+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows Event Log service has shut down.
+
+It also generates during normal system shutdown.
+
+This event doesn’t generate during emergency system reset.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows Security audit log was cleared.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows security log becomes full.
+
+This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows security log becomes full and new event log file was created.
+
+This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx)”.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates when event logging service encountered an error while processing an incoming event.
+
+It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.
+
+For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event:
+
+
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
+
+***Event Description:***
+
+This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized.
+
+It typically generates during operating system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates every time [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)).
+
+Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source.
+
+At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
+
+A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.).
+
+You typically see these events during operating system startup or user logon and authentication actions.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx).
+
+In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx).
+
+Password Filters are DLLs that are loaded or called when passwords are set or changed.
+
+Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
+
+***Event Description:***
+
+This event generates every time system time was changed.
+
+This event is always logged regardless of the "Audit Security State Change" sub-category setting.
+
+You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates every time [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)).
+
+Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
+
+Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
+
+It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/en-us/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+***Subcategory:*** [Audit Logon](audit-logon.md)
+
+***Event Description:***
+
+This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Network Information:**
+
+- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
+
+- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+
+ - 0 for interactive logons.
+
+**Detailed Authentication Information:**
+
+- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+
+ - **NTLM** – NTLM-family Authentication
+
+ - **Kerberos** – Kerberos authentication.
+
+ - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
+
+- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“New Logon\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“New Logon\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“New Logon\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- If “**Restricted Admin**” mode must be used for logons by certain accounts, use this event to monitor logons by “**New Logon\\Security ID**” in relation to “**Logon Type**”=10 and “**Restricted Admin Mode**”=”Yes”. If “**Restricted Admin Mode**”=”No” for these accounts, trigger an alert. + +- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “**Elevated Token**”=”Yes”. + +- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “**Virtual Account**”=”Yes”. + +- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. + +- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: + + - If the user account **“New Logon\\Security ID”** should never be used to log on from the specific **Computer:**. + + - If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**. + + - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. + + - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**. + + - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. + + - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. + +- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**. + +- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list. + diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md new file mode 100644 index 0000000000..882c481177 --- /dev/null +++ b/windows/keep-secure/event-4625.md @@ -0,0 +1,289 @@ +--- +title: 4625(F) An account failed to log on. (Windows 10) +description: Describes security event 4625(F) An account failed to log on. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4625(F): An account failed to log on. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
+
+***Event Description:***
+
+This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
+
+It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Network Information:**
+
+- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
+
+- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+
+ - 0 for interactive logons.
+
+**Detailed Authentication Information:**
+
+- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+
+ - **NTLM** – NTLM-family Authentication
+
+ - **Kerberos** – Kerberos authentication.
+
+ - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
+
+- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + diff --git a/windows/keep-secure/event-4626.md b/windows/keep-secure/event-4626.md new file mode 100644 index 0000000000..7ed1c4a5e0 --- /dev/null +++ b/windows/keep-secure/event-4626.md @@ -0,0 +1,181 @@ +--- +title: 4626(S) User/Device claims information. (Windows 10) +description: Describes security event 4626(S) User/Device claims information. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4626(S): User/Device claims information. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User/Device Claims](audit-user-device-claims.md)
+
+***Event Description:***
+
+This event generates for new account logons and contains user/device claims which were associated with a new logon session.
+
+This event does not generate if the user/device doesn’t have claims.
+
+For computer account logons you will also see device claims listed in the “**User Claims**” field.
+
+You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections.
+
+This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Group Membership](audit-group-membership.md)
+
+***Event Description:***
+
+This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.
+
+You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event.
+
+Multiple events are generated if the group membership information cannot fit in a single security audit event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logoff](audit-logoff.md)
+
+***Event Description:***
+
+This event shows that logon session was terminated and no longer exists.
+
+The main difference between “[4647](event-4647.md): User initiated logoff.” and 4647 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
+
+4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
+
+It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logoff](audit-logoff.md)
+
+***Event Description:***
+
+This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
+
+The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
+
+4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
+
+It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logon](audit-logon.md)
+
+***Event Description:***
+
+This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
+
+This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
+
+It is also a routine event which periodically occurs during normal operating system activity.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Network Information:**
+
+- **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+- **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+
+ - 0 for interactive logons.
+
+## Security Monitoring Recommendations
+
+For 4648(S): A logon was attempted using explicit credentials.
+
+The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**”
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the whitelist. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event. + +- If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event. + +- Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses. + diff --git a/windows/keep-secure/event-4649.md b/windows/keep-secure/event-4649.md new file mode 100644 index 0000000000..d360401748 --- /dev/null +++ b/windows/keep-secure/event-4649.md @@ -0,0 +1,79 @@ +--- +title: 4649(S) A replay attack was detected. (Windows 10) +description: Describes security event 4649(S) A replay attack was detected. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4649(S): A replay attack was detected. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. + +Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB\_AP\_ERR\_REPEAT. You can read more about this in [RFC-1510](http://www.ietf.org/rfc/rfc1510.txt). One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Schema:*** + +*A replay attack was detected.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Credentials Which Were Replayed:* + +> *Account Name:%5* +> +> *Account Domain:%6* + +*Process Information:* + +> *Process ID:%12* +> +> *Process Name:%13* + +*Network Information:* + +> *Workstation Name:%10* + +*Detailed Authentication Information:* + +> *Request Type:%7* +> +> *Logon Process:%8* +> +> *Authentication Package:%9* +> +> *Transited Services:%11* + +*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration."* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4649(S): A replay attack was detected. + +- This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated. + diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md new file mode 100644 index 0000000000..fbe4f6276e --- /dev/null +++ b/windows/keep-secure/event-4656.md @@ -0,0 +1,277 @@ +--- +title: 4656(S, F) A handle to an object was requested. (Windows 10) +description: Describes security event 4656(S, F) A handle to an object was requested. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4656(S, F): A handle to an object was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
+
+***Event Description:***
+
+This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+
+If access was declined, a Failure event is generated.
+
+This event generates only if the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights.
+
+This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.”
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+***Event XML***:
+```
+- 
+
+**Process Information:**
+
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+
+
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Access Request Information:**
+
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
+
+ This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
+
+| Access | Hexadecimal Value,Schema Value | Description | +|---------------------------------------------------------------------------------------|-------------------------------------|----------------| +| ReadData (or ListDirectory)
(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)
(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 14. File System objects access rights. + +- **Access Reasons** \[Type = UnicodeString\] \[Version 1\]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. + + + +- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. + +## Security Monitoring Recommendations + +For 4656(S, F): A handle to an object was requested. + +For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + +For other types of objects, the following recommendations apply. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Object Name** is a sensitive or critical object for which you need to monitor any access attempt, monitor all [4656](event-4656.md) events. + +- If **Object Name** is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4656](event-4656.md) events with the corresponding **Access Request Information\\Accesses** values. + +- If you need to monitor files and folders with specific Resource Attribute values, monitor for all [4656](event-4656.md) events with specific **Resource Attributes** field values. + + For file system objects, we recommend that you monitor these **Access Request Information\\Accesses** rights (especially for Failure events): + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + diff --git a/windows/keep-secure/event-4657.md b/windows/keep-secure/event-4657.md new file mode 100644 index 0000000000..f4795e4e3e --- /dev/null +++ b/windows/keep-secure/event-4657.md @@ -0,0 +1,179 @@ +--- +title: 4657(S) A registry value was modified. (Windows 10) +description: Describes security event 4657(S) A registry value was modified. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4657(S): A registry value was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Registry](audit-registry.md)
+
+***Event Description:***
+
+This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified.
+
+This event generates only if “Set Value" auditing is set in registry key’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Change Information:**
+
+- **Old Value Type** \[Type = UnicodeString\]**:** old type of changed registry key value. Registry key value types:
+
+| Value Type | Description |
+|-----------------|-------------------------|
+| REG\_SZ | String |
+| REG\_BINARY | Binary |
+| REG\_DWORD | DWORD (32-bit) Value |
+| REG\_QWORD | QWORD (64-bit) Value |
+| REG\_MULTI\_SZ | Multi-String Value |
+| REG\_EXPAND\_SZ | Expandable String Value |
+
+- **Old Value** \[Type = UnicodeString\]: old value for changed registry key value.
+
+- **New Value Type** \[Type = UnicodeString\]**:** new type of changed registry key value. See table above for possible values.
+
+- **New Value** \[Type = UnicodeString\]: new value for changed registry key value.
+
+## Security Monitoring Recommendations
+
+For 4657(S): A registry value was modified.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events.
+
+- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events.
+
diff --git a/windows/keep-secure/event-4658.md b/windows/keep-secure/event-4658.md
new file mode 100644
index 0000000000..41f3978e7d
--- /dev/null
+++ b/windows/keep-secure/event-4658.md
@@ -0,0 +1,132 @@
+---
+title: 4658(S) The handle to an object was closed. (Windows 10)
+description: Describes security event 4658(S) The handle to an object was closed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4658(S): The handle to an object was closed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Handle Manipulation](audit-handle-manipulation.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
+
+***Event Description:***
+
+This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+
+This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
+
+Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4658(S): The handle to an object was closed.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
+
+- This event can be used to track all actions or operations related to a specific object handle.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
diff --git a/windows/keep-secure/event-4660.md b/windows/keep-secure/event-4660.md
new file mode 100644
index 0000000000..8621c75ec2
--- /dev/null
+++ b/windows/keep-secure/event-4660.md
@@ -0,0 +1,133 @@
+---
+title: 4660(S) An object was deleted. (Windows 10)
+description: Describes security event 4660(S) An object was deleted.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4660(S): An object was deleted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), and [Audit Registry](audit-registry.md)
+
+***Event Description:***
+
+This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
+
+This event generates only if “Delete" auditing is set in object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
+
+This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion.
+
+The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+
+
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
+
+ This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+## Security Monitoring Recommendations
+
+For 4660(S): An object was deleted.
+
+- This event doesn’t contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
+
+- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
+
diff --git a/windows/keep-secure/event-4661.md b/windows/keep-secure/event-4661.md
new file mode 100644
index 0000000000..d57a37f333
--- /dev/null
+++ b/windows/keep-secure/event-4661.md
@@ -0,0 +1,220 @@
+---
+title: 4661(S, F) A handle to an object was requested. (Windows 10)
+description: Describes security event 4661(S, F) A handle to an object was requested.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4661(S, F): A handle to an object was requested.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategories:*** [Audit Directory Service Access](audit-directory-service-access.md) and [Audit SAM](audit-sam.md)
+
+***Event Description:***
+
+This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
+
+If access was declined, then Failure event is generated.
+
+This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML***: +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Access Request Information:**
+
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
+
+ This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory. + +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. + +## Security Monitoring Recommendations + +For 4661(S, F): A handle to an object was requested. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. + diff --git a/windows/keep-secure/event-4662.md b/windows/keep-secure/event-4662.md new file mode 100644 index 0000000000..2137b547fe --- /dev/null +++ b/windows/keep-secure/event-4662.md @@ -0,0 +1,248 @@ +--- +title: 4662(S, F) An operation was performed on an object. (Windows 10) +description: Describes security event 4662(S, F) An operation was performed on an object. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4662(S, F): An operation was performed on an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Directory Service Access](audit-directory-service-access.md)
+
+***Event Description:***
+
+This event generates every time when an operation was performed on an Active Directory object.
+
+This event generates only if appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL.
+
+If operation failed then Failure event will be generated.
+
+You will get one 4662 for each operation type which was performed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
The right to perform an operation controlled by an extended access right. | +| 0x10000 | DELETE | The right to delete the object.
DELETE also generated when object was moved. | +| 0x20000 | READ\_CONTROL | The right to read data from the security descriptor of the object, not including the data in the SACL. | +| 0x40000 | WRITE\_DAC | The right to modify the discretionary access-control list (DACL) in the object security descriptor. | +| 0x80000 | WRITE\_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. | +| 0x100000 | SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. | +| 0x1000000 | ADS\_RIGHT\_ACCESS\_SYSTEM\_SECURITY | The right to get or set the SACL in the object security descriptor. | +| 0x80000000 | ADS\_RIGHT\_GENERIC\_READ | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container. | +| 0x40000000 | ADS\_RIGHT\_GENERIC\_WRITE | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. | +| 0x20000000 | ADS\_RIGHT\_GENERIC\_EXECUTE | The right to read permissions on, and list the contents of, a container object. | +| 0x10000000 | ADS\_RIGHT\_GENERIC\_ALL | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. | + +> Table 9. Active Directory Access Codes and Rights. + +- **Properties** \[Type = UnicodeString\]: first part is the type of access that was used. Typically has the same value as **Accesses** field. + + Second part is a tree of **GUID** values of Active Directory classes or property sets, for which operation was performed. + +> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +To translate this GUID, use the following procedure: + +- Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(schemaIDGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2 + + - Take first 3 sections bf967a86-0de6-11d0. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011 + + - Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2 + + - Delete - : 867a96bfe60dd011a28500aa003049e2 + + - Divide bytes with backslashes: \\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2 + + - Filter example: (&(objectClass=\*)(schemaIDGUID=\\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2)) + + - Scope: Subtree + + - Attributes: schemaIDGUID + +
+
+Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | Computer
Private-Information property set
ms-PKI-RoamingTimeStamp
ms-PKI-DPAPIMasterKeys
ms-PKI-AccountCredentials | + +**Additional Information:** + +- **Parameter 1** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **Parameter 2** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +## Security Monitoring Recommendations + +For 4662(S, F): An operation was performed on an object. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class. + +- If you need to monitor operations attempts to specific Active Directory objects, monitor for **Object Name** field with specific object name. For example, we recommend that you monitor all operations attempts to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object. + +- Some access types are more important to monitor, for example: + + - Write Property + + - Control Access + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + + You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for **Accesses** field with specific access type. + +- If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID. + +- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations. + diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md new file mode 100644 index 0000000000..18fa7b3352 --- /dev/null +++ b/windows/keep-secure/event-4663.md @@ -0,0 +1,223 @@ +--- +title: 4663(S) An attempt was made to access an object. (Windows 10) +description: Describes security event 4663(S) An attempt was made to access an object. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4663(S): An attempt was made to access an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
+
+***Event Description:***
+
+This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+
+This event generates only if object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use.
+
+The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Process Information:**
+
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+
+
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Access Request Information:**
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
+
+| Access | Hex Value,Schema Value | Description | +|----------------------------------------------------------------------------------------|-----------------------------|---------------------| +| ReadData (or ListDirectory)
(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)
(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 15. File System objects access rights. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. + +## Security Monitoring Recommendations + +For 4663(S): An attempt was made to access an object. + +For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + +For other types of objects, the following recommendations apply. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**. + +- If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for **Object Name** in relation to **Access Request Information\\Accesses**. + +- If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for **Resource Attributes**. + +- If **Object Name** is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4663](event-4663.md) events with the corresponding **Access Request Information\\Accesses**. + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- For file system objects, we recommend that you monitor for these **Access Request Information\\Accesses** rights: + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + diff --git a/windows/keep-secure/event-4664.md b/windows/keep-secure/event-4664.md new file mode 100644 index 0000000000..4a4c04f599 --- /dev/null +++ b/windows/keep-secure/event-4664.md @@ -0,0 +1,109 @@ +--- +title: 4664(S) An attempt was made to create a hard link. (Windows 10) +description: Describes security event 4664(S) An attempt was made to create a hard link. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4664(S): An attempt was made to create a hard link. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit File System](audit-file-system.md)
+
+***Event Description:***
+
+This event generates when an NTFS hard link was successfully created.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Registry](audit-registry.md), [Audit Authentication Policy Change](audit-authentication-policy-change.md), and [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
+
+This event does not generate if the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed.
+
+Before this event can generate, certain ACEs might need to be set in the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Permissions Change:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Special Logon](audit-special-logon.md)
+
+***Event Description:***
+
+This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:
+
+- SeTcbPrivilege - Act as part of the operating system
+
+- SeBackupPrivilege - Back up files and directories
+
+- SeCreateTokenPrivilege - Create a token object
+
+- SeDebugPrivilege - Debug programs
+
+- SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
+
+- SeAuditPrivilege - Generate security audits
+
+- SeImpersonatePrivilege - Impersonate a client after authentication
+
+- SeLoadDriverPrivilege - Load and unload device drivers
+
+- SeSecurityPrivilege - Manage auditing and security log
+
+- SeSystemEnvironmentPrivilege - Modify firmware environment values
+
+- SeAssignPrimaryTokenPrivilege - Replace a process-level token
+
+- SeRestorePrivilege - Restore files and directories,
+
+- SeTakeOwnershipPrivilege - Take ownership of files or other objects
+
+You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | + +## Security Monitoring Recommendations + +For 4672(S): Special privileges assigned to new logon. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. + +- If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for example, SeDebugPrivilege), use this event to monitor for those “**Privileges**.” + + + +- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event. + diff --git a/windows/keep-secure/event-4673.md b/windows/keep-secure/event-4673.md new file mode 100644 index 0000000000..2816879567 --- /dev/null +++ b/windows/keep-secure/event-4673.md @@ -0,0 +1,196 @@ +--- +title: 4673(S, F) A privileged service was called. (Windows 10) +description: Describes security event 4673(S, F) A privileged service was called. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4673(S, F): A privileged service was called. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
+
+***Event Description:***
+
+This event generates when an attempt was made to perform privileged system service operations.
+
+This event generates, for example, when **SeSystemtimePrivilege**, **SeCreateGlobalPrivilege**, or **SeTcbPrivilege** privilege was used.
+
+Failure event generates when service call attempt fails.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Service Request Information**:
+
+- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
+
+| **Subcategory of event** | **Privilege Name: User Right Group Policy Name** | **Description** | +|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
**Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
**Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
**Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
**Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
**Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
**Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
**Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
**Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
**Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
**Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
**Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
**Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
**Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAuditPrivilege:
**Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | **SeDebugPrivilege:
**Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
**Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | **SeTcbPrivilege:
**Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| Audit Sensitive Privilege Use | **SeEnableDelegationPrivilege:
**Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | + +## Security Monitoring Recommendations + +For 4673(S, F): A privileged service was called. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. + +- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.” + +- If you need to monitor events related to specific Windows security services or functions (“**Service\\Service Name**”), for example **LsaRegisterLogonProcess()**, monitor this event for the corresponding “**Service\\Service Name**.” + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- For a specific “**Subject\\Security ID**,” if there is a defined list of allowed privileges, monitor for “**Privileges**” that it should not be able to use. + +- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” + +- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” + diff --git a/windows/keep-secure/event-4674.md b/windows/keep-secure/event-4674.md new file mode 100644 index 0000000000..3693ca894f --- /dev/null +++ b/windows/keep-secure/event-4674.md @@ -0,0 +1,224 @@ +--- +title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10) +description: Describes security event 4674(S, F) An operation was attempted on a privileged object. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4674(S, F): An operation was attempted on a privileged object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
+
+***Event Description:***
+
+This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.
+
+This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.
+
+Failure event generates when operation attempt fails.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Requested Operation**:
+
+- **Desired Access** \[Type = UnicodeString\]: The desired access mask. This mask depends on **Object Server** and **Object Type** parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If **Desired Access** is not presented, then this parameter will have “**0**” value.
+
+- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
+
+| **Subcategory of event** | **Privilege Name: User Right Group Policy Name** | **Description** | +|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
**Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
**Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
**Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
**Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
**Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
**Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
**Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
**Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
**Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
**Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
**Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
**Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
**Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-------------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAuditPrivilege:
**Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | **SeBackupPrivilege:
**Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | **SeDebugPrivilege:
**Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
**Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | **SeRestorePrivilege:
**Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | **SeSecurityPrivilege:
**Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | **SeTakeOwnershipPrivilege:
**Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | + +## Security Monitoring Recommendations + +For 4674(S, F): An operation was attempted on a privileged object. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. + + + +- If you need to monitor events related to specific Windows subsystems (“**Object Server**”), for example **LSA** or **Security Account Manager**, monitor this event for the corresponding “**Object Server**.” + +- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + + + +- If you know that specific “**Subject\\Security ID**” should only be able to use the privileges in a pre-defined list, monitor for events in which “**Subject\\Security ID**” used “**Privileges**” that are not on that list. + + + +- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” + +- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” + diff --git a/windows/keep-secure/event-4675.md b/windows/keep-secure/event-4675.md new file mode 100644 index 0000000000..de11244f51 --- /dev/null +++ b/windows/keep-secure/event-4675.md @@ -0,0 +1,61 @@ +--- +title: 4675(S) SIDs were filtered. (Windows 10) +description: Describes security event 4675(S) SIDs were filtered. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4675(S): SIDs were filtered. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when SIDs were filtered for specific Active Directory trust. + +See more information about SID filtering here:
+
+***Subcategory:*** [Audit Process Creation](audit-process-creation.md)
+
+***Event Description:***
+
+This event generates every time a new process starts.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
+
+- **Token Elevation Type** \[Type = UnicodeString\]**: **
+
+ - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
+
+ - **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
+
+ - **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
+
+- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values:
+
+| SID | RID | RID label | Meaning |
+|--------------|------------|----------------------------------------------|------------------------|
+| S-1-16-0 | 0x00000000 | SECURITY\_MANDATORY\_UNTRUSTED\_RID | Untrusted. |
+| S-1-16-4096 | 0x00001000 | SECURITY\_MANDATORY\_LOW\_RID | Low integrity. |
+| S-1-16-8192 | 0x00002000 | SECURITY\_MANDATORY\_MEDIUM\_RID | Medium integrity. |
+| S-1-16-8448 | 0x00002100 | SECURITY\_MANDATORY\_MEDIUM\_PLUS\_RID | Medium high integrity. |
+| S-1-16-12288 | 0X00003000 | SECURITY\_MANDATORY\_HIGH\_RID | High integrity. |
+| S-1-16-16384 | 0x00004000 | SECURITY\_MANDATORY\_SYSTEM\_RID | System integrity. |
+| S-1-16-20480 | 0x00005000 | SECURITY\_MANDATORY\_PROTECTED\_PROCESS\_RID | Protected process. |
+
+- **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable “Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events” group policy to include command line in process creation events:
+
+ 
+
+ By default **Process Command Line** field is empty.
