mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,169 @@
|
||||
---
|
||||
name: configuring-windows-event-logging-for-detection
|
||||
description: >
|
||||
Configures Windows Event Logging with advanced audit policies to generate high-fidelity security
|
||||
events for threat detection and forensic investigation. Use when enabling audit policies for
|
||||
logon events, process creation, privilege use, and object access to feed SIEM detection rules.
|
||||
Activates for requests involving Windows audit policy, event log configuration, security
|
||||
logging, or detection-oriented logging.
|
||||
domain: cybersecurity
|
||||
subdomain: endpoint-security
|
||||
tags: [endpoint, windows-security, event-logging, audit-policy, detection-engineering]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
# Configuring Windows Event Logging for Detection
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when:
|
||||
- Configuring Windows Advanced Audit Policy for security monitoring
|
||||
- Enabling process creation auditing with command line logging (Event 4688)
|
||||
- Setting up logon/logoff auditing for authentication monitoring
|
||||
- Sizing event log storage and forwarding to SIEM platforms
|
||||
|
||||
**Do not use** for Sysmon configuration (separate skill) or Linux audit logging.
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Configure Advanced Audit Policy via GPO
|
||||
|
||||
```
|
||||
Computer Configuration → Windows Settings → Security Settings
|
||||
→ Advanced Audit Policy Configuration → Audit Policies
|
||||
|
||||
Recommended settings:
|
||||
Account Logon:
|
||||
- Audit Credential Validation: Success, Failure
|
||||
- Audit Kerberos Authentication: Success, Failure
|
||||
|
||||
Account Management:
|
||||
- Audit Security Group Management: Success
|
||||
- Audit User Account Management: Success, Failure
|
||||
|
||||
Logon/Logoff:
|
||||
- Audit Logon: Success, Failure
|
||||
- Audit Logoff: Success
|
||||
- Audit Special Logon: Success
|
||||
- Audit Other Logon/Logoff Events: Success, Failure
|
||||
|
||||
Object Access:
|
||||
- Audit File Share: Success, Failure
|
||||
- Audit Removable Storage: Success, Failure
|
||||
- Audit SAM: Success
|
||||
|
||||
Policy Change:
|
||||
- Audit Audit Policy Change: Success, Failure
|
||||
- Audit Authentication Policy Change: Success
|
||||
|
||||
Privilege Use:
|
||||
- Audit Sensitive Privilege Use: Success, Failure
|
||||
|
||||
Detailed Tracking:
|
||||
- Audit Process Creation: Success
|
||||
- Audit DPAPI Activity: Success, Failure
|
||||
```
|
||||
|
||||
### Step 2: Enable Command Line in Process Creation Events
|
||||
|
||||
```powershell
|
||||
# Registry: Enable command line logging in Event 4688
|
||||
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
|
||||
-Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWORD -Force
|
||||
|
||||
# GPO: Computer Configuration → Administrative Templates → System → Audit Process Creation
|
||||
# "Include command line in process creation events" → Enabled
|
||||
```
|
||||
|
||||
### Step 3: Configure Event Log Sizes
|
||||
|
||||
```powershell
|
||||
# Increase Security log to 1 GB (default 20 MB is insufficient)
|
||||
wevtutil sl Security /ms:1073741824
|
||||
|
||||
# Increase PowerShell Operational log
|
||||
wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:536870912
|
||||
|
||||
# Set log retention to overwrite as needed
|
||||
wevtutil sl Security /rt:false
|
||||
|
||||
# Configure via GPO:
|
||||
# Computer Configuration → Administrative Templates → Windows Components
|
||||
# → Event Log Service → Security
|
||||
# Maximum log file size (KB): 1048576
|
||||
```
|
||||
|
||||
### Step 4: Configure Windows Event Forwarding (WEF)
|
||||
|
||||
```powershell
|
||||
# On collector server:
|
||||
wecutil qc /q
|
||||
|
||||
# Create subscription for high-value events:
|
||||
# Event IDs: 4624 (logon), 4625 (failed logon), 4688 (process create),
|
||||
# 4672 (special privilege), 4720 (user created), 4728 (group membership),
|
||||
# 7045 (service installed), 1102 (log cleared)
|
||||
|
||||
# On source endpoints (GPO):
|
||||
# Configure WinRM: winrm quickconfig
|
||||
# Configure event forwarding: Computer Configuration → Admin Templates
|
||||
# → Windows Components → Event Forwarding
|
||||
# Configure target Subscription Manager: Server=http://collector:5985/wsman/SubscriptionManager/WEC
|
||||
```
|
||||
|
||||
### Step 5: Key Event IDs for Detection
|
||||
|
||||
```
|
||||
Authentication Events:
|
||||
4624 - Successful logon (Type 2=Interactive, 3=Network, 10=RemoteInteractive)
|
||||
4625 - Failed logon attempt
|
||||
4648 - Logon using explicit credentials (RunAs, pass-the-hash indicator)
|
||||
4672 - Special privileges assigned (admin logon)
|
||||
4776 - NTLM credential validation
|
||||
|
||||
Process Events:
|
||||
4688 - Process creation (with command line if enabled)
|
||||
4689 - Process termination
|
||||
|
||||
Account Events:
|
||||
4720 - User account created
|
||||
4722 - User account enabled
|
||||
4724 - Password reset attempted
|
||||
4728 - Member added to security group
|
||||
4732 - Member added to local group
|
||||
4756 - Member added to universal group
|
||||
|
||||
Service/System Events:
|
||||
7045 - New service installed (persistence indicator)
|
||||
1102 - Audit log cleared (evidence tampering)
|
||||
4697 - Service installed in the system
|
||||
|
||||
Lateral Movement Indicators:
|
||||
4648 + 4624(Type 3) - Credential-based lateral movement
|
||||
5140 - Network share accessed
|
||||
5145 - Network share access check (detailed file share)
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|-----------|
|
||||
| **Advanced Audit Policy** | Granular audit subcategories (58 subcategories vs. 9 basic categories) |
|
||||
| **Event ID 4688** | Process creation event; essential for tracking execution on endpoints |
|
||||
| **WEF** | Windows Event Forwarding; centralized log collection without third-party agents |
|
||||
| **Logon Type** | Numeric code indicating authentication method (2=interactive, 3=network, 10=RDP) |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
- **Windows Event Forwarding (WEF)**: Built-in centralized log collection
|
||||
- **NXLog**: Open-source log forwarding agent for Windows events
|
||||
- **Winlogbeat**: Elastic Agent for shipping Windows event logs to Elasticsearch
|
||||
- **Palantir WEF Configuration**: Open-source WEF subscription templates
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
- **Using basic audit policy instead of advanced**: Basic and advanced audit policies conflict. Always use advanced audit policy exclusively.
