Auditing Event 565, 566 — Finally my scratched head got some peace

For the last month I have been scratching my head over how to monitor and review Event 565 and 566 logs.

The logs we receive from the SIEM are over 30 MB in size, so opening and reviewing them is too difficult and my Excel hangs.
The majority of the alerts, at least 90%, consist of Monitoring_OU_GPO_Objects.

Luckily Randy F. Smith from ultimatesecurity.com came to my rescue, providing insight into what to look for when monitoring AD and its events.

I figured out that our SIEM is just logging every Event 565 under one alert, but it needs to be fine-tuned to identify the alerts below based on specific keywords in the alert details.

Below is the format of the event. This sample is an open of a SAM user object; for Active Directory objects the Object Server is DS and the Object Type carries the AD class (organizationalUnit, groupPolicyContainer, and so on), which is what the rules further down key on.

Win2003 

Object Open: 
Object Server:Security Account Manager 
Object Type:SAM_USER 
Object Name:S-1-5-21-2121316058-685099279-904526279-500 
Handle ID:44677624 
Operation ID:{0,78919} 
Process ID:500 
Process Name:C:\WINDOWS\system32\lsass.exe 
Primary User Name:W3DC$ 
Primary Domain:ELM 
Primary Logon ID:(0x0,0x3E7) 
Client User Name:Administrator 
Client Domain:ELM 
Client Logon ID:(0x0,0x1342B) 
Accesses:
     DELETE 
     READ_CONTROL 
     WRITE_DAC 
     WRITE_OWNER 
     ReadGeneralInformation 
     ReadPreferences 
     WritePreferences 
     ReadLogon 
     ReadAccount 
     WriteAccount 
     SetPassword (without knowledge of old password) 
     ListGroups 
Privileges:- 
Properties: 
          user 
     DELETE 
     READ_CONTROL 
     WRITE_DAC 
     WRITE_OWNER 
     ......other options......

Based on the Accesses and Properties blocks, the alerts below have to be identified and raised. Keep in mind that 565 is an Object Open event: the Accesses block lists the rights the handle was opened with, not necessarily what was done with it. In the sample above an administrator opened a user object with DELETE, WRITE_DAC and WRITE_OWNER, which is routine for a management console, so a rule on DELETE alone will also fire on such handle opens; the Properties block tells you which attributes were actually touched.

1) Modification of a GPO – Look for “groupPolicyContainer” and “version” in the description (the attribute is versionNumber, which is incremented every time the GPO is edited).

2) Permissions change on an organizational unit – Someone delegated some level of control to someone else via Delegate Control in AD. Only an AD admin should do that, with proper approval.
Look for “organizationalUnit” and “WRITE_DAC”.
WRITE_DAC is the right to write the object’s discretionary access control list (DACL), which is exactly what delegation changes.

3) GPO link changed on an organizational unit, or Enforced enabled or disabled
Look for “organizationalUnit” and “gPLink” or “gPOptions” (the links with their Enforced/Disabled flags live in gPLink; Block Inheritance lives in gPOptions).

4) Organizational unit deleted – A severe problem that should almost never happen legitimately.
Look for “organizationalUnit” and “DELETE”.

5) Group Policy Object deleted
Look for “groupPolicyContainer” and “DELETE”.
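To show how the five rules above turn raw 565 text into separate alerts instead of one Monitoring_OU_GPO_Objects bucket, here is an added example in Python; it is my code, not from the post or from Randy Smith's material. It parses event bodies in the Key:Value layout shown on the page, applies the keyword rules, and reports who touched which object. It assumes AD objects arrive with Object Server DS and the AD class in Object Type, and matches the attribute names versionNumber, gPLink and gPOptions; every sample event is constructed by make_event, and the GUID, domain and user names in them are made up. The last sample illustrates the caveat: a handle opened with DELETE and WRITE_DAC together, as a console does, matches two rules although nothing was deleted.

```python
"""Keyword rules for Windows 2003 Event 565 (Object Open) bodies: an added example.
The sample events are constructed for the demo, not captured from a real domain."""
from dataclasses import dataclass, field

@dataclass
class Event565:
    fields: dict = field(default_factory=dict)     # header Key:Value pairs
    accesses: set = field(default_factory=set)     # tokens listed under Accesses:
    properties: set = field(default_factory=set)   # tokens listed under Properties:

def parse_event(text):
    """Parse one event body in the Key:Value layout shown on the page.
    Indented lines after 'Accesses:' or 'Properties:' are collected as tokens;
    the next non-indented Key:Value line ends that block and becomes a field."""
    ev, section = Event565(), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":                        # continuation of the open block
            if section == "Accesses":
                ev.accesses.add(raw.strip())
            elif section == "Properties":
                ev.properties.add(raw.strip())
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("Accesses", "Properties"):
            section = key
        else:
            section = None
            ev.fields[key] = value
    return ev

# The post's five rules: (alert, AD class in Object Type, access keywords, attribute keywords).
# An event matches when the class matches and any listed access OR any listed attribute is present.
RULES = [
    ("GPO modified",                 "groupPolicyContainer", set(),         {"versionNumber"}),
    ("GPO deleted",                  "groupPolicyContainer", {"DELETE"},    set()),
    ("OU permissions changed",       "organizationalUnit",   {"WRITE_DAC"}, set()),
    ("GPO link/enforcement changed", "organizationalUnit",   set(),         {"gPLink", "gPOptions"}),
    ("OU deleted",                   "organizationalUnit",   {"DELETE"},    set()),
]

def classify(ev):
    """Return the alert names whose rule matches this event; an empty list means noise.
    Attribute names are compared case-insensitively since SIEM exports vary in case."""
    obj_type = ev.fields.get("Object Type", "")
    props = {p.lower() for p in ev.properties}
    return [alert for alert, cls, accesses, attrs in RULES
            if obj_type == cls
            and ((accesses & ev.accesses) or ({a.lower() for a in attrs} & props))]

def triage(event_texts):
    """Run the rules over raw event bodies; one row per alert with who touched which object."""
    rows = []
    for text in event_texts:
        ev = parse_event(text)
        who = ev.fields.get("Client Domain", "?") + "\\" + ev.fields.get("Client User Name", "?")
        for alert in classify(ev):
            rows.append({"alert": alert, "who": who, "object": ev.fields.get("Object Name", "?")})
    return rows

def make_event(obj_type, obj_name, user, accesses=(), attrs=()):
    """Build a constructed 565 body in the page's layout (Object Server DS for AD objects)."""
    lines = ["Object Open:", "Object Server:DS", f"Object Type:{obj_type}",
             f"Object Name:{obj_name}", f"Client User Name:{user}", "Client Domain:ELM",
             "Accesses:"] + [f"     {a}" for a in accesses] + ["Privileges:-"]
    if attrs:
        lines += ["Properties:", f"     {obj_type}"] + [f"          {a}" for a in attrs]
    return "\n".join(lines) + "\n"

GPO_DN = "CN={0A1B2C3D-4E5F-4071-8293-A4B5C6D7E8F9},CN=Policies,CN=System,DC=ELM,DC=local"  # made-up GUID
OU_DN = "OU=Sales,DC=ELM,DC=local"
SAMPLES = [
    make_event("organizationalUnit", OU_DN, "jsmith", ["READ_CONTROL", "List Contents"]),  # noise: plain read
    make_event("groupPolicyContainer", GPO_DN, "Administrator", ["Write Property"], ["versionNumber"]),
    make_event("organizationalUnit", OU_DN, "Administrator", ["WRITE_DAC"]),
    make_event("organizationalUnit", OU_DN, "Administrator", ["Write Property"], ["gPLink", "gPOptions"]),
    make_event("organizationalUnit", OU_DN, "Administrator", ["DELETE"]),
    make_event("groupPolicyContainer", GPO_DN, "Administrator", ["DELETE"]),
    # A console opening an OU with a full-access handle, like the user object in the page's sample:
    # it trips two rules although nothing was deleted, which is why DELETE alone is noisy.
    make_event("organizationalUnit", OU_DN, "Administrator",
               ["DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER"]),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(f"{row['alert']:30} {row['who']:20} {row['object']}")
```

Running the file prints seven alert rows for the six non-noise samples (the last sample produces two), and nothing for the plain read. To feed this from a real export, split the SIEM file into one body per event and pass the list to triage; the keyword sets in RULES are the place to add the Properties names your own SIEM shows.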

The recommendations have been made and are awaiting implementation, so that we get a single alert when something goes wrong; otherwise the valid events get lost in the noise. As AD is a critical resource for any company, it needs to be monitored for a specific set of alerts that we define and look for.

About wikihead

A security freak