+
+## Security Monitoring Recommendations
+
+For 4688(S): A new process has been created.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value. + +- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.” + +- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. + +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** Typically this means that UAC is disabled for this account for some reason. + +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** This means that a user ran a program using administrative privileges. + +- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. + +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event. + diff --git a/windows/keep-secure/event-4689.md b/windows/keep-secure/event-4689.md new file mode 100644 index 0000000000..9acfebcd83 --- /dev/null +++ b/windows/keep-secure/event-4689.md @@ -0,0 +1,119 @@ +--- +title: 4689(S) A process has exited. (Windows 10) +description: Describes security event 4689(S) A process has exited. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4689(S): A process has exited. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Process Termination](audit-process-termination.md)
+
+***Event Description:***
+
+This event generates every time a process has exited.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md)(S): A new process has been created” **New Process ID** on this computer.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the executable name of the exited/terminated process.
+
+- **Exit Status** \[Type = HexInt32\]**:** hexadecimal exit code of exited/terminated process. This exit code is unique for every application, check application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process.
+
+## Security Monitoring Recommendations
+
+For 4689(S): A process has exited.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor **Process Name** field in [4689](event-4689.md) events for these process names.
+
diff --git a/windows/keep-secure/event-4690.md b/windows/keep-secure/event-4690.md
new file mode 100644
index 0000000000..c96c508880
--- /dev/null
+++ b/windows/keep-secure/event-4690.md
@@ -0,0 +1,118 @@
+---
+title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)
+description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4690(S): An attempt was made to duplicate a handle to an object.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Handle Manipulation](audit-handle-manipulation.md)
+
+***Event Description:***
+
+This event generates if an attempt was made to duplicate a handle to an object.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+**New Handle Information:**
+
+- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories.
+
+- **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
+
+## Security Monitoring Recommendations
+
+For 4690(S): An attempt was made to duplicate a handle to an object.
+
+- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
+
+- This event can be used to track all actions or operations related to a specific object handle.
+
diff --git a/windows/keep-secure/event-4691.md b/windows/keep-secure/event-4691.md
new file mode 100644
index 0000000000..ed50802c98
--- /dev/null
+++ b/windows/keep-secure/event-4691.md
@@ -0,0 +1,135 @@
+---
+title: 4691(S) Indirect access to an object was requested. (Windows 10)
+description: Describes security event 4691(S) Indirect access to an object was requested.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4691(S): Indirect access to an object was requested.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event indicates that indirect access to an object was requested.
+
+These events are generated for [ALPC Ports](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964738(v=vs.85).aspx) access request actions.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+**Access Request Information:**
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use 
+
+***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md)
+
+***Event Description:***
+
+This event generates every time that a backup is attempted for the [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key.
+
+When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
+
+Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
+
+This event also generates every time a new DPAPI Master Key is generated, for example.
+
+This event generates on domain controllers, member servers, and workstations.
+
+Failure event generates when a Master Key backup operation fails for some reason.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md)
+
+***Event Description:***
+
+This event generates every time that recovery is attempted for a [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key.
+
+While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
+
+This event generates on domain controllers, member servers, and workstations.
+
+Failure event generates when a Master Key restore operation fails for some reason.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Process Creation](audit-process-creation.md)
+
+***Event Description:***
+
+This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on.
+
+***IMPORTANT*:** this event is deprecated starting from Windows 7 and Windows 2008 R2.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]: full path and the name of the executable for the process which ran the new process with new security token.
+
+**Target Process:**
+
+- **Target Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Target Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
+
+**New Token Information:**
+
+- **Security ID** \[Type = SID\]**:** SID of account through which the security token will be assigned to the new process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
+
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+
+- **Account Name** \[Type = UnicodeString\]**:** the name of the account through which the security token will be assigned to the new process.
+
+- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+
+ - Domain NETBIOS name example: CONTOSO
+
+ - Lowercase full domain name: contoso.local
+
+ - Uppercase full domain name: CONTOSO.LOCAL
+
+ - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+
+ - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+
+- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+
+## Security Monitoring Recommendations
+
+For 4696(S): A primary token was assigned to process.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Subject\\Security ID”** or **“New Token Information\\Security ID”** for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**Process Name**” or “**Target Process Name**” for the process reported in this event, monitor all events with “**Process Name**” or “**Target Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” or “**Target Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**” or “**Target Process Name**”. + +- It can be uncommon if process runs using local account. + diff --git a/windows/keep-secure/event-4697.md b/windows/keep-secure/event-4697.md new file mode 100644 index 0000000000..b5bd6dc109 --- /dev/null +++ b/windows/keep-secure/event-4697.md @@ -0,0 +1,156 @@ +--- +title: 4697(S) A service was installed in the system. (Windows 10) +description: Describes security event 4697(S) A service was installed in the system. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4697(S): A service was installed in the system. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates when new service was installed in the system.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Service File Name** \[Type = UnicodeString\]: This is the fully rooted path to the file that the Service Control Manager will execute to start the service. If command-line parameters are specified as part of the image path, those are logged.
+
+ Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events.
+
+- **Service Type** \[Type = HexInt32\]: Indicates the [type](https://msdn.microsoft.com/en-us/library/tfdtdw0e(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following:
+
+| Value | Service Type | Description |
+|-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0x1 | Kernel Driver | A Kernel device driver such as a hard disk or other low-level hardware device driver. |
+| 0x2 | File System Driver | A file system driver, which is also a Kernel device driver. |
+| 0x8 | Recognizer Driver | A file system driver used during startup to determine the file systems present on the system. |
+| 0x10 | Win32 Own Process | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). |
+| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.(see:
(see:
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a new scheduled task is created.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx).”
+
+## Security Monitoring Recommendations
+
+For 4698(S): A scheduled task was created.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- We recommend monitoring all scheduled task creation events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
+
+- Monitor for new tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
+
+- In the new task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
+
diff --git a/windows/keep-secure/event-4699.md b/windows/keep-secure/event-4699.md
new file mode 100644
index 0000000000..f5e298828f
--- /dev/null
+++ b/windows/keep-secure/event-4699.md
@@ -0,0 +1,110 @@
+---
+title: 4699(S) A scheduled task was deleted. (Windows 10)
+description: Describes security event 4699(S) A scheduled task was deleted.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4699(S): A scheduled task was deleted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a scheduled task was deleted.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the deleted task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4699(S): A scheduled task was deleted.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- We recommend monitoring all scheduled task deletion events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. However, this event does not often happen.
+
+- Monitor for deleted tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. Deletion of such tasks can be a sign of malicious activity.
+
+- If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**.
+
diff --git a/windows/keep-secure/event-4700.md b/windows/keep-secure/event-4700.md
new file mode 100644
index 0000000000..f0af1f518a
--- /dev/null
+++ b/windows/keep-secure/event-4700.md
@@ -0,0 +1,106 @@
+---
+title: 4700(S) A scheduled task was enabled. (Windows 10)
+description: Describes security event 4700(S) A scheduled task was enabled.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4700(S): A scheduled task was enabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a scheduled task is enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the enabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4700(S): A scheduled task was enabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**.
+
diff --git a/windows/keep-secure/event-4701.md b/windows/keep-secure/event-4701.md
new file mode 100644
index 0000000000..fcecfb76bd
--- /dev/null
+++ b/windows/keep-secure/event-4701.md
@@ -0,0 +1,106 @@
+---
+title: 4701(S) A scheduled task was disabled. (Windows 10)
+description: Describes security event 4701(S) A scheduled task was disabled.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4701(S): A scheduled task was disabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a scheduled task is disabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the disabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4701(S): A scheduled task was disabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**.
+
diff --git a/windows/keep-secure/event-4702.md b/windows/keep-secure/event-4702.md
new file mode 100644
index 0000000000..3c3e7535dc
--- /dev/null
+++ b/windows/keep-secure/event-4702.md
@@ -0,0 +1,108 @@
+---
+title: 4702(S) A scheduled task was updated. (Windows 10)
+description: Describes security event 4702(S) A scheduled task was updated.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4702(S): A scheduled task was updated.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time scheduled task was updated/changed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task New Content** \[Type = UnicodeString\]: the new [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) for the updated task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4702(S): A scheduled task was updated.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
+
+- In the updated scheduled task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
+
diff --git a/windows/keep-secure/event-4703.md b/windows/keep-secure/event-4703.md
new file mode 100644
index 0000000000..e6ab98abc4
--- /dev/null
+++ b/windows/keep-secure/event-4703.md
@@ -0,0 +1,194 @@
+---
+title: 4703(S) A user right was adjusted. (Windows 10)
+description: Describes security event 4703(S) A user right was adjusted.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4703(S): A user right was adjusted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+Token privileges provide the ability to take certain system-level actions that you only need to do at particular moments. For example, anybody can restart a computer, but the operating system doesn’t enable that privilege by default. Instead, the privilege is enabled when you click **Shutdown**. You can check the current state of the user’s token privileges using the **whoami /priv** command:
+
+
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+
+
+- **Enabled Privileges** \[Type = UnicodeString\]**:** the list of enabled user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
+
+| Privilege Name | User Right Group Policy Name | Description |
+|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +**Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above. + +## Security Monitoring Recommendations + +For 4703(S): A user right was adjusted. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | +| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4704.md b/windows/keep-secure/event-4704.md new file mode 100644 index 0000000000..06708cb228 --- /dev/null +++ b/windows/keep-secure/event-4704.md @@ -0,0 +1,156 @@ +--- +title: 4704(S) A user right was assigned. (Windows 10) +description: Describes security event 4704(S) A user right was assigned. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4704(S): A user right was assigned. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local user right policy is changed and user right was assigned to an account.
+
+You will see unique event for every user.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + + +## Security Monitoring Recommendations + +For 4704(S): A user right was assigned. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. | +| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “**New Right\\User Right**” to your list of user rights, to see whether the right should be assigned to **“Target Account\\Account Name**.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, your list of restricted rights might say that only administrative accounts should have **SeAuditPrivilege**. As another example, your list might say that no accounts should have **SeTcbPrivilege** or **SeDebugPrivilege**. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4705.md b/windows/keep-secure/event-4705.md new file mode 100644 index 0000000000..475c72b108 --- /dev/null +++ b/windows/keep-secure/event-4705.md @@ -0,0 +1,155 @@ +--- +title: 4705(S) A user right was removed. (Windows 10) +description: Describes security event 4705(S) A user right was removed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4705(S): A user right was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local user right policy is changed and user right was removed from an account.
+
+You will see unique event for every user.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +## Security Monitoring Recommendations + +For 4705(S): A user right was removed. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user rights policies, for example, a whitelist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | +| **User rights that should be restricted**: You might have a list of user rights that you want to monitor. | Monitor this event and compare the **“Removed Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md new file mode 100644 index 0000000000..92a9152b46 --- /dev/null +++ b/windows/keep-secure/event-4706.md @@ -0,0 +1,149 @@ +--- +title: 4706(S) A new trust was created to a domain. (Windows 10) +description: Describes security event 4706(S) A new trust was created to a domain. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4706(S): A new trust was created to a domain. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when a new trust was created to a domain.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | + +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: + + - Enabled + + - Disabled + +## Security Monitoring Recommendations + +For 4706(S): A new trust was created to a domain. + +- Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4707.md b/windows/keep-secure/event-4707.md new file mode 100644 index 0000000000..7698e07d9f --- /dev/null +++ b/windows/keep-secure/event-4707.md @@ -0,0 +1,104 @@ +--- +title: 4707(S) A trust to a domain was removed. (Windows 10) +description: Describes security event 4707(S) A trust to a domain was removed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4707(S): A trust to a domain was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when a domain trust was removed.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when [Kerberos policy](https://technet.microsoft.com/en-us/library/cc782061(v=ws.10).aspx) was changed.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
To convert the **KerProxy** to minutes you need to:
Convert the value to decimal value.
Divide value by 600000000. | +| KerMaxR | 1. Maximum lifetime for user ticket renewal.
To convert the **KerProxy** to days you need to:
Convert the value to decimal value.
Divide value by 864000000000. | +| KerMaxT | 1. Maximum lifetime for user ticket.
To convert the **KerMaxT** to hours you need to:
Convert the value to decimal value.
Divide value by 36000000000. | +| KerMinT | 1. Maximum lifetime for service ticket.
To convert the **KerMinT** to minutes you need to:
Convert the value to decimal value.
Divide value by 600000000. | +| KerOpts | - Enforce user logon restrictions:
0x80 – Enabled
0x0 - Disabled | + +This event shows changes in “Kerberos policy”. Here is location of Kerberos policies in Group Policy management console: + +
+
+## Security Monitoring Recommendations
+
+For 4713(S): Kerberos policy was changed.
+
+- Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
+
diff --git a/windows/keep-secure/event-4714.md b/windows/keep-secure/event-4714.md
new file mode 100644
index 0000000000..c113a6acf4
--- /dev/null
+++ b/windows/keep-secure/event-4714.md
@@ -0,0 +1,73 @@
+---
+title: 4714(S) Encrypted data recovery policy was changed. (Windows 10)
+description: Describes security event 4714(S) Encrypted data recovery policy was changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4714(S): Encrypted data recovery policy was changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](https://technet.microsoft.com/en-us/library/cc700811.aspx)) has changed.
+
+This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](https://technet.microsoft.com/en-us/library/cc778208(v=ws.10).aspx) was changed for the computer or device.
+
+In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](https://msdn.microsoft.com/en-us/library/cc232284.aspx) registry value is changed during a Group Policy update.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local audit policy security descriptor changes.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when the trust was modified.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | + +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: + + - Enabled + + - Disabled + + If this attribute was not changed, then it will have “**-**“ value or its old value. + +## Security Monitoring Recommendations + +For 4716(S): Trusted domain information was modified. + +- Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4717.md b/windows/keep-secure/event-4717.md new file mode 100644 index 0000000000..a6fc571002 --- /dev/null +++ b/windows/keep-secure/event-4717.md @@ -0,0 +1,130 @@ +--- +title: 4717(S) System security access was granted to an account. (Windows 10) +description: Describes security event 4717(S) System security access was granted to an account. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4717(S): System security access was granted to an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was granted to an account.
+
+You will see unique event for every user if logon user rights were granted to multiple accounts.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. | +| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**). | Monitor this event and compare the **“Access Right”** to your list of restricted rights. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4718.md b/windows/keep-secure/event-4718.md new file mode 100644 index 0000000000..a3dce890af --- /dev/null +++ b/windows/keep-secure/event-4718.md @@ -0,0 +1,130 @@ +--- +title: 4718(S) System security access was removed from an account. (Windows 10) +description: Describes security event 4718(S) System security access was removed from an account. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4718(S): System security access was removed from an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was removed from an account.
+
+You will see unique event for every user if logon user rights were removed for multiple accounts.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. | +| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**).
**“Deny” rights that should not be removed**: Your organization might use “Deny” rights that should not be removed, for example, SeDenyRemoteInteractiveLogonRight. | - Monitor this event and compare the **“Access Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted, so that you can investigate further.
You can also monitor this event to discover the removal of “Deny” rights. When these rights are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights include:
SeDenyNetworkLogonRight:
SeDenyBatchLogonRight
SeDenyServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4719.md b/windows/keep-secure/event-4719.md new file mode 100644 index 0000000000..58d6ee111c --- /dev/null +++ b/windows/keep-secure/event-4719.md @@ -0,0 +1,163 @@ +--- +title: 4719(S) System audit policy was changed. (Windows 10) +description: Describes security event 4719(S) System audit policy was changed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4719(S): System audit policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates when the computer's audit policy changes.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Changes:** changes which were made for **“Subcategory”**. Possible values:
+
+ - Success removed
+
+ - Failure removed
+
+ - Success added
+
+ - Failure added
+
+ It can be also a combination of any of the items above, separated by coma.
+
+## Security Monitoring Recommendations
+
+For 4719(S): System audit policy was changed.
+
+- Monitor for all events of this type, especially on high value assets or computers, because any change in local audit policy should be planned. If this action was not planned, investigate the reason for the change.
+
diff --git a/windows/keep-secure/event-4720.md b/windows/keep-secure/event-4720.md
new file mode 100644
index 0000000000..7ef1a7b270
--- /dev/null
+++ b/windows/keep-secure/event-4720.md
@@ -0,0 +1,288 @@
+---
+title: 4720(S) A user account was created. (Windows 10)
+description: Describes security event 4720(S) A user account was created.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4720(S): A user account was created.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a new user object is created.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Account Enabled | +| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. | +| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled | +| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. | +| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled | +| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. | +| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled | +| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | +| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled | +| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | +| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled | +| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled | +| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled | +| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled | +| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled | +| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled | +| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled | +| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled | +| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled | +| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | +| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | + +For new, manually created, domain or local user accounts typical flags are: + +- Account Disabled + +- 'Password Not Required' - Enabled + +- 'Normal Account' – Enabled + + After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags: + +- 'Password Not Required' – Disabled + +- Account Enabled + + + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new user object. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will typically see “**<value not set>**” value for new manually created user accounts in event 4720. For new local accounts this field is not applicable and typically has value “**All**”. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4720(S): A user account was created. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Some organizations monitor every [4720](event-4720.md) event. + +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **SAM Account Name** is empty or - | This field must contain the user account name. If it is empty or **-**, it might indicate an anomaly. | +| **User Principal Name** is empty or - | Typically this field should not be empty for new user accounts. If it is empty or **-**, it might indicate an anomaly. | +| **Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not - | Typically these fields are **-** for new user accounts. Other values might indicate an anomaly and should be monitored.
For local accounts these fields should display **<value not set>**. | +| **Password Last Set** is **<never>** | This typically means this is a manually created user account, which you might need to monitor. | +| **Password Last Set** is a time in the future | This might indicate an anomaly. | +| **Account Expires** is not **<never>** | Typically this field is **<never>** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | +| **Allowed To Delegate To** is not - | Typically this field is **-** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | +| **Logon Hours** value other than **<value not set>** or** “All”** | This should always be **<value not set>** for new domain user accounts, and **“All”** for new local user accounts. | + +- Consider whether to track the following user account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Normal Account'** – Disabled | Should not be disabled for user accounts. | +| **'Encrypted Text Password Allowed'** – Enabled
**'Smartcard Required'** – Enabled
**'Not Delegated'** – Enabled
**'Use DES Key Only'** – Enabled
**'Don't Require Preauth'** – Enabled
**'Trusted To Authenticate For Delegation'** – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. | +| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. | +| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. | +| **'Trusted For Delegation'** – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers. | + diff --git a/windows/keep-secure/event-4722.md b/windows/keep-secure/event-4722.md new file mode 100644 index 0000000000..aaf7fa9ca4 --- /dev/null +++ b/windows/keep-secure/event-4722.md @@ -0,0 +1,123 @@ +--- +title: 4722(S) A user account was enabled. (Windows 10) +description: Describes security event 4722(S) A user account was enabled. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4722(S): A user account was enabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user or computer object is enabled.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For computer accounts, this event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user attempts to change his or her password.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For domain accounts, a Failure event generates if new password fails to meet the password policy.
+
+For local accounts, a Failure event generates if new password fails to meet the password policy or old password is wrong.
+
+For domain accounts if old password was wrong, then “[4771](event-4771.md): Kerberos pre-authentication failed” or “[4776](event-4776.md): The computer attempted to validate the credentials for an account” will be generated on domain controller if specific subcategories were enabled on it.
+
+Typically you will see 4723 events with the same **Subject\\Security ID** and **Target Account\\Security ID** fields, which is normal behavior.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time an account attempted to reset the password for another account.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For domain accounts, a Failure event generates if the new password fails to meet the password policy.
+
+A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.
+
+This event also generates if a computer account reset procedure was performed.
+
+For local accounts, a Failure event generates if the new password fails to meet the local password policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user or computer object is disabled.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For computer accounts, this event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user object was deleted.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new security-enabled (security) local group was created.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new member was added to a security-enabled (security) local group.
+
+This event generates on domain controllers, member servers, and workstations.
+
+For every added member you will get separate 4732 event.
+
+You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4732 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).
Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | +| **Mismatch between type of account (user or computer) and the group it was added to**: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers. | Monitor the type of account added to the group to see if it matches what the group is intended for. | + diff --git a/windows/keep-secure/event-4733.md b/windows/keep-secure/event-4733.md new file mode 100644 index 0000000000..5b4c8ee111 --- /dev/null +++ b/windows/keep-secure/event-4733.md @@ -0,0 +1,164 @@ +--- +title: 4733(S) A member was removed from a security-enabled local group. (Windows 10) +description: Describes security event 4733(S) A member was removed from a security-enabled local group. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4733(S): A member was removed from a security-enabled local group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time member was removed from security-enabled (security) local group.