|
||||
- **Default log size too small**: 20 MB Security log fills in minutes on busy servers. Set minimum 1 GB.
|
||||
- **Missing command line logging**: Event 4688 without command line content has minimal detection value. Always enable ProcessCreationIncludeCmdLine_Enabled.
|
||||
- **Not forwarding logs**: Local event logs are lost when endpoints are wiped by ransomware. Forward to centralized SIEM immediately.
|
||||
@@ -0,0 +1,20 @@
|
||||
# Windows Event Logging Configuration Template
|
||||
|
||||
## Audit Policy Settings
|
||||
| Subcategory | Setting | Status |
|
||||
|-------------|---------|--------|
|
||||
| Credential Validation | Success, Failure | |
|
||||
| Logon | Success, Failure | |
|
||||
| Process Creation | Success | |
|
||||
| Special Logon | Success | |
|
||||
|
||||
## Log Sizes
|
||||
| Log | Size | Retention |
|
||||
|-----|------|-----------|
|
||||
| Security | 1 GB | Overwrite |
|
||||
| PowerShell/Operational | 512 MB | Overwrite |
|
||||
|
||||
## Sign-Off
|
||||
| Role | Name | Date |
|
||||
|------|------|------|
|
||||
| Security | | |
|
||||
@@ -0,0 +1,6 @@
|
||||
# Standards & References
|
||||
- **NIST SP 800-92**: Guide to Computer Security Log Management
|
||||
- **CIS Benchmark Section 17**: Advanced Audit Policy Configuration
|
||||
- **NSA/CISA Event Forwarding Guidance**: Recommended events for Windows monitoring
|
||||
- **Palantir WEF Config**: https://github.com/palantir/windows-event-forwarding
|
||||
- **SANS Windows Logging Cheat Sheet**: https://www.sans.org/posters/
|
||||
@@ -0,0 +1,8 @@
|
||||
# Workflows
|
||||
## Event Logging Deployment
|
||||
```
|
||||
[Audit current logging configuration] → [Enable Advanced Audit Policy via GPO]
|
||||
→ [Enable command line logging] → [Increase log sizes]
|
||||
→ [Configure WEF or agent-based forwarding] → [Verify events in SIEM]
|
||||
→ [Build detection rules from high-value events] → [Quarterly logging audit]
|
||||
```
|
||||
@@ -0,0 +1,64 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Windows Event Logging Auditor - Checks current audit policy configuration."""
|
||||
|
||||
import json, subprocess, sys, os
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
def get_audit_policy() -> dict:
|
||||
"""Query current advanced audit policy via auditpol."""
|
||||
try:
|
||||
result = subprocess.run(
|
||||
["auditpol", "/get", "/category:*"],
|
||||
capture_output=True, text=True, timeout=15,
|
||||
)
|
||||
if result.returncode != 0:
|
||||
return {"error": result.stderr}
|
||||
|
||||
policies = {}
|
||||
current_category = ""
|
||||
for line in result.stdout.splitlines():
|
||||
line = line.strip()
|
||||
if not line:
|
||||
continue
|
||||
if " " not in line and line.endswith(":"):
|
||||
continue
|
||||
parts = line.rsplit(" ", 1)
|
||||
if len(parts) == 2:
|
||||
name = parts[0].strip()
|
||||
setting = parts[1].strip()
|
||||
policies[name] = setting
|
||||
return policies
|
||||
except FileNotFoundError:
|
||||
return {"error": "auditpol not available (requires Windows)"}
|
||||
|
||||
|
||||
RECOMMENDED = {
|
||||
"Credential Validation": "Success and Failure",
|
||||
"Security Group Management": "Success",
|
||||
"User Account Management": "Success and Failure",
|
||||
"Logon": "Success and Failure",
|
||||
"Logoff": "Success",
|
||||
"Special Logon": "Success",
|
||||
"Process Creation": "Success",
|
||||
"Audit Policy Change": "Success",
|
||||
"Sensitive Privilege Use": "Success and Failure",
|
||||
}
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
policies = get_audit_policy()
|
||||
if "error" in policies:
|
||||
print(f"Error: {policies['error']}")
|
||||
sys.exit(1)
|
||||
|
||||
compliant = 0
|
||||
total = len(RECOMMENDED)
|
||||
for setting, expected in RECOMMENDED.items():
|
||||
actual = policies.get(setting, "No Auditing")
|
||||
status = "PASS" if expected in actual else "FAIL"
|
||||
if status == "PASS":
|
||||
compliant += 1
|
||||
print(f"[{status}] {setting}: {actual} (expected: {expected})")
|
||||
|
||||
print(f"\nScore: {compliant}/{total} ({round(compliant/total*100)}%)")
|
||||
Reference in New Issue
Block a user