Looks like Windows 10 has introduced some new Security event IDs, as well as modified the content of some existing messages to include more info (4688).
This page seems to have the best breakdown of the new and modified events.
In short, these are the new ones:
4798/4799 - only write operations used to be audited; now read and query are audited along with write.
4826 - Boot Configuration Database
6416 - PnP events (this one might be interesting to watch around high-value assets like DCs)
There are a number of modified events that now have more information in them.
Great resource from Windows IT Pro that summarizes the changes well.
As always, feedback is welcome.
Are you aware of these new event IDs?
Are you leveraging them in any alerts or reports?
What's new in Windows 10, versions 1507 and 1511 (Windows 10)
Same thing, except not GitHub.
Re: references https://www.microsoft.com/en-us/download/details.aspx?id=52630
grep for "Minimum OS Version: Windows Server 2016, Windows 10".
You guys sure re: MS keeping everyone up to date on new events and changes? 1511 isn't exactly new anymore...
Is this a sneaky way of telling us everything above is correctly parsed (especially the 4624/4688 changes) by winevent_nic, and that magical ESA and RE rules will rain down on us?
Some specific questions:
a) 4798/4799 look curious. Is the right interpretation potentially auditing privileged or honey-token group reads on endpoints via forwarded logs?
b) Re: Audit Group Membership (Windows 10)? Is the winevent_nic parser correctly parsing reference.id="4627" [provided people actually configured auditing using a 2016 server ...]
c) > Advanced Audit Policy Configuration\Object Access\Audit Kernel Object. This can help identify attacks that steal credentials from the memory of a process.
4656/4663? Volume/FPs? E.g. trying to open lsass memory via mimikatz or procdumping it; what about lsaiso if Credential Guard is configured?
d) Parsing PS5 script block logging content (specifically, the message content into a meta key... though those are huge)? PowerShell ♥ the Blue Team | Windows PowerShell Blog [and/or AMSI integration in NetWitness Endpoint]
Detecting Offensive PowerShell Attack Tools » Active Directory Security
Want to look for indicators of obfuscation for PS via script block logging event IDs: http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/
http://www.danielbohannon.com/
That seems to require parsing the message field correctly. And tips on frequency counting (ESA advanced EPL?)
e) PS: last time we looked, not all AppLocker log IDs were parsed correctly either [script but not exe; can't remember about installer/packaged apps]. Not sure about the meta either.
f) Our favourite request is 'extra values out of DC/endpoint and server logs trying to detect some of the techniques Sean posts at https://adsecurity.org/' (occasionally Sean and co. or BDelpy post some event tips; other times it seems more like 'track your ticket use'/semi account UBA) - use case: GMs came back from an MS ATA demo, how do we do that? [specifically: how do you track the common persistence abuse Sean describes, and how would you track ticket misuse (silver or golden)?]
PS: pingback - ESA - Intrusion Detection with Windows Event Logs
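As an added example (not from this thread, NetWitness or winevent_nic), here is the defender-side check that question a) gestures at: parse exported 4798/4799 event XML, flag reads of watched local groups by processes outside an allowlist, and flag one account walking the membership of many local users. The watched groups, allowlist and sample events are constructed assumptions; the field names (SubjectUserName, TargetUserName, CallerProcessName) are the ones those two events carry.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}  # privileged / honey-token groups (assumed)
EXPECTED_CALLERS = {r"C:\Windows\System32\svchost.exe"}      # known benign enumerators (assumed)
NET1 = r"C:\Windows\System32\net1.exe"
# Constructed sample events (not real logs), as (EventID, EventData fields) pairs.
SAMPLE_EVENTS = [
    ("4799", {"SubjectUserName": "jdoe", "TargetUserName": "Administrators", "CallerProcessName": NET1}),
    ("4799", {"SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
              "CallerProcessName": r"C:\Windows\System32\svchost.exe"}),
    ("4799", {"SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users", "CallerProcessName": NET1}),
] + [("4798", {"SubjectUserName": "jdoe", "TargetUserName": f"user{i}", "CallerProcessName": NET1})
     for i in range(6)]  # one account querying the group membership of six local users

def build_event_xml(event_id, data):
    """Render a sample in the exported Windows event XML shape a collector would see."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one exported event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def flag_group_reads(xml_events):
    """4799: reads of a watched local group by a process outside the allowlist."""
    alerts = []
    for event_id, d in map(parse_event, xml_events):
        if (event_id == "4799" and d.get("TargetUserName") in WATCHED_GROUPS
                and d.get("CallerProcessName") not in EXPECTED_CALLERS):
            alerts.append((d["SubjectUserName"], d["TargetUserName"], d["CallerProcessName"]))
    return alerts

def flag_user_enumeration(xml_events, threshold=5):
    """4798: one subject querying the group membership of at least `threshold` distinct users."""
    seen = defaultdict(set)
    for event_id, d in map(parse_event, xml_events):
        if event_id == "4798":
            seen[d["SubjectUserName"]].add(d["TargetUserName"])
    return {subject: len(users) for subject, users in seen.items() if len(users) >= threshold}

if __name__ == "__main__":
    events = [build_event_xml(eid, data) for eid, data in SAMPLE_EVENTS]
    print(flag_group_reads(events))       # the two net1.exe reads of watched groups by jdoe
    print(flag_user_enumeration(events))  # {'jdoe': 6}
```

The svchost.exe read of Administrators is suppressed by the allowlist, which is where most of the volume question in the thread ends up: the allowlist has to be built from a baseline of each host's normal callers before the 4799 alert is useful.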