+
+This event generates on domain controllers, member servers, and workstations.
+
+For every removed member you will get separate 4733 event.
+
+You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4733 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups. | +| **Local or domain security groups with required members**: You might need to ensure that for certain local or domain security groups, particular members are never removed. | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4734.md b/windows/keep-secure/event-4734.md new file mode 100644 index 0000000000..5ee0ad8db7 --- /dev/null +++ b/windows/keep-secure/event-4734.md @@ -0,0 +1,126 @@ +--- +title: 4734(S) A security-enabled local group was deleted. (Windows 10) +description: Describes security event 4734(S) A security-enabled local group was deleted. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4734(S): A security-enabled local group was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time security-enabled (security) local group is deleted.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time a security-enabled (security) local group is changed.
+
+This event generates on domain controllers, member servers, and workstations.
+
+Some changes do not invoke a 4735 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in group account properties.
+
+If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled.
+
+If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled.
+
+From 4735 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user object is changed.
+
+This event generates on domain controllers, member servers, and workstations.
+
+For each change, a separate 4738 event will be generated.
+
+You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
+
+Some changes do not invoke a 4738 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
**User Principal Name**
**Home Directory**
**Home Drive**
**Script Path**
**Profile Path**
**User Workstations**
**Password Last Set**
**Account Expires**
**Primary Group ID
Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. | +| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | +| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | + +- Consider whether to track the following user account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Normal Account'** – Disabled | Should not be disabled for user accounts. | +| **'Password Not Required'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. | +| **'Encrypted Text Password Allowed'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. | +| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. | +| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. | +| **'Smartcard Required'** – Enabled | Should be monitored for critical accounts. | +| **'Password Not Required'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Encrypted Text Password Allowed'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Don't Expire Password'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Smartcard Required'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Trusted For Delegation'** – Enabled | Means that Kerberos Constraint or Unconstraint delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted For Delegation'** – Disabled | Means that Kerberos Constraint or Unconstraint delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Not Delegated'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” Means that **Account is sensitive and cannot be delegated** was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Use DES Key Only'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication. | +| **'Don't Require Preauth'** – Enabled | Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. | +| **'Use DES Key Only'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Don't Require Preauth'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | + diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md new file mode 100644 index 0000000000..03f4def1f9 --- /dev/null +++ b/windows/keep-secure/event-4739.md @@ -0,0 +1,226 @@ +--- +title: 4739(S) Domain Policy was changed. (Windows 10) +description: Describes security event 4739(S) Domain Policy was changed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4739(S): Domain Policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when one of the following changes was made to local computer security policy:
+
+- Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified.
+
+- Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified.
+
+- "Network security: Force logoff when logon hours expire" group policy setting was changed.
+
+- Domain functional level was changed or some other attributes changed (see details in event description).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. | +| 1 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Disabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled. | +| 16 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. | +| 17 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled. | + +- **Min. Password Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Minimum password length” group policy. Numeric value. + +- **Password History Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Enforce password history” group policy. Numeric value. + +- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](https://technet.microsoft.com/en-us/library/dd391926(v=ws.10).aspx) domain attribute was modified. Numeric value. + +- **Mixed Domain Mode** \[Type = UnicodeString\]: there is no information about this field in this document. + +- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](https://msdn.microsoft.com/en-us/library/cc223742.aspx) domain attribute was modified. Numeric value. Possible values: + +| Value | Identifier | Domain controller operating systems that are allowed in the domain | +|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 Technical Preview operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | + +- **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +## Security Monitoring Recommendations + +For 4739(S): Domain Policy was changed. + +- Any settings changes to “**Account Lockout Policy**”, “**Password Policy**”, or “**Network security: Force logoff when logon hours expire**”, plus any **domain functional level and attributes** changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4740.md b/windows/keep-secure/event-4740.md new file mode 100644 index 0000000000..813f534ba7 --- /dev/null +++ b/windows/keep-secure/event-4740.md @@ -0,0 +1,121 @@ +--- +title: 4740(S) A user account was locked out. (Windows 10) +description: Describes security event 4740(S) A user account was locked out. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4740(S): A user account was locked out. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user account is locked out.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
+
+***Event Description:***
+
+This event generates every time a new computer object is created.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Account Enabled | +| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. | +| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled | +| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. | +| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled | +| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. | +| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled | +| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | +| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled | +| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | +| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled | +| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled | +| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled | +| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled | +| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled | +| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled | +| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled | +| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled | +| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled | +| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. | +| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | + +> Table 7. User’s or Computer’s account UAC flags. + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see **<value not set>** value for new created computer accounts in event 4741. + +- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. + +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation**:** + + HOST/Win81.contoso.local + + RestrictedKrbHost/Win81.contoso.local + + HOST/WIN81 + + RestrictedKrbHost/WIN81 + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Delegation** setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +> Table 8. User Privileges. + +## Security Monitoring Recommendations + +For 4741(S): A computer account was created. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If your information security monitoring policy requires you to monitor computer account creation, monitor this event. + +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **SAM Account Name**: empty or - | This field must contain the computer account name. If it is empty or **-**, it might indicate an anomaly. | +| **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**AllowedToDelegateTo** is not - | Typically these fields are **-** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Password Last Set** is **<never>** | This typically means this is a manually created computer account, which you might need to monitor. | +| **Account Expires** is not **<never>** | Typically this field is **<never>** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Primary Group ID** is any value other than 515. | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
If the **Primary Group ID** is 516 or 521, it is a new domain controller or RODC, and the event should be monitored.
If the value is not 516, 521, or 515, it is not a typical value and should be monitored. | +| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | +| **Logon Hours** value other than **<value not set>** | This should always be **<value not set>** for new computer accounts. | + +- Consider whether to track the following account control flags: + +| **User account control flag to track** | **Information about the flag** | +|--------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Encrypted Text Password Allowed'** – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Server Trust Account'** – Enabled | Should be enabled **only** for domain controllers. | +| **'Don't Expire Password'** – Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. | +| **'Smartcard Required'** – Enabled | Should not be enabled for new computer accounts. | +| **'Trusted For Delegation'** – Enabled | Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers. | +| **'Not Delegated'** – Enabled | Should not be enabled for new computer accounts. | +| **'Use DES Key Only'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Don't Require Preauth'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Should not be enabled for new computer accounts by default. | + diff --git a/windows/keep-secure/event-4742.md b/windows/keep-secure/event-4742.md new file mode 100644 index 0000000000..43b86b8649 --- /dev/null +++ b/windows/keep-secure/event-4742.md @@ -0,0 +1,295 @@ +--- +title: 4742(S) A computer account was changed. (Windows 10) +description: Describes security event 4742(S) A computer account was changed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4742(S): A computer account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
+
+***Event Description:***
+
+This event generates every time a computer object is changed.
+
+This event generates only on domain controllers.
+
+You might see the same values for **Subject**\\**Security ID** and **Computer Account That Was Changed**\\**Security ID** in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot).
+
+For each change, a separate 4742 event will be generated.
+
+Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
+
+You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
+
+***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**Account Expires** is not -
**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. | +| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
Other values should be monitored. | +| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | + +- Consider whether to track the following account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Password Not Required'** – Enabled | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects. | +| **'Encrypted Text Password Allowed'** – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Server Trust Account'** – Enabled | Should be enabled **only** for domain controllers. | +| **'Server Trust Account'** – Disabled | Should **not** be disabled for domain controllers. | +| **'Don't Expire Password'** – Enabled | Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. | +| **'Smartcard Required'** – Enabled | Should not be enabled for computer accounts. | +| **'Trusted For Delegation'** – Enabled | Means that Kerberos Constraint or Unconstraint delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted For Delegation'** – Disabled | Means that Kerberos Constraint or Unconstraint delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Use DES Key Only'** – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Don't Require Preauth'** - Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | + diff --git a/windows/keep-secure/event-4743.md b/windows/keep-secure/event-4743.md new file mode 100644 index 0000000000..69365e69e6 --- /dev/null +++ b/windows/keep-secure/event-4743.md @@ -0,0 +1,118 @@ +--- +title: 4743(S) A computer account was deleted. (Windows 10) +description: Describes security event 4743(S) A computer account was deleted. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4743(S): A computer account was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
+
+***Event Description:***
+
+This event generates every time a computer object is deleted.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new security-disabled (distribution) global group was created.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time security-disabled (distribution) global group is changed.
+
+This event generates only on domain controllers.
+
+Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in **Managed By** tab in group account properties.
+
+If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled.
+
+If you change the group type, you get a change event from the new group type auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled.
+
+From 4750 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new member was added to a security-disabled (distribution) global group.
+
+This event generates only on domain controllers.
+
+For every added member you will get separate 4751 event.
+
+You will typically see “[4750](event-4750.md): A security-disabled global group was changed.” event without any changes in it prior to 4751 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4752.md b/windows/keep-secure/event-4752.md new file mode 100644 index 0000000000..d4d9463173 --- /dev/null +++ b/windows/keep-secure/event-4752.md @@ -0,0 +1,152 @@ +--- +title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) +description: Describes security event 4752(S) A member was removed from a security-disabled global group. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4752(S): A member was removed from a security-disabled global group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time member was removed from the security-disabled (distribution) global group.
+
+This event generates only on domain controllers.
+
+For every removed member you will get separate 4752 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups. | +| **Distribution groups with required members**: You might need to ensure that for certain distribution groups, particular members are never removed. | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4753.md b/windows/keep-secure/event-4753.md new file mode 100644 index 0000000000..4aeb373191 --- /dev/null +++ b/windows/keep-secure/event-4753.md @@ -0,0 +1,124 @@ +--- +title: 4753(S) A security-disabled global group was deleted. (Windows 10) +description: Describes security event 4753(S) A security-disabled global group was deleted. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4753(S): A security-disabled global group was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time security-disabled (distribution) global group is deleted.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time group’s type is changed.
+
+This event generates for both security and distribution groups.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user account is unlocked.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
+
+***Event Description:***
+
+This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
+
+This event generates only on domain controllers.
+
+If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”.
+
+This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +> Table 2. Kerberos ticket flags. + +> **Note** [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels. + +- **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event. + +| Code | Code Name | Description | Possible causes | +|------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x0 | KDC\_ERR\_NONE | No error | No errors were found. | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in KDC database has expired | No information. | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in KDC database has expired | No information. | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested Kerberos version number not supported | No information. | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | +| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC. | +| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | +| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. | +| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | +| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | +| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | +| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | +| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition. | +| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.
See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | +| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | +| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | +| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | +| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | + +> Table 3. TGT/TGS issue error codes. + +- **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT. + + + +## Table 4. Kerberos encryption types + +| Type | Type Name | Description | +|-----------------------------------------------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + + +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. + + +## Table 5. Kerberos Pre-Authentication types. + +| Type | Type Name | Description | +|------------------------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | - | Logon without Pre-Authentication. | +| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | +| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | +| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | +| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. | +| - | | This type shows in Audit Failure events. | + +**Certificate Information:** + +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. + +## Security Monitoring Recommendations + +For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the whitelist. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | + +- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the whitelist, generate the alert. + +- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. + +- All [4768](event-4768.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Also consider monitoring the fields shown in the following table, to discover the issues listed: + +| **Field** | **Issue to discover** | +|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Certificate Issuer Name** | Certification authority name is not from your PKI infrastructure. | +| **Certificate Issuer Name** | Certification authority name is not authorized to issue smart card authentication certificates. | +| **Pre-Authentication Type** | Value is **0**, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with “Do not require Kerberos preauthentication,” which is a security risk. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Ticket Encryption Type** | Value is **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types). | +| **Ticket Encryption Type** | Starting with Windows Vista and Windows Server 2008, monitor for values **other than 0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types). | +| **Result Code** | **0x6** (The username doesn't exist), if you see, for example N events in last N minutes. This can be an indicator of account enumeration attack, especially for highly critical accounts. | +| **Result Code** | **0x7** (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory. | +| **Result Code** | **0x8** (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster. | +| **Result Code** | **0x9** (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster. | +| **Result Code** | **0xA** (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity. | +| **Result Code** | **0xC** (Requested start time is later than end time), if you see, for example N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts. | +| **Result Code** | **0xE** (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0xF** (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0x12** (Client's credentials have been revoked), if you see, for example N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts. | +| **Result Code** | **0x1F** (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise. | +| **Result Code** | **0x22** (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt. | +| **Result Code** | **0x29** (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0x3C** (Generic error). This error can help you more quickly identify problems with Kerberos authentication. | +| **Result Code** | **0x3E** (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. | +| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. | + diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md new file mode 100644 index 0000000000..20c430fa33 --- /dev/null +++ b/windows/keep-secure/event-4769.md @@ -0,0 +1,287 @@ +--- +title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) +description: Describes security event 4769(S, F) A Kerberos service ticket was requested. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4769(S, F): A Kerberos service ticket was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
+
+***Event Description:***
+
+This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
+
+This event generates only on domain controllers.
+
+If TGS issue fails then you will see Failure event with **Failure Code** field not equal to “**0x0**”.
+
+You will typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. +## Table 4. Kerberos encryption types | + +- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. + +| Type | Type Name | Description | +|--------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event: + +| Code | Code Name | Description | Possible causes | +|------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x0 | KDC\_ERR\_NONE | No error | No errors were found. | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in KDC database has expired | No information. | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in KDC database has expired | No information. | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested Kerberos version number not supported | No information. | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | +| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC. | +| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | +| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. | +| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | +| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | +| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | +| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | +| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition. | +| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.
See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | +| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | +| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | +| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | +| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | + +- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used. + +> **Note** **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +## Security Monitoring Recommendations + +For 4769(S, F): A Kerberos service ticket was requested. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | + +- If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields. + +- You can track all [4769](event-4769.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your whitelist of IP addresses, generate the alert. + +- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the whitelist. + +- All [4769](event-4769.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Monitor for a **Ticket Encryption Type** of **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. + +- Starting with Windows Vista and Windows Server 2008, monitor for a **Ticket Encryption Type** other than **0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. + +- If you have a list of important **Failure Codes**, monitor for these codes. + diff --git a/windows/keep-secure/event-4770.md b/windows/keep-secure/event-4770.md new file mode 100644 index 0000000000..5983d931d7 --- /dev/null +++ b/windows/keep-secure/event-4770.md @@ -0,0 +1,183 @@ +--- +title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) +description: Describes security event 4770(S) A Kerberos service ticket was renewed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4770(S): A Kerberos service ticket was renewed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
+
+***Event Description:***
+
+This event generates for every Ticket Granting Service (TGS) ticket renewal.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used in renewed TGS. + +| Type | Type Name | Description | +|--------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + + +## Security Monitoring Recommendations + +For 4770(S): A Kerberos service ticket was renewed. + +- This event typically has informational only purpose. + diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md new file mode 100644 index 0000000000..ec327a9f1f --- /dev/null +++ b/windows/keep-secure/event-4771.md @@ -0,0 +1,226 @@ +--- +title: 4771(F) Kerberos pre-authentication failed. (Windows 10) +description: Describes security event 4771(F) Kerberos pre-authentication failed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4771(F): Kerberos pre-authentication failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
+
+***Event Description:***
+
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+
+This event generates only on domain controllers.
+
+This event is not generated if “Do not require Kerberos preauthentication” option is set for the account.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +> Table 6. Kerberos ticket flags. + +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: + +| Code | Code Name | Description | Possible causes | +|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | + +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. + + +## Table 5. Kerberos Pre-Authentication types. + +| Type | Type Name | Description | +|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | - | Logon without Pre-Authentication. | +| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | +| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | +| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | +| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. | +| - | | This type shows in Audit Failure events. | + +**Certificate Information:** + +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. + +## Security Monitoring Recommendations + +For 4771(F): Kerberos pre-authentication failed. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the whitelist. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the whitelist, generate the alert. + +- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. + +- All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Also monitor the fields shown in the following table, to discover the issues listed: + +| **Field** | **Issue to discover** | +|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Result Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. | +| **Result Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. | + diff --git a/windows/keep-secure/event-4772.md b/windows/keep-secure/event-4772.md new file mode 100644 index 0000000000..0bf72a2f75 --- /dev/null +++ b/windows/keep-secure/event-4772.md @@ -0,0 +1,21 @@ +--- +title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) +description: Describes security event 4772(F) A Kerberos authentication ticket request failed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4772(F): A Kerberos authentication ticket request failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead. + +***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) + diff --git a/windows/keep-secure/event-4773.md b/windows/keep-secure/event-4773.md new file mode 100644 index 0000000000..1f4a877348 --- /dev/null +++ b/windows/keep-secure/event-4773.md @@ -0,0 +1,21 @@ +--- +title: 4773(F) A Kerberos service ticket request failed. (Windows 10) +description: Describes security event 4773(F) A Kerberos service ticket request failed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4773(F): A Kerberos service ticket request failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead. + +***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) + diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md new file mode 100644 index 0000000000..2cb4f23bd1 --- /dev/null +++ b/windows/keep-secure/event-4774.md @@ -0,0 +1,41 @@ +--- +title: 4774(S) An account was mapped for logon. (Windows 10) +description: Describes security event 4774(S) An account was mapped for logon. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4774(S): An account was mapped for logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Schema:*** + +*An account was mapped for logon.* + +*Authentication Package:%1* + +*Account UPN:%2* + +*Mapped Name:%3* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4775.md b/windows/keep-secure/event-4775.md new file mode 100644 index 0000000000..56d51f81fa --- /dev/null +++ b/windows/keep-secure/event-4775.md @@ -0,0 +1,39 @@ +--- +title: 4775(F) An account could not be mapped for logon. (Windows 10) +description: Describes security event 4775(F) An account could not be mapped for logon. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4775(F): An account could not be mapped for logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Schema:*** + +*An account could not be mapped for logon.* + +*Authentication Package:%1* + +*Account Name:%2* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4776.md b/windows/keep-secure/event-4776.md new file mode 100644 index 0000000000..4b1bd35fc0 --- /dev/null +++ b/windows/keep-secure/event-4776.md @@ -0,0 +1,148 @@ +--- +title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) +description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4776(S, F): The computer attempted to validate the credentials for an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md)
+
+***Event Description:***
+
+This event generates every time that a credential validation occurs using NTLM authentication.
+
+This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
+
+It shows successful and unsuccessful credential validation attempts.
+
+It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) is not presented in this event.
+
+If a credential validation attempt fails, you will see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
+
+The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
+
+For monitoring local account logon attempts, it is better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
+
+This event also generates when a workstation unlock event occurs.
+
+This event does *not* generate when a domain account logs on locally to a domain controller.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Some of the potential causes for this:
An invalid username and/or password was used
[LAN Manager Authentication Level](https://technet.microsoft.com/en-us/library/jj852207.aspx) mismatch between the source and target computers. | +| 0xC000006F | Account logon outside authorized hours. | +| 0xC0000070 | Account logon from unauthorized workstation. | +| 0xC0000071 | Account logon with expired password. | +| 0xC0000072 | Account logon to account disabled by administrator. | +| 0xC0000193 | Account logon with expired account. | +| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. | +| 0xC0000234 | Account logon with account locked. | +| 0xc0000371 | The local account store does not contain secret material for the specified account. | +| 0x0 | No errors. | + +> Table 1. Winlogon Error Codes. + +## Security Monitoring Recommendations + +For 4776(S, F): The computer attempted to validate the credentials for an account. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the whitelist. | +| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | + +- If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. + +- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. + +- If a local account should be used only locally (for example, network logon or terminal services logon is not allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values. + +- Consider tracking the following errors for the reasons listed: + +| **Error to track** | **What the error might indicate** | +|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. | +| **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. | +| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. | +| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | +| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | + diff --git a/windows/keep-secure/event-4777.md b/windows/keep-secure/event-4777.md new file mode 100644 index 0000000000..db755e968c --- /dev/null +++ b/windows/keep-secure/event-4777.md @@ -0,0 +1,21 @@ +--- +title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) +description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4777(F): The domain controller failed to validate the credentials for an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + diff --git a/windows/keep-secure/event-4778.md b/windows/keep-secure/event-4778.md new file mode 100644 index 0000000000..2c47b9958b --- /dev/null +++ b/windows/keep-secure/event-4778.md @@ -0,0 +1,137 @@ +--- +title: 4778(S) A session was reconnected to a Window Station. (Windows 10) +description: Describes security event 4778(S) A session was reconnected to a Window Station. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4778(S): A session was reconnected to a Window Station. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
+
+This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Additional Information:**
+
+- **Client Name** \[Type = UnicodeString\]: computer name from which the user was reconnected. Has “**Unknown”** value for console session.
+
+- **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the user was reconnected.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+ - Has “**LOCAL**” value for console session.
+
+## Security Monitoring Recommendations
+
+For 4778(S): A session was reconnected to a Window Station.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console. + +- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring). + +- If a specific computer or device (**Client Name** or **Client Address**) should never connect to this computer (**Computer**), monitor for any event with that **Client Name** or **Client Address**. + +- Check that **Additional Information\\Client Address** is from internal IP addresses list. + diff --git a/windows/keep-secure/event-4779.md b/windows/keep-secure/event-4779.md new file mode 100644 index 0000000000..f3b2dc262b --- /dev/null +++ b/windows/keep-secure/event-4779.md @@ -0,0 +1,139 @@ +--- +title: 4779(S) A session was disconnected from a Window Station. (Windows 10) +description: Describes security event 4779(S) A session was disconnected from a Window Station. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4779(S): A session was disconnected from a Window Station. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
+
+This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Additional Information:**
+
+- **Client Name** \[Type = UnicodeString\]: machine name from which the session was disconnected. Has “**Unknown”** value for console session.
