Comments (7)
It comes straight from https://adsecurity.org/?p=3377, chapter "Domain Controller Events to Monitor (Event Logs)".
For example, event 4648 is indicated as coming from "Audit Logon" and from "Audit Other Account Logon Events".
Given my source, can you elaborate?
Given this source, I don't understand where the problem is.
That means adsecurity.org is wrong?
Hmm, I'll take a close look once I get the chance. The above however is based off Microsoft's documentation, so something is likely not quite right ...
So taking a look at the DC-Events spreadsheet:
- Event 4648 is listed twice with one of the two listings being the correct audit category. So yes, I think this one is a mistake. Either that, or Microsoft's documentation is wrong.
- The recommendation for Event 4908 to enable the Audit policy change category isn't "wrong", but it is redundant if the referenced advanced audit policy category is enabled. The latter is I think generally preferable due to being more fine-grained. As long as one of them is enabled, the referenced event is being recorded, so it's not a security misconfiguration.
- Same as above for the remaining three events.
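The point of the comment above is that what matters is whether the event's subcategory is effectively enabled, not which of the two policy mechanisms (legacy category or advanced subcategory) enabled it. The following PowerShell is an added illustration of that check, not PingCastle's code: `auditpol /get /category:* /r` reports the effective per-subcategory setting, so one query answers the question for both mechanisms. The event-to-subcategory mapping follows Microsoft's Advanced Audit Policy documentation (4624 and 4648 under Logon, 4908 under Audit Policy Change); the CSV sample is constructed and trimmed to the rows that matter, and the GUIDs in it are taken from the standard subcategory identifiers.

```powershell
# Constructed sample of `auditpol /get /category:* /r` output. Real output lists
# every subcategory; only rows relevant to the events discussed are kept here.
$SampleAuditpolLines = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
DC01,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},No Auditing,
'@ -split "`r?`n"

# Subcategory (named as auditpol prints it) that Microsoft's documentation assigns
# to each event. 4648 is kept only under Logon; the second listing on
# adsecurity.org is the one the thread above considers a mistake.
$EventSubcategory = @{
    4624 = 'Logon'
    4648 = 'Logon'
    4908 = 'Audit Policy Change'
}

function Get-AuditCoverage {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        # Lines of `auditpol /get /category:* /r` output; omit to query this machine.
        [string[]]$AuditpolLines,
        # 'Success' or 'Failure': which outcome the event must be recorded for.
        [string]$RequiredSetting = 'Success'
    )
    if (-not $AuditpolLines) {
        # auditpol shows the *effective* setting per subcategory, whether it came
        # from a legacy category policy or an advanced subcategory policy.
        $AuditpolLines = auditpol /get /category:* /r
    }
    # Drop blank lines (auditpol sometimes emits a leading one) before parsing.
    $rows = $AuditpolLines | Where-Object { $_.Trim() } | ConvertFrom-Csv

    foreach ($id in $EventId) {
        $sub = $EventSubcategory[$id]
        if (-not $sub) {
            Write-Warning "No subcategory mapping for event $id"
            continue
        }
        $row = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        # 'Success and Failure' satisfies either requirement; 'No Auditing' satisfies neither.
        [pscustomobject]@{
            EventId     = $id
            Subcategory = $sub
            Setting     = $setting
            Recorded    = [bool]($setting -match $RequiredSetting)
        }
    }
}

# Against the constructed sample all three events report Recorded = True.
# Drop -AuditpolLines to evaluate the local DC instead.
Get-AuditCoverage -EventId 4624, 4648, 4908 -AuditpolLines $SampleAuditpolLines |
    Format-Table -AutoSize
```

Two caveats when running this for real: auditpol prints subcategory names in the OS display language, so the mapping table must match the locale of the DC being checked; and once an advanced audit policy is applied, Windows ignores the legacy category settings (the "Force audit policy subcategory settings ... to override audit policy category settings" option, `SCENoApplyLegacyAuditPolicy`), which is exactly why reading the effective state from auditpol is more reliable than inspecting either GPO setting on its own.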
Sorry, it's too late for this release.
The changes are not trivial and need some review, which is incompatible with this release timeline.
That's fine, it just means in some configurations audit policy detections will be incorrect. Let's leave the issue open until it's addressed in the next release?
removed for the next version the requirement to have these 3 audit policies