Here’s our list of the top 11 Windows events you should monitor. This list is not exhaustive, but it provides a starting point from which you can identify the most potentially threatening behaviors on your network. Every item below can be pulled from the Windows event logs with built-in tooling; the hard part is turning the right auditing on and actually reading what comes out.
1. User Rights Changes
You want to know when user accounts are created, deleted, enabled or disabled, and when their rights change, for example when an account is granted a privilege such as logging on as a service or acting as part of the operating system. Most of the time these events are routine administration and should line up with a change ticket. However, once an attacker has a foothold in your network, they will want as much access as possible, so expect them to create accounts, reset passwords, or grant rights to an account they already control. Windows records all of this in the Security log under account-management and authorization-policy-change auditing, which has to be enabled before anything is written.
2. Group Settings
Active Directory groups are how access rights are granted in most Windows environments, so a change to group membership or group settings can indicate that an attacker is adding an account to a privileged group (Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators and similar) or removing legitimate administrators from it. Treat membership changes to those groups as high-priority alerts rather than daily review items, and check the actor account against the short list of people authorized to make that change.
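As an added example covering items 1 and 2 (this is not code from the article or from LBMC), the following PowerShell pulls recent account, group-membership and user-rights changes out of the local Security log and sorts privileged-group changes to the top. It assumes an elevated session on a host or domain controller where success auditing for User Account Management, Security Group Management and Authorization Policy Change is enabled; the lookback window and the privileged-group list are assumptions you should tune.

```powershell
# Added example (not LBMC's code). Assumes an elevated session and the
# audit subcategories named in the lead-in. Window and group list are assumptions.
$Hours = 24
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

# Documented Security event IDs (not invented here):
$AccountIds = 4720, 4722, 4724, 4725, 4726, 4738   # created, enabled, password reset, disabled, deleted, changed
$GroupIds   = 4728, 4729, 4732, 4733, 4756, 4757   # member added/removed: global, local, universal security groups
$RightsIds  = 4704, 4705                           # user right assigned / removed

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AccountIds + $GroupIds + $RightsIds
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Field names differ per event ID, so read EventData generically by name
    # rather than by positional index.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

    $kind = switch ($e.Id) {
        { $_ -in $AccountIds } { 'account' }
        { $_ -in $GroupIds }   { 'group' }
        default                { 'rights' }
    }
    # Group events: TargetUserName is the group, MemberName the account moved.
    # Rights events: only the SID of the target and the privilege list are logged.
    $target = switch ($kind) {
        'group'  { "$($d['MemberName']) -> $($d['TargetUserName'])" }
        'rights' { "$($d['TargetSid']): $($d['PrivilegeList'] -replace '\s+', ' ')" }
        default  { $d['TargetUserName'] }
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Kind       = $kind
        Actor      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Target     = $target
        Privileged = ($kind -eq 'group' -and $d['TargetUserName'] -in $PrivilegedGroups)
    }
}

# Privileged-group changes first, then everything else for routine review.
$rows | Sort-Object Privileged, Time -Descending | Format-Table -AutoSize
```

Run it against a domain controller to see domain changes; on a member server it shows local account and local group changes only. Anything in the Privileged column that does not match a change record is worth a phone call, not a ticket.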
3. Account Lockouts
Generally, an account lockout means a user forgot or mistyped their password. It can also mean a threat agent is brute-forcing the account, or simply that a service, scheduled task or mapped drive is still using an old password. Look at the rate and the source: many lockouts in a short window, lockouts of accounts nobody actively uses, or lockouts whose caller computer is not the user’s own workstation are the cases that deserve investigation.
4. Event Log Clearing
Event logs are your record of what has happened on each system; every event on this list lives in one. Most compliance frameworks require you to retain them for a set period, and there is rarely a legitimate reason to clear a log outside a documented maintenance task, so clearing is a strong indication of a threat agent covering their tracks. Windows always records a clearing of the Security log (event 1102) and of other logs (event 104 in the System log), and a change to the audit policy itself is recorded as event 4719, which is the quieter way an attacker blinds you. Because the clear event may be the last thing an attacker leaves behind on the host, forward logs to a central collector so the evidence survives.
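As an added example (not code from the article), this PowerShell lists log-clearing and audit-policy changes on the local host. It assumes an elevated session; the seven-day lookback is an assumption. It relies on documented Windows event IDs: 1102 (Security log cleared), 104 (another log cleared, written to the System log) and 4719 (system audit policy changed).

```powershell
# Added example (not LBMC's code). Assumes an elevated session; lookback is an assumption.
$Since = (Get-Date).AddDays(-7)

$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue
) | ForEach-Object {
    $e = $_
    # 1102 and 104 put their details under UserData/LogFileCleared, not EventData.
    $u = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Channel = if ($e.Id -eq 1102) { 'Security' } else { $u.Channel }
        Actor   = "$($u.SubjectDomainName)\$($u.SubjectUserName)"
    }
}

$policy = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Subcategory = $d['SubcategoryGuid']
            Changes     = $d['AuditPolicyChanges']
        }
    }

'== Logs cleared =='
$cleared | Format-Table -AutoSize
'== Audit policy changed =='
$policy | Format-Table -AutoSize
```

A 1102 from a non-administrative account, or any 1102 without a matching maintenance record, is an incident. A 4719 that disables a success or failure audit you rely on is just as serious, and it is far easier to miss because the logs keep flowing, just without the events you care about.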
5. Firewall Rule Changes
Your firewalls exist to keep malicious traffic out of your network, and on a Windows host the local firewall is part of that. When firewall rules are added, modified or deleted, or a whole profile is switched off, it is a cause for concern. An attacker who has reached a host will often add an inbound allow rule for a remote-access tool or open a port for lateral movement, and an attacker with the right access will weaken perimeter rules for the same reason. Compare every rule change against the change it was supposed to implement, and pay particular attention to new inbound allow rules created by anything other than your management tooling.
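As an added example (not code from the article or LBMC), this PowerShell enables auditing of Windows Defender Firewall rule changes and then reads the two places Windows records them. It assumes an elevated session and an English-language host (the inbound-allow flag matches the rendered message text); the one-day lookback is an assumption. Event IDs are documented Windows IDs: 4946 rule added, 4947 rule modified, 4948 rule deleted and 4950 profile setting changed in the Security log, and 2004/2005/2006 rule added/modified/deleted in the firewall operational log.

```powershell
# Added example (not LBMC's code). Assumes an elevated, English-language host; lookback is an assumption.

# Enable the Security-log subcategory that writes 4946-4950 (persist via GPO in production).
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable | Out-Null

$Since = (Get-Date).AddDays(-1)

# Security log: rule name/ID and profile. Note these events carry no subject account.
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947, 4948, 4950; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Id = $e.Id; Source = 'Security'
            Rule = $d['RuleName']; RuleId = $d['RuleId']; Profile = $d['ProfileChanged']
            By = ''; App = ''; InboundAllow = $false
        }
    }

# Firewall operational log: the same changes with the modifying user and
# application and the rule body. Direction/Action are numeric codes in the
# raw data, so the inbound-allow flag matches the rendered message instead.
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$fw = Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2004, 2005, 2006; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Id = $e.Id; Source = 'Firewall'
            Rule = $d['RuleName']; RuleId = $d['RuleId']; Profile = $d['Profiles']
            By = $d['ModifyingUser']; App = $d['ModifyingApplication']
            InboundAllow = ($e.Message -match 'Direction:\s+Inbound' -and $e.Message -match 'Action:\s+Allow')
        }
    }

# New inbound allow rules first; a rule added by an unexpected application needs a ticket.
@($sec) + @($fw) | Sort-Object InboundAllow, Time -Descending |
    Format-Table Time, Id, Source, InboundAllow, Rule, By, App -AutoSize
```

The Security-log events prove a change happened and survive in your central collector; the operational-log events tell you which process made it, which is what separates a product installer from an attacker running netsh.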
6. Failure to Load Group Policy
Group Policy is how most Windows environments push security settings to machines and users: password and lockout policy, user rights assignments, restricted group membership, audit settings, firewall rules and more. If a machine fails to apply Group Policy, it keeps running with whatever settings it last received, or with defaults if it never received any, so its configuration drifts from the baseline you believe is enforced. Hardening you rely on may never reach the system, and an attacker who has deliberately broken policy processing on a host gets a machine that stays misconfigured. Group Policy failures are written to the System log by the Microsoft-Windows-GroupPolicy provider and to the Microsoft-Windows-GroupPolicy/Operational log, and gpresult reports when policy was last applied; a host that suddenly stops applying policy deserves a look.
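As an added example (not the article's own code), this PowerShell checks whether Group Policy is still applying on a host by reading the Group Policy client's own error events and its last-applied time. It assumes an elevated session; the one-day lookback is an assumption.

```powershell
# Added example (not LBMC's code). Assumes an elevated session; lookback is an assumption.
$Since = (Get-Date).AddDays(-1)

# Level 1 = Critical, 2 = Error, 3 = Warning. Errors from the Group Policy
# client land in the System log under its provider and in its Operational log.
$gpErrors = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Level = 1, 2, 3; StartTime = $Since } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 1, 2; StartTime = $Since } -ErrorAction SilentlyContinue
) | Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

'== Group Policy errors/warnings =='
$gpErrors | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# The client's own view of when computer policy last applied, and from which DC.
'== Last application =='
gpresult /r /scope computer | Select-String 'Last time Group Policy was applied', 'Group Policy was applied from'
```

Alert on either condition: error events from the client, or a last-applied time older than your refresh interval plus some slack. A host with no errors and a stale timestamp is still not refreshing; it may simply have lost its path to a domain controller.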
7. New Software Installation
One of the more damaging things a malicious user can do to your network is install malware, with effects ranging from highly inconvenient to devastating, especially in the case of ransomware. Monitoring software installation gives you visibility into what is being installed on your systems, so you can determine whether an installation is part of normal business operations or a cause for concern. Windows Installer records each MSI install and removal in the Application log, but many installers and most malware never go through MSI, so pair this with process and service creation monitoring (item 9) and, where you can, application allow-listing.
8. New Device Attachment
A new device on your network is generally part of onboarding a new employee or adding approved technology, and a new device plugged into a host is generally a keyboard or a monitor. But an unrecognized device, whether a rogue host on the network or a USB drive attached to a server, is something you want to know about as quickly as possible, since removable media is a common way to bring malware in and data out. Windows can audit device attachment on the host (Security event 6416 when plug-and-play auditing is enabled), and keeping logs of these events can clue you in to whether the device is an expected part of business operations or something that should be investigated further.
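As an added example (not code from the article), this PowerShell turns on plug-and-play auditing and lists newly recognized devices from Security event 6416 ("A new external device was recognized by the system"), flagging device classes outside an expected set. It assumes an elevated session; the expected-class list and the one-day lookback are assumptions.

```powershell
# Added example (not LBMC's code). Assumes an elevated session; class list and lookback are assumptions.

# Enable the subcategory that writes 6416 (persist via GPO in production).
auditpol /set /subcategory:"Plug and Play Events" /success:enable | Out-Null

$Since = (Get-Date).AddDays(-1)
$ExpectedClasses = @('Keyboard', 'Mouse', 'HIDClass', 'Monitor')   # assumption: baseline your own fleet first

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Class       = $d['ClassName']          # setup class, e.g. USB, DiskDrive, WPD, HIDClass
            Description = $d['DeviceDescription']
            DeviceId    = $d['DeviceId']
            Vendor      = ($d['VendorIds'] -split '\s+')[0]
            Flag        = if ($d['ClassName'] -notin $ExpectedClasses) { 'REVIEW' } else { '' }
        }
    } | Sort-Object Flag -Descending | Format-Table -AutoSize
```

6416 fires for every new device instance, including virtual ones, so build the expected-class list from a week of normal activity before you alert on it. USB storage typically surfaces as the DiskDrive or WPD class alongside a USB class entry for the hub or composite device.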
In addition to obtaining these logs from your systems, it’s also imperative to review them regularly. Logs are records of information, and without review and interpretation of those records, they can’t help you maintain network security.
9. New Processes or Services Created
This event tells you that a program was run or a service was installed on one of your systems. Process creation (Security event 4688) and service installation (System event 7045) are constant, normal activity, but once you suspect malicious behavior on your network these logs show you what ran, as which user, and from which parent process, which pins down the nature and location of the behavior. When you set this up, be sure to enable command-line auditing: by default 4688 records only the executable path, and the "Include command line in process creation events" policy is what adds the arguments, which is where encoded PowerShell, download commands and similar tradecraft actually show up.
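As an added example covering items 7 and 9 (this is not code from the article or LBMC), the following PowerShell enables process-creation auditing with command lines, then reviews new processes (Security 4688), new services (System 7045) and Windows Installer activity (Application events 11707, 1033 and 1034 from the MsiInstaller provider) in one table. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later; the suspicious-pattern lists and the 24-hour window are assumptions you should extend from your own incidents.

```powershell
# Added example (not LBMC's code). Assumes an elevated session; patterns and lookback are assumptions.

# 1. Turn on 4688 and include the full command line in it.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

$Since = (Get-Date).AddHours(-24)
function Get-EventData($e) { $d = @{}; ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }; $d }

# Command-line patterns that deserve a look (assumption; -match is case-insensitive).
$Suspicious = '(-enc(odedcommand)?\s|FromBase64String|DownloadString|\bIEX\b|Invoke-Expression|-nop\b|-w(indowstyle)?\s+hidden|bitsadmin|certutil.*-urlcache|rundll32.*javascript|mshta)'

# 2. New processes with command line and parent.
$procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Kind = 'process'
            User = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Image = $d['NewProcessName']; Parent = $d['ParentProcessName']
            Detail = $d['CommandLine']
            Flag = if ($d['CommandLine'] -match $Suspicious) { 'SUSPICIOUS' } else { '' }
        }
    }

# 3. New services. A service whose binary is a script host or lives under a
#    user/temp path is a classic persistence or lateral-movement artifact.
$svcs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Kind = 'service'; User = $d['AccountName']
            Image = $d['ImagePath']; Parent = ''
            Detail = "$($d['ServiceName']) start=$($d['StartType'])"
            Flag = if ($d['ImagePath'] -match '(powershell|cmd\.exe|rundll32|\\Users\\|\\Temp\\|\\ProgramData\\)') { 'REVIEW' } else { '' }
        }
    }

# 4. MSI installs/removals (11707 install completed, 1033 installed with status, 1034 removed).
$msi = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707, 1033, 1034; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'msi'; User = $_.UserId; Image = ''; Parent = ''
                           Detail = ($_.Message -split "`n")[0]; Flag = '' }
    }

@($procs) + @($svcs) + @($msi) | Sort-Object Flag, Time -Descending |
    Format-Table Time, Kind, Flag, User, Image, Detail -AutoSize
```

4688 is noisy, so in practice the process rows go to your SIEM and only the flagged ones page anyone; the service and MSI rows are rare enough on servers to review in full. Note that the flags are heuristics: a SUSPICIOUS command line from your own management agent is a tuning item, not an incident, but you should know what that agent runs before you suppress it.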
10. PowerShell Logging
PowerShell is the scripting shell and automation engine built into every supported version of Windows, which is exactly why attackers use it: it is already there, it is trusted, and it can do almost anything without writing a file to disk. Before PowerShell 5.0 it had very little logging. If an attacker executed commands from PowerShell, system administrators were often left with few clues as to what had happened.
PowerShell 5.0 (with a backport to 4.0) added much more visibility into the command environment: script block logging records the code that actually ran, including de-obfuscated content, module logging records pipeline execution, and transcription writes a per-session transcript to disk. Keeping these logs gives you visibility into command activity by authorized users and threat agents alike. Two caveats: the logs are only as safe as the host they are on, so forward them, and an attacker can try to start the legacy PowerShell 2.0 engine to sidestep them, so remove that optional feature where nothing depends on it and watch for engine-start events that report version 2.0.
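As an added example (not code from the article or LBMC), this PowerShell enables script block, module and transcription logging through the same registry values the Group Policy templates set, reassembles multi-part script block events (4104) so that long scripts can be matched as a whole, and checks for PowerShell 2.0 engine starts. It assumes an elevated session and Windows PowerShell 5.x; the transcript directory, keyword list and 24-hour window are assumptions.

```powershell
# Added example (not LBMC's code). Assumes an elevated session and Windows PowerShell 5.x.
# Transcript path, keyword list and lookback are assumptions.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null  # every module
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'   # restrict this directory's ACL

# Review 4104 (script block text). Long scripts arrive as several fragments
# sharing a ScriptBlockId, so reassemble before matching keywords.
$Since = (Get-Date).AddHours(-24)
$Keywords = 'FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Invoke-Mimikatz|Add-Type|VirtualAlloc|-nop\b|bypass'

$blocks = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $id = $d['ScriptBlockId']
        if (-not $blocks[$id]) {
            $blocks[$id] = @{ Time = $e.TimeCreated; User = $e.UserId; Path = $d['Path']; Parts = @{}; Total = [int]$d['MessageTotal'] }
        }
        $blocks[$id].Parts[[int]$d['MessageNumber']] = $d['ScriptBlockText']
    }

foreach ($id in $blocks.Keys) {
    $b = $blocks[$id]
    $text = ($b.Parts.Keys | Sort-Object | ForEach-Object { $b.Parts[$_] }) -join ''
    $where = if ($b.Path) { $b.Path } else { '<interactive>' }
    # Report keyword hits and blocks whose fragments are incomplete (possible log tampering or rollover).
    if ($text -match $Keywords -or $b.Parts.Count -lt $b.Total) {
        '[{0}] user={1} path={2} parts={3}/{4}' -f $b.Time, $b.User, $where, $b.Parts.Count, $b.Total
        ($text.Substring(0, [Math]::Min(300, $text.Length)) -replace '\s+', ' ')
        ''
    }
}

# Downgrade check: engine-start events (400) in the classic "Windows PowerShell"
# log carry EngineVersion; a 2.0 engine bypasses the logging configured above.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated, UserId | Format-Table -AutoSize
```

PowerShell 5 also writes 4104 events at Warning level for script blocks it considers suspicious even when script block logging is off, so a host with nothing configured is not completely blind, but only the policy above gives you the full text of everything that ran. If the downgrade check ever returns rows, the fix is to remove the MicrosoftWindowsPowerShellV2Root optional feature rather than to tune the query.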
11. User Login/Authentication Events
By monitoring logon and authentication events (successes and failures), you can determine which users were active, from where, and how they logged on: interactively at a console, over the network, or through Remote Desktop. That may not matter in daily business practice, but in the event of a breach, knowing which accounts were active on which systems is what lets you trace an attacker’s path, and the pattern of failures before a success is what tells you how they got in.
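As an added example covering items 3 and 11 (not code from the article or LBMC), this PowerShell summarises logons, logon failures and lockouts from the Security log to surface brute force (many failures against one account), password spraying (one source trying many accounts), and who was interactively active. It assumes an elevated session on a host or domain controller with Logon and Account Lockout auditing enabled; the thresholds and the one-hour window are assumptions.

```powershell
# Added example (not LBMC's code). Assumes an elevated session; thresholds and lookback are assumptions.
$Since = (Get-Date).AddHours(-1)
$FailPerAccount = 10    # failures for one account in the window
$FailPerSource  = 20    # failures from one source in the window
$SprayAccounts  = 5     # distinct accounts tried from one source

$LogonType = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
                '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

# 4624 success, 4625 failure, 4740 lockout (documented Security event IDs).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = $d['TargetUserName']
            # 4740 stores the caller computer in TargetDomainName; 4624/4625 carry IpAddress.
            Source  = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
            Type    = $LogonType[[string]$d['LogonType']]
            Status  = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
        }
    }

# Machine accounts end in $ and fail for their own reasons; keep them out of the counts.
$failures = $events | Where-Object Id -eq 4625 | Where-Object { $_.Account -notmatch '\$$' }

"== Accounts with >= $FailPerAccount failures (brute force) =="
$failures | Group-Object Account | Where-Object Count -ge $FailPerAccount |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

'== Sources failing against many accounts (spray) =='
$failures | Group-Object Source | ForEach-Object {
        [pscustomobject]@{ Source = $_.Name; Failures = $_.Count; Accounts = ($_.Group.Account | Sort-Object -Unique).Count }
    } | Where-Object { $_.Failures -ge $FailPerSource -or $_.Accounts -ge $SprayAccounts } | Format-Table -AutoSize

'== Lockouts =='
$events | Where-Object Id -eq 4740 | Select-Object Time, Account, @{ n = 'CallerComputer'; e = { $_.Source } } | Format-Table -AutoSize

'== Console and RDP logons (who was active) =='
$events | Where-Object { $_.Id -eq 4624 -and $_.Type -in 'Interactive', 'RemoteInteractive' } |
    Select-Object Time, Account, Type, Source | Format-Table -AutoSize
```

On a domain controller, Kerberos and NTLM failures are recorded as 4771 and 4776 rather than 4625, so add those IDs when you run this against a DC. The spray section is the one to watch: a single source failing once against each of fifty accounts never trips a per-account lockout threshold, which is precisely why attackers do it that way.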
While the 11 events identified here are the big puzzle pieces you should pay attention to, there are other, more subtle, events that can go unnoticed without an eye for detail.
LBMC can help you identify all the events that could cause trouble for your organization, whether it be a malfunction or a malicious user.
Contact us and learn more about how our Purple Team can provide you with the confidence that your logging and alerting is properly configured.
Content provided by LBMC professional, Bill Dean.