+
+
+
+- **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the session was disconnected.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+
+
+ - Has “**LOCAL**” value for console session.
+
+## Security Monitoring Recommendations
+
+For 4779(S): A session was disconnected from a Window Station.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console. + +- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring). + +- To ensure that connections are made only from your internal IP address list, monitor the **Additional Information\\Client Address** in this event. + diff --git a/windows/keep-secure/event-4780.md b/windows/keep-secure/event-4780.md new file mode 100644 index 0000000000..3aef6e6a3a --- /dev/null +++ b/windows/keep-secure/event-4780.md @@ -0,0 +1,59 @@ +--- +title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) +description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4780(S): The ACL was set on accounts which are members of administrators groups. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. + +For some reason, this event doesn’t generate on some OS versions. + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Schema:*** + +*The ACL was set on accounts which are members of administrators groups.* + +*Subject:* + +> *Security ID:%4* +> +> *Account Name:%5* +> +> *Account Domain:%6* +> +> *Logon ID:%7* + +*Target Account:* + +> *Security ID:%3* +> +> *Account Name:%1* +> +> *Account Domain:%2* + +*Additional Information:* + +> *Privileges:%8* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Monitor for this event and investigate why the object’s ACL was changed. + diff --git a/windows/keep-secure/event-4781.md b/windows/keep-secure/event-4781.md new file mode 100644 index 0000000000..ae172e368c --- /dev/null +++ b/windows/keep-secure/event-4781.md @@ -0,0 +1,127 @@ +--- +title: 4781(S) The name of an account was changed. (Windows 10) +description: Describes security event 4781(S) The name of an account was changed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4781(S): The name of an account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user or computer account name (**sAMAccountName** attribute) is changed.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For computer accounts, this event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Account Management Events](audit-other-account-management-events.md)
+
+***Event Description:***
+
+This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx).
+
+Typically **“Subject\\Security ID”** is the SYSTEM account.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Account Management Events](audit-other-account-management-events.md)
+
+***Event Description:***
+
+This event generates each time the [Password Policy Checking API](https://msdn.microsoft.com/en-us/library/aa370661(VS.85).aspx) is called.
+
+The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
+
+This event, for example, generates during Directory Services Restore Mode ([DSRM](http://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password.
+
+This event generates on the computer where Password Policy Checking API was called.
+
+Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates when a process enumerates a user's security-enabled local groups on a computer or device.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4798(S): A user's local group membership was enumerated.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have high value domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the **“Subject\\Security ID”** that corresponds to the high value account or accounts.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
diff --git a/windows/keep-secure/event-4799.md b/windows/keep-secure/event-4799.md
new file mode 100644
index 0000000000..7673abf0a6
--- /dev/null
+++ b/windows/keep-secure/event-4799.md
@@ -0,0 +1,135 @@
+---
+title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10)
+description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4799(S): A security-enabled local group membership was enumerated.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates when a process enumerates the members of a security-enabled local group on the computer or device.
+
+This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4799(S): A security-enabled local group membership was enumerated.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have a list of critical local security groups in the organization, and need to specifically monitor these groups for any access (in this case, enumeration of group membership), monitor events with the “**Group\\Group Name”** values that correspond to the critical local security groups. Examples of critical local groups are built-in local administrators, built-in backup operators, and so on.
+
+- If you need to monitor each time the membership is enumerated for a local or domain security group, to see who enumerated the membership and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
+
diff --git a/windows/keep-secure/event-4800.md b/windows/keep-secure/event-4800.md
new file mode 100644
index 0000000000..bba6681e18
--- /dev/null
+++ b/windows/keep-secure/event-4800.md
@@ -0,0 +1,101 @@
+---
+title: 4800(S) The workstation was locked. (Windows 10)
+description: Describes security event 4800(S) The workstation was locked.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4800(S): The workstation was locked.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when a workstation was locked.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4800(S): The workstation was locked.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a machine was locked, and which account was used to lock it.
+
diff --git a/windows/keep-secure/event-4801.md b/windows/keep-secure/event-4801.md
new file mode 100644
index 0000000000..28e2f207b6
--- /dev/null
+++ b/windows/keep-secure/event-4801.md
@@ -0,0 +1,101 @@
+---
+title: 4801(S) The workstation was unlocked. (Windows 10)
+description: Describes security event 4801(S) The workstation was unlocked.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4801(S): The workstation was unlocked.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when workstation was unlocked.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4801(S): The workstation was unlocked.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a machine was unlocked, and which account was used to unlock it.
+
diff --git a/windows/keep-secure/event-4802.md b/windows/keep-secure/event-4802.md
new file mode 100644
index 0000000000..c4b49527e7
--- /dev/null
+++ b/windows/keep-secure/event-4802.md
@@ -0,0 +1,101 @@
+---
+title: 4802(S) The screen saver was invoked. (Windows 10)
+description: Describes security event 4802(S) The screen saver was invoked.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4802(S): The screen saver was invoked.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when screen saver was invoked.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4802(S): The screen saver was invoked.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a screen saver was invoked on a machine, and which account invoked it.
+
diff --git a/windows/keep-secure/event-4803.md b/windows/keep-secure/event-4803.md
new file mode 100644
index 0000000000..118d94f09a
--- /dev/null
+++ b/windows/keep-secure/event-4803.md
@@ -0,0 +1,101 @@
+---
+title: 4803(S) The screen saver was dismissed. (Windows 10)
+description: Describes security event 4803(S) The screen saver was dismissed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4803(S): The screen saver was dismissed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when screen saver was dismissed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4803(S): The screen saver was dismissed.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a screen saver was dismissed on a machine, and which account dismissed it.
+
diff --git a/windows/keep-secure/event-4816.md b/windows/keep-secure/event-4816.md
new file mode 100644
index 0000000000..9d90f07c17
--- /dev/null
+++ b/windows/keep-secure/event-4816.md
@@ -0,0 +1,43 @@
+---
+title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)
+description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4816(S): RPC detected an integrity violation while decrypting an incoming message.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This message generates if RPC detected an integrity violation while decrypting an incoming message.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*RPC detected an integrity violation while decrypting an incoming message.*
+
+*Peer Name: %1*
+
+*Protocol Sequence: %2*
+
+*Security Error: %3*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
+
diff --git a/windows/keep-secure/event-4817.md b/windows/keep-secure/event-4817.md
new file mode 100644
index 0000000000..614adbf442
--- /dev/null
+++ b/windows/keep-secure/event-4817.md
@@ -0,0 +1,246 @@
+---
+title: 4817(S) Auditing settings on object were changed. (Windows 10)
+description: Describes security event 4817(S) Auditing settings on object were changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4817(S): Auditing settings on object were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates when the [Global Object Access Auditing](https://technet.microsoft.com/en-us/library/dd772630(v=ws.10).aspx) policy is changed on a computer.
+
+Separate events will be generated for “Registry” and “File system” policy changes.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Central Policy Staging](audit-central-access-policy-staging.md)
+
+***Event Description:***
+
+This event generates when Dynamic Access Control Proposed [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) is enabled and access was not granted by Proposed Central Access Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Current Central Access Policy results:**
+
+- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:+REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS. + +The possible REQUESTED\_ACCESS values are listed in the table below. + +## Table of file access codes + +| Access | Hexadecimal Value | Description | +|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8 | The right to read extended file attributes. | +| WriteEA | 0x10 | The right to write extended file attributes. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80 | The right to read file attributes. | +| WriteAttributes | 0x100 | The right to write file attributes. | +| DELETE | 0x10000 | The right to delete the object. | +| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +- RESULT: + + - Granted by + + - Denied by + + - Granted by ACE on parent folder + + - Not granted due to missing – after this sentence you will typically see missing user rights, for example SeSecurityPrivilege. + + - Unknown or unchecked + +- ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS: + + - Ownership – if access was granted because of ownership of an object. + + - User Right name, for example SeSecurityPrivilege. + + - The [Security Descriptor Definition Language](event-5145.md#sddl-values-for-access-control-entry) (SDDL) value for the Access Control Entry (ACE) that granted or denied access. + +**Proposed Central Access Policy results that differ from the current Central Access Policy results:** + +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:
+ +REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule. + +The possible REQUESTED\_ACCESS values are listed in the table below: + +| Access | Hexadecimal Value | Description | +|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8 | The right to read extended file attributes. | +| WriteEA | 0x10 | The right to write extended file attributes. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80 | The right to read file attributes. | +| WriteAttributes | 0x100 | The right to write file attributes. | +| DELETE | 0x10000 | The right to delete the object. | +| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +- RULE\_NAME: the name of Central Access Rule which denied the access. + +## Security Monitoring Recommendations + +For 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. + +- This event typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control. + diff --git a/windows/keep-secure/event-4819.md b/windows/keep-secure/event-4819.md new file mode 100644 index 0000000000..14613c4b7a --- /dev/null +++ b/windows/keep-secure/event-4819.md @@ -0,0 +1,135 @@ +--- +title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) +description: Describes security event 4819(S) Central Access Policies on the machine have been changed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4819(S): Central Access Policies on the machine have been changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates when [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on the machine have been changed.
+
+For example, it generates when a new [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) was applied to the machine via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time system starts and load current [Boot Configuration Data](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653287(v=vs.85).aspx) (BCD) settings.
+
+This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when new trusted forest information entry was added.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the new trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4865(S): A trusted forest information entry was added. + +- Any changes related to Active Directory forest trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4866.md b/windows/keep-secure/event-4866.md new file mode 100644 index 0000000000..bc7752fc7b --- /dev/null +++ b/windows/keep-secure/event-4866.md @@ -0,0 +1,150 @@ +--- +title: 4866(S) A trusted forest information entry was removed. (Windows 10) +description: Describes security event 4866(S) A trusted forest information entry was removed. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4866(S): A trusted forest information entry was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when the trusted forest information entry was removed.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the removed trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4866(S): A trusted forest information entry was removed. + +- Any changes related to Active Directory forest trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4867.md b/windows/keep-secure/event-4867.md new file mode 100644 index 0000000000..73c7e92586 --- /dev/null +++ b/windows/keep-secure/event-4867.md @@ -0,0 +1,152 @@ +--- +title: 4867(S) A trusted forest information entry was modified. (Windows 10) +description: Describes security event 4867(S) A trusted forest information entry was modified. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4867(S): A trusted forest information entry was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates the trusted forest information entry was modified.
+
+This event is generated only on domain controllers.
+
+This event contains new values only, it doesn’t contains old values and it doesn’t show you which trust attributes were modified.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the modified trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4867(S): A trusted forest information entry was modified. + +- Any changes in Active Directory forest trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4902.md b/windows/keep-secure/event-4902.md new file mode 100644 index 0000000000..b6cf1ebb77 --- /dev/null +++ b/windows/keep-secure/event-4902.md @@ -0,0 +1,80 @@ +--- +title: 4902(S) The Per-user audit policy table was created. (Windows 10) +description: Describes security event 4902(S) The Per-user audit policy table was created. +ms.pagetype: security +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4902(S): The Per-user audit policy table was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates during system startup if Per-user audit policy is defined on the computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Policy ID** \[Type = HexInt64\]: unique per-User Audit Policy hexadecimal identifier.
+
+## Security Monitoring Recommendations
+
+For 4902(S): The Per-user audit policy table was created.
+
+- If you don’t expect to see any per-User Audit Policies enabled on specific computers (**Computer**), monitor for these events.
+
+- If you don’t use per-User Audit Policies in your network, monitor for these events.
+
+- Typically this is an informational event and has little to no security relevance.
+
diff --git a/windows/keep-secure/event-4904.md b/windows/keep-secure/event-4904.md
new file mode 100644
index 0000000000..5f46d6c131
--- /dev/null
+++ b/windows/keep-secure/event-4904.md
@@ -0,0 +1,132 @@
+---
+title: 4904(S) An attempt was made to register a security event source. (Windows 10)
+description: Describes security event 4904(S) An attempt was made to register a security event source.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4904(S): An attempt was made to register a security event source.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time a new [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is registered.
+
+You can typically see this event during system startup, if specific roles (Internet Information Services, for example) are installed in the system.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Event Source:**
+
+- **Source Name** \[Type = UnicodeString\]: the name of registered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
+
+ 
+
+- **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of registered security event source.
+
+## Security Monitoring Recommendations
+
+For 4904(S): An attempt was made to register a security event source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If you have a pre-defined list of allowed security event sources for specific computers or computer types, then you can use this event and check whether “**Event Source\\Source Name**”is in your defined list.
+
+- Typically this event has an informational purpose.
+
diff --git a/windows/keep-secure/event-4905.md b/windows/keep-secure/event-4905.md
new file mode 100644
index 0000000000..222fd0f263
--- /dev/null
+++ b/windows/keep-secure/event-4905.md
@@ -0,0 +1,132 @@
+---
+title: 4905(S) An attempt was made to unregister a security event source. (Windows 10)
+description: Describes security event 4905(S) An attempt was made to unregister a security event source.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4905(S): An attempt was made to unregister a security event source.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time a [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is unregistered.
+
+You typically see this event if specific roles were removed, for example, Internet Information Services.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Event Source:**
+
+- **Source Name** \[Type = UnicodeString\]: the name of unregistered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
+
+
+
+- **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of unregistered security event source.
+
+## Security Monitoring Recommendations
+
+For 4905(S): An attempt was made to unregister a security event source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If you have a list of critical security event sources which should never have been unregistered, then you can use this event and check the “**Event Source\\Source Name**.”
+
+- Typically this event has an informational purpose.
+
diff --git a/windows/keep-secure/event-4906.md b/windows/keep-secure/event-4906.md
new file mode 100644
index 0000000000..9232c75a41
--- /dev/null
+++ b/windows/keep-secure/event-4906.md
@@ -0,0 +1,81 @@
+---
+title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10)
+description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4906(S): The CrashOnAuditFail value has changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time **CrashOnAuditFail** audit flag value was modified.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+More information about **CrashOnAuditFail** flag can be found [here](https://technet.microsoft.com/en-us/library/cc963220.aspx).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates when the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) of an object (for example, a registry key or file) was changed.
+
+This event doesn't generate for Active Directory objects.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Auditing Settings:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Special Groups logon table was modified.
+
+This event also generates during system startup.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+More information about Special Groups auditing can be found here:
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4908(S): Special Groups Logon table modified.
+
+- If you use the Special Groups feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
+
+- If you don’t use the Special Groups feature, then this event should be always monitored because it indicates use of the Special Groups feature outside of your standard procedures.
+
diff --git a/windows/keep-secure/event-4909.md b/windows/keep-secure/event-4909.md
new file mode 100644
index 0000000000..650d9bbf8c
--- /dev/null
+++ b/windows/keep-secure/event-4909.md
@@ -0,0 +1,21 @@
+---
+title: 4909(-) The local policy settings for the TBS were changed. (Windows 10)
+description: Describes security event 4909(-) The local policy settings for the TBS were changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4909(-): The local policy settings for the TBS were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
diff --git a/windows/keep-secure/event-4910.md b/windows/keep-secure/event-4910.md
new file mode 100644
index 0000000000..f167349c1b
--- /dev/null
+++ b/windows/keep-secure/event-4910.md
@@ -0,0 +1,21 @@
+---
+title: 4910(-) The group policy settings for the TBS were changed. (Windows 10)
+description: Describes security event 4910(-) The group policy settings for the TBS were changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4910(-): The group policy settings for the TBS were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
diff --git a/windows/keep-secure/event-4911.md b/windows/keep-secure/event-4911.md
new file mode 100644
index 0000000000..39d00ba5ee
--- /dev/null
+++ b/windows/keep-secure/event-4911.md
@@ -0,0 +1,282 @@
+---
+title: 4911(S) Resource attributes of the object were changed. (Windows 10)
+description: Describes security event 4911(S) Resource attributes of the object were changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4911(S): Resource attributes of the object were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when [resource attributes](http://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed.
+
+Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Resource Attributes:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old resource attributes.
+
+ For example: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
+
+ - Impact\_MS: Resource Property ***ID***.
+
+ - 3000: Recourse Property ***Value***.
+
+
+
+> If no resource attributes were set to the object, then SDDL will not contain any attributes, for example “**S:AI**”.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time [Per User Audit Policy](http://windowsitpro.com/systems-management/user-auditing-28-jun-2005) was changed.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Changes** \[Type = UnicodeString\]**:** changes which were made for the subcategory. Possible values are:
+
+ - Success include removed
+
+ - Success include added
+
+ - Failure include removed
+
+ - Failure include added
+
+ - Success exclude removed
+
+ - Success exclude added
+
+ - Failure exclude removed
+
+ - Failure exclude added
+
+## Security Monitoring Recommendations
+
+For 4912(S): Per User Audit Policy was changed.
+
+- If you use the Per-user audit feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
+
+- If you don’t use the Per-user audit feature, then this event should be always monitored because it indicates use of the Per-user audit feature outside of your standard procedures.
+
diff --git a/windows/keep-secure/event-4913.md b/windows/keep-secure/event-4913.md
new file mode 100644
index 0000000000..b34355d236
--- /dev/null
+++ b/windows/keep-secure/event-4913.md
@@ -0,0 +1,288 @@
+---
+title: 4913(S) Central Access Policy on the object was changed. (Windows 10)
+description: Describes security event 4913(S) Central Access Policy on the object was changed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4913(S): Central Access Policy on the object was changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when a [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on a file system object is changed.
+
+This event always generates, regardless of the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Central Policy ID:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
+
+ SDDL contains Central Access Policy SID, here is an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name you need to do the following:
+
+1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container.
+
+2. Open object’s “**Properties**”.
+
+3. Find “**msAuthz-CentralAccessPolicyID**” attribute.
+
+4. Convert hexadecimal value to SID (string). Here you can see more information about how to perform this action: 
+
+> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time a new Active Directory replica source naming context is established.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: 
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time Active Directory replica source naming context was removed.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time Active Directory replica source naming context was modified.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+It is not possible to understand what exactly was modified from this event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time Active Directory replica destination naming context was modified.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+It is not possible to understand what exactly was modified from this event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Replication](audit-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time synchronization of a replica of an Active Directory naming context has begun.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Replication](audit-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time synchronization of a replica of an Active Directory naming context has ended.
+
+Failure event occurs when synchronization of a replica of an Active Directory naming context failed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates when Active Directory replication failure begins.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Windows Firewall service starts.
+
+This event shows Windows Firewall settings that were in effect when the Windows Firewall service started.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy.
+
+**Allow Unicast Responses to Multicast/Broadcast Traffic** \[Type = UnicodeString\]:
+
+- **Enabled** - if “**Allow unicast response:**” Settings configuration was set to “Yes” for “Public” profile.
+
+- **Disabled** - if “**Allow unicast response:**” Settings configuration was set to “No” for “Public” profile.
+
+
+
+**Security Logging:**
+
+- **Log Dropped Packets** \[Type = UnicodeString\]:
+
+ - **Enabled** – if “**Log dropped packets:**” Logging configuration was set to “Yes” for “Public” profile.
+
+ - **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile.
+
+- **Log Successful Connections** \[Type = UnicodeString\]:
+
+ - **Enabled** - if “**Log successful connections:**” Logging configuration was set to “Yes” for “Public” profile.
+
+ - **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile.
+
+
+
+## Security Monitoring Recommendations
+
+For 4944(S): The following policy was active when the Windows Firewall started.
+
+- If you have a standard or baseline for Windows Firewall settings defined for **Public** profile (which can be the same as for Domain, for example), monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
+
+- Unfortunately this event shows configuration only for **Public** profile, but you can still compare all the settings with your organization's Windows Firewall baseline for Public profile on different computers and trigger an alert if the configuration is not the same.
+
diff --git a/windows/keep-secure/event-4945.md b/windows/keep-secure/event-4945.md
new file mode 100644
index 0000000000..1b94b91fbc
--- /dev/null
+++ b/windows/keep-secure/event-4945.md
@@ -0,0 +1,91 @@
+---
+title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10)
+description: Describes security event 4945(S) A rule was listed when the Windows Firewall started.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4945(S): A rule was listed when the Windows Firewall started.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Windows Firewall service starts.
+
+This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile.
+
+This event generates per rule.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4945(S): A rule was listed when the Windows Firewall started.
+
+- Typically this event has an informational purpose.
+
+- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same.
+
diff --git a/windows/keep-secure/event-4946.md b/windows/keep-secure/event-4946.md
new file mode 100644
index 0000000000..f73ca913a6
--- /dev/null
+++ b/windows/keep-secure/event-4946.md
@@ -0,0 +1,101 @@
+---
+title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10)
+description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when new rule was locally added to Windows Firewall.
+
+This event doesn't generate when new rule was added via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
+
+- This event can be helpful in case you want to monitor all creations of new Firewall rules which were done locally.
