Removed the locale references from Sample Data
This commit is contained in:
v-rucdu
GitHub
Родитель
a4ee1f7a3f
Коммит
bb223a58cf
|
|
@ -698,10 +698,10 @@
|
|||
"Computer": "dsp-ms.dsp.lab",
|
||||
"EventLevel": 2,
|
||||
"EventLevelName": "Warning",
|
||||
"ParameterXml": "<Param>2021-07-08T16:01:03.2640457+00:00</Param><Param>Protected Users group in use</Param><Param>Failed</Param><Param>3/15/2021 2:06:40 PM</Param><Param>0 F</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Informational</Param><Param>1</Param><Param>Mitre:Credential Access</Param><Param><![CDATA[The Protected Users group was introduced in Server 2012-R2 Active Directory to minimize credential exposure for privileged accounts. Users in the Protected Users group are more secure when authenticating to Windows resources. The differences include no longer caching clear-text passwords, even when Windows Digest is enabled, NTLM will no longer cache clear-text passwords, and Kerberos will no longer create DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation. ]]></Param><Param><![CDATA[The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all privileged users are members of the Protected Users group. <a href=\"https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group/\">For more information.</a> ]]></Param><Param>Found 5 privileged users that are not members of the Protected Users group.</Param><Param>5</Param><Param>Ensure that all privileged users are members of the Protected Users group. If using a pre 2012-R2 schema, then the protected users group does not exist. This is an exposure, but the remediation is to upgrade the schema.</Param><Param>Run every hour starting on 2/11/2021 2:11:39 PM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:01:03.7881056+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:01:03.264045700Z</Data><Data Name=\"securityIndicatorName\">Protected Users group in use</Data><Data Name=\"result\">Failed</Data><Data Name=\"firstFound\">3/15/2021 2:06:40 PM</Data><Data Name=\"score\">0 F</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Informational</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Credential Access</Data><Data Name=\"securityIndicatorDescription\">The Protected Users group was introduced in Server 2012-R2 Active Directory to minimize credential exposure for privileged accounts. Users in the Protected Users group are more secure when authenticating to Windows resources. The differences include no longer caching clear-text passwords, even when Windows Digest is enabled, NTLM will no longer cache clear-text passwords, and Kerberos will no longer create DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation. </Data><Data Name=\"likelihoodOfCompromise\">The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all privileged users are members of the Protected Users group. <a href=\"https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group/\">For more information.</a> </Data><Data Name=\"resultMessage\">Found 5 privileged users that are not members of the Protected Users group.</Data><Data Name=\"numberOfResults\">5</Data><Data Name=\"remediation\">Ensure that all privileged users are members of the Protected Users group. If using a pre 2012-R2 schema, then the protected users group does not exist. This is an exposure, but the remediation is to upgrade the schema.</Data><Data Name=\"schedule\">Run every hour starting on 2/11/2021 2:11:39 PM</Data></EventData></DataItem>",
|
||||
"ParameterXml": "<Param>2021-07-08T16:01:03.2640457+00:00</Param><Param>Protected Users group in use</Param><Param>Failed</Param><Param>3/15/2021 2:06:40 PM</Param><Param>0 F</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Informational</Param><Param>1</Param><Param>Mitre:Credential Access</Param><Param><![CDATA[The Protected Users group was introduced in Server 2012-R2 Active Directory to minimize credential exposure for privileged accounts. Users in the Protected Users group are more secure when authenticating to Windows resources. The differences include no longer caching clear-text passwords, even when Windows Digest is enabled, NTLM will no longer cache clear-text passwords, and Kerberos will no longer create DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation. ]]></Param><Param><![CDATA[The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all privileged users are members of the Protected Users group. <a href=\"https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/protected-users-security-group/\">For more information.</a> ]]></Param><Param>Found 5 privileged users that are not members of the Protected Users group.</Param><Param>5</Param><Param>Ensure that all privileged users are members of the Protected Users group. If using a pre 2012-R2 schema, then the protected users group does not exist. This is an exposure, but the remediation is to upgrade the schema.