paths, registry keys and processes with pre-existing audit permissions.
  Detects: Detects some forms of unauthorised changes to sensitive files and registry keys, and some forms of credential and password hash access.
  Value: Low
  Noise: Medium
  Notes: None

PowerShell
  Records: Records PowerShell activity including interactive and script usage.
  Detects: Detects PowerShell being used by an adversary.
  Value: Low
  Noise: High
  Notes: None

Event category configuration

Sysmon

Sysmon records key events that will assist in an investigation of malware or the misuse of native Windows tools. These events include process creation and termination, driver and library loads, network connections, file creation, registry changes, process injection, named pipe usage and WMI-based persistence. Sysmon also supports filtering of events to keep logging at a manageable level.

The Sysmon configuration file defines what events will be recorded. A default Sysmon configuration file is supplied in events/sysmon/sysmon_config.xml and should be suitable for most environments. To further filter or control events that are forwarded, the Sysmon configuration may be customised and Sysmon subscriptions may be enabled or disabled.

As with all software, Sysmon should be installed by following the agreed software deployment practices for the network. Sysmon can be deployed by Group Policy settings or the System Centre Configuration Manager (SCCM). No other Group Policy setting changes are necessary as all Sysmon’s configuration information is contained in the configuration file.

Guidance on the creation of an installation file (i.e. MSI file) that may simplify the deployment of Sysmon is supplied in events/sysmon/msi/README.txt. Alternatively, the following commands can be used to maintain Sysmon from a script or command line tool:

  Installation: sysmon -accepteula -i or sysmon -accepteula -i sysmon_config.xml
  Configuration: sysmon -c sysmon_config.xml
  Uninstallation: sysmon -u

The end-user license agreement must be accepted before using Sysmon.

Account lockout

The following Group Policy setting can be implemented to record events related to accounts being locked and unlocked.

Group Policy Setting: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff
  Recommendation: Audit Account Lockout
  Option: Success

Account modifications

The following Group Policy settings can be implemented to record events related to account creation or deletion, as well as modifications to account groups.

Group Policy Setting: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management
  Recommendation: Audit Computer Account Management
  Option: Success and Failure
  Recommendation: Audit Other Account Management Events
  Option: Success and Failure
  Recommendation: Audit Security Group Management
  Option: Success and Failure
  Recommendation: Audit User Account Management
  Option: Success and Failure
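The script below is an added example, not code from the ACSC document or its repository, and relates to the Sysmon subsection above: it wraps the install and configuration commands given there so the same script can be run repeatedly (for instance as a GPO startup script) without reinstalling an already-present Sysmon. The binary and configuration paths, and the use of the service name to decide between install and update, are this example's assumptions.

```powershell
# Added example: idempotent Sysmon install-or-update built on the commands
# from the Sysmon section (sysmon -accepteula -i <config>, sysmon -c <config>).
# Assumes sysmon64.exe and sysmon_config.xml sit beside this script.
param(
    [string]$SysmonExe  = (Join-Path $PSScriptRoot 'sysmon64.exe'),
    [string]$ConfigFile = (Join-Path $PSScriptRoot 'sysmon_config.xml')
)

function Install-OrUpdateSysmon {
    param([string]$Exe, [string]$Config)

    if (-not (Test-Path $Exe))    { throw "Sysmon binary not found: $Exe" }
    if (-not (Test-Path $Config)) { throw "Sysmon configuration not found: $Config" }

    # Sysmon registers a service named after its binary (Sysmon or Sysmon64);
    # its presence decides between a fresh install and a configuration update.
    $serviceName = [IO.Path]::GetFileNameWithoutExtension($Exe)
    $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

    if ($null -eq $service) {
        # Fresh install: -accepteula satisfies the licence requirement
        # non-interactively; -i installs with the supplied configuration.
        & $Exe -accepteula -i $Config | Out-Null
        $action = 'installed'
    } else {
        # Already installed: only push the (possibly updated) configuration.
        & $Exe -accepteula -c $Config | Out-Null
        $action = 'reconfigured'
    }
    if ($LASTEXITCODE -ne 0) { throw "sysmon exited with code $LASTEXITCODE while being $action" }

    # Verify the service is running and the operational channel exists; that
    # channel is the source the Sysmon WEF subscription forwards from.
    $service = Get-Service -Name $serviceName -ErrorAction Stop
    $channel = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction Stop
    [pscustomobject]@{
        Action        = $action
        ServiceStatus = $service.Status
        Channel       = $channel.LogName
        ChannelSizeKB = [math]::Floor($channel.MaximumSizeInBytes / 1KB)
    }
}

Install-OrUpdateSysmon -Exe $SysmonExe -Config $ConfigFile | Format-List
```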

Event collection

This event category records and forwards auditing policy changes, when event logs are cleared and failures with event logging. Many of these events are recorded by default, but the following Group Policy settings further increase visibility.

The subscription will forward, if possible, warnings and errors resulting from problems with Windows Event Forwarding. These logs can detect errors related to incorrectly formed subscriptions and can assist with debugging.

Group Policy Setting: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Policy Change
  Recommendation: Audit Audit Policy Change
  Option: Success and Failure
  Recommendation: Audit Other Policy Change Events
  Option: Success and Failure

Group Policy Setting: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System
  Recommendation: Audit System Integrity
  Option: Success and Failure

Account logon

The following Group Policy settings can be implemented to record logon and logoff events including interactive logons, network logons and logons using explicit credentials.

The subscription will not forward Kerberos logon events which produce a high level of noise on a typical network. This may obscure the misuse of Kerberos tickets; however, this information will still be available on each local machine.

Group Policy Setting: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff
  Recommendation: Audit Group Membership
  Option: Success (only available on Microsoft Windows 10 and Microsoft Windows Server 2016)
  Recommendation: Audit Logoff
  Option: Success
  Recommendation: Audit Logon
  Option: Success and Failure
  Recommendation: Audit Other Logon/Logoff Events
  Option: Success and Failure
  Recommendation: Audit Special Logon
  Option: Success and Failure
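The script below is an added example, not code from the ACSC document or its repository. It checks the effective advanced audit policy on a host against the subcategories and options from the account lockout, account modifications, event collection and account logon tables above, plus the two Detailed Tracking subcategories from the process tracking section that follows, by parsing the CSV output of auditpol.exe; it assumes an elevated session, and the expected values are transcribed from those tables.

```powershell
# Added example: verify the advanced audit policy subcategories recommended
# in the tables above are in effect. Read-only; run elevated.

$Expected = [ordered]@{
    'Account Lockout'                 = 'Success'
    'Computer Account Management'     = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Other Policy Change Events'      = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
    'Group Membership'                = 'Success'   # Windows 10 / Server 2016 and later only
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success and Failure'
    'Special Logon'                   = 'Success and Failure'
    'Process Creation'                = 'Success'   # process tracking section
    'Process Termination'             = 'Success'   # process tracking section
}

function Test-AuditPolicy {
    param([System.Collections.IDictionary]$Expected)

    # auditpol /r emits CSV whose columns include Subcategory and Inclusion Setting
    # (values such as 'Success', 'Failure', 'Success and Failure', 'No Auditing').
    $actual = @{}
    auditpol.exe /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
        $actual[$_.Subcategory] = $_.'Inclusion Setting'
    }

    foreach ($sub in $Expected.Keys) {
        $setting = $actual[$sub]
        if ($null -eq $setting) { $setting = 'Not present on this host' }
        # 'Success and Failure' satisfies a recommendation of 'Success';
        # anything else must match exactly.
        $ok = ($setting -eq $Expected[$sub]) -or
              ($Expected[$sub] -eq 'Success' -and $setting -eq 'Success and Failure')
        [pscustomobject]@{
            Subcategory = $sub
            Expected    = $Expected[$sub]
            Actual      = $setting
            Compliant   = $ok
        }
    }
}

# Usage: show the comparison and exit non-zero if anything is below the recommendation.
$results = Test-AuditPolicy -Expected $Expected
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

A subcategory reported as 'Not present on this host' (for example Group Membership on Windows 7) is expected on older versions and is not a misconfiguration.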

Process tracking

The following Group Policy settings can be implemented to record process creation and termination events. Organisations are recommended to collect this information through Sysmon. If Sysmon can’t be used, process tracking events can be collected through this native Windows logging.

It is important to increase the value of the process creation events by including command line arguments with process creation events. This feature is enabled for Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2, and newer versions. For earlier versions of Windows, an update is available. For more information see Microsoft Security Advisory 3004375 and Update to improve Windows command-line auditing.

Group Policy Setting: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Detailed Tracking
  Recommendation: Audit Process Creation
  Option: Success
  Recommendation: Audit Process Termination
  Option: Success

Group Policy Setting: Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation
  Recommendation: Include command line in process creation events
  Option: Enabled

AppLocker

This event category will forward audit or deny events from AppLocker. AppLocker must be configured in either auditing or enforcement mode for events to be generated. For more information, see the application whitelisting section of the Microsoft Windows hardening guide publications and the Implementing Application Whitelisting publication. If a third party application whitelisting tool is used, follow the tool’s documentation to enable and forward logging. At a minimum, blocked execution events should be logged.

Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) was designed by the Microsoft Security Research Center (MSRC) to enable additional system-wide and application-specific protection against software exploitation. However, Microsoft has since ceased support for EMET as many of the mitigation measures have been incorporated into Windows Defender Exploit Protection.

EMET still provides significant security benefits for versions of Windows prior to Microsoft Windows 10 version 1709, especially by applying application-specific mitigation measures to third-party applications.

This event category will forward warnings and errors generated by EMET. EMET must be installed and configured correctly for events to be generated. For further information, see the Enhanced Mitigation Experience Toolkit section of the Microsoft Windows hardening guide publications.

Services

This event category will forward events when services have been installed. It does not require any change to Group Policy settings. This category will also forward events related to the event log service being shut down.

Windows Defender

This event category will forward configuration changes, update issues and malware detected by Windows Defender Antivirus. If third-party antivirus software is used, the vendor’s documentation should be followed to enable and forward logging to a central location. At a minimum, configuration changes, update issues and malware detection events should be logged and forwarded.

Windows Defender Exploit Guard has been available since Microsoft Windows 10 version 1709, and this event category will forward exploit mitigations being applied. Audit mode events can also be forwarded by enabling the supplied audit subscription.

Windows Defender Exploit Protection, which superseded EMET and is a component of Windows Defender Exploit Guard, will still run if third-party antivirus software is used. Exploit Protection is enabled by default and can be configured as required.

Events from the Windows Defender Exploit Guard components, Attack Surface Reduction, Network Protection and Controlled Folder Access require Windows Defender Antivirus’s real-time antivirus scanning engine to be enabled.

Windows Error Reporting

This event category will forward application crashes and it does not require any change to Group Policy settings.

Code integrity

This event category will forward code integrity violations, and the following Group Policy settings will increase integrity logging