+
diff --git a/windows/keep-secure/event-4947.md b/windows/keep-secure/event-4947.md
new file mode 100644
index 0000000000..f3381e95ba
--- /dev/null
+++ b/windows/keep-secure/event-4947.md
@@ -0,0 +1,101 @@
+---
+title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10)
+description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall rule was modified.
+
+This event doesn't generate when Firewall rule was modified via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
+
+- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally.
+
diff --git a/windows/keep-secure/event-4948.md b/windows/keep-secure/event-4948.md
new file mode 100644
index 0000000000..034b9e1149
--- /dev/null
+++ b/windows/keep-secure/event-4948.md
@@ -0,0 +1,101 @@
+---
+title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10)
+description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall rule was deleted.
+
+This event doesn't generate when the rule was deleted via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
+
+- This event can be helpful in case you want to monitor all deletions of Firewall rules which were done locally.
+
diff --git a/windows/keep-secure/event-4949.md b/windows/keep-secure/event-4949.md
new file mode 100644
index 0000000000..2441529ec2
--- /dev/null
+++ b/windows/keep-secure/event-4949.md
@@ -0,0 +1,67 @@
+---
+title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10)
+description: Describes security event 4949(S) Windows Firewall settings were restored to the default values.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4949(S): Windows Firewall settings were restored to the default values.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall settings were locally restored to the default configuration.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall local setting was changed.
+
+This event doesn't generate when Windows Firewall setting was changed via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Value** \[Type = UnicodeString\]: new value of modified setting.
+
+## Security Monitoring Recommendations
+
+For 4950(S): A Windows Firewall setting has changed.
+
+- If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
+
+- This event can be helpful in case you want to monitor all changes in Windows Firewall settings which were done locally.
+
diff --git a/windows/keep-secure/event-4951.md b/windows/keep-secure/event-4951.md
new file mode 100644
index 0000000000..1878549111
--- /dev/null
+++ b/windows/keep-secure/event-4951.md
@@ -0,0 +1,103 @@
+---
+title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10)
+description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
+
+If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule.
+
+The only solution is to remove the incompatible rule, and then deploy a compatible rule.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4952.md b/windows/keep-secure/event-4952.md
new file mode 100644
index 0000000000..496d4e324e
--- /dev/null
+++ b/windows/keep-secure/event-4952.md
@@ -0,0 +1,51 @@
+---
+title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)
+description: Describes security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
+
+If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule.
+
+The only solution is to remove the incompatible rule, and then deploy a compatible rule.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Schema:***
+
+*Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.*
+
+*%t*
+
+*Profile:%t%1*
+
+*Partially Ignored Rule:*
+
+*%tID:%t%2*
+
+*%tName:%t%3*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4953.md b/windows/keep-secure/event-4953.md
new file mode 100644
index 0000000000..ba5cea430d
--- /dev/null
+++ b/windows/keep-secure/event-4953.md
@@ -0,0 +1,104 @@
+---
+title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10)
+description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4953(F): Windows Firewall ignored a rule because it could not be parsed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason.
+
+It can happen if Windows Firewall rule registry entry was corrupted.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4953(F): Windows Firewall ignored a rule because it could not be parsed.
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4954.md b/windows/keep-secure/event-4954.md
new file mode 100644
index 0000000000..fcf80a82d3
--- /dev/null
+++ b/windows/keep-secure/event-4954.md
@@ -0,0 +1,67 @@
+---
+title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10)
+description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Windows Firewall group policy is changed, locally or from Active Directory Group Policy.
+
+This event generates every time local Group Policy is refreshed, even if no Windows Firewall settings were modified or presented.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall has changed the active profile.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Name** \[Type = UnicodeString\]: the name of the rule which was not applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+**Error Information:**
+
+- **Reason** \[Type = UnicodeString\]: the reason why the rule was not applied.
+
+## Security Monitoring Recommendations
+
+For 4957(F): Windows Firewall did not apply the following rule.
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4958.md b/windows/keep-secure/event-4958.md
new file mode 100644
index 0000000000..7ef6e67cbe
--- /dev/null
+++ b/windows/keep-secure/event-4958.md
@@ -0,0 +1,43 @@
+---
+title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10)
+description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Schema:***
+
+*Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
+Rule Information:
+%tID:%t%1
+%tName:%t%2
+Error Information:
+%tError:%t%3
+%tReason:%t%4*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4964.md b/windows/keep-secure/event-4964.md
new file mode 100644
index 0000000000..8584a902c5
--- /dev/null
+++ b/windows/keep-secure/event-4964.md
@@ -0,0 +1,159 @@
+---
+title: 4964(S) Special groups have been assigned to a new logon. (Windows 10)
+description: Describes security event 4964(S) Special groups have been assigned to a new logon.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4964(S): Special groups have been assigned to a new logon.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Special Logon](audit-special-logon.md)
+
+***Event Description:***
+
+This event occurs when an account that is a member of any defined [Special Group](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md), [Audit Other Privilege Use Events](audit-other-privilege-use-events.md), and [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
+
+***Event Description:***
+
+This is an informational event from file system [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4985(S): The state of a transaction has changed.
+
+- This event typically has no security relevance and used for [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx) troubleshooting.
+
diff --git a/windows/keep-secure/event-5024.md b/windows/keep-secure/event-5024.md
new file mode 100644
index 0000000000..372ee3b767
--- /dev/null
+++ b/windows/keep-secure/event-5024.md
@@ -0,0 +1,69 @@
+---
+title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10)
+description: Describes security event 5024(S) The Windows Firewall Service has started successfully.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5024(S): The Windows Firewall Service has started successfully.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall (MpsSvc) service has started successfully.
+
+This event is typically logged during operating system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall (MpsSvc) service has been stopped.
+
+This event is typically logged during operating system shutdown process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption.
+
+Typically if this event occurs it indicates that Windows Firewall service was not able to start.
+
+It typically occurs with “[5028](event-5028.md)(S): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.”
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption.
+
+Typically if this event occurs it indicates that Windows Firewall service was not able to start.
+
+It typically occurs with “[5027](event-5027.md)(S): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.”
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
+
+If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) layer, because by default this layer is denying any incoming connections.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) has started successfully.
+
+This event is typically logged during operating system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) was stopped.
+
+This event is NOT logged during the operating system shutdown process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+
+- Microsoft Software Key Storage Provider
+
+- Microsoft Smart Card Key Storage Provider
+
+You can see these events, for example, during certificate renewal or export operations using KSP.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Key Type** \[Type = UnicodeString\]: can have one of the following values:
+
+ - “User key.” – user’s cryptographic key.
+
+ - “Machine key.” – machine’s cryptographic key.
+
+**Key File Operation Information:**
+
+- **File Path** \[Type = UnicodeString\]: full path and filename of the key file on which the operation was performed.
+
+- **Operation** \[Type = UnicodeString\]: performed operation. Examples:
+
+ - Write persisted key to file.
+
+ - Read persisted key from file.
+
+ - Delete key file.
+
+- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
+
+## Security Monitoring Recommendations
+
+For 5058(S, F): Key file operation.
+
+- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”**) or a specific **“Operation”**, such as **“Delete key file”**, create monitoring rules and use this event as an information source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
diff --git a/windows/keep-secure/event-5059.md b/windows/keep-secure/event-5059.md
new file mode 100644
index 0000000000..1e5424b033
--- /dev/null
+++ b/windows/keep-secure/event-5059.md
@@ -0,0 +1,156 @@
+---
+title: 5059(S, F) Key migration operation. (Windows 10)
+description: Describes security event 5059(S, F) Key migration operation.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5059(S, F): Key migration operation.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+
+- Microsoft Software Key Storage Provider
+
+- Microsoft Smart Card Key Storage Provider
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Key Type** \[Type = UnicodeString\]: can have one of the following values:
+
+ - “User key.” – user’s cryptographic key.
+
+ - “Machine key.” – machine’s cryptographic key.
+
+**Additional Information:**
+
+- **Operation** \[Type = UnicodeString\]: performed operation. Examples:
+
+ - “**Export of persistent cryptographic key.**” – typically generates during key read operations, which means that the key was taken for read purposes. But it also generates during real key export operations (export certificate with private key, for example).
+
+ - “**Import of persistent cryptographic key.**” – key import operation was performed (import certificate with private key, for example).
+
+- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
+
+## Security Monitoring Recommendations
+
+For 5059(S, F): Key migration operation.
+
+- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Export of persistent cryptographic key”**, create monitoring rules and use this event as an information source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+-
+
diff --git a/windows/keep-secure/event-5060.md b/windows/keep-secure/event-5060.md
new file mode 100644
index 0000000000..5a3b66e7da
--- /dev/null
+++ b/windows/keep-secure/event-5060.md
@@ -0,0 +1,75 @@
+'---
+title: 5060(F) Verification operation failed. (Windows 10)
+description: Describes security event 5060(F) Verification operation failed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5060(F): Verification operation failed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event generates in case of CNG verification operation failure.
+
+For more information about Cryptographic Next Generation (CNG) visit these pages:
+
+- 
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Description:***
+
+This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+
+- Microsoft Software Key Storage Provider
+
+- Microsoft Smart Card Key Storage Provider
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Key Type** \[Type = UnicodeString\]: can have one of the following values:
+
+ - “User key.” – user’s cryptographic key.
+
+ - “Machine key.” – machine’s cryptographic key.
+
+**Cryptographic Operation:**
+
+- **Operation** \[Type = UnicodeString\]: performed operation. Possible values:
+
+ - Open Key. – open existing cryptographic key.
+
+ - Create Key. – create new cryptographic key.
+
+ - Delete Key. – delete existing cryptographic key.
+
+ - Sign hash. – cryptographic signing operation.
+
+ - Secret agreement.
+
+ - Key Derivation. – key derivation operation.
+
+ - Encrypt. – encryption operation.
+
+ - Decrypt. – decryption operation.
+
+- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
+
+## Security Monitoring Recommendations
+
+For 5061(S, F): Cryptographic operation.
+
+- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Delete Key”**, create monitoring rules and use this event as an information source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
diff --git a/windows/keep-secure/event-5062.md b/windows/keep-secure/event-5062.md
new file mode 100644
index 0000000000..3b07e9e43c
--- /dev/null
+++ b/windows/keep-secure/event-5062.md
@@ -0,0 +1,39 @@
+---
+title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10)
+description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5062(S): A kernel-mode cryptographic self-test was performed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event occurs rarely, and in some situations may be difficult to reproduce.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*A kernel-mode cryptographic self test was performed.*
+
+*Module:%1*
+
+*Return Code:%2*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need.
+
diff --git a/windows/keep-secure/event-5063.md b/windows/keep-secure/event-5063.md
new file mode 100644
index 0000000000..113f459251
--- /dev/null
+++ b/windows/keep-secure/event-5063.md
@@ -0,0 +1,69 @@
+---
+title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10)
+description: Describes security event 5063(S, F) A cryptographic provider operation was attempted.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5063(S, F): A cryptographic provider operation was attempted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions.
+
+This event generates when cryptographic provider was registered or unregistered.
+
+For more information about Cryptographic Next Generation (CNG) visit these pages:
+
+- 
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is modified.
+
+To generate this event, the modified object must have an appropriate entry in [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Write”** action auditing for specific attributes.
+
+For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is created.
+
+This event only generates if the parent object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx).
+
+This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is moved.
+
+This event only generates if the destination object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object was accessed.
+
+This event generates once per session, when first access attempt was made.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is deleted.
+
+This event only generates if the deleted object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Delete”** action, auditing for specific objects.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.”
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
+
+## Security Monitoring Recommendations
+
+For 5141(S): A directory service object was deleted.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class.
+
+- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
+
diff --git a/windows/keep-secure/event-5142.md b/windows/keep-secure/event-5142.md
new file mode 100644
index 0000000000..291378d2ee
--- /dev/null
+++ b/windows/keep-secure/event-5142.md
@@ -0,0 +1,106 @@
+---
+title: 5142(S) A network share object was added. (Windows 10)
+description: Describes security event 5142(S) A network share object was added.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5142(S): A network share object was added.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object was added.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object was modified.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
+
+- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
+
+- **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
+
+- **New Maxusers** \[Type = HexInt32\]**:** new hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
+
+- **Old ShareFlags** \[Type = HexInt32\]: old hexadecimal value of “**Offline Settings**” caching settings window flags.
+
+
+
+- **New ShareFlags** \[Type = HexInt32\]: new hexadecimal value of “**Offline Settings**” caching settings window flags.
+
+- **Old SD** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for network share security descriptor.
+
+- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time a network share object is deleted.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed File Share](audit-detailed-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object (file or folder) was accessed.
+
+*Important*: Failure events are generated only when access is denied at the file share level. No events are generated if access was denied on the file system (NTFS) level.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Schema Value | Description | +|-----------------------------------------------------------|----------------------------|---------------| +| ReadData (or ListDirectory) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 13. File access codes. + +**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:
+ +REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. + +- REQUESTED\_ACCESS – the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic. + +- RESULT: + + - Granted by – if access was granted. + + - Denied by – if access was denied. + +- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. + +> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below. + +## SDDL values for Access Control Entry + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. + +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles:
+
+***Subcategory:*** [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
+
+***Event Description:***
+
+This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a network packet.
+
+This event is generated for every received network packet.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Direction** \[Type = UnicodeString\]: direction of blocked connection.
+
+ - Inbound – for inbound connections.
+
+ - Outbound – for unbound connections.
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the packet.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet.
+
+- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which packet was received or initiated.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+ 
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5152(F): The Windows Filtering Platform blocked a packet.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that **Source Address** is one of the addresses assigned to the computer.
+
+- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
+
+- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
+
+- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the whitelist.
+
+- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5153.md b/windows/keep-secure/event-5153.md
new file mode 100644
index 0000000000..9f5a9081bd
--- /dev/null
+++ b/windows/keep-secure/event-5153.md
@@ -0,0 +1,59 @@
+---
+title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
+description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
+
+***Event Schema:***
+
+*A more restrictive Windows Filtering Platform filter has blocked a packet.*
+
+*Application Information:*
+
+> *Process ID:%1*
+>
+> *Application Name:%2*
+
+*Network Information:*
+
+> *Source Address:%3*
+>
+> *Source Port:%4*
+>
+> *Protocol:%5*
+
+*Filter Information:*
+
+> *Filter Run-Time ID:%6*
+>
+> *Layer Name:%7*
+>
+> *Layer Run-Time ID:%8*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-5154.md b/windows/keep-secure/event-5154.md
new file mode 100644
index 0000000000..b5362105d2
--- /dev/null
+++ b/windows/keep-secure/event-5154.md
@@ -0,0 +1,144 @@
+---
+title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10)
+description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to listen on a port.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application requested to listen on the port.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application.
+
+- **Protocol** \[Type = UInt32\]: protocol number. For example:
+
+ - 6 – TCP.
+
+ - 17 – UDP.
+
+ More information about possible values for this field:
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+
+- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
+
+- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
+
+- If a certain application is allowed to listen only on a specific IP address, monitor this event for **“Application Name”** and **“Network Information\\Source Address**.**”**
+
+- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Typically this event has an informational purpose.
+
diff --git a/windows/keep-secure/event-5155.md b/windows/keep-secure/event-5155.md
new file mode 100644
index 0000000000..1ab050cf24
--- /dev/null
+++ b/windows/keep-secure/event-5155.md
@@ -0,0 +1,61 @@
+---
+title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10)
+description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself.
+
+You can add your own filters using the WFP APIs to block listen to reproduce this event: 
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has allowed a connection.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Direction** \[Type = UnicodeString\]: direction of allowed connection.
+
+ - Inbound – for inbound connections.
+
+ - Outbound – for unbound connections.
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
+
+- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5156(S): The Windows Filtering Platform has permitted a connection.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that “**Source Address”** is one of the addresses assigned to the computer.
+
+- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
+
+- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+
+- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist.
+
+- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5157.md b/windows/keep-secure/event-5157.md
new file mode 100644
index 0000000000..fe9fb634f0
--- /dev/null
+++ b/windows/keep-secure/event-5157.md
@@ -0,0 +1,185 @@
+---
+title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10)
+description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5157(F): The Windows Filtering Platform has blocked a connection.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a connection.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Direction** \[Type = UnicodeString\]: direction of blocked connection.
+
+ - Inbound – for inbound connections.
+
+ - Outbound – for unbound connections.
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
+
+- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5157(F): The Windows Filtering Platform has blocked a connection.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that “**Source Address”** is one of the addresses assigned to the computer.
+
+- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
+
+- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+
+- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist.
+
+- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5158.md b/windows/keep-secure/event-5158.md
new file mode 100644
index 0000000000..3f28870be7
--- /dev/null
+++ b/windows/keep-secure/event-5158.md
@@ -0,0 +1,156 @@
+---
+title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10)
+description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to bind to a local port.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that “**Source Address”** is one of the addresses assigned to the computer.
+
+- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5159.md b/windows/keep-secure/event-5159.md
new file mode 100644
index 0000000000..0904b2d8d5
--- /dev/null
+++ b/windows/keep-secure/event-5159.md
@@ -0,0 +1,59 @@
+---
+title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)
+description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Schema:***
+
+*The Windows Filtering Platform has blocked a bind to a local port.*
+
+*Application Information:*
+
+> *Process ID:%1*
+>
+> *Application Name:%2*
+
+*Network Information:*
+
+> *Source Address:%3*
+>
+> *Source Port:%4*
+>
+> *Protocol:%5*
+
+*Filter Information:*
+
+> *Filter Run-Time ID:%6*
+>
+> *Layer Name:%7*
+>
+> *Layer Run-Time ID:%8*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-5168.md b/windows/keep-secure/event-5168.md
new file mode 100644
index 0000000000..f9f2941bb6
--- /dev/null
+++ b/windows/keep-secure/event-5168.md
@@ -0,0 +1,119 @@
+---
+title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
+description: Describes security event 5168(F) SPN check for SMB/SMB2 failed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5168(F): SPN check for SMB/SMB2 failed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates when SMB SPN check fails.
+
+It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](https://technet.microsoft.com/en-us/library/jj852272.aspx)” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time the user (**Subject**) successfully backs up the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database.
+
+Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time the user (**Subject**) successfully restores the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database.
+
+Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event generates requested [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) credentials delegation was disallowed by [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation policy.
+
+It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation for [WinRM](https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx) [double-hop](https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx) session was not set properly.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time a [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) filter has been changed.
+
+It typically generates during Group Policy update procedures.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wireless network.
+
+It typically generates when network adapter connects to new wireless network.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Local MAC Address** \[Type = UnicodeString\]**:** local interface’s MAC-address.
+
+- **Peer MAC Address** \[Type = UnicodeString\]**:** peer’s (typically – access point) MAC-address.
+
+**Additional Information:**
+
+- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: 
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wired network.
+
+It typically generates when network adapter connects to new wired network.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Additional Information:**
+
+- **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: 
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates when the object in [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was modified.
+
+For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates when the object in the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was deleted.
+
+For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates when new object was added to the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx).
+
+For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself.
+
+It is a routine event which shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
+
+This event generates every time Group Policy is applied to the computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+## Security Monitoring Recommendations
+
+For 6144(S): Security policy in the group policy objects has been applied successfully.
+
+- If you have a pre-defined list of Group Policy Objects which contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and in case of any difference trigger an alert.
+
+- This event is mostly an informational event.
+
diff --git a/windows/keep-secure/event-6145.md b/windows/keep-secure/event-6145.md
new file mode 100644
index 0000000000..440684ab1d
--- /dev/null
+++ b/windows/keep-secure/event-6145.md
@@ -0,0 +1,88 @@
+---
+title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10)
+description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6145(F): One or more errors occurred while processing security policy in the group policy objects.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself.
+
+This event generates, for example, if the [SID](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+## Security Monitoring Recommendations
+
+For 6145(F): One or more errors occurred while processing security policy in the group policy objects.
+
+- This event indicates that Group Policy Objects which were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
+
+- If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. If so, you can review the error codes and investigate the cause of the failure.
+
+- Typically this event has an informational purpose and the reason is configuration errors in Group Policy’s security settings.
+
+- This event might be used for Group Policy troubleshooting purposes.
