[Security Content] Windows Setup Guides - WinEventLog & Sysmon

audit_policies/windows/README.md

@@ -0,0 +1,46 @@
+## Windows Audit Policies
+
+This folder contains Windows related audit policies that need to be implemented in order to generate the events that power our detection rules. It serves as a centralized view of the policies we use so you don't need to go through every rule to know the different audit policies required.
+
+Audit Policies:
+
+* [Audit Audit Policy Change](audit_audit_policy_change.md)
+* [Audit Authorization Policy Change](audit_authorization_policy_change.md)
+* [Audit Detailed File Share](audit_detailed_file_share.md)
+* [Audit Directory Service Access](audit_directory_service_access.md)
+* [Audit Directory Service Changes](audit_directory_service_changes.md)
+* [Audit Filtering Platform Connection](audit_filtering_platform_connection.md)
+* [Audit Handle Manipulation](audit_handle_manipulation.md)
+* [Audit Logon](audit_logon.md)
+* [Audit Process Creation and Command Line](audit_process_creation_and_command_line.md)
+* [Audit Security Group Management](audit_security_group_management.md)
+* [Audit Security System Extension](audit_security_system_extension.md)
+* [Audit Sensitive Privilege Use](audit_sensitive_privilege_use.md)
+* [Audit Special Logon](audit_special_logon.md)
+* [Audit Token Right Adjusted Events](audit_token_right_adjusted_events.md)
+* [Audit User Account Management](audit_user_account_management.md)
+* [Audit Powershell Script Block Logging](audit_powershell_scriptblock.md)
+
+## Sysmon Configuration Guides
+
+**Caution:** The following guides provide minimal configuration examples designed to enable specific Sysmon Event IDs. Collecting Sysmon events without a tailored configuration for your environment will cause high data volume and potentially high CPU-load, and these setup instructions require significant tuning to be production-ready.
+
+To build an efficient and production-ready configuration, we strongly recommend exploring these community resources:
+ - https://github.com/trustedsec/SysmonCommunityGuide
+ - https://github.com/olafhartong/sysmon-modular
+ - https://github.com/Neo23x0/sysmon-config
+
+For a production-ready and more integrated solution that is designed to work with our detection rules and also provide native Endpoint Protection and Response, check out [Elastic Endpoint Security](https://www.elastic.co/security/endpoint-security).
+
+* [Sysmon Event ID 1: Process Creation](sysmon_eventid1_process_creation.md)
+* [Sysmon Event ID 2: File Creation Time Changed](sysmon_eventid2_file_creation_time_changed.md)
+* [Sysmon Event ID 3: Network Connection](sysmon_eventid3_network_connection.md)
+* [Sysmon Event ID 7: Image Loaded](sysmon_eventid7_image_loaded.md)
+* [Sysmon Event ID 8: Create Remote Thread](sysmon_eventid8_createremotethread.md)
+* [Sysmon Event ID 10: Process Accessed](sysmon_eventid10_process_access.md)
+* [Sysmon Event ID 11: File Create](sysmon_eventid11_file_create.md)
+* [Sysmon Event IDs 12, 13, 14: Registry Events](sysmon_eventid12_13_14_registry_event.md)
+* [Sysmon Event IDs 17, 18: Named Pipe Events](sysmon_eventid17_18_pipe_event.md)
+* [Sysmon Event IDs 19, 20, 21: WMI Events](sysmon_eventid19_20_21_wmi_event.md)
+* [Sysmon Event ID 22: DNS Query](sysmon_eventid22_dns_query.md)
+* [Sysmon Event ID 23: File Delete](sysmon_eventid23_file_delete.md)

audit_policies/windows/audit_authorization_policy_change.md

@@ -0,0 +1,44 @@
+## Setup
+
+Some detection rules require monitoring changes to authorization policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into changes affecting user rights and security policies, helping maintain compliance and security.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Authorization Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Authorization Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Audit Policy Configuration >
+Audit Policies >
+Policy Change >
+**Audit Authorization Policy Change (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **4703**: A user right was adjusted.
+* **4704**: A user right was assigned.
+* **4705**: A user right was removed.
+* **4670**: Permissions on an object were changed.
+* **4911**: Resource attributes of the object were changed.
+* **4913**: Central Access Policy on the object was changed.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224703%22+OR+%22Token+Right+Adjusted+Events%22+OR+%224704%22+OR+%22user-right-assigned%22+OR+%224705%22+OR+%22user-right-removed%22+OR+%224670%22+OR+%22permissions-changed%22+OR+%224911%22+OR+%224913%22%29++language%3ATOML&type=code

audit_policies/windows/audit_computer_account_management.md

@@ -0,0 +1,40 @@
+## Setup
+
+Some detection rules require monitoring computer account management events to track changes to computer accounts in the domain. Enabling this setting provides visibility into when computer accounts are created, changed, or deleted, which is crucial for detecting potential malicious activity like adding unauthorized computer accounts.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Computer Account Management` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Computer Account Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Account Management
+**Audit Computer Account Management (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **4741**: A computer account was created.
+* **4742**: A computer account was changed.
+* **4743**: A computer account was deleted.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224741%22+OR+%22added-computer-account%22+OR+%224742%22+OR+%22changed-computer-account%22+OR+%224743%22+OR+%22deleted-computer-account%22%29+language%3ATOML+AND+NOT+%28%22%28for+example%2C+4741%29%22+OR+%22Review+the+event+ID+4741%22+OR+%22e.g.%2C+4741%22%29&type=code

