T o help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity.
By configuring commonly-used tools and policy settings that are already available in your Windows environment, you can start logging indicators of a threat. You can use this information to create detections based on the log activity, or you can use a platform that has pre-built detections and playbooks on how to respond and remediate.
By streaming your Microsoft Azure and Office 365 logs to Blumira’s platform, you can also detect suspicious and threat-like behavior and alert your team in real-time for automated and faster containment.
Finally, we’ve made several open-source tools available on GitHub for Windows administrators and IT/security professionals to use in their own environment to save you time and resources required to configure settings
properly for security logging and detection.
In addition to the default built-in logging that Windows Server offers, there are also additional configuration options and software that can be added to increase the visibility of your environment. In addition to enabling Windows Advanced Auditing, System Monitor (Sysmon) is one of the most commonly used add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking code behavior and network traffic, as well as create detections based on the malicious activity
Sysmon is part of the Sysinternals software package, now owned by Microsoft and enriches the standard Windows logs by producing some higher level monitoring of events such as proces creations, network connections and changes to the file system. It is EXTREMELY easy to install and deploy. Following three steps will turn on an incredible amount of logging.
sysmon –accepteula –i c:\windows\config.xml
There are several extremely helpful Windows Event IDs that Sysmon generates to help detect common threats in many different enterprises. A few examples of the more useful generated events for security purposes are listed below. A full list of Event IDs that Sysmon can generate are located on their download page.
If you need to access the Sysmon events locally as opposed to viewing them in a SIEM, you will find them in the event viewer under Applications and Services Logs > Microsoft > Windows > Sysmon.
Sysmon will not only show what processes are being run, it will also show when they are ended, as well as a lot of information about the executable or binary itself. It also provides hashes for all of the binaries that are run on the system and lists if they are signed or not, making it easy to see if malicious code is attempting to mimic legitimate programs such as PowerShell or other built-in Microsoft tools.
In this example, we can see where the Setup.exe has been run, by whom, as well as that it is reaching out to download additional content from a cloud provider. These events can be useful in detecting command and control traffic (which may indicate that attackers are sending commands that steal data, spread malware, etc.), as well as giving visibility into what applications are accessing certain internet resources.
One potential action an attacker or malicious user could take is to disable the Sysmon service if they have the privileges to do so.
Alerts on additions and modifications of certain registry locations can be beneficial for detecting malicious persistence on an endpoint. Many times entries are added to “Run” and “Run Once” on Windows so malware can resume its activities after a host is rebooted.
There are several benefits to logging DNS traffic, such as finding malicious remote access tools, security misconfigurations and command and control traffic.
Here we can see the popular Red Canary Atomic Red Team test for MITRE ATT&CK T1117 “Regsvr32” across several of the listed event IDs. Basically, regsvr32 can download and register DLLs (dynamiclink libraries) from URLs via the command line, something that is relatively easy to detect with Sysmon installed.
And when you tie them all together, you can create detections based on the malicious activity.
Learn more about how Blumira’s platform automatically detects and remediates security findings.
One of the most common configurations taken for granted is the built-in Microsoft Windows OS logging capabilities. Here’s a few modifications that can offer a deeper look into your Windows environment. While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data can be an advantage to any security team. The default logging enabled on a Microsoft AD Domain and all endpoints doesn’t include a fraction of the helpful data that can be obtained.
Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain
configuration. They are broken up into both local and domain policies and can be applied to specific
accounts or containers in a certain order to see differing results. Controlling event logging settings
from within GPOs allows different settings to be applied to different groups of assets such as domain
controllers, servers and endpoints. *NOTE* All GPO changes should be thoroughly planned and tested
in any environment.
Default event log file sizes are traditionally too small and can cause log aggregation if a networking issue occurs.Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.
Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy allowed the ability to configure much more granular audit settings.