</Param><Param>Run every hour starting on 2/11/2021 2:11:39 PM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:01:03.7881056+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:01:03.264045700Z</Data><Data Name=\"securityIndicatorName\">Protected Users group in use</Data><Data Name=\"result\">Failed</Data><Data Name=\"firstFound\">3/15/2021 2:06:40 PM</Data><Data Name=\"score\">0 F</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Informational</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Credential Access</Data><Data Name=\"securityIndicatorDescription\">The Protected Users group was introduced in Server 2012-R2 Active Directory to minimize credential exposure for privileged accounts. Users in the Protected Users group are more secure when authenticating to Windows resources. The differences include no longer caching clear-text passwords, even when Windows Digest is enabled, NTLM will no longer cache clear-text passwords, and Kerberos will no longer create DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation. </Data><Data Name=\"likelihoodOfCompromise\">The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all privileged users are members of the Protected Users group. <a href=\"https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/protected-users-security-group/\">For more information.</a> </Data><Data Name=\"resultMessage\">Found 5 privileged users that are not members of the Protected Users group.</Data><Data Name=\"numberOfResults\">5</Data><Data Name=\"remediation\">Ensure that all privileged users are members of the Protected Users group. If using a pre 2012-R2 schema, then the protected users group does not exist. This is an exposure, but the remediation is to upgrade the schema.</Data><Data Name=\"schedule\">Run every hour starting on 2/11/2021 2:11:39 PM</Data></EventData></DataItem>",
|
||||
"EventID": 9212,
|
||||
"RenderedDescription": "Security indicator found: Protected Users group in use Generation time: 2021-07-08T16:01:03.2640457+00:00 Security indicator name: Protected Users group in use Result: Failed First found: 3/15/2021 2:06:40 PM Score: 0 F Forest name: dsp.lab Domains: dsp.lab Severity: Informational Weight: 1 Schedule: Run every hour starting on 2/11/2021 2:11:39 PM Security framework tags: Mitre:Credential Access Security indicator description: The Protected Users group was introduced in Server 2012-R2 Active Directory to minimize credential exposure for privileged accounts. Users in the Protected Users group are more secure when authenticating to Windows resources. The differences include no longer caching clear-text passwords, even when Windows Digest is enabled, NTLM will no longer cache clear-text passwords, and Kerberos will no longer create DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation. Likelihood of compromise: The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all privileged users are members of the Protected Users group. <a href=\"https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group/\">For more information.</a> Result Message: Found 5 privileged users that are not members of the Protected Users group. Number of results: 5 Remediation: Ensure that all privileged users are members of the Protected Users group. If using a pre 2012-R2 schema, then the protected users group does not exist. This is an exposure, but the remediation is to upgrade the schema.",
|
||||
"RenderedDescription": "Security indicator found: Protected Users group in use Generation time: 2021-07-08T16:01:03.2640457+00:00 Security indicator name: Protected Users group in use Result: Failed First found: 3/15/2021 2:06:40 PM Score: 0 F Forest name: dsp.lab Domains: dsp.lab Severity: Informational Weight: 1 Schedule: Run every hour starting on 2/11/2021 2:11:39 PM Security framework tags: Mitre:Credential Access Security indicator description: The Protected Users group was introduced in Server 2012-R2 Active Directory to minimize credential exposure for privileged accounts. Users in the Protected Users group are more secure when authenticating to Windows resources. The differences include no longer caching clear-text passwords, even when Windows Digest is enabled, NTLM will no longer cache clear-text passwords, and Kerberos will no longer create DES or RC4 keys. When logging into domain controllers, members of the Protected Users group cannot authenticate via NTLM (Kerberos only), use DES or RC4 for Kerberos pre-authentication, and cannot be delegated with constrained or unconstrained delegation. Likelihood of compromise: The Protected Users group provides privileged users with additional protection from direct credential theft attacks. Ideally, all privileged users are members of the Protected Users group. <a href=\"https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/protected-users-security-group/\">For more information.</a> Result Message: Found 5 privileged users that are not members of the Protected Users group. Number of results: 5 Remediation: Ensure that all privileged users are members of the Protected Users group. If using a pre 2012-R2 schema, then the protected users group does not exist. This is an exposure, but the remediation is to upgrade the schema.",
|
||||
"AzureDeploymentID": "",
|
||||
"Role": "",
|
||||
"EventCategory": 56322,
|
||||
|
|
@ -1963,10 +1963,10 @@
|
|||
"Computer": "dsp-ms.dsp.lab",
|
||||
"EventLevel": 4,
|
||||
"EventLevelName": "Information",
|
||||