+
diff --git a/windows/keep-secure/event-6281.md b/windows/keep-secure/event-6281.md
new file mode 100644
index 0000000000..3e5e8b369e
--- /dev/null
+++ b/windows/keep-secure/event-6281.md
@@ -0,0 +1,43 @@
+---
+title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10)
+description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
+
+[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+
+This event generates when [code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.*
+
+*File Name:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
+
diff --git a/windows/keep-secure/event-6400.md b/windows/keep-secure/event-6400.md
new file mode 100644
index 0000000000..3dfd20b90a
--- /dev/null
+++ b/windows/keep-secure/event-6400.md
@@ -0,0 +1,39 @@
+---
+title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10)
+description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
+
+*IP address of the client that sent this response:%1 *
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6401.md b/windows/keep-secure/event-6401.md
new file mode 100644
index 0000000000..d9f9af15e8
--- /dev/null
+++ b/windows/keep-secure/event-6401.md
@@ -0,0 +1,39 @@
+---
+title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10)
+description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: Received invalid data from a peer. Data discarded. *
+
+*IP address of the client that sent this data:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6402.md b/windows/keep-secure/event-6402.md
new file mode 100644
index 0000000000..1aacc012a3
--- /dev/null
+++ b/windows/keep-secure/event-6402.md
@@ -0,0 +1,39 @@
+---
+title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10)
+description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
+
+*IP address of the client that sent this message: %1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6403.md b/windows/keep-secure/event-6403.md
new file mode 100644
index 0000000000..60b2123425
--- /dev/null
+++ b/windows/keep-secure/event-6403.md
@@ -0,0 +1,39 @@
+---
+title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10)
+description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. *
+
+*Domain name of the hosted cache is:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6404.md b/windows/keep-secure/event-6404.md
new file mode 100644
index 0000000000..2cdc4ef54c
--- /dev/null
+++ b/windows/keep-secure/event-6404.md
@@ -0,0 +1,41 @@
+---
+title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10)
+description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
+
+*Domain name of the hosted cache:%1*
+
+*Error Code:%2*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6405.md b/windows/keep-secure/event-6405.md
new file mode 100644
index 0000000000..696f837a08
--- /dev/null
+++ b/windows/keep-secure/event-6405.md
@@ -0,0 +1,37 @@
+---
+title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10)
+description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: %2 instance(s) of event id %1 occurred.*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6406.md b/windows/keep-secure/event-6406.md
new file mode 100644
index 0000000000..ca1f2b9601
--- /dev/null
+++ b/windows/keep-secure/event-6406.md
@@ -0,0 +1,39 @@
+---
+title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10)
+description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*%1 registered to Windows Firewall to control filtering for the following:*
+
+*%2.*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6407.md b/windows/keep-secure/event-6407.md
new file mode 100644
index 0000000000..30149be4fd
--- /dev/null
+++ b/windows/keep-secure/event-6407.md
@@ -0,0 +1,37 @@
+---
+title: 6407(-) 1%. (Windows 10)
+description: Describes security event 6407(-) 1%.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6407(-): 1%.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6408.md b/windows/keep-secure/event-6408.md
new file mode 100644
index 0000000000..f968473bbd
--- /dev/null
+++ b/windows/keep-secure/event-6408.md
@@ -0,0 +1,37 @@
+---
+title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10)
+description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6409.md b/windows/keep-secure/event-6409.md
new file mode 100644
index 0000000000..bc69be15aa
--- /dev/null
+++ b/windows/keep-secure/event-6409.md
@@ -0,0 +1,39 @@
+---
+title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10)
+description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6409(-): BranchCache: A service connection point object could not be parsed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: A service connection point object could not be parsed. *
+
+*SCP object GUID: %1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6410.md b/windows/keep-secure/event-6410.md
new file mode 100644
index 0000000000..95a4a6daed
--- /dev/null
+++ b/windows/keep-secure/event-6410.md
@@ -0,0 +1,43 @@
+---
+title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10)
+description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+
+This event generates due to writable [shared sections](https://msdn.microsoft.com/en-us/library/windows/desktop/cc307397.aspx) being present in a file image.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.*
+
+*File Name:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2012 R2, Windows 8.1.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
+
+
+
diff --git a/windows/keep-secure/event-6416.md b/windows/keep-secure/event-6416.md
new file mode 100644
index 0000000000..18237f7cc4
--- /dev/null
+++ b/windows/keep-secure/event-6416.md
@@ -0,0 +1,154 @@
+---
+title: 6416(S) A new external device was recognized by the System. (Windows 10)
+description: Describes security event 6416(S) A new external device was recognized by the System.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6416(S): A new external device was recognized by the System.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time a new external device is recognized by a system.
+
+This event generates, for example, when a new external device is connected or enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\] \[Version 1\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\] \[Version 1\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Vendor IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6416(S): A new external device was recognized by the System.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|-----------------------------------------------------|----------------------------|
+| Device recognition events, **Device Instance Path** | “**Device ID**” |
+| Device recognition events, **Device Description** | “**Device Name**” |
+| Device recognition events, **Class GUID** | “**Class ID**” |
+| Device recognition events, **Hardware IDs** | “**Vendor IDs**” |
+| Device recognition events, **Compatible IDs** | “**Compatible IDs**” |
+| Device recognition events, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6419.md b/windows/keep-secure/event-6419.md
new file mode 100644
index 0000000000..c34be4a0ec
--- /dev/null
+++ b/windows/keep-secure/event-6419.md
@@ -0,0 +1,142 @@
+---
+title: 6419(S) A request was made to disable a device. (Windows 10)
+description: Describes security event 6419(S) A request was made to disable a device.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6419(S): A request was made to disable a device.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time when someone made a request to disable a device.
+
+This event doesn’t mean that device was disabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6419(S): A request was made to disable a device.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|---------------------------------------------------|----------------------------|
+| Device disable requests, **Device Instance Path** | “**Device ID**” |
+| Device disable requests, **Device Description** | “**Device Name**” |
+| Device disable requests, **Class GUID** | “**Class ID**” |
+| Device disable requests, **Hardware IDs** | “**Hardware IDs**” |
+| Device disable requests, **Compatible IDs** | “**Compatible IDs**” |
+| Device disable requests, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6420.md b/windows/keep-secure/event-6420.md
new file mode 100644
index 0000000000..cc5ae0a245
--- /dev/null
+++ b/windows/keep-secure/event-6420.md
@@ -0,0 +1,140 @@
+---
+title: 6420(S) A device was disabled. (Windows 10)
+description: Describes security event 6420(S) A device was disabled.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6420(S): A device was disabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time specific device was disabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6420(S): A device was disabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|-------------------------------------------------|----------------------------|
+| Device disable events, **Device Instance Path** | “**Device ID**” |
+| Device disable events, **Device Description** | “**Device Name**” |
+| Device disable events, **Class GUID** | “**Class ID**” |
+| Device disable events, **Hardware IDs** | “**Hardware IDs**” |
+| Device disable events, **Compatible IDs** | “**Compatible IDs**” |
+| Device disable events, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6421.md b/windows/keep-secure/event-6421.md
new file mode 100644
index 0000000000..ec9290968a
--- /dev/null
+++ b/windows/keep-secure/event-6421.md
@@ -0,0 +1,142 @@
+---
+title: 6421(S) A request was made to enable a device. (Windows 10)
+description: Describes security event 6421(S) A request was made to enable a device.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6421(S): A request was made to enable a device.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time when someone made a request to enable a device.
+
+This event doesn’t mean that device was enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6421(S): A request was made to enable a device.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|--------------------------------------------------|----------------------------|
+| Device enable requests, **Device Instance Path** | “**Device ID**” |
+| Device enable requests, **Device Description** | “**Device Name**” |
+| Device enable requests, **Class GUID** | “**Class ID**” |
+| Device enable requests, **Hardware IDs** | “**Hardware IDs**” |
+| Device enable requests, **Compatible IDs** | “**Compatible IDs**” |
+| Device enable requests, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6422.md b/windows/keep-secure/event-6422.md
new file mode 100644
index 0000000000..c001a3c903
--- /dev/null
+++ b/windows/keep-secure/event-6422.md
@@ -0,0 +1,142 @@
+---
+title: 6422(S) A device was enabled. (Windows 10)
+description: Describes security event 6422(S) A device was enabled.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6422(S): A device was enabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time specific device was enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6422(S): A device was enabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|------------------------------------------------|----------------------------|
+| Device enable events, **Device Instance Path** | “**Device ID**” |
+| Device enable events, **Device Description** | “**Device Name**” |
+| Device enable events, **Class GUID** | “**Class ID**” |
+| Device enable events, **Hardware IDs** | “**Hardware IDs**” |
+| Device enable events, **Compatible IDs** | “**Compatible IDs**” |
+| Device enable events, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6423.md b/windows/keep-secure/event-6423.md
new file mode 100644
index 0000000000..1145307d13
--- /dev/null
+++ b/windows/keep-secure/event-6423.md
@@ -0,0 +1,148 @@
+---
+title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10)
+description: Describes security event 6423(S) The installation of this device is forbidden by system policy.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6423(S): The installation of this device is forbidden by system policy.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time installation of this device is forbidden by system policy.
+
+Device installation restriction group policies are located here: **\\Computer Configuration\\Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. If one of the policies restricts installation of a specific device, this event will be generated.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6423(S): The installation of this device is forbidden by system policy.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you want to track device installation policy violations then you need to track every event of this type.
+
+
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- You can use this event to track the policy violations and related information shown in the following table by using the listed fields:
+
+| Policy violation and related information to monitor | Field to use |
+|-----------------------------------------------------------------|----------------------------|
+| Device installation policy violations, **Device Instance Path** | “**Device ID**” |
+| Device installation policy violations, **Device Description** | “**Device Name**” |
+| Device installation policy violations, **Class GUID** | “**Class ID**” |
+| Device installation policy violations, **Hardware IDs** | “**Hardware IDs**” |
+| Device installation policy violations, **Compatible IDs** | “**Compatible IDs**” |
+| Device installation policy violations, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6424.md b/windows/keep-secure/event-6424.md
new file mode 100644
index 0000000000..10c2a2eb9e
--- /dev/null
+++ b/windows/keep-secure/event-6424.md
@@ -0,0 +1,31 @@
+---
+title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10)
+description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event occurs rarely, and in some situations may be difficult to reproduce.
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows 10 \[Version 1511\].
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/images/ad-sites-and-services.png b/windows/keep-secure/images/ad-sites-and-services.png
new file mode 100644
index 0000000000..74758aef69
Binary files /dev/null and b/windows/keep-secure/images/ad-sites-and-services.png differ
diff --git a/windows/keep-secure/images/adsi-edit.png b/windows/keep-secure/images/adsi-edit.png
new file mode 100644
index 0000000000..2d0c4d0af7
Binary files /dev/null and b/windows/keep-secure/images/adsi-edit.png differ
diff --git a/windows/keep-secure/images/advanced-sharing.png b/windows/keep-secure/images/advanced-sharing.png
new file mode 100644
index 0000000000..f72b7dd37b
Binary files /dev/null and b/windows/keep-secure/images/advanced-sharing.png differ
diff --git a/windows/keep-secure/images/auditpol-guid-list.png b/windows/keep-secure/images/auditpol-guid-list.png
new file mode 100644
index 0000000000..d69583ad89
Binary files /dev/null and b/windows/keep-secure/images/auditpol-guid-list.png differ
diff --git a/windows/keep-secure/images/auditpol-list-subcategory.png b/windows/keep-secure/images/auditpol-list-subcategory.png
new file mode 100644
index 0000000000..91f043fc24
Binary files /dev/null and b/windows/keep-secure/images/auditpol-list-subcategory.png differ
diff --git a/windows/keep-secure/images/auditpol-list-user.png b/windows/keep-secure/images/auditpol-list-user.png
new file mode 100644
index 0000000000..cabf86563d
Binary files /dev/null and b/windows/keep-secure/images/auditpol-list-user.png differ
diff --git a/windows/keep-secure/images/auditpol.png b/windows/keep-secure/images/auditpol.png
new file mode 100644
index 0000000000..cabf86563d
Binary files /dev/null and b/windows/keep-secure/images/auditpol.png differ
diff --git a/windows/keep-secure/images/branchcache-properties.png b/windows/keep-secure/images/branchcache-properties.png
new file mode 100644
index 0000000000..31f13be679
Binary files /dev/null and b/windows/keep-secure/images/branchcache-properties.png differ
diff --git a/windows/keep-secure/images/certutil-command.png b/windows/keep-secure/images/certutil-command.png
new file mode 100644
index 0000000000..ce60fa8034
Binary files /dev/null and b/windows/keep-secure/images/certutil-command.png differ
diff --git a/windows/keep-secure/images/computer-management.png b/windows/keep-secure/images/computer-management.png
new file mode 100644
index 0000000000..74548ab836
Binary files /dev/null and b/windows/keep-secure/images/computer-management.png differ
diff --git a/windows/keep-secure/images/diskpart.png b/windows/keep-secure/images/diskpart.png
new file mode 100644
index 0000000000..f2ebf04b35
Binary files /dev/null and b/windows/keep-secure/images/diskpart.png differ
diff --git a/windows/keep-secure/images/event-1100.png b/windows/keep-secure/images/event-1100.png
new file mode 100644
index 0000000000..aea16fdfc2
Binary files /dev/null and b/windows/keep-secure/images/event-1100.png differ
diff --git a/windows/keep-secure/images/event-1102.png b/windows/keep-secure/images/event-1102.png
new file mode 100644
index 0000000000..3d342a51fa
Binary files /dev/null and b/windows/keep-secure/images/event-1102.png differ
diff --git a/windows/keep-secure/images/event-1104.png b/windows/keep-secure/images/event-1104.png
new file mode 100644
index 0000000000..b275530d7a
Binary files /dev/null and b/windows/keep-secure/images/event-1104.png differ
diff --git a/windows/keep-secure/images/event-1105.png b/windows/keep-secure/images/event-1105.png
new file mode 100644
index 0000000000..cedf9019f6
Binary files /dev/null and b/windows/keep-secure/images/event-1105.png differ
diff --git a/windows/keep-secure/images/event-1108.png b/windows/keep-secure/images/event-1108.png
new file mode 100644
index 0000000000..aa55df090d
Binary files /dev/null and b/windows/keep-secure/images/event-1108.png differ
diff --git a/windows/keep-secure/images/event-4608.png b/windows/keep-secure/images/event-4608.png
new file mode 100644
index 0000000000..256605977f
Binary files /dev/null and b/windows/keep-secure/images/event-4608.png differ
diff --git a/windows/keep-secure/images/event-4610.png b/windows/keep-secure/images/event-4610.png
new file mode 100644
index 0000000000..0046d6c73d
Binary files /dev/null and b/windows/keep-secure/images/event-4610.png differ
diff --git a/windows/keep-secure/images/event-4611.png b/windows/keep-secure/images/event-4611.png
new file mode 100644
index 0000000000..f0721a4860
Binary files /dev/null and b/windows/keep-secure/images/event-4611.png differ
diff --git a/windows/keep-secure/images/event-4614.png b/windows/keep-secure/images/event-4614.png
new file mode 100644
index 0000000000..aaa731eacb
Binary files /dev/null and b/windows/keep-secure/images/event-4614.png differ
diff --git a/windows/keep-secure/images/event-4616.png b/windows/keep-secure/images/event-4616.png
new file mode 100644
index 0000000000..f33eb34fef
Binary files /dev/null and b/windows/keep-secure/images/event-4616.png differ
diff --git a/windows/keep-secure/images/event-4618.png b/windows/keep-secure/images/event-4618.png
new file mode 100644
index 0000000000..7e98ebf7d0
Binary files /dev/null and b/windows/keep-secure/images/event-4618.png differ
diff --git a/windows/keep-secure/images/event-4622.png b/windows/keep-secure/images/event-4622.png
new file mode 100644
index 0000000000..4283128955
Binary files /dev/null and b/windows/keep-secure/images/event-4622.png differ
diff --git a/windows/keep-secure/images/event-4624.png b/windows/keep-secure/images/event-4624.png
new file mode 100644
index 0000000000..f12908f0b0
Binary files /dev/null and b/windows/keep-secure/images/event-4624.png differ
diff --git a/windows/keep-secure/images/event-4625.png b/windows/keep-secure/images/event-4625.png
new file mode 100644
index 0000000000..4ca8559f18
Binary files /dev/null and b/windows/keep-secure/images/event-4625.png differ
diff --git a/windows/keep-secure/images/event-4626.png b/windows/keep-secure/images/event-4626.png
new file mode 100644
index 0000000000..9d2aa55f16
Binary files /dev/null and b/windows/keep-secure/images/event-4626.png differ
diff --git a/windows/keep-secure/images/event-4627.png b/windows/keep-secure/images/event-4627.png
new file mode 100644
index 0000000000..53e75a4a88
Binary files /dev/null and b/windows/keep-secure/images/event-4627.png differ
diff --git a/windows/keep-secure/images/event-4634.png b/windows/keep-secure/images/event-4634.png
new file mode 100644
index 0000000000..e014592cc8
Binary files /dev/null and b/windows/keep-secure/images/event-4634.png differ
diff --git a/windows/keep-secure/images/event-4647.png b/windows/keep-secure/images/event-4647.png
new file mode 100644
index 0000000000..f11ddf8996
Binary files /dev/null and b/windows/keep-secure/images/event-4647.png differ
diff --git a/windows/keep-secure/images/event-4648.png b/windows/keep-secure/images/event-4648.png
new file mode 100644
index 0000000000..54721193e7
Binary files /dev/null and b/windows/keep-secure/images/event-4648.png differ
diff --git a/windows/keep-secure/images/event-4656.png b/windows/keep-secure/images/event-4656.png
new file mode 100644
index 0000000000..aba3b592a8
Binary files /dev/null and b/windows/keep-secure/images/event-4656.png differ
diff --git a/windows/keep-secure/images/event-4657.png b/windows/keep-secure/images/event-4657.png
new file mode 100644
index 0000000000..4b0ffbad21
Binary files /dev/null and b/windows/keep-secure/images/event-4657.png differ
diff --git a/windows/keep-secure/images/event-4658.png b/windows/keep-secure/images/event-4658.png
new file mode 100644
index 0000000000..7bf584e4f4
Binary files /dev/null and b/windows/keep-secure/images/event-4658.png differ
diff --git a/windows/keep-secure/images/event-4660.png b/windows/keep-secure/images/event-4660.png
new file mode 100644
index 0000000000..55c57de435
Binary files /dev/null and b/windows/keep-secure/images/event-4660.png differ
diff --git a/windows/keep-secure/images/event-4661.png b/windows/keep-secure/images/event-4661.png
new file mode 100644
index 0000000000..f2b6f57b5b
Binary files /dev/null and b/windows/keep-secure/images/event-4661.png differ