Enable advanced auditing
Account Logon | |
---|---|
Credential Validation | Success and Failure |
Kerberos Authentication Service | No Auditing |
Kerberos Service Ticket Operations | No Auditing |
Other Account Logon Events | Success and Failure |
Account Management | |
---|---|
Application Group Management | Success and Failure |
Computer Account Management | Success and Failure |
Distribution Group Management | Success and Failure |
Other Account Management Events | Success and Failure |
Security Group Management | Success and Failure |
User Account Management | Success and Failure |
Detailed Tracking | |
---|---|
DPAPI Activity | No Auditing |
PNP (Plug and Play) | Success |
Process Creation | Success and Failure |
Process Termination | No Auditing |
RPC Events | Success and Failure |
Token Right Adjusted | Success |
DS Access | |
---|---|
Detailed Directory Service Replication | No Auditing |
Directory Service Access | No Auditing |
Directory Service Changes | Success and Failure |
Directory Service Replication | No Auditing |
Logon/Logof | |
---|---|
Account Lockout | Success |
Group Membership | Success |
IPsec Extended Mode | No Auditing |
IPsec Main Mode | No Auditing |
IPsec Quick Mode | No Auditing |
Logof | Success |
Logon | Success and Failure |
Network Policy Server | Success and Failure |
Other Logon/Logoff Events | Success and Failure |
Special Logon | Success and Failure |
User / Device Claims | No Auditing |
Object Access | |
---|---|
Application Generated | Success and Failure |
Central Access Policy Staging | No Auditing |
Certification Services | Success and Failure |
Detailed File Share | Success |
File Share | Success and Failure |
File System | Success |
Filtering Platform Connection | Success |
Filtering Platform Packet Drop | No Auditing |
Handle Manipulation | No Auditing |
Kernel Object | No Auditing |
Other Object Access Events | No Auditing |
Registry | Success |
Removable Storage | Success and Failure |
SAM | Success |
Policy Change | |
---|---|
Audit Policy Change | Success and Failure |
Authentication Policy Change | Success and Failure |
Authorization Policy Change | Success and Failure |
Filtering Platform Policy Change | Success |
MPSSVC Rule-Level Policy Change | No Auditing |
Other Policy Change Events | No Auditing |
Privilege Use | |
---|---|
Non Sensitive Privilege Use | No Auditing |
Other Privilege Use Events | No Auditing |
Sensitive Privilege Use | Success and Failure |
System | |
---|---|
IPsec Driver | Success |
Other System Events | Failure |
Security State Change | Success and Failure |
Security System Extension | Success and Failure |
System Integrity | Success and Failure |
Global Object | |
---|---|
File System | No Auditing |
Registry | No Auditing |
For advanced Microsoft command line and powershell module logging, make the following changes to group policy:
Windows offers an incredible amount of power with the settings that Group Policy can control, while these are just a portion of the logging GPO settings that can massively increase the visibility into an environment. Without a large portion of these settings, many different system attacks and malicious activities may end up being missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users to maintain a persistent connection on an endpoint
Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats
A pre-built set of group policy configurations for advanced Windows logging, in the form of a GPO (Group Policy Object) backup file you can download, free from Blumira. These are created by Blumira’s security team as our recommendations to help increase Windows log visibility for threat detection, and to help meet compliance auditing requirements.
A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained within a GPO – a GPO can represent policy settings in the file system and Active Directory.
Windows has limited logging capabilities enabled by default. Traditionally, this is a manual process that doesn’t get implemented by system administrators, resulting in many organizations overlooking these important configuration steps.
It provides organizations running Windows with a way to automate the configuration of a group policy object that provides verbose log visibility for threat detection and compliance.
We couldn’t find this group of policy settings anywhere, so we created it ourselves by modifying a baseline model from Microsoft and a few other sources. Other vendors give you all of the settings and it takes about a half hour for administrators to set up.
Instead of following a list and manually modifying 100 or so settings, it’s way easier to just import it from a backup. We wanted to make it easy and automated for customers to import the settings into your environment and start configuring logs today.
Flowmira is a set of customized NXLog configurations that can be used to generate data from Windows endpoints, used for greater visibility into host actions. We recommend using NXLog for Windows log collection.
NXLog is a multi-platform log shipping tool that Blumira recommends using to help easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs. In concept, NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog only.
You can download the community edition for free from NXLog. If you require WEF, you should obtain a license for the Commercial version of NXLog. If you’re a Blumira customer, you can utilize the Logstash Module to collect WEF logs instead of purchasing a NXLog Commercial license.
Windows logs are an invaluable source of security visibility. That said, time is a precious commodity. Spend that scarce resource somewhere other than designing a log forwarding configuration file with a proprietary syntax.
We couldn’t find this group of policy settings anywhere, so we created it ourselves by modifying a baseline model from Microsoft and a few other sources. Other vendors give you all of the settings and it takes about a half hour for administrators to set up.
Blumira is offering Flowmira to the public in order to help simplify Windows machine log collection for all organizations. These configurations can help you gain additional insight for better threat detection and response.
To support today’s remote workforce and the digital transformation of modern organizations, Microsoft’s cloud services and applications provide productivity, collaboration and infrastructure benefits. Cloud services help scale resources and increase business efficiency, but they also come with security blindspots, as many organizations must maintain both hybrid on-premises and cloud environments.
Microsoft Azure is a public cloud computing platform that can be used for different services like analytics, virtual computing, storage, networking and more. It provides solutions such as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)
Detecting security events in Azure is key to identifying early indicators of attacker reconnaissance
(discovery), access attempts, lateral movement, malware or ransomware infection, data exfiltration and more.
These are a few examples of anomalous, suspicious and threat-like behavior and activity within Microsoft Azure that you should be able to quickly detect and alert on.
Microsoft Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Detecting any setting modifications or changes in one or more of your Azure Key Vaults can keep you informed of potentially malicious behavior. Blumira’s platform detects and provides playbooks to walk you through next steps and further investigation.
