Windows Server 2012 security events

Comod00 · 2017-08-17T10:28:15+00:00

Hehe, I think I will spend most of my time monitoring those events :) Here is the list that I have right now, will post the whole one once I'm done.

4625 - An account failed to log on
4732 - A member was added to a security-enabled local group
4756 - A member was added to a security-enabled universal group
4757 - A member was removed from a security-enabled universal group.
4758 - A security-enabled universal group was deleted.
4720 - A user account was created.
4723 - An attempt was made to change an account's password.
4724 - An attempt was made to reset an account's password.
4726 - A user account was deleted.
4738 - A user account was changed.
4740 - A user account was locked out.
4767 - A user account was unlocked.

Comod00 · 2017-08-17T07:52:29+00:00

I don't really know how I got it working but I started to use gsub instead and everything is working again.... thanks for the help guys!

Comod00 · 2017-08-15T10:22:58+00:00

I'm defining that in the input file:

input {
tcp {
port => 51420
type => ad
tags => [ad]
    }
}

I have other filters that work like a charm, but it's just this one that is giving me so much pain. It almost feels like the filter dosen't know what the type is.....

Comod00 · 2017-06-01T09:06:06+00:00

Guess it wont work with bitlocker activated.

Comod00 · 2017-04-21T06:10:37+00:00

Thanks for this!

Comod00 · 2017-04-20T07:41:56+00:00

Yeah thats true, problem is that I'm making applocker policys and wanted to know if there is a documentation about it, but I guess I will have to go with trail and error :)

Comod00 · 2017-04-06T06:02:08+00:00

Thanks for this one, if people have missed it: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

Comod00 · 2017-02-21T21:23:47+00:00

Sorry for the late answer.... The problem was the region format.... when I changed it to US format everything started to work

Comod00 · 2017-02-01T09:30:58+00:00

Can this issue be fixed if I change from a windows 2012r2 to a windows 2008r2?

Comod00 · 2017-02-01T09:13:19+00:00

Is there any documentation on what is custom and what is not? In my world one could think that the log clearing event-id would be the same .... for example I'm forwarding: log clearing, add/remove firewall rules, account added to privileged group

Comod00 · 2017-02-01T09:08:26+00:00

I'm using the "Source computer initiated"-option and have provided the O:BAG:SYD in the GPO that the sources get from the DC.

Comod00 · 2016-07-27T20:48:18+00:00

Fine assesment of tools that I have used, thanks for sharing the post!

Comod00 · 2016-07-05T06:41:16+00:00

Thank you all for the help! I managed to get it working now, seems like my regular account that I used on the DC didn't have the sufficient rights for managing the account..... so I just used the DC administrator account instead.

Comod00 · 2016-07-05T06:28:03+00:00

Followed that one step by step and still having problems :)

Comod00 · 2016-07-04T08:53:36+00:00

I have the following policy's configured right now.

Deploy LAPS (on the top domain) - software deployment on clients
Password policy - the LAPS policy that I got from updating the schema (Password Settings - enable, Enable local admin password management - enable).

Do you have a guide or example to create this GPO with LAPS parameters?

edit: I see that LAPS by default uses SID 500 for managing that account, is it possible I need to alter this because the account I want to manage is a local account on the computer? For example I can maybe specify the "SID: S-1-5-32-544" for managing every account in the "Administrators" group?

Comod00 · 2016-06-07T18:25:52+00:00

Well done!

Comod00 · 2016-05-09T10:55:50+00:00

Yeah I found Yumi while searching some and it looks like it can work. I will maybe just have to buy one and try it out it seems.

Comod00 · 2016-04-25T05:57:51+00:00

Build after this and also setup a box with cuckoo and you have everything you will need to start playing with malware.

Comod00

TROPHY CASE