📒
Book of VanLuong
  • 👨‍💻About the Author
  • Cryptography
    • Cryptanalysis
      • RSA & RSA ATTACK
      • DES (Data Encryption Standard)
      • AES (Advanced Encryption Standard)
      • ECC ( Elliptic Curve of Cryptography)
      • Group-based Cryptography
      • Lattice-based Cryptography
      • ChaCha20-Poly1305
      • Hash Function
      • Wargame CTF
  • C2
    • Practical with Havoc Framework
  • Blue Teaming
    • SIEM & SOC
      • SIEM
      • SOC
      • Splunk
    • Cybersecurity Lab & Threat Intelligence
      • Build ELK Lab
        • Configure Elasticsearch and Kibana setup in ubuntu
        • Fluent Bit – Sending Logs to ELK with Fluent Bit
        • Winlogbeat – Collecting and Forwarding Windows Event Logs.
        • Filebeat – Collecting and Forwarding Windows Event Logs.
        • Send Logs from Winlogbeat through Logstash to ELK
        • Audit policy & Winlogbeat
      • Sysmon configuration
    • PowerShell in Incident Response and Threat Hunting
      • PowerShell For Incident Response
      • PowerShell For Threat Hunting
  • Techniques used in malware
    • DLL side loading
    • DLL Unhooking
    • Call stack spoofing
  • Wazuh App Dashboards for Splunk
  • Windows
    • 70 Vital Windows Commands
    • Windows Registry Forensics
  • Guide to Installing Kali Linux, DVWA, and bWAPP
    • Phần 1. CÀI ĐẶT HỆ ĐIỀU HÀNH KALI LINUX
    • Phần 2. CÀI ĐẶT DVWA
    • Phần 3. CÀI ĐẶT BWAPP
  • CTF
    • CTF-writeup-in-KCSC
Powered by GitBook
On this page
  • Prerequisites
  • Configure Active Directory
  • Audit Policy

Was this helpful?

  1. Blue Teaming
  2. Cybersecurity Lab & Threat Intelligence
  3. Build ELK Lab

Audit policy & Winlogbeat

PreviousSend Logs from Winlogbeat through Logstash to ELKNextSysmon configuration

Last updated 3 months ago

Was this helpful?

Prerequisites

Windows Server 2022 (WinSrv22 - 192.168.35.132)

Windows 10 installed Winlogbeat and configure (Windows10 - 192.168.35.131)

Windows 10 join Active Directory.

Configure Active Directory

Check Windows10 machine is joined to the domain vanluongelk.local

Click left mouse vanluongelk.local > New > Organizational Unit and set name: 8386

Create new user in OU 8386.

Audit Policy

In WinSrv22, open Group Policy Management.

Click left mouse 8386 and click Create a GPO in this domain, and Link it here...

Let's call it Audit Logging.

Click Audit Logging > Edit.

Next, We need edit Process Creation Logging. Group Policy Management Editor window appear, click 

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > 
System Audit Policies - Local Group Policy Object > Detailed Tracking

We need configure and make sure the boxes are checked.

  • Audit Process Creation (Event ID 4688): Logs when a new process is created.

  • Audit Process Termination (Event ID 4689): Logs when a process terminates.

Next, We need edit Logon and Authentication Auditing.

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > 
System Audit Policies - Local Group Policy Object > Logon/Logoff

Now, we need configure:

  • Audit Account Lockout (Event ID 4740): Logs when an account gets locked due to failed login attempts.

  • Audit Logoff (Event ID 4634): Logs when a user logs off.

  • Audit Logon (Event ID 4624, 4625, 4634, 4647): Logs user authentication attempts (successful & failed).

  • Audit Special Logon (Event ID 4672): Logs privileged logins (e.g., Administrator, SYSTEM).

Next, we need to run the following command on the Windows10 machine(User: Administrator@vanluongelk.local) to apply the policy:

gpupdate /forces

Next, logout and login Windows10 machine with User: PhatTai@vanluongelk.local OU: 8386

I will try login wrong

We now need to confirm whether ELK successfully receives logs from Winlogbeat > Logstash > Elasticsearch. From Stack Management → Index Management

You can check the Windows 10 machine assigned to Account Domain: VANLUONGELK.

Here, we use a filter to search for Event ID 4625, retrieving data as shown in the image below.

We can investigate the time of occurrence (Timestamp) along with Domain name, TargetUserName, ...

The event immediately following the login fail sequence is a successful login with EventID 4624