audit_policies/windows/audit_detailed_file_share.md

@@ -0,0 +1,40 @@
+## Setup
+
+Some detection rules require monitoring file share access to detect unauthorized access attempts or modifications. Enabling this setting helps improve security visibility and ensures compliance by tracking access to shared files and folders.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Detailed File Share` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Detailed File Share` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+**Audit Detailed File Share (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"File Share" /success:enable /failure:disable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **5145**: A network share object was checked to see whether client can be granted desired access.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225145%22+OR+%22network-share-object-access-checked%22%29++language%3ATOML&type=code

audit_policies/windows/audit_directory_service_access.md

@@ -0,0 +1,41 @@
+## Setup
+
+Some detection rules require configuring audit policies to generate events when Active Directory objects are accessed. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Directory Service Access` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Access` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+**Audit Directory Service Access (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **4661**: A handle to an object was requested.
+* **4662**: An operation was performed on an object.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224661%22+OR+%224662%22+OR+%22object-operation-performed%22%29++language%3ATOML&type=code

audit_policies/windows/audit_directory_service_changes.md

@@ -0,0 +1,68 @@
+## Setup
+
+Some detection rules require configuring audit policies to generate events when Active Directory objects are modified. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Directory Service Changes` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Changes` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+**Audit Directory Service Changes (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
+```
+
+### Additional Settings
+
+The `Audit Directory Service Changes` policy does not cover all objects monitored by the detection rules. To address these gaps, in addition to enabling the audit policy, configure additional Access Control Entries (ACEs) using [Set-AuditRule](https://github.com/OTRF/Set-AuditRule) to ensure proper monitoring.
+
+Below is a list of example Audit Rules. Modify them to match the Distinguished Names specific to your environment:
+
+Audit changes on the MicrosoftDNS object:
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+
+Audit changes on the msDS-KeyCredentialLink attribute of User objects:
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success
+```
+
+Audit changes on the servicePrincipalName attribute of User objects:
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **5136**: A directory service object was modified.
+* **5137**: A directory service object was created.
+* **5138**: A directory service object was undeleted.
+* **5139**: A directory service object was moved.
+* **5141**: A directory service object was deleted.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225136%22+OR+%22directory-service-object-modified%22+OR+%225137%22+OR+%225138%22+OR+%225139%22+OR+%225141%22%29++language%3ATOML&type=code

audit_policies/windows/audit_filtering_platform_connection.md

@@ -0,0 +1,47 @@
+## Setup
+
+Some detection rules require monitoring network connections managed by the Windows Filtering Platform (WFP) to detect unauthorized or suspicious network activity.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Filtering Platform Connection` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Filtering Platform Connection` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Security Audit Policy Settings >
+Audit Policies >
+Object Access >
+Audit Filtering Platform Connection (Success,Failure)
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **5031**: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
+* **5150**: The Windows Filtering Platform blocked a packet.
+* **5151**: A more restrictive Windows Filtering Platform filter has blocked a packet.
+* **5154**: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+* **5155**: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
+* **5156**: The Windows Filtering Platform has permitted a connection.
+* **5157**: The Windows Filtering Platform has blocked a connection.
+* **5158**: The Windows Filtering Platform has permitted a bind to a local port.
+* **5159**: The Windows Filtering Platform has blocked a bind to a local port.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225031%22+OR+%225150%22+OR+%225151%22+OR+%225154%22+OR+%225155%22+OR+%225156%22+OR+%22windows-firewall-connection%22+OR+%225157%22+OR+%22windows-firewall-packet-block%22+OR+%225158%22+OR+%22windows-firewall-bind-local-port%22+OR+%225159%22%29+language%3ATOML+AND+NOT+%28%224605157a5b80%22+OR+%225151a804f31b%22%29&type=code

audit_policies/windows/audit_filtering_platform_packet_drop.md

@@ -0,0 +1,41 @@
+## Setup
+
+Some detection rules require monitoring Filtering Platform Packet Drop events to detect when network packets are being dropped by the Windows Filtering Platform (WFP). Enabling this setting provides visibility into network traffic that is being blocked, which can be an indicator of malicious activity or network reconnaissance.
+
+**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Filtering Platform Packet Drop` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Filtering Platform Packet Drop` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+Object Access
+**Audit Filtering Platform Packet Drop (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
+```
+
+## Event IDs
+
+When this audit policy is enabled, the following event IDs may be generated:
+
+* **5152**: The Windows Filtering Platform blocked a packet.
+* **5153**: A more restrictive Windows Filtering Platform filter has blocked a packet.
+
+## Related Rules
+
+Use the following GitHub search to identify rules that use the events listed:
+
+https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225152%22+OR+%22windows-firewall-packet-drop%22+OR+%225153%22%29+language%3ATOML+AND+NOT+%28%22%28for+example%2C+5152%29%22+OR+%22Review+the+event+ID+5152%22+OR+%22e.g.%2C+5152%22%29&type=code