From 176d47f9a44ad5dcb1e995ab48eaa91a51eb9514 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 1 Jun 2016 15:11:14 -0700 Subject: [PATCH 1/8] Fixed a table that was misbehaving --- windows/keep-secure/event-4625.md | 42 ++++++++++--------------------- 1 file changed, 13 insertions(+), 29 deletions(-) diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md index fd0c6ff848..882c481177 100644 --- a/windows/keep-secure/event-4625.md +++ b/windows/keep-secure/event-4625.md 
@@ -273,33 +273,17 @@ For 4625(F): An account failed to log on. - Monitor for all events with the fields and values in the following table: -| **Field** | Value to monitor for | -|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.” - This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”. - Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. - Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. - Especially watch for a number of such events in a row. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. 
| -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. - This is typically not a security issue but it can be an infrastructure or availability issue. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | -| **Failure Information\\Status** or - **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | +| **Field** | Value to monitor for | +|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | From 6795b252fb8a8ed371f02ecde718c30c11644893 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 1 Jun 2016 15:23:31 -0700 Subject: [PATCH 2/8] Fixed fmt of "Certificate Information" items --- windows/keep-secure/event-4768.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/event-4768.md b/windows/keep-secure/event-4768.md index 57c6aa3340..f8b4558198 100644 --- a/windows/keep-secure/event-4768.md +++ b/windows/keep-secure/event-4768.md @@ -285,11 +285,11 @@ The most common values: **Certificate Information:** -> **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. -> -> **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. -> -> **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. ## Security Monitoring Recommendations From 7157f6770f9ee81c7c8a00ca699c2f79b2be2b63 Mon Sep 17 00:00:00 2001 
From: JanKeller1 Date: Wed, 1 Jun 2016 15:25:16 -0700 Subject: [PATCH 3/8] Fixed fmt of "Certificate Information" items --- windows/keep-secure/event-4771.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md index a7729a39b3..ec327a9f1f 100644 --- a/windows/keep-secure/event-4771.md +++ b/windows/keep-secure/event-4771.md @@ -188,11 +188,11 @@ The most common values: **Certificate Information:** -> **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. -> -> **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. -> -> **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. ## Security Monitoring Recommendations From 6ea04c919258a056ff85f10700cd2c492b338559 Mon Sep 17 00:00:00 2001 
From: JanKeller1 Date: Wed, 1 Jun 2016 15:36:48 -0700 Subject: [PATCH 4/8] Put missing linebrks back in Event XML --- windows/keep-secure/event-4769.md | 33 +++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md index ca3f5fef7f..20c430fa33 100644 --- a/windows/keep-secure/event-4769.md +++ b/windows/keep-secure/event-4769.md @@ -35,8 +35,37 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, ***Event XML:*** ``` -- - 4769 0 0 14337 0 0x8020000000000000 166746 Security DC01.contoso.local - dadmin@CONTOSO.LOCAL CONTOSO.LOCAL WIN2008R2$ S-1-5-21-3457937927-2839227994-823803824-2102 0x40810000 0x12 ::ffff:10.0.0.12 49272 0x0 {F85C455E-C66E-205C-6B39-F6C60A7FE453} - - +- +- + +4769 +0 +0 +14337 +0 +0x8020000000000000 + +166746 + + +Security +DC01.contoso.local + + +- +dadmin@CONTOSO.LOCAL +CONTOSO.LOCAL +WIN2008R2$ +S-1-5-21-3457937927-2839227994-823803824-2102 +0x40810000 +0x12 +::ffff:10.0.0.12 +49272 +0x0 +{F85C455E-C66E-205C-6B39-F6C60A7FE453} +- + + ``` ***Required Server Roles:*** Active Directory domain controller. From d9f0263b75541d4e252dc17496fb985cc2d67eee Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 1 Jun 2016 16:02:43 -0700 Subject: [PATCH 5/8] Update event-4818.md --- windows/keep-secure/event-4818.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md index d656ffb3a9..687e2cd360 100644 --- a/windows/keep-secure/event-4818.md +++ b/windows/keep-secure/event-4818.md 
@@ -130,11 +130,10 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy **Current Central Access Policy results:** -- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is: +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:

+REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS. -> REQUSTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS. - -- REQUSTED\_ACCESS – the name of requested access. See the possible REQUSTED\_ACCESS values in the table below: +The possible REQUESTED\_ACCESS values are listed in the table below: | Access | Hexadecimal Value | Description | |-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -176,11 +175,11 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy **Proposed Central Access Policy results that differ from the current Central Access Policy results:** -- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is: +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:

-> REQUSTED\_ACCESS: NOT Granted by RULE\_NAME Rule. +REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule. -- REQUSTED\_ACCESS – the name of requested access. See the possible REQUSTED\_ACCESS values in the table below: +The possible REQUESTED\_ACCESS values are listed in the table below: | Access | Hexadecimal Value | Description | |-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From 26cf1f47197c98079af9f4c956283c04e51f9247 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 1 Jun 2016 16:10:31 -0700 Subject: [PATCH 6/8] Fixed typo, tweaked formatting --- windows/keep-secure/event-5145.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index b03081c706..610f24dcf5 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md @@ -157,11 +157,11 @@ This event generates every time network share object (file or folder) was access > Table 13. File access codes. -**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is: +**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:

-REQUSTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. +REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. -- REQUSTED\_ACCESS – the name of requested access (see “Table 13. File access codes.”). +- REQUESTED\_ACCESS – the name of requested access (see “Table 13. File access codes.”). - RESULT: From 30bf41d7d7a5903efbec07613417db113d45ebbb Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 1 Jun 2016 16:16:06 -0700 Subject: [PATCH 7/8] Added hdg, so I can link 2 tbl of file acces codes --- windows/keep-secure/event-4818.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md index 687e2cd360..fa2b05b2e4 100644 --- a/windows/keep-secure/event-4818.md +++ b/windows/keep-secure/event-4818.md @@ -133,7 +133,9 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy - **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:

REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS. -The possible REQUESTED\_ACCESS values are listed in the table below: +The possible REQUESTED\_ACCESS values are listed in the table below. + +## Table of file access codes | Access | Hexadecimal Value | Description | |-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From 0431f53e447d3c8f47dfffc189025ca4ca37da86 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 1 Jun 2016 16:23:08 -0700 Subject: [PATCH 8/8] Added hdg above a table, then a bookmark link --- windows/keep-secure/event-5145.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index 610f24dcf5..2eb14cec90 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md 
@@ -137,6 +137,8 @@ This event generates every time network share object (file or folder) was access - **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. +## Table of file access codes + | Access | Hexadecimal Value | Description | |-----------------------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | @@ -161,7 +163,7 @@ This event generates every time network share object (file or folder) was access REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. -- REQUESTED\_ACCESS – the name of requested access (see “Table 13. File access codes.”). +- REQUESTED\_ACCESS – the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic. - RESULT:
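Review bot: the rewritten rows in PATCH 1/8 (event-4625.md, hunk @@ -273) still carry a line break inside every cell, e.g. `| **Failure Information\\Status** or` on one line and `**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”` on the next; pipe tables do not support multi-line cells, so the continuation lines fall out of the table no matter how wide the column padding is. Collapse each row onto one line and use `<br>` where a visual break is wanted, e.g. `| **Failure Information\\Status** or<br>**Failure Information\\Sub Status** | 0xC000005E – “There are currently no logon servers available to service the logon request.”<br>This is typically not a security issue but it can be an infrastructure or availability issue. |`. While here, the hex prefixes mix `0X` (0XC000005E, 0XC000006D, 0XC000015B, 0XC0000192, 0XC0000413) with the `0x` used by the other rows; normalise to one form. Two small wording fixes on the added lines: "a sign of user enumeration attack" wants "a sign of a user enumeration attack", and "An attempt was made to logon" should read "log on" when it is the verb.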
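Review bot: the three re-bulleted items in PATCH 2/8 (event-4768.md, hunk @@ -285) keep the article-less phrasing "Populated in **Issued by** field in certificate" and "Can be found in **Serial number** field in the certificate"; since the lines are being rewritten anyway, make them "Populated in the **Issued by** field of the certificate" and "Can be found in the **Serial number** field of the certificate" so all three read the same way.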
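Review bot: in PATCH 3/8 (event-4771.md, hunk @@ -188) the first item reads "the name of Certification Authority which issued smart card certificate" while the equivalent line changed in PATCH 2/8 for event-4768.md reads "the name of the Certification Authority that issued the smart card certificate"; align the 4771 wording with the 4768 one. Also, every item ends with "Always empty for [4771](event-4771.md) events" inside event-4771.md itself, so the link points the page at itself; "Always empty for this event" says the same thing without a self-referential link.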
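Review bot: the re-wrapped block in PATCH 4/8 (event-4769.md, hunk @@ -35) shows only element values (`4769`, `0`, `14337`, `DC01.contoso.local`, `dadmin@CONTOSO.LOCAL`, `{F85C455E-C66E-205C-6B39-F6C60A7FE453}`) separated by bare `-` markers, with no element names anywhere; if the angle-bracket tags are genuinely absent from the source file rather than lost in this rendering of the diff, restoring line breaks does not make the sample readable Event XML and the tags need to come back too. Independently, tag the fence as ```xml so the sample gets syntax highlighting; the opening fence on the `-` and `+` side is bare.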
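Review bot: the rename from REQUSTED\_ACCESS to REQUESTED\_ACCESS in PATCH 5/8 (event-4818.md, hunk @@ -130) leaves the adjacent misspelling in `REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS.` untouched (PROVEDED, presumably PROVIDED), and PATCH 7/8 carries the same string forward unchanged; fix both tokens in the same pass. The format line is also now an unindented paragraph directly after the `- **Access Reasons** \[Type = UnicodeString\]:` bullet, which terminates the list there; indent it under the bullet (or keep the previous `>` quoting) if it is meant to read as part of that item. Dropping the `- REQUSTED\_ACCESS – the name of requested access.` bullet also removes the only definition of the token before the table; consider keeping a one-line gloss.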
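Review bot: the second hunk of PATCH 5/8 (event-4818.md, hunk @@ -176) introduces `The possible REQUESTED\_ACCESS values are listed in the table below:` above a table whose header row and separator are identical to the one in the @@ -130 hunk; PATCH 7/8 later puts a `## Table of file access codes` heading above only the first of the two, leaving this one unlabelled. If the two tables carry the same rows, replace this copy with a link to the heading rather than maintaining the table twice in one topic.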
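Review bot: `REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.` in PATCH 6/8 (event-5145.md, hunk @@ -157) keeps a stray space after `WHICH\_` on both the removed and the added line; drop it so the token reads `ACE\_WHICH\_ALLOWED\_OR\_DENIED\_ACCESS`. Note that event-4818.md (PATCH 5/8) spells the corresponding token `ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS`; both topics describe a `REQUESTED\_ACCESS: RESULT ...` line, so if the difference is not intentional pick one spelling for both files.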
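Review bot: the new `## Table of file access codes` heading in PATCH 7/8 (event-4818.md, hunk @@ -133) is inserted between the `- **Access Reasons**` bullet and its table, which ends the list early and adds a level-2 section to the topic's table of contents in the middle of the field descriptions; a heading at the level the surrounding field sections use, or an HTML anchor, gives the bookmark without restructuring the page. The commit message says the heading exists so the table can be linked, but no link to it is added for event-4818.md anywhere in this series (PATCH 8/8 adds a link only inside event-5145.md, which gets its own heading), so either add the cross-reference in 4818 or drop the heading there.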
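Review bot: with `## Table of file access codes` added above the table in PATCH 8/8 (event-5145.md, hunk @@ -137), the existing caption `> Table 13. File access codes.` that follows the same table (visible as context in PATCH 6/8, hunk @@ -157) now labels it a second time under a different name, and the second hunk of PATCH 8/8 replaces the old `(see “Table 13. File access codes.”)` reference with a link to the heading; remove or rename the caption so the link text and the caption agree.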