"ParameterXml": "<Param>2021-07-08T16:14:44.9589360+00:00</Param><Param>Reversible passwords found in GPOs</Param><Param>Pass</Param><Param>100 A</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Critical</Param><Param>1</Param><Param>Mitre:Credential Access</Param><Param><![CDATA[This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (\"Cpassword\" entries). Until patch MS14-025 (https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. ]]></Param><Param>Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy, but existing password entries may not have been removed. This area is one of the first things attackers look for when they've gained access to an AD environment, as older systems may still utilize those credentials.</Param><Param>No evidence of exposure</Param><Param>0</Param><Param>None</Param><Param>Run every hour starting on 2/3/2021 1:58:16 PM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:14:45.2730339+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:14:44.958936000Z</Data><Data Name=\"securityIndicatorName\">Reversible passwords found in GPOs</Data><Data Name=\"result\">Pass</Data><Data Name=\"score\">100 A</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Critical</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Credential Access</Data><Data Name=\"securityIndicatorDescription\">This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (\"Cpassword\" entries). Until patch MS14-025 (https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. </Data><Data Name=\"likelihoodOfCompromise\">Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy, but existing password entries may not have been removed. This area is one of the first things attackers look for when they've gained access to an AD environment, as older systems may still utilize those credentials.</Data><Data Name=\"resultMessage\">No evidence of exposure</Data><Data Name=\"numberOfResults\">0</Data><Data Name=\"remediation\">None</Data><Data Name=\"schedule\">Run every hour starting on 2/3/2021 1:58:16 PM</Data></EventData></DataItem>",
|
||||
"ParameterXml": "<Param>2021-07-08T16:14:44.9589360+00:00</Param><Param>Reversible passwords found in GPOs</Param><Param>Pass</Param><Param>100 A</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Critical</Param><Param>1</Param><Param>Mitre:Credential Access</Param><Param><![CDATA[This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (\"Cpassword\" entries). Until patch MS14-025 (https://support.microsoft.com/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. ]]></Param><Param>Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy, but existing password entries may not have been removed. This area is one of the first things attackers look for when they've gained access to an AD environment, as older systems may still utilize those credentials.</Param><Param>No evidence of exposure</Param><Param>0</Param><Param>None</Param><Param>Run every hour starting on 2/3/2021 1:58:16 PM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:14:45.2730339+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:14:44.958936000Z</Data><Data Name=\"securityIndicatorName\">Reversible passwords found in GPOs</Data><Data Name=\"result\">Pass</Data><Data Name=\"score\">100 A</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Critical</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Credential Access</Data><Data Name=\"securityIndicatorDescription\">This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (\"Cpassword\" entries). Until patch MS14-025 (https://support.microsoft.com/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. </Data><Data Name=\"likelihoodOfCompromise\">Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy, but existing password entries may not have been removed. This area is one of the first things attackers look for when they've gained access to an AD environment, as older systems may still utilize those credentials.</Data><Data Name=\"resultMessage\">No evidence of exposure</Data><Data Name=\"numberOfResults\">0</Data><Data Name=\"remediation\">None</Data><Data Name=\"schedule\">Run every hour starting on 2/3/2021 1:58:16 PM</Data></EventData></DataItem>",
|
||||
"EventID": 9211,
|
||||
"RenderedDescription": "Security indicator passed: Reversible passwords found in GPOs Generation time: 2021-07-08T16:14:44.9589360+00:00 Security indicator name: Reversible passwords found in GPOs Result: Pass Score: 100 A Forest name: dsp.lab Domains: dsp.lab Severity: Critical Weight: 1 Schedule: Run every hour starting on 2/3/2021 1:58:16 PM Security framework tags: Mitre:Credential Access Security indicator description: This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (\"Cpassword\" entries). Until patch MS14-025 (https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. Likelihood of compromise: Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy, but existing password entries may not have been removed. This area is one of the first things attackers look for when they've gained access to an AD environment, as older systems may still utilize those credentials. Result Message: No evidence of exposure Number of results: 0 Remediation: None",
|
||||