Powershell is a very powerful tool that can cause serious harm to an environment if access falls into the hands of an attacker. Blumira can detect when a user account successfully authenticates without using multi-factor authentication (MFA), using Microsoft PowerShell command line to your Azure infrastructure. Blumira provides advice on next steps – in this case, disabling authentication for any account, especially those with administrative access. If determined to be a risk, Blumira recommends triggering incident response procedures and procedures for containment.
Password spraying, an attacker method of attempting a few authentications against many users or many authentications against one user, is a way to avoid brute-force or lockout detections. By detecting password spraying in use with an Azure Active Directory PowerShell session, you can identify when an attacker is attempting to access your environment. Blumira detects this and provides guidance on response – block the source IPs immediately and consider resetting passwords for targeted users.
Learn more about how easy it is to integrate Blumira with Microsoft Azure Event Hub, which streams Azure security events and logs to Blumira’s service for automated threat detection and response.
Office 365 (now named Microsoft 365) features a line of cloud-based, online versions of Microsoft Word PowerPoint, Excel and OneNote. It enables productivity and collaboration services, and is used widely by organizations and enterprises. As a result, it is also often targeted by attackers for access to company files and data.
These are just a few examples of anomalous, suspicious and threat-like behavior and activity within Microsoft Office 365 that you should be able to quickly detect and alert on.
To protect against unauthorized access to your Office 365 server, you should be able to detect login attempts using password spraying. Password spraying, an attacker method of attempting a few authentications against many users or many authentications against one user, is a way to avoid bruteforce or lockout detections. Blumira detects this and provides guidance on response – block the source IPs immediately and consider resetting passwords for targeted users.
Another detection to protect against unauthorized access is based on geographical location. By detecting any user attempts to authenticate to your network outside of the U.S. (or any countries you don’t do business with or in), you can be alerted to a potential login risk. Blumira can detect and alert you to any anomalous logins from different countries, which can be remote users or a malicious attacker attempting to authenticate to the network with legitimate user credentials
Another potential risk is if you detect a user enabling email forwarding for another user, targeting an organization. Unless it’s known and approved, Blumira recommends immediately stopping email forwarding, as it is often the first step in attacks against Office 365 environments. It’s worth considering disabling all email forwarding to reduce potential information leakage, and only allowing access when needed.
Learn more about how easy it is to integrate Blumira with Microsoft Office 365 to stream security events and logs to Blumira’s service for automated threat detection and response.
Easy deployment & use for organizations and IT teams of any size
Identify and respond to cybersecurity threats – all in one easy-to-use platform. Blumira’s cloud SIEM automates security operations for faster threat defense, even without a security team.
Companies can’t afford SecOps & current teams may have limited security expertise.
With over 10k alerts a day, how can analysts parse, analyze and investigate every alert?
– Fine-tuning SIEMs to get real security value out of them is slow & manual.
Failed SIEM deployments can drag on for months and years. Blumira’s cloud-delivered platform is designed for easy deployment in hours for small IT and security teams.
Blumira’s automated threat detection and response platform comes with pre-built rules and tuning, sending only prioritized alerts to your team.
Staffing your own team isn’t always an option. Blumira lets you run lean – while having access to our security team’s expertise when you really need it
– Steve Gatton, VP of IT Network, Fechheimer
– Kevin Hayes,CISO, Merit Network
Easily integrate with applications and security tools across your environment, including cloud and on-prem. Blumira’s cloud-delivered service collects and parses security events, logs and alerts for visibility through a single pane of glass.
Blumira’s guided and actionable remediation playbooks enable anyone in IT to easily respond to and stop cybersecurity threats – even without security expertise. Our security analysts give you step-by-step response workflows built into Blumira’s platform.
By correlating log data with continuously updated threat intelligence feeds, Blumira’s platform detects known and suspected cybersecurity threats. It reduces the noise of false-positive alerts with automation and fine-tuning. With
Blumira, you can deploy honeypots with the click of a button to detect lateral movement and unauthorized access across your environment.
Quickly and easily gain access to the reports you need with Blumira’s intuitive reporting capabilities. Blumira guides you through the process to get access to the data and reporting that you need to help you investigate, report and meet compliance requirements such as PCI DSS, FFIEC, NIST 800- 53, HIPAA and other compliance frameworks.
When known cybersecurity threats are detected, Blumira’s automated remediation capabilities implement blocking rules to stop active cybersecurity threats without requiring manual intervention. This helps stop attackers early before they can access to critical systems.
It’s easy to integrate, centralize logs and realize security value in a matter of hours. Blumira takes care of log parsing to ease the burden on your team. We integrate with firewalls, endpoint protection, identity management providers, cloud infrastructure and applications, productivity applications and much more.
See how easy it is to protect your organization from cybersecurity threats with Blumira’s automated threat detection & response solution.