Event Monitoring

These event artifacts stream monitoring events from the endpoint. We collect these events on the server.

Windows.Events.DNSQueries

Monitor all DNS Queries and responses.

This artifact monitors all DNS queries and their responses seen on the endpoint. DNS is a critical source of information for intrusion detection and the best place to collect it is on the endpoint itself (Perimeter collection can only see DNS requests while the endpoint or laptop is inside the enterprise network).

It is recommended to collect this artifact and just archive the results. When threat intelligence emerges about a watering hole or a bad C&C you can use this archive to confirm if any of your endpoints have contacted this C&C.

Arg             Default     Description
whitelistRegex  wpad.home   We ignore DNS names that match this regex.

Windows.Events.FailedLogBeforeSuccess

Sometimes attackers will brute force a local user account's password. If the account password is strong, brute force attacks are not effective and might not represent a high value event in themselves.

However, if the brute force attempt succeeds, then it is a very high value event (since brute forcing a password is typically a suspicious activity).

On the endpoint this looks like a bunch of failed logon attempts in quick succession followed by a successful login.

NOTE: In order for this artifact to work we need Windows to be logging failed account logons. This is not on by default and should be enabled via group policy.

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events

You can set the policy in the Group Policy Management Console (gpmc): Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

Arg                    Default                                         Description
securityLogFile        C:/Windows/System32/Winevt/Logs/Security.evtx
failureCount           3                                               Alert if there are this many failures before the successful logon.
failedLogonTimeWindow  3600
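The detection logic described above (a run of failed logons within the time window, followed by a successful logon for the same account), as an added Python example that is not the artifact's own VQL. It assumes events already parsed into dicts with a timestamp, the Windows event ID (4625 = failed logon, 4624 = successful logon) and the target user name; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults mirroring the artifact's parameters.
FAILURE_COUNT = 3
FAILED_LOGON_TIME_WINDOW = 3600  # seconds


def detect_failed_then_success(events, failure_count=FAILURE_COUNT,
                               window=FAILED_LOGON_TIME_WINDOW):
    """Return one alert per successful logon (4624) that was preceded, within
    `window` seconds, by at least `failure_count` failed logons (4625) for
    the same target user. Events may arrive unordered; they are sorted by time."""
    recent_failures = defaultdict(deque)  # user -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"].lower()
        failures = recent_failures[user]
        # Drop failures that fell out of the sliding window.
        cutoff = ev["ts"] - timedelta(seconds=window)
        while failures and failures[0] < cutoff:
            failures.popleft()
        if ev["event_id"] == 4625:
            failures.append(ev["ts"])
        elif ev["event_id"] == 4624:
            if len(failures) >= failure_count:
                alerts.append({"user": user, "success_ts": ev["ts"],
                               "failures": len(failures)})
            failures.clear()  # a success resets the run for this user
    return alerts


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sample events (hypothetical, not real log data).
SAMPLE_EVENTS = [
    # bob: three failures in seconds, then success -> alert
    {"ts": _t("2024-01-01T10:00:00"), "event_id": 4625, "user": "bob"},
    {"ts": _t("2024-01-01T10:00:05"), "event_id": 4625, "user": "bob"},
    {"ts": _t("2024-01-01T10:00:09"), "event_id": 4625, "user": "bob"},
    {"ts": _t("2024-01-01T10:00:20"), "event_id": 4624, "user": "bob"},
    # alice: only two failures before success -> below threshold
    {"ts": _t("2024-01-01T11:00:00"), "event_id": 4625, "user": "alice"},
    {"ts": _t("2024-01-01T11:00:03"), "event_id": 4625, "user": "alice"},
    {"ts": _t("2024-01-01T11:00:10"), "event_id": 4624, "user": "alice"},
    # carol: three failures, but the first is older than the window -> no alert
    {"ts": _t("2024-01-01T08:00:00"), "event_id": 4625, "user": "carol"},
    {"ts": _t("2024-01-01T08:30:00"), "event_id": 4625, "user": "carol"},
    {"ts": _t("2024-01-01T09:10:00"), "event_id": 4625, "user": "carol"},
    {"ts": _t("2024-01-01T09:20:00"), "event_id": 4624, "user": "carol"},
]
```

With the defaults only bob triggers an alert; lowering failureCount to 2 would also flag alice and carol, which is the trade-off the threshold and window parameters control.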

Windows.Events.Kerbroasting

Description: This artifact will monitor all successful Kerberos TGS ticket events for service accounts (SPN attribute) implemented with weak encryption. These tickets are vulnerable to brute force attack and this event is an indicator of a Kerberoasting attack.

ATT&CK: T1208 - Kerberoasting

Typical attacker methodology is to first request accounts in the domain with SPN attributes, then request an insecure TGS ticket for brute forcing. This attack is particularly effective as any domain credentials can be used to implement the attack, and service accounts often have elevated privileges. Kerberoasting can be used for privilege escalation or persistence by adding an SPN attribute to an unexpected account.

Reference: The Art of Detecting Kerberoast Attacks
Log Source: Windows Security Event Log (Domain Controllers)
Event ID: 4769
Status: 0x0 (Audit Success)
Ticket Encryption: 0x17 (RC4)
Service Name: NOT krbtgt or NOT a system account (account name ends in $)
TargetUserName: NOT a system account ($@)

Monitor and alert on unusual events from an unexpected IP. Note: There are potential false positives so whitelist normal source IPs and manage risk of insecure ticket generation.

Arg       Default                                         Description
eventLog  C:\Windows\system32\winevt\logs\Security.evtx

Windows.Events.ProcessCreation

Collect all process creation events.

Arg         Default                                             Description
wmiQuery    SELECT * FROM __InstanceCreationEvent WITHIN 1 WHE …
eventQuery  SELECT * FROM Win32_ProcessStartTrace

Windows.Events.ServiceCreation

Monitor for creation of new services.

New services are typically created by installing new software or kernel drivers. Attackers will sometimes install a new service to either insert a malicious kernel driver or as a persistence mechanism.

This event monitor extracts the service creation events from the event log and records them on the server.

Arg            Default                                       Description
systemLogFile  C:/Windows/System32/Winevt/Logs/System.evtx