"RenderedDescription": "Security indicator passed: Reversible passwords found in GPOs Generation time: 2021-07-08T16:14:44.9589360+00:00 Security indicator name: Reversible passwords found in GPOs Result: Pass Score: 100 A Forest name: dsp.lab Domains: dsp.lab Severity: Critical Weight: 1 Schedule: Run every hour starting on 2/3/2021 1:58:16 PM Security framework tags: Mitre:Credential Access Security indicator description: This indicator looks in SYSVOL for GPOs that contain passwords that can be easily decrypted by an attacker (\"Cpassword\" entries). Until patch MS14-025 (https://support.microsoft.com/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30), it was possible to store local admin and other high-value credentials in GPOs. The passwords stored in GPOs were encrypted using a global key that was published and easily available to any domain member for decryption. Likelihood of compromise: Many shops stopped using the feature in GP Preferences to set passwords when Microsoft deprecated the feature in Group Policy, but existing password entries may not have been removed. This area is one of the first things attackers look for when they've gained access to an AD environment, as older systems may still utilize those credentials. Result Message: No evidence of exposure Number of results: 0 Remediation: None",
|
||||
"AzureDeploymentID": "",
|
||||
"Role": "",
|
||||
"EventCategory": 56323,
|
||||
|
|
@ -3642,10 +3642,10 @@
|
|||
"Computer": "dsp-ms.dsp.lab",
|
||||
"EventLevel": 4,
|
||||
"EventLevelName": "Information",
|
||||
"ParameterXml": "<Param>2021-07-08T16:30:23.7719982+00:00</Param><Param>Objects in built-in protected groups without adminCount=1 (SDProp)</Param><Param>Pass</Param><Param>100 A</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Informational</Param><Param>1</Param><Param>Mitre:Persistence, Mitre:Defense Evasion</Param><Param><![CDATA[This indicator looks for objects in built-in protected groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10) ]]></Param><Param>While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and attempt to hide it using this method.</Param><Param>No evidence of exposure.</Param><Param>0</Param><Param>None</Param><Param>Run every hour starting on 2/16/2021 7:12:51 AM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:30:25.6519518+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:30:23.771998200Z</Data><Data Name=\"securityIndicatorName\">Objects in built-in protected groups without adminCount=1 (SDProp)</Data><Data Name=\"result\">Pass</Data><Data Name=\"score\">100 A</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Informational</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Persistence, Mitre:Defense Evasion</Data><Data Name=\"securityIndicatorDescription\">This indicator looks for objects in built-in protected groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10) </Data><Data Name=\"likelihoodOfCompromise\">While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and attempt to hide it using this method.</Data><Data Name=\"resultMessage\">No evidence of exposure.</Data><Data Name=\"numberOfResults\">0</Data><Data Name=\"remediation\">None</Data><Data Name=\"schedule\">Run every hour starting on 2/16/2021 7:12:51 AM</Data></EventData></DataItem>",
|
||||
"ParameterXml": "<Param>2021-07-08T16:30:23.7719982+00:00</Param><Param>Objects in built-in protected groups without adminCount=1 (SDProp)</Param><Param>Pass</Param><Param>100 A</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Informational</Param><Param>1</Param><Param>Mitre:Persistence, Mitre:Defense Evasion</Param><Param><![CDATA[This indicator looks for objects in built-in protected groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/previous-versions/technet-magazine/ee361593(v=msdn.10) ]]></Param><Param>While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and attempt to hide it using this method.</Param><Param>No evidence of exposure.</Param><Param>0</Param><Param>None</Param><Param>Run every hour starting on 2/16/2021 7:12:51 AM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:30:25.6519518+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:30:23.771998200Z</Data><Data Name=\"securityIndicatorName\">Objects in built-in protected groups without adminCount=1 (SDProp)</Data><Data Name=\"result\">Pass</Data><Data Name=\"score\">100 A</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Informational</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Persistence, Mitre:Defense Evasion</Data><Data Name=\"securityIndicatorDescription\">This indicator looks for objects in built-in protected groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/previous-versions/technet-magazine/ee361593(v=msdn.10) </Data><Data Name=\"likelihoodOfCompromise\">While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and attempt to hide it using this method.</Data><Data Name=\"resultMessage\">No evidence of exposure.</Data><Data Name=\"numberOfResults\">0</Data><Data Name=\"remediation\">None</Data><Data Name=\"schedule\">Run every hour starting on 2/16/2021 7:12:51 AM</Data></EventData></DataItem>",
|
||||
"EventID": 9211,
|
||||
"RenderedDescription": "Security indicator passed: Objects in built-in protected groups without adminCount=1 (SDProp) Generation time: 2021-07-08T16:30:23.7719982+00:00 Security indicator name: Objects in built-in protected groups without adminCount=1 (SDProp) Result: Pass Score: 100 A Forest name: dsp.lab Domains: dsp.lab Severity: Informational Weight: 1 Schedule: Run every hour starting on 2/16/2021 7:12:51 AM Security framework tags: Mitre:Persistence, Mitre:Defense Evasion Security indicator description: This indicator looks for objects in built-in protected groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10) Likelihood of compromise: While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and attempt to hide it using this method. Result Message: No evidence of exposure. Number of results: 0 Remediation: None",