diff --git a/windows/keep-secure/images/event-4662.png b/windows/keep-secure/images/event-4662.png
new file mode 100644
index 0000000000..d2d50bda5a
Binary files /dev/null and b/windows/keep-secure/images/event-4662.png differ
diff --git a/windows/keep-secure/images/event-4663.png b/windows/keep-secure/images/event-4663.png
new file mode 100644
index 0000000000..13629253a0
Binary files /dev/null and b/windows/keep-secure/images/event-4663.png differ
diff --git a/windows/keep-secure/images/event-4664.png b/windows/keep-secure/images/event-4664.png
new file mode 100644
index 0000000000..07b9624fdf
Binary files /dev/null and b/windows/keep-secure/images/event-4664.png differ
diff --git a/windows/keep-secure/images/event-4670.png b/windows/keep-secure/images/event-4670.png
new file mode 100644
index 0000000000..664fdca981
Binary files /dev/null and b/windows/keep-secure/images/event-4670.png differ
diff --git a/windows/keep-secure/images/event-4672.png b/windows/keep-secure/images/event-4672.png
new file mode 100644
index 0000000000..12a54cb1a8
Binary files /dev/null and b/windows/keep-secure/images/event-4672.png differ
diff --git a/windows/keep-secure/images/event-4673.png b/windows/keep-secure/images/event-4673.png
new file mode 100644
index 0000000000..ac773069eb
Binary files /dev/null and b/windows/keep-secure/images/event-4673.png differ
diff --git a/windows/keep-secure/images/event-4674.png b/windows/keep-secure/images/event-4674.png
new file mode 100644
index 0000000000..a10eaaa6f7
Binary files /dev/null and b/windows/keep-secure/images/event-4674.png differ
diff --git a/windows/keep-secure/images/event-4688.png b/windows/keep-secure/images/event-4688.png
new file mode 100644
index 0000000000..5ce471eda2
Binary files /dev/null and b/windows/keep-secure/images/event-4688.png differ
diff --git a/windows/keep-secure/images/event-4689.png b/windows/keep-secure/images/event-4689.png
new file mode 100644
index 0000000000..1c80bf5428
Binary files /dev/null and b/windows/keep-secure/images/event-4689.png differ
diff --git a/windows/keep-secure/images/event-4690.png b/windows/keep-secure/images/event-4690.png
new file mode 100644
index 0000000000..400c1aa7df
Binary files /dev/null and b/windows/keep-secure/images/event-4690.png differ
diff --git a/windows/keep-secure/images/event-4691.png b/windows/keep-secure/images/event-4691.png
new file mode 100644
index 0000000000..8b5563f136
Binary files /dev/null and b/windows/keep-secure/images/event-4691.png differ
diff --git a/windows/keep-secure/images/event-4692.png b/windows/keep-secure/images/event-4692.png
new file mode 100644
index 0000000000..a26a483b4e
Binary files /dev/null and b/windows/keep-secure/images/event-4692.png differ
diff --git a/windows/keep-secure/images/event-4693.png b/windows/keep-secure/images/event-4693.png
new file mode 100644
index 0000000000..6180d34954
Binary files /dev/null and b/windows/keep-secure/images/event-4693.png differ
diff --git a/windows/keep-secure/images/event-4696.png b/windows/keep-secure/images/event-4696.png
new file mode 100644
index 0000000000..1169b0e437
Binary files /dev/null and b/windows/keep-secure/images/event-4696.png differ
diff --git a/windows/keep-secure/images/event-4697.png b/windows/keep-secure/images/event-4697.png
new file mode 100644
index 0000000000..4cafd71282
Binary files /dev/null and b/windows/keep-secure/images/event-4697.png differ
diff --git a/windows/keep-secure/images/event-4698.png b/windows/keep-secure/images/event-4698.png
new file mode 100644
index 0000000000..d8c35fc625
Binary files /dev/null and b/windows/keep-secure/images/event-4698.png differ
diff --git a/windows/keep-secure/images/event-4699.png b/windows/keep-secure/images/event-4699.png
new file mode 100644
index 0000000000..5e11312a32
Binary files /dev/null and b/windows/keep-secure/images/event-4699.png differ
diff --git a/windows/keep-secure/images/event-4700.png b/windows/keep-secure/images/event-4700.png
new file mode 100644
index 0000000000..922b70cbbb
Binary files /dev/null and b/windows/keep-secure/images/event-4700.png differ
diff --git a/windows/keep-secure/images/event-4701.png b/windows/keep-secure/images/event-4701.png
new file mode 100644
index 0000000000..71d9ba8d82
Binary files /dev/null and b/windows/keep-secure/images/event-4701.png differ
diff --git a/windows/keep-secure/images/event-4702.png b/windows/keep-secure/images/event-4702.png
new file mode 100644
index 0000000000..58b66921ff
Binary files /dev/null and b/windows/keep-secure/images/event-4702.png differ
diff --git a/windows/keep-secure/images/event-4703-partial.png b/windows/keep-secure/images/event-4703-partial.png
new file mode 100644
index 0000000000..61df0471f9
Binary files /dev/null and b/windows/keep-secure/images/event-4703-partial.png differ
diff --git a/windows/keep-secure/images/event-4703.png b/windows/keep-secure/images/event-4703.png
new file mode 100644
index 0000000000..2ddb6584cd
Binary files /dev/null and b/windows/keep-secure/images/event-4703.png differ
diff --git a/windows/keep-secure/images/event-4704.png b/windows/keep-secure/images/event-4704.png
new file mode 100644
index 0000000000..a12b3d0e8e
Binary files /dev/null and b/windows/keep-secure/images/event-4704.png differ
diff --git a/windows/keep-secure/images/event-4705.png b/windows/keep-secure/images/event-4705.png
new file mode 100644
index 0000000000..fbea053355
Binary files /dev/null and b/windows/keep-secure/images/event-4705.png differ
diff --git a/windows/keep-secure/images/event-4706.png b/windows/keep-secure/images/event-4706.png
new file mode 100644
index 0000000000..d692c6de11
Binary files /dev/null and b/windows/keep-secure/images/event-4706.png differ
diff --git a/windows/keep-secure/images/event-4707.png b/windows/keep-secure/images/event-4707.png
new file mode 100644
index 0000000000..455e4aea5c
Binary files /dev/null and b/windows/keep-secure/images/event-4707.png differ
diff --git a/windows/keep-secure/images/event-4713.png b/windows/keep-secure/images/event-4713.png
new file mode 100644
index 0000000000..a5577751f2
Binary files /dev/null and b/windows/keep-secure/images/event-4713.png differ
diff --git a/windows/keep-secure/images/event-4714.png b/windows/keep-secure/images/event-4714.png
new file mode 100644
index 0000000000..b7aba8b550
Binary files /dev/null and b/windows/keep-secure/images/event-4714.png differ
diff --git a/windows/keep-secure/images/event-4715.png b/windows/keep-secure/images/event-4715.png
new file mode 100644
index 0000000000..d61cdf4bee
Binary files /dev/null and b/windows/keep-secure/images/event-4715.png differ
diff --git a/windows/keep-secure/images/event-4716.png b/windows/keep-secure/images/event-4716.png
new file mode 100644
index 0000000000..34b7456f04
Binary files /dev/null and b/windows/keep-secure/images/event-4716.png differ
diff --git a/windows/keep-secure/images/event-4717.png b/windows/keep-secure/images/event-4717.png
new file mode 100644
index 0000000000..2ada59cc59
Binary files /dev/null and b/windows/keep-secure/images/event-4717.png differ
diff --git a/windows/keep-secure/images/event-4718.png b/windows/keep-secure/images/event-4718.png
new file mode 100644
index 0000000000..1cfddd3e3b
Binary files /dev/null and b/windows/keep-secure/images/event-4718.png differ
diff --git a/windows/keep-secure/images/event-4719.png b/windows/keep-secure/images/event-4719.png
new file mode 100644
index 0000000000..4cc7540a6c
Binary files /dev/null and b/windows/keep-secure/images/event-4719.png differ
diff --git a/windows/keep-secure/images/event-4720.png b/windows/keep-secure/images/event-4720.png
new file mode 100644
index 0000000000..d5c0d35986
Binary files /dev/null and b/windows/keep-secure/images/event-4720.png differ
diff --git a/windows/keep-secure/images/event-4722.png b/windows/keep-secure/images/event-4722.png
new file mode 100644
index 0000000000..0796375b65
Binary files /dev/null and b/windows/keep-secure/images/event-4722.png differ
diff --git a/windows/keep-secure/images/event-4723.png b/windows/keep-secure/images/event-4723.png
new file mode 100644
index 0000000000..e8f55a4cf3
Binary files /dev/null and b/windows/keep-secure/images/event-4723.png differ
diff --git a/windows/keep-secure/images/event-4724.png b/windows/keep-secure/images/event-4724.png
new file mode 100644
index 0000000000..d51ee410e3
Binary files /dev/null and b/windows/keep-secure/images/event-4724.png differ
diff --git a/windows/keep-secure/images/event-4725.png b/windows/keep-secure/images/event-4725.png
new file mode 100644
index 0000000000..961f810c35
Binary files /dev/null and b/windows/keep-secure/images/event-4725.png differ
diff --git a/windows/keep-secure/images/event-4726.png b/windows/keep-secure/images/event-4726.png
new file mode 100644
index 0000000000..6bcdae24fb
Binary files /dev/null and b/windows/keep-secure/images/event-4726.png differ
diff --git a/windows/keep-secure/images/event-4731.png b/windows/keep-secure/images/event-4731.png
new file mode 100644
index 0000000000..3547a1397c
Binary files /dev/null and b/windows/keep-secure/images/event-4731.png differ
diff --git a/windows/keep-secure/images/event-4732.png b/windows/keep-secure/images/event-4732.png
new file mode 100644
index 0000000000..62cdd84ef7
Binary files /dev/null and b/windows/keep-secure/images/event-4732.png differ
diff --git a/windows/keep-secure/images/event-4733.png b/windows/keep-secure/images/event-4733.png
new file mode 100644
index 0000000000..7ebc924898
Binary files /dev/null and b/windows/keep-secure/images/event-4733.png differ
diff --git a/windows/keep-secure/images/event-4734.png b/windows/keep-secure/images/event-4734.png
new file mode 100644
index 0000000000..4df94214f8
Binary files /dev/null and b/windows/keep-secure/images/event-4734.png differ
diff --git a/windows/keep-secure/images/event-4735.png b/windows/keep-secure/images/event-4735.png
new file mode 100644
index 0000000000..dc3fbe0f84
Binary files /dev/null and b/windows/keep-secure/images/event-4735.png differ
diff --git a/windows/keep-secure/images/event-4738.png b/windows/keep-secure/images/event-4738.png
new file mode 100644
index 0000000000..3b540b816e
Binary files /dev/null and b/windows/keep-secure/images/event-4738.png differ
diff --git a/windows/keep-secure/images/event-4739.png b/windows/keep-secure/images/event-4739.png
new file mode 100644
index 0000000000..5fb89bb560
Binary files /dev/null and b/windows/keep-secure/images/event-4739.png differ
diff --git a/windows/keep-secure/images/event-4740.png b/windows/keep-secure/images/event-4740.png
new file mode 100644
index 0000000000..19d652dac4
Binary files /dev/null and b/windows/keep-secure/images/event-4740.png differ
diff --git a/windows/keep-secure/images/event-4741.png b/windows/keep-secure/images/event-4741.png
new file mode 100644
index 0000000000..b06a01a83e
Binary files /dev/null and b/windows/keep-secure/images/event-4741.png differ
diff --git a/windows/keep-secure/images/event-4742.png b/windows/keep-secure/images/event-4742.png
new file mode 100644
index 0000000000..8922eb978b
Binary files /dev/null and b/windows/keep-secure/images/event-4742.png differ
diff --git a/windows/keep-secure/images/event-4743.png b/windows/keep-secure/images/event-4743.png
new file mode 100644
index 0000000000..1225c25c02
Binary files /dev/null and b/windows/keep-secure/images/event-4743.png differ
diff --git a/windows/keep-secure/images/event-4749.png b/windows/keep-secure/images/event-4749.png
new file mode 100644
index 0000000000..fad8e00ade
Binary files /dev/null and b/windows/keep-secure/images/event-4749.png differ
diff --git a/windows/keep-secure/images/event-4750.png b/windows/keep-secure/images/event-4750.png
new file mode 100644
index 0000000000..08d0b6c848
Binary files /dev/null and b/windows/keep-secure/images/event-4750.png differ
diff --git a/windows/keep-secure/images/event-4751.png b/windows/keep-secure/images/event-4751.png
new file mode 100644
index 0000000000..d9fd6c7928
Binary files /dev/null and b/windows/keep-secure/images/event-4751.png differ
diff --git a/windows/keep-secure/images/event-4752.png b/windows/keep-secure/images/event-4752.png
new file mode 100644
index 0000000000..3464cca5a3
Binary files /dev/null and b/windows/keep-secure/images/event-4752.png differ
diff --git a/windows/keep-secure/images/event-4753.png b/windows/keep-secure/images/event-4753.png
new file mode 100644
index 0000000000..41ee823086
Binary files /dev/null and b/windows/keep-secure/images/event-4753.png differ
diff --git a/windows/keep-secure/images/event-4764.png b/windows/keep-secure/images/event-4764.png
new file mode 100644
index 0000000000..5c376a7176
Binary files /dev/null and b/windows/keep-secure/images/event-4764.png differ
diff --git a/windows/keep-secure/images/event-4767.png b/windows/keep-secure/images/event-4767.png
new file mode 100644
index 0000000000..bb3c9a8524
Binary files /dev/null and b/windows/keep-secure/images/event-4767.png differ
diff --git a/windows/keep-secure/images/event-4768.png b/windows/keep-secure/images/event-4768.png
new file mode 100644
index 0000000000..6150806515
Binary files /dev/null and b/windows/keep-secure/images/event-4768.png differ
diff --git a/windows/keep-secure/images/event-4769.png b/windows/keep-secure/images/event-4769.png
new file mode 100644
index 0000000000..ad96b8df58
Binary files /dev/null and b/windows/keep-secure/images/event-4769.png differ
diff --git a/windows/keep-secure/images/event-4770.png b/windows/keep-secure/images/event-4770.png
new file mode 100644
index 0000000000..e780578ec3
Binary files /dev/null and b/windows/keep-secure/images/event-4770.png differ
diff --git a/windows/keep-secure/images/event-4771.png b/windows/keep-secure/images/event-4771.png
new file mode 100644
index 0000000000..b87ef7dc23
Binary files /dev/null and b/windows/keep-secure/images/event-4771.png differ
diff --git a/windows/keep-secure/images/event-4776.png b/windows/keep-secure/images/event-4776.png
new file mode 100644
index 0000000000..b0ffefdee9
Binary files /dev/null and b/windows/keep-secure/images/event-4776.png differ
diff --git a/windows/keep-secure/images/event-4778.png b/windows/keep-secure/images/event-4778.png
new file mode 100644
index 0000000000..0888c950de
Binary files /dev/null and b/windows/keep-secure/images/event-4778.png differ
diff --git a/windows/keep-secure/images/event-4779.png b/windows/keep-secure/images/event-4779.png
new file mode 100644
index 0000000000..f578cdd53f
Binary files /dev/null and b/windows/keep-secure/images/event-4779.png differ
diff --git a/windows/keep-secure/images/event-4781.png b/windows/keep-secure/images/event-4781.png
new file mode 100644
index 0000000000..f344879f9d
Binary files /dev/null and b/windows/keep-secure/images/event-4781.png differ
diff --git a/windows/keep-secure/images/event-4782.png b/windows/keep-secure/images/event-4782.png
new file mode 100644
index 0000000000..3f2822bf9c
Binary files /dev/null and b/windows/keep-secure/images/event-4782.png differ
diff --git a/windows/keep-secure/images/event-4793.png b/windows/keep-secure/images/event-4793.png
new file mode 100644
index 0000000000..2def52c754
Binary files /dev/null and b/windows/keep-secure/images/event-4793.png differ
diff --git a/windows/keep-secure/images/event-4794.png b/windows/keep-secure/images/event-4794.png
new file mode 100644
index 0000000000..08b15adb1e
Binary files /dev/null and b/windows/keep-secure/images/event-4794.png differ
diff --git a/windows/keep-secure/images/event-4798.png b/windows/keep-secure/images/event-4798.png
new file mode 100644
index 0000000000..727cf0ce90
Binary files /dev/null and b/windows/keep-secure/images/event-4798.png differ
diff --git a/windows/keep-secure/images/event-4799.png b/windows/keep-secure/images/event-4799.png
new file mode 100644
index 0000000000..2bbb69f812
Binary files /dev/null and b/windows/keep-secure/images/event-4799.png differ
diff --git a/windows/keep-secure/images/event-4800.png b/windows/keep-secure/images/event-4800.png
new file mode 100644
index 0000000000..e7354b3995
Binary files /dev/null and b/windows/keep-secure/images/event-4800.png differ
diff --git a/windows/keep-secure/images/event-4801.png b/windows/keep-secure/images/event-4801.png
new file mode 100644
index 0000000000..695e124a94
Binary files /dev/null and b/windows/keep-secure/images/event-4801.png differ
diff --git a/windows/keep-secure/images/event-4802.png b/windows/keep-secure/images/event-4802.png
new file mode 100644
index 0000000000..1225e2c79f
Binary files /dev/null and b/windows/keep-secure/images/event-4802.png differ
diff --git a/windows/keep-secure/images/event-4803.png b/windows/keep-secure/images/event-4803.png
new file mode 100644
index 0000000000..677663e56a
Binary files /dev/null and b/windows/keep-secure/images/event-4803.png differ
diff --git a/windows/keep-secure/images/event-4817.png b/windows/keep-secure/images/event-4817.png
new file mode 100644
index 0000000000..4d71e12ad1
Binary files /dev/null and b/windows/keep-secure/images/event-4817.png differ
diff --git a/windows/keep-secure/images/event-4818.png b/windows/keep-secure/images/event-4818.png
new file mode 100644
index 0000000000..65c049a552
Binary files /dev/null and b/windows/keep-secure/images/event-4818.png differ
diff --git a/windows/keep-secure/images/event-4819.png b/windows/keep-secure/images/event-4819.png
new file mode 100644
index 0000000000..7f56089668
Binary files /dev/null and b/windows/keep-secure/images/event-4819.png differ
diff --git a/windows/keep-secure/images/event-4826.png b/windows/keep-secure/images/event-4826.png
new file mode 100644
index 0000000000..326f7a2a02
Binary files /dev/null and b/windows/keep-secure/images/event-4826.png differ
diff --git a/windows/keep-secure/images/event-4865.png b/windows/keep-secure/images/event-4865.png
new file mode 100644
index 0000000000..ddbe9a6034
Binary files /dev/null and b/windows/keep-secure/images/event-4865.png differ
diff --git a/windows/keep-secure/images/event-4866.png b/windows/keep-secure/images/event-4866.png
new file mode 100644
index 0000000000..2015250a48
Binary files /dev/null and b/windows/keep-secure/images/event-4866.png differ
diff --git a/windows/keep-secure/images/event-4867.png b/windows/keep-secure/images/event-4867.png
new file mode 100644
index 0000000000..0f0b6c0662
Binary files /dev/null and b/windows/keep-secure/images/event-4867.png differ
diff --git a/windows/keep-secure/images/event-4902.png b/windows/keep-secure/images/event-4902.png
new file mode 100644
index 0000000000..9df8c87ecd
Binary files /dev/null and b/windows/keep-secure/images/event-4902.png differ
diff --git a/windows/keep-secure/images/event-4904.png b/windows/keep-secure/images/event-4904.png
new file mode 100644
index 0000000000..016ebf2d95
Binary files /dev/null and b/windows/keep-secure/images/event-4904.png differ
diff --git a/windows/keep-secure/images/event-4905.png b/windows/keep-secure/images/event-4905.png
new file mode 100644
index 0000000000..1366e366ef
Binary files /dev/null and b/windows/keep-secure/images/event-4905.png differ
diff --git a/windows/keep-secure/images/event-4906.png b/windows/keep-secure/images/event-4906.png
new file mode 100644
index 0000000000..043d6827aa
Binary files /dev/null and b/windows/keep-secure/images/event-4906.png differ
diff --git a/windows/keep-secure/images/event-4907.png b/windows/keep-secure/images/event-4907.png
new file mode 100644
index 0000000000..d29b170401
Binary files /dev/null and b/windows/keep-secure/images/event-4907.png differ
diff --git a/windows/keep-secure/images/event-4908.png b/windows/keep-secure/images/event-4908.png
new file mode 100644
index 0000000000..523cb84a9b
Binary files /dev/null and b/windows/keep-secure/images/event-4908.png differ
diff --git a/windows/keep-secure/images/event-4911.png b/windows/keep-secure/images/event-4911.png
new file mode 100644
index 0000000000..bfc3830df3
Binary files /dev/null and b/windows/keep-secure/images/event-4911.png differ
diff --git a/windows/keep-secure/images/event-4912.png b/windows/keep-secure/images/event-4912.png
new file mode 100644
index 0000000000..9a01e1273e
Binary files /dev/null and b/windows/keep-secure/images/event-4912.png differ
diff --git a/windows/keep-secure/images/event-4913.png b/windows/keep-secure/images/event-4913.png
new file mode 100644
index 0000000000..a2657ec645
Binary files /dev/null and b/windows/keep-secure/images/event-4913.png differ
diff --git a/windows/keep-secure/images/event-4928.png b/windows/keep-secure/images/event-4928.png
new file mode 100644
index 0000000000..8c0ad8368a
Binary files /dev/null and b/windows/keep-secure/images/event-4928.png differ
diff --git a/windows/keep-secure/images/event-4929.png b/windows/keep-secure/images/event-4929.png
new file mode 100644
index 0000000000..380b52aaee
Binary files /dev/null and b/windows/keep-secure/images/event-4929.png differ
diff --git a/windows/keep-secure/images/event-4930.png b/windows/keep-secure/images/event-4930.png
new file mode 100644
index 0000000000..9c28a8f677
Binary files /dev/null and b/windows/keep-secure/images/event-4930.png differ
diff --git a/windows/keep-secure/images/event-4931.png b/windows/keep-secure/images/event-4931.png
new file mode 100644
index 0000000000..fb7add47fc
Binary files /dev/null and b/windows/keep-secure/images/event-4931.png differ
diff --git a/windows/keep-secure/images/event-4932.png b/windows/keep-secure/images/event-4932.png
new file mode 100644
index 0000000000..5086bed8e7
Binary files /dev/null and b/windows/keep-secure/images/event-4932.png differ
diff --git a/windows/keep-secure/images/event-4933.png b/windows/keep-secure/images/event-4933.png
new file mode 100644
index 0000000000..49456d0e08
Binary files /dev/null and b/windows/keep-secure/images/event-4933.png differ
diff --git a/windows/keep-secure/images/event-4935.png b/windows/keep-secure/images/event-4935.png
new file mode 100644
index 0000000000..7a1c8a85ab
Binary files /dev/null and b/windows/keep-secure/images/event-4935.png differ
diff --git a/windows/keep-secure/images/event-4944.png b/windows/keep-secure/images/event-4944.png
new file mode 100644
