diff --git a/docs/audit-policies/windows/README.md b/docs/audit-policies/windows/README.md new file mode 100644 index 00000000000..eda608d7347 --- /dev/null +++ b/docs/audit-policies/windows/README.md @@ -0,0 +1,21 @@ +## Windows Audit Policies + +This folder contains Windows related audit policies that need to be implemented in order to generate the events that power our detection rules. It serves as a centralized view of the policies we use so you don't need to go through every rule to know the different audit policies required. + +Audit Policies: + +* [Audit Audit Policy Change](active_directory_audit_audit_policy_change.md) +* [Audit Authorization Policy Change](active_directory_audit_authorization_policy_change.md) +* [Audit Detailed File Share](active_directory_audit_detailed_file_share.md) +* [Audit Directory Service Access](active_directory_audit_directory_service_access.md) +* [Audit Directory Service Changes](active_directory_audit_directory_service_changes.md) +* [Audit Handle Manipulation](active_directory_audit_handle_manipulation.md) +* [Audit Security Group Management](active_directory_audit_security_group_management.md) +* [Audit Security System Extension](active_directory_audit_security_system_extension.md) +* [Audit User Account Management](active_directory_audit_user_account_management.md) +* [Filtering Platform Connection](active_directory_filtering_platform_connection.md) +* [Special Logon](active_directory_special_logon.md) +* [Token Right Adjusted Events](active_directory_token_right_adjusted_events.md) +* [Audit Logon](active_directory_audit_logon.md) +* [Powershell Script Block Logging](powershell_script_block_logging.md) +* [Process Creation and Command Line](process_creation_and_command_line.md) \ No newline at end of file diff --git a/docs/audit-policies/windows/active_directory_audit_audit_policy_change.md b/docs/audit-policies/windows/active_directory_audit_audit_policy_change.md new file mode 100644 index 00000000000..47ae26352e6 
--- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_audit_policy_change.md @@ -0,0 +1,29 @@ +## Setup + +Certain rules in our ruleset require tracking changes to audit policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into audit policy changes, helping to maintain compliance and security. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Audit Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Audit Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Security Audit Policy Settings > +Audit Policies > +Policy Change > +**Audit Audit Policy Change (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_authorization_policy_change.md b/docs/audit-policies/windows/active_directory_audit_authorization_policy_change.md new file mode 100644 index 00000000000..a9e15ef559d --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_authorization_policy_change.md 
@@ -0,0 +1,29 @@ +## Setup + +Certain rules in our ruleset require monitoring changes to authorization policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into changes affecting user rights and security policies, helping maintain compliance and security. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Authorization Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Authorization Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Audit Policy Configuration > +Audit Policies > +Policy Change > +**Audit Authorization Policy Change (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_detailed_file_share.md b/docs/audit-policies/windows/active_directory_audit_detailed_file_share.md new file mode 100644 index 00000000000..47a2c77214f --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_detailed_file_share.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring file share access to detect unauthorized access attempts or modifications. Enabling this setting helps improve security visibility and ensures compliance by tracking access to shared files and folders. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit File Share` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit File Share` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access > +**Audit File Share (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"File Share" /success:enable /failure:disable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_directory_service_access.md b/docs/audit-policies/windows/active_directory_audit_directory_service_access.md new file mode 100644 index 00000000000..6dc9fa8203e --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_directory_service_access.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require configuring audit policies to generate events when Active Directory objects are accessed. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Directory Service Access` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Access` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +**Audit Directory Service Access (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_directory_service_changes.md b/docs/audit-policies/windows/active_directory_audit_directory_service_changes.md new file mode 100644 index 00000000000..339cc8a527b --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_directory_service_changes.md 
@@ -0,0 +1,54 @@ +## Setup + +Certain rules in our ruleset require configuring audit policies to generate events when Active Directory objects are modified. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Directory Service Changes` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Changes` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +**Audit Directory Service Changes (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable +``` + +### Additional Settings + +The `Audit Directory Service Changes` policy does not cover all objects monitored by our detection rules. To address these gaps, in addition to enabling the audit policy, we must configure additional Access Control Entries (ACEs) using (Set-AuditRule)[https://github.com/OTRF/Set-AuditRule] to ensure proper monitoring. + +Below is a list of the Audit Rules included in the ruleset. 
Modify them to match the Distinguished Names specific to your environment: + +Audit changes on the MicrosoftDNS object: + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success +``` + +Audit changes on the msDS-KeyCredentialLink attribute of User objects: + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success +``` + +Audit changes on the servicePrincipalName attribute of User objects: + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success +``` diff --git a/docs/audit-policies/windows/active_directory_audit_handle_manipulation.md b/docs/audit-policies/windows/active_directory_audit_handle_manipulation.md new file mode 100644 index 00000000000..b13ba3a94d6 --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_handle_manipulation.md 
@@ -0,0 +1,29 @@ +## Setup + +Certain rules in our ruleset require monitoring handle manipulation to detect unauthorized access attempts or suspicious interactions with system objects. Enabling this setting helps improve security visibility by tracking when handles to objects (such as files, registry keys, or processes) are opened or modified. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Handle Manipulation` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Handle Manipulation` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Audit Policy Configuration > +Audit Policies > +Object Access > +**Audit Handle Manipulation (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_security_group_management.md b/docs/audit-policies/windows/active_directory_audit_security_group_management.md new file mode 100644 index 00000000000..498741712e1 --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_security_group_management.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring security group management to detect unauthorized changes to user group memberships, which can affect access control and security policies. Enabling this setting ensures visibility into modifications of security groups, helping maintain security and compliance. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Security Group Management` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Security Group Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +**Audit Security Group Management (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_security_system_extension.md b/docs/audit-policies/windows/active_directory_audit_security_system_extension.md new file mode 100644 index 00000000000..77f4ae63b49 --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_security_system_extension.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring security system extensions to detect unauthorized modifications, such as the installation of new system services, drivers, or security-related components. Enabling this setting helps ensure visibility into critical system changes that could impact security and system integrity. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Security System Extension` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Security System Extension` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +System > +**Audit Security System Extension (Success)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Security System Extension" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_audit_user_account_management.md b/docs/audit-policies/windows/active_directory_audit_user_account_management.md new file mode 100644 index 00000000000..00cb050e43a --- /dev/null +++ b/docs/audit-policies/windows/active_directory_audit_user_account_management.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring user account management activities to detect unauthorized account creations, modifications, or deletions. Enabling this setting ensures visibility into critical account changes, helping maintain security and compliance by tracking administrative actions related to user accounts. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit User Account Management` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit User Account Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +**Audit User Account Management (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_filtering_platform_connection.md b/docs/audit-policies/windows/active_directory_filtering_platform_connection.md new file mode 100644 index 00000000000..c9a9f837e11 --- /dev/null +++ b/docs/audit-policies/windows/active_directory_filtering_platform_connection.md 
@@ -0,0 +1,31 @@ +## Setup + +Certain rules in our ruleset require monitoring network connections managed by the Windows Filtering Platform (WFP) to detect unauthorized or suspicious network activity. + +**Caution:** Enabling this audit policy generates a high volume of events. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Filtering Platform Connection` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Filtering Platform Connection` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Security Audit Policy Settings > +Audit Policies > +Object Access > +Audit Filtering Platform Connection (Success,Failure) +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_special_logon.md b/docs/audit-policies/windows/active_directory_special_logon.md new file mode 100644 index 00000000000..a416a086030 --- /dev/null +++ b/docs/audit-policies/windows/active_directory_special_logon.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring special logon events to track privileged account usage. Special logon events indicate that an account with elevated privileges (such as administrators or service accounts) has logged in, helping detect unauthorized access or privilege escalation attempts. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit Special Logon` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Special Logon` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Logon/Logoff > +**Audit Special Logon (Success)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"TBD" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_directory_token_right_adjusted_events.md b/docs/audit-policies/windows/active_directory_token_right_adjusted_events.md new file mode 100644 index 00000000000..e812ebab817 --- /dev/null +++ b/docs/audit-policies/windows/active_directory_token_right_adjusted_events.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring token right adjustments to detect privilege changes in user sessions. Token right adjustments occur when a user's security token is modified to grant or revoke privileges, which can indicate privilege escalation attempts or administrative activity. Enabling this setting enhances visibility into security-sensitive changes affecting user privileges. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Token Right Adjusted Events` across a group of servers using Active Directory Group Policies, administrators must enable the `Token Right Adjusted Events` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Detailed Tracking > +Token Right Adjusted Events (Success) +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Token Right Adjusted Events" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/active_drectory_audit_logon.md b/docs/audit-policies/windows/active_drectory_audit_logon.md new file mode 100644 index 00000000000..495dfb47442 --- /dev/null +++ b/docs/audit-policies/windows/active_drectory_audit_logon.md 
@@ -0,0 +1,30 @@ +## Setup + +Certain rules in our ruleset require monitoring logon events to track user authentication attempts, detect unauthorized access, and investigate security incidents. Enabling this setting provides visibility into successful and failed logon attempts, helping strengthen security and compliance. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable `Audit logon` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit logon` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Logon/Logoff +**Audit Logon (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable +``` diff --git a/docs/audit-policies/windows/powershell_script_block_logging.md b/docs/audit-policies/windows/powershell_script_block_logging.md new file mode 100644 index 00000000000..801da2d89fb --- /dev/null +++ b/docs/audit-policies/windows/powershell_script_block_logging.md 
@@ -0,0 +1,24 @@ +## Setup + +Certain rules in our ruleset require enabling PowerShell Script Block Logging to record the content of processed script blocks in the Windows Event Log. + +To collect these logs using the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows), select the `Powershell Operational` channel on the integration setup page. + +### Enable Audit Policy via Group Policy + +To enable PowerShell Script Block logging across a group of servers using Active Directory Group Policies, administrators must enable the `Turn on PowerShell Script Block Logging` policy. Follow these steps to implement the logging policy through `Advanced Audit Configuration`: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +**Turn on PowerShell Script Block Logging (Enable)** +``` + +### Enable Audit Policy via Registry + +To configure the audit on servers that aren't domain joined, the EnableScriptBlockLogging registry key must be set to 1. Here is an example modification command: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` diff --git a/docs/audit-policies/windows/process_creation_and_command_line.md b/docs/audit-policies/windows/process_creation_and_command_line.md new file mode 100644 index 00000000000..4f345353e18 --- /dev/null +++ b/docs/audit-policies/windows/process_creation_and_command_line.md 
@@ -0,0 +1,50 @@ +## Setup + +If leveraging process creation events from the Windows Security log for detections, enabling command line auditing for Windows Event ID 4688 (Process Creation) is required. When enabled, Windows records the full command line of newly created processes in the Security event log. + +To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration. + +If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled. + +### Enable Audit Policy via Group Policy + +To enable the record of command line in process creation events across a group of servers using Active Directory Group Policies, administrators must enable the `Include command line in process creation events` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Administrative Templates > +System > +Audit Process Creation > +**Include command line in process creation events (Enable)** +``` + +Additionally, confirm that the Audit Process Creation policy is enabled: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Configuration > +Detailed Tracking > +**Audit Process Creation (Success)** +``` + +### Enable Locally + +To enable process creation and command line auditing on non-domain-joined servers, follow these steps with Administrative privileges: + +1. Enable Process Creation Audit + +Run the following command to enable auditing for process creation: +``` +auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable +``` + + +2. 
Enable Command Line Logging + +Modify the registry to include command-line details in process creation logs: +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f +```
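Review bot: The `Audit Logon` entry in the README hunk links to `active_directory_audit_logon.md`, but the file this patch adds is named `active_drectory_audit_logon.md` (missing the `i`), so the link will 404; rename the file rather than the link so it matches the `active_directory_` prefix used by every other page. While here, the list is alphabetical except for `Audit Logon`, which sits after `Token Right Adjusted Events`, and the README is missing a trailing newline.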
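Review bot: The GPO path in `active_directory_audit_audit_policy_change.md` names the node `Advanced Security Audit Policy Settings` and omits `Policies >`, while the sentence above it says `Advanced Audit Policy Configuration` and the sibling pages use `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > ...`. Use one spelling of the path on every page: `active_directory_filtering_platform_connection.md` repeats the `Advanced Security Audit Policy Settings` variant (and drops the bold markers the others use), `active_directory_audit_authorization_policy_change.md` and `active_directory_audit_handle_manipulation.md` drop `Policies >`, and several pages pluralize the node as `Advanced Audit Policies Configuration`.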
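Review bot: `active_directory_audit_detailed_file_share.md` is titled and linked from the README as "Detailed File Share", but the GPO step and the auditpol command configure `Audit File Share` / `/subcategory:"File Share"`, which is a different subcategory; decide which one the rules actually need and make the filename, README entry, prose and commands agree. The auditpol line also passes `/failure:disable` while the GPO block above it says `(Success,Failure)`, so the two methods produce different policies.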
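Review bot: `active_directory_audit_directory_service_access.md` does not say which objects will actually produce events once the subcategory is enabled, whereas the sibling `active_directory_audit_directory_service_changes.md` adds an "Additional Settings" section with Set-AuditRule ACEs precisely because the subcategory alone "does not cover all objects monitored by our detection rules". If Directory Service Access has the same dependency on per-object audit ACEs, document the required ACEs here too; if the rules only need what the subcategory emits by default, state that explicitly so readers do not assume the page is incomplete.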
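Review bot: The Set-AuditRule link in `active_directory_audit_directory_service_changes.md` has its Markdown syntax reversed, `(Set-AuditRule)[https://github.com/OTRF/Set-AuditRule]`; it should read `[Set-AuditRule](https://github.com/OTRF/Set-AuditRule)` or it renders as literal text. In the three commands the `-AdObjectPath 'AD:\\CN=...'` values are single-quoted PowerShell strings, where `\\` is two literal backslashes rather than an escape sequence; confirm that is the intended path form. Also reword "the Audit Rules included in the ruleset" to something like "the audit rules the ruleset requires", since these are ACEs the reader must add, not rules shipped with it.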
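Review bot: In `active_directory_audit_security_system_extension.md` the GPO block specifies `(Success)` only, but the local auditpol command enables `/failure:enable` as well; the two methods on one page should yield the same policy, so either add Failure to the GPO entry or drop it from the command. The same Success-only-versus-`/failure:enable` mismatch appears in `active_directory_token_right_adjusted_events.md`.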
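Review bot: The auditpol command in `active_directory_special_logon.md` still carries the placeholder `/subcategory:"TBD"`, which auditpol will reject; the subcategory matching the GPO entry `Audit Special Logon` is `"Special Logon"`. The command also enables failure auditing while the GPO block lists `(Success)` only.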
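Review bot: The new file is named `active_drectory_audit_logon.md`, which breaks the README link to `active_directory_audit_logon.md`; rename it to the spelling every other page uses. Inside the GPO block `Logon/Logoff` is missing the trailing `>` that the other entries carry, and the policy is written `Audit logon` in the prose but `Audit Logon` in the block.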
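Review bot: `powershell_script_block_logging.md` says the policy is applied "through `Advanced Audit Configuration`", but the path it gives is `Computer Configuration > Administrative Templates > Windows PowerShell`, an Administrative Template rather than an audit policy; the heading "Enable Audit Policy via Registry" has the same problem, as `EnableScriptBlockLogging` is a policy value, not an audit subcategory. The Windows Integration link also uses a different URL form (`elastic.co/docs/current/integrations/windows`) from the `guide/en/integrations/current/windows.html` form used on every other page; pick one. Consider adding `/f` to the `reg add` command, as `process_creation_and_command_line.md` does, so it does not prompt when the value already exists.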
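Review bot: The second GPO path in `process_creation_and_command_line.md` reads `Advanced Audit Configuration > Detailed Tracking`, dropping the `Audit Policies` node and introducing yet another spelling of `Advanced Audit Policy Configuration`; align it with the other pages. The first path is an Administrative Template, so the sentence "configure the audit policy via Advanced Audit Policy Configuration" above it does not describe that step. The local auditpol command enables failure auditing although the GPO block lists `(Success)` only.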