index 0000000000..8c05133463
Binary files /dev/null and b/windows/keep-secure/images/event-4944.png differ
diff --git a/windows/keep-secure/images/event-4945.png b/windows/keep-secure/images/event-4945.png
new file mode 100644
index 0000000000..a3828ba271
Binary files /dev/null and b/windows/keep-secure/images/event-4945.png differ
diff --git a/windows/keep-secure/images/event-4946.png b/windows/keep-secure/images/event-4946.png
new file mode 100644
index 0000000000..d06ba42b67
Binary files /dev/null and b/windows/keep-secure/images/event-4946.png differ
diff --git a/windows/keep-secure/images/event-4947.png b/windows/keep-secure/images/event-4947.png
new file mode 100644
index 0000000000..ba67a44c7c
Binary files /dev/null and b/windows/keep-secure/images/event-4947.png differ
diff --git a/windows/keep-secure/images/event-4948.png b/windows/keep-secure/images/event-4948.png
new file mode 100644
index 0000000000..b956769c0a
Binary files /dev/null and b/windows/keep-secure/images/event-4948.png differ
diff --git a/windows/keep-secure/images/event-4949.png b/windows/keep-secure/images/event-4949.png
new file mode 100644
index 0000000000..c60530df7f
Binary files /dev/null and b/windows/keep-secure/images/event-4949.png differ
diff --git a/windows/keep-secure/images/event-4950.png b/windows/keep-secure/images/event-4950.png
new file mode 100644
index 0000000000..fcf6504a6b
Binary files /dev/null and b/windows/keep-secure/images/event-4950.png differ
diff --git a/windows/keep-secure/images/event-4951.png b/windows/keep-secure/images/event-4951.png
new file mode 100644
index 0000000000..164e6bc717
Binary files /dev/null and b/windows/keep-secure/images/event-4951.png differ
diff --git a/windows/keep-secure/images/event-4953.png b/windows/keep-secure/images/event-4953.png
new file mode 100644
index 0000000000..438e9bf324
Binary files /dev/null and b/windows/keep-secure/images/event-4953.png differ
diff --git a/windows/keep-secure/images/event-4954.png b/windows/keep-secure/images/event-4954.png
new file mode 100644
index 0000000000..33f6da3866
Binary files /dev/null and b/windows/keep-secure/images/event-4954.png differ
diff --git a/windows/keep-secure/images/event-4956.png b/windows/keep-secure/images/event-4956.png
new file mode 100644
index 0000000000..fad74aef48
Binary files /dev/null and b/windows/keep-secure/images/event-4956.png differ
diff --git a/windows/keep-secure/images/event-4957.png b/windows/keep-secure/images/event-4957.png
new file mode 100644
index 0000000000..8805c6964b
Binary files /dev/null and b/windows/keep-secure/images/event-4957.png differ
diff --git a/windows/keep-secure/images/event-4964.png b/windows/keep-secure/images/event-4964.png
new file mode 100644
index 0000000000..13dd095a3f
Binary files /dev/null and b/windows/keep-secure/images/event-4964.png differ
diff --git a/windows/keep-secure/images/event-4985.png b/windows/keep-secure/images/event-4985.png
new file mode 100644
index 0000000000..f182c22d48
Binary files /dev/null and b/windows/keep-secure/images/event-4985.png differ
diff --git a/windows/keep-secure/images/event-5024.png b/windows/keep-secure/images/event-5024.png
new file mode 100644
index 0000000000..900efa51c7
Binary files /dev/null and b/windows/keep-secure/images/event-5024.png differ
diff --git a/windows/keep-secure/images/event-5025.png b/windows/keep-secure/images/event-5025.png
new file mode 100644
index 0000000000..1af6e5594c
Binary files /dev/null and b/windows/keep-secure/images/event-5025.png differ
diff --git a/windows/keep-secure/images/event-5027.png b/windows/keep-secure/images/event-5027.png
new file mode 100644
index 0000000000..30f8e9887e
Binary files /dev/null and b/windows/keep-secure/images/event-5027.png differ
diff --git a/windows/keep-secure/images/event-5028.png b/windows/keep-secure/images/event-5028.png
new file mode 100644
index 0000000000..c4fffb4a49
Binary files /dev/null and b/windows/keep-secure/images/event-5028.png differ
diff --git a/windows/keep-secure/images/event-5031.png b/windows/keep-secure/images/event-5031.png
new file mode 100644
index 0000000000..854c827ce8
Binary files /dev/null and b/windows/keep-secure/images/event-5031.png differ
diff --git a/windows/keep-secure/images/event-5033.png b/windows/keep-secure/images/event-5033.png
new file mode 100644
index 0000000000..d8eaad7cef
Binary files /dev/null and b/windows/keep-secure/images/event-5033.png differ
diff --git a/windows/keep-secure/images/event-5034.png b/windows/keep-secure/images/event-5034.png
new file mode 100644
index 0000000000..2b3d8464da
Binary files /dev/null and b/windows/keep-secure/images/event-5034.png differ
diff --git a/windows/keep-secure/images/event-5058.png b/windows/keep-secure/images/event-5058.png
new file mode 100644
index 0000000000..9cc4569845
Binary files /dev/null and b/windows/keep-secure/images/event-5058.png differ
diff --git a/windows/keep-secure/images/event-5059.png b/windows/keep-secure/images/event-5059.png
new file mode 100644
index 0000000000..5896afdaa5
Binary files /dev/null and b/windows/keep-secure/images/event-5059.png differ
diff --git a/windows/keep-secure/images/event-5061.png b/windows/keep-secure/images/event-5061.png
new file mode 100644
index 0000000000..dd953b85be
Binary files /dev/null and b/windows/keep-secure/images/event-5061.png differ
diff --git a/windows/keep-secure/images/event-5136.png b/windows/keep-secure/images/event-5136.png
new file mode 100644
index 0000000000..e1b8a249fd
Binary files /dev/null and b/windows/keep-secure/images/event-5136.png differ
diff --git a/windows/keep-secure/images/event-5137.png b/windows/keep-secure/images/event-5137.png
new file mode 100644
index 0000000000..423a9e4e9c
Binary files /dev/null and b/windows/keep-secure/images/event-5137.png differ
diff --git a/windows/keep-secure/images/event-5138.png b/windows/keep-secure/images/event-5138.png
new file mode 100644
index 0000000000..fee3c30140
Binary files /dev/null and b/windows/keep-secure/images/event-5138.png differ
diff --git a/windows/keep-secure/images/event-5139.png b/windows/keep-secure/images/event-5139.png
new file mode 100644
index 0000000000..f4966fa100
Binary files /dev/null and b/windows/keep-secure/images/event-5139.png differ
diff --git a/windows/keep-secure/images/event-5140.png b/windows/keep-secure/images/event-5140.png
new file mode 100644
index 0000000000..927285b3cb
Binary files /dev/null and b/windows/keep-secure/images/event-5140.png differ
diff --git a/windows/keep-secure/images/event-5141.png b/windows/keep-secure/images/event-5141.png
new file mode 100644
index 0000000000..350ca4e5bf
Binary files /dev/null and b/windows/keep-secure/images/event-5141.png differ
diff --git a/windows/keep-secure/images/event-5142.png b/windows/keep-secure/images/event-5142.png
new file mode 100644
index 0000000000..c2fffdf288
Binary files /dev/null and b/windows/keep-secure/images/event-5142.png differ
diff --git a/windows/keep-secure/images/event-5143.png b/windows/keep-secure/images/event-5143.png
new file mode 100644
index 0000000000..c301bde59d
Binary files /dev/null and b/windows/keep-secure/images/event-5143.png differ
diff --git a/windows/keep-secure/images/event-5144.png b/windows/keep-secure/images/event-5144.png
new file mode 100644
index 0000000000..96a6176367
Binary files /dev/null and b/windows/keep-secure/images/event-5144.png differ
diff --git a/windows/keep-secure/images/event-5145.png b/windows/keep-secure/images/event-5145.png
new file mode 100644
index 0000000000..73c1364328
Binary files /dev/null and b/windows/keep-secure/images/event-5145.png differ
diff --git a/windows/keep-secure/images/event-5152.png b/windows/keep-secure/images/event-5152.png
new file mode 100644
index 0000000000..2f06bab5b4
Binary files /dev/null and b/windows/keep-secure/images/event-5152.png differ
diff --git a/windows/keep-secure/images/event-5154.png b/windows/keep-secure/images/event-5154.png
new file mode 100644
index 0000000000..1ee4716063
Binary files /dev/null and b/windows/keep-secure/images/event-5154.png differ
diff --git a/windows/keep-secure/images/event-5156.png b/windows/keep-secure/images/event-5156.png
new file mode 100644
index 0000000000..93ac25973a
Binary files /dev/null and b/windows/keep-secure/images/event-5156.png differ
diff --git a/windows/keep-secure/images/event-5157.png b/windows/keep-secure/images/event-5157.png
new file mode 100644
index 0000000000..d44c2b5188
Binary files /dev/null and b/windows/keep-secure/images/event-5157.png differ
diff --git a/windows/keep-secure/images/event-5158.png b/windows/keep-secure/images/event-5158.png
new file mode 100644
index 0000000000..65b65085d3
Binary files /dev/null and b/windows/keep-secure/images/event-5158.png differ
diff --git a/windows/keep-secure/images/event-5168.png b/windows/keep-secure/images/event-5168.png
new file mode 100644
index 0000000000..509000797f
Binary files /dev/null and b/windows/keep-secure/images/event-5168.png differ
diff --git a/windows/keep-secure/images/event-5376.png b/windows/keep-secure/images/event-5376.png
new file mode 100644
index 0000000000..b439b4ee5b
Binary files /dev/null and b/windows/keep-secure/images/event-5376.png differ
diff --git a/windows/keep-secure/images/event-5377.png b/windows/keep-secure/images/event-5377.png
new file mode 100644
index 0000000000..061f81ce3c
Binary files /dev/null and b/windows/keep-secure/images/event-5377.png differ
diff --git a/windows/keep-secure/images/event-5378.png b/windows/keep-secure/images/event-5378.png
new file mode 100644
index 0000000000..d89a1a40dd
Binary files /dev/null and b/windows/keep-secure/images/event-5378.png differ
diff --git a/windows/keep-secure/images/event-5447.png b/windows/keep-secure/images/event-5447.png
new file mode 100644
index 0000000000..97b8fd61a6
Binary files /dev/null and b/windows/keep-secure/images/event-5447.png differ
diff --git a/windows/keep-secure/images/event-5632.png b/windows/keep-secure/images/event-5632.png
new file mode 100644
index 0000000000..2d732bd578
Binary files /dev/null and b/windows/keep-secure/images/event-5632.png differ
diff --git a/windows/keep-secure/images/event-5633.png b/windows/keep-secure/images/event-5633.png
new file mode 100644
index 0000000000..a6a378c5f7
Binary files /dev/null and b/windows/keep-secure/images/event-5633.png differ
diff --git a/windows/keep-secure/images/event-5888.png b/windows/keep-secure/images/event-5888.png
new file mode 100644
index 0000000000..028ee2be06
Binary files /dev/null and b/windows/keep-secure/images/event-5888.png differ
diff --git a/windows/keep-secure/images/event-5889.png b/windows/keep-secure/images/event-5889.png
new file mode 100644
index 0000000000..2e1164bb69
Binary files /dev/null and b/windows/keep-secure/images/event-5889.png differ
diff --git a/windows/keep-secure/images/event-5890.png b/windows/keep-secure/images/event-5890.png
new file mode 100644
index 0000000000..46b9cc8e30
Binary files /dev/null and b/windows/keep-secure/images/event-5890.png differ
diff --git a/windows/keep-secure/images/event-6144.png b/windows/keep-secure/images/event-6144.png
new file mode 100644
index 0000000000..b13fba0760
Binary files /dev/null and b/windows/keep-secure/images/event-6144.png differ
diff --git a/windows/keep-secure/images/event-6145.png b/windows/keep-secure/images/event-6145.png
new file mode 100644
index 0000000000..31cca8d59e
Binary files /dev/null and b/windows/keep-secure/images/event-6145.png differ
diff --git a/windows/keep-secure/images/event-6416.png b/windows/keep-secure/images/event-6416.png
new file mode 100644
index 0000000000..d4ba5077b2
Binary files /dev/null and b/windows/keep-secure/images/event-6416.png differ
diff --git a/windows/keep-secure/images/event-6419.png b/windows/keep-secure/images/event-6419.png
new file mode 100644
index 0000000000..c1a5604016
Binary files /dev/null and b/windows/keep-secure/images/event-6419.png differ
diff --git a/windows/keep-secure/images/event-6420.png b/windows/keep-secure/images/event-6420.png
new file mode 100644
index 0000000000..546589127c
Binary files /dev/null and b/windows/keep-secure/images/event-6420.png differ
diff --git a/windows/keep-secure/images/event-6421.png b/windows/keep-secure/images/event-6421.png
new file mode 100644
index 0000000000..a3cbe78e3c
Binary files /dev/null and b/windows/keep-secure/images/event-6421.png differ
diff --git a/windows/keep-secure/images/event-6422.png b/windows/keep-secure/images/event-6422.png
new file mode 100644
index 0000000000..74b1575dae
Binary files /dev/null and b/windows/keep-secure/images/event-6422.png differ
diff --git a/windows/keep-secure/images/event-6423.png b/windows/keep-secure/images/event-6423.png
new file mode 100644
index 0000000000..dc383d254e
Binary files /dev/null and b/windows/keep-secure/images/event-6423.png differ
diff --git a/windows/keep-secure/images/filters-xml-file.png b/windows/keep-secure/images/filters-xml-file.png
new file mode 100644
index 0000000000..9a35082fd7
Binary files /dev/null and b/windows/keep-secure/images/filters-xml-file.png differ
diff --git a/windows/keep-secure/images/firewall-settings-public-profile.png b/windows/keep-secure/images/firewall-settings-public-profile.png
new file mode 100644
index 0000000000..fc4ac0b4c6
Binary files /dev/null and b/windows/keep-secure/images/firewall-settings-public-profile.png differ
diff --git a/windows/keep-secure/images/group-policy-editor.png b/windows/keep-secure/images/group-policy-editor.png
new file mode 100644
index 0000000000..361e4c3943
Binary files /dev/null and b/windows/keep-secure/images/group-policy-editor.png differ
diff --git a/windows/keep-secure/images/group-policy.png b/windows/keep-secure/images/group-policy.png
new file mode 100644
index 0000000000..aa4dd8b838
Binary files /dev/null and b/windows/keep-secure/images/group-policy.png differ
diff --git a/windows/keep-secure/images/impact-property.png b/windows/keep-secure/images/impact-property.png
new file mode 100644
index 0000000000..b65b204b68
Binary files /dev/null and b/windows/keep-secure/images/impact-property.png differ
diff --git a/windows/keep-secure/images/ipconfig-command.png b/windows/keep-secure/images/ipconfig-command.png
new file mode 100644
index 0000000000..abebb23207
Binary files /dev/null and b/windows/keep-secure/images/ipconfig-command.png differ
diff --git a/windows/keep-secure/images/logging-settings-public-profile.png b/windows/keep-secure/images/logging-settings-public-profile.png
new file mode 100644
index 0000000000..32aceb9fee
Binary files /dev/null and b/windows/keep-secure/images/logging-settings-public-profile.png differ
diff --git a/windows/keep-secure/images/msb.png b/windows/keep-secure/images/msb.png
new file mode 100644
index 0000000000..fb546a41c4
Binary files /dev/null and b/windows/keep-secure/images/msb.png differ
diff --git a/windows/keep-secure/images/net-helpmsg-58.png b/windows/keep-secure/images/net-helpmsg-58.png
new file mode 100644
index 0000000000..53f96107ea
Binary files /dev/null and b/windows/keep-secure/images/net-helpmsg-58.png differ
diff --git a/windows/keep-secure/images/netsh-advfirewall-command.png b/windows/keep-secure/images/netsh-advfirewall-command.png
new file mode 100644
index 0000000000..56d7caa0c4
Binary files /dev/null and b/windows/keep-secure/images/netsh-advfirewall-command.png differ
diff --git a/windows/keep-secure/images/netsh-command.png b/windows/keep-secure/images/netsh-command.png
new file mode 100644
index 0000000000..56d7caa0c4
Binary files /dev/null and b/windows/keep-secure/images/netsh-command.png differ
diff --git a/windows/keep-secure/images/netsh-lan-command.png b/windows/keep-secure/images/netsh-lan-command.png
new file mode 100644
index 0000000000..776bbd1bd3
Binary files /dev/null and b/windows/keep-secure/images/netsh-lan-command.png differ
diff --git a/windows/keep-secure/images/offline-settings.png b/windows/keep-secure/images/offline-settings.png
new file mode 100644
index 0000000000..f9596725c1
Binary files /dev/null and b/windows/keep-secure/images/offline-settings.png differ
diff --git a/windows/keep-secure/images/query-session.png b/windows/keep-secure/images/query-session.png
new file mode 100644
index 0000000000..7e7a29e4fc
Binary files /dev/null and b/windows/keep-secure/images/query-session.png differ
diff --git a/windows/keep-secure/images/registry-editor-audit.png b/windows/keep-secure/images/registry-editor-audit.png
new file mode 100644
index 0000000000..055863b04b
Binary files /dev/null and b/windows/keep-secure/images/registry-editor-audit.png differ
diff --git a/windows/keep-secure/images/registry-editor-firewallrules.png b/windows/keep-secure/images/registry-editor-firewallrules.png
new file mode 100644
index 0000000000..5b3c291a9a
Binary files /dev/null and b/windows/keep-secure/images/registry-editor-firewallrules.png differ
diff --git a/windows/keep-secure/images/registry-editor.png b/windows/keep-secure/images/registry-editor.png
new file mode 100644
index 0000000000..5b3c291a9a
Binary files /dev/null and b/windows/keep-secure/images/registry-editor.png differ
diff --git a/windows/keep-secure/images/schema-search.png b/windows/keep-secure/images/schema-search.png
new file mode 100644
index 0000000000..6028e60fa1
Binary files /dev/null and b/windows/keep-secure/images/schema-search.png differ
diff --git a/windows/keep-secure/images/subkeys-under-security-key.png b/windows/keep-secure/images/subkeys-under-security-key.png
new file mode 100644
index 0000000000..fdef5ec55d
Binary files /dev/null and b/windows/keep-secure/images/subkeys-under-security-key.png differ
diff --git a/windows/keep-secure/images/subtree-deletion.png b/windows/keep-secure/images/subtree-deletion.png
new file mode 100644
index 0000000000..588960f260
Binary files /dev/null and b/windows/keep-secure/images/subtree-deletion.png differ
diff --git a/windows/keep-secure/images/synaptics.png b/windows/keep-secure/images/synaptics.png
new file mode 100644
index 0000000000..2ffc025437
Binary files /dev/null and b/windows/keep-secure/images/synaptics.png differ
diff --git a/windows/keep-secure/images/synaptics1.png b/windows/keep-secure/images/synaptics1.png
new file mode 100644
index 0000000000..81716c5ad1
Binary files /dev/null and b/windows/keep-secure/images/synaptics1.png differ
diff --git a/windows/keep-secure/images/synaptics2.png b/windows/keep-secure/images/synaptics2.png
new file mode 100644
index 0000000000..2fc2d10737
Binary files /dev/null and b/windows/keep-secure/images/synaptics2.png differ
diff --git a/windows/keep-secure/images/synaptics3.png b/windows/keep-secure/images/synaptics3.png
new file mode 100644
index 0000000000..cbcb7c466a
Binary files /dev/null and b/windows/keep-secure/images/synaptics3.png differ
diff --git a/windows/keep-secure/images/synaptics4.png b/windows/keep-secure/images/synaptics4.png
new file mode 100644
index 0000000000..67bfc1f857
Binary files /dev/null and b/windows/keep-secure/images/synaptics4.png differ
diff --git a/windows/keep-secure/images/synaptics5.png b/windows/keep-secure/images/synaptics5.png
new file mode 100644
index 0000000000..4e8285a462
Binary files /dev/null and b/windows/keep-secure/images/synaptics5.png differ
diff --git a/windows/keep-secure/images/synaptics6.png b/windows/keep-secure/images/synaptics6.png
new file mode 100644
index 0000000000..79c9b3a1a2
Binary files /dev/null and b/windows/keep-secure/images/synaptics6.png differ
diff --git a/windows/keep-secure/images/synaptics7.png b/windows/keep-secure/images/synaptics7.png
new file mode 100644
index 0000000000..2ffc025437
Binary files /dev/null and b/windows/keep-secure/images/synaptics7.png differ
diff --git a/windows/keep-secure/images/task-manager.png b/windows/keep-secure/images/task-manager.png
new file mode 100644
index 0000000000..47aa593f98
Binary files /dev/null and b/windows/keep-secure/images/task-manager.png differ
diff --git a/windows/keep-secure/images/wfpstate-xml.png b/windows/keep-secure/images/wfpstate-xml.png
new file mode 100644
index 0000000000..88695f63ed
Binary files /dev/null and b/windows/keep-secure/images/wfpstate-xml.png differ
diff --git a/windows/keep-secure/images/whoami-privilege-list.png b/windows/keep-secure/images/whoami-privilege-list.png
new file mode 100644
index 0000000000..4c335aa7b5
Binary files /dev/null and b/windows/keep-secure/images/whoami-privilege-list.png differ
diff --git a/windows/keep-secure/images/windows-firewall-state-off.png b/windows/keep-secure/images/windows-firewall-state-off.png
new file mode 100644
index 0000000000..3be52d38ac
Binary files /dev/null and b/windows/keep-secure/images/windows-firewall-state-off.png differ
diff --git a/windows/keep-secure/images/windows-firewall-with-advanced-security.png b/windows/keep-secure/images/windows-firewall-with-advanced-security.png
new file mode 100644
index 0000000000..c6b59d896e
Binary files /dev/null and b/windows/keep-secure/images/windows-firewall-with-advanced-security.png differ
diff --git a/windows/keep-secure/images/windows-powershell-get-gpo.png b/windows/keep-secure/images/windows-powershell-get-gpo.png
new file mode 100644
index 0000000000..b6a818703c
Binary files /dev/null and b/windows/keep-secure/images/windows-powershell-get-gpo.png differ
diff --git a/windows/keep-secure/other-events.md b/windows/keep-secure/other-events.md
new file mode 100644
index 0000000000..020addb187
--- /dev/null
+++ b/windows/keep-secure/other-events.md
@@ -0,0 +1,31 @@
+---
+title: Other Events (Windows 10)
+description: Describes the Other Events auditing subcategory.
+ms.pagetype: security
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# Other Events
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Events in this section generate automatically and are enabled by default.
+
+**Events List:**
+
+- [1100](event-1100.md)(S): The event logging service has shut down.
+
+- [1102](event-1102.md)(S): The audit log was cleared.
+
+- [1104](event-1104.md)(S): The security log is now full.
+
+- [1105](event-1105.md)(S): Event log automatic backup.
+
+- [1108](event-1108.md)(S): The event logging service encountered an error while processing an incoming event published from %1
+