|
||||
"RenderedDescription": "Security indicator passed: Objects in built-in protected groups without adminCount=1 (SDProp) Generation time: 2021-07-08T16:30:23.7719982+00:00 Security indicator name: Objects in built-in protected groups without adminCount=1 (SDProp) Result: Pass Score: 100 A Forest name: dsp.lab Domains: dsp.lab Severity: Informational Weight: 1 Schedule: Run every hour starting on 2/16/2021 7:12:51 AM Security framework tags: Mitre:Persistence, Mitre:Defense Evasion Security indicator description: This indicator looks for objects in built-in protected groups with AdminCount not equal to 1. AdminCount is an object flag that is set by the SDProp process (run by default every 60 minutes) if that object's DACLs are modified to sync with the AdminSDHolder object through inheritance. If an object within these groups has an AdminCount not equal to 1 then it could signify that the DACLs were manually set (no inheritance) or that there is an issue with SDProp. For more information see: https://docs.microsoft.com/previous-versions/technet-magazine/ee361593(v=msdn.10) Likelihood of compromise: While not immediately indicative of an attack, privileged users that are not clearly marked as such (adminCount =1) represent an exposure in that they may be used nefariously without being detected. Additionally, an attacker may add a privileged account and attempt to hide it using this method. Result Message: No evidence of exposure. Number of results: 0 Remediation: None",
|
||||
"AzureDeploymentID": "",
|
||||
"Role": "",
|
||||
"EventCategory": 56323,
|
||||
|
|
@ -4033,10 +4033,10 @@
|
|||
"Computer": "dsp-ms.dsp.lab",
|
||||
"EventLevel": 1,
|
||||
"EventLevelName": "Error",
|
||||
"ParameterXml": "<Param>2021-07-08T16:35:27.0180615+00:00</Param><Param>Changes to MS LAPS read permissions</Param><Param>Error</Param><Param>0 F</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Informational</Param><Param>1</Param><Param>Mitre:Credential Access, Mitre:Lateral Movement</Param><Param><![CDATA[This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution (<a href=\"https://www.microsoft.com/en-us/download/details.aspx?id=46899\">https://www.microsoft.com/en-us/download/details.aspx?id=46899</a>). These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. ]]></Param><Param><![CDATA[Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move through a domain using local compromised administrator accounts. ]]></Param><Param>This indicator is not applicable as LAPS was not found in the forest. Please note that 'Failed to Run' indicators will not affect the scoring.</Param><Param>0</Param><Param>None</Param><Param>Run every hour starting on 2/16/2021 6:57:04 AM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:35:27.4716811+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:35:27.018061500Z</Data><Data Name=\"securityIndicatorName\">Changes to MS LAPS read permissions</Data><Data Name=\"result\">Error</Data><Data Name=\"score\">0 F</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Informational</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Credential Access, Mitre:Lateral Movement</Data><Data Name=\"securityIndicatorDescription\">This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution (<a href=\"https://www.microsoft.com/en-us/download/details.aspx?id=46899\">https://www.microsoft.com/en-us/download/details.aspx?id=46899</a>). These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. </Data><Data Name=\"likelihoodOfCompromise\">Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move through a domain using local compromised administrator accounts. </Data><Data Name=\"resultMessage\">This indicator is not applicable as LAPS was not found in the forest. Please note that 'Failed to Run' indicators will not affect the scoring.</Data><Data Name=\"numberOfResults\">0</Data><Data Name=\"remediation\">None</Data><Data Name=\"schedule\">Run every hour starting on 2/16/2021 6:57:04 AM</Data></EventData></DataItem>",
|
||||
"ParameterXml": "<Param>2021-07-08T16:35:27.0180615+00:00</Param><Param>Changes to MS LAPS read permissions</Param><Param>Error</Param><Param>0 F</Param><Param>dsp.lab</Param><Param>dsp.lab</Param><Param>Informational</Param><Param>1</Param><Param>Mitre:Credential Access, Mitre:Lateral Movement</Param><Param><![CDATA[This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution (<a href=\"https://www.microsoft.com/download/details.aspx?id=46899\">https://www.microsoft.com/download/details.aspx?id=46899</a>). These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. ]]></Param><Param><![CDATA[Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move through a domain using local compromised administrator accounts. ]]></Param><Param>This indicator is not applicable as LAPS was not found in the forest. Please note that 'Failed to Run' indicators will not affect the scoring.</Param><Param>0</Param><Param>None</Param><Param>Run every hour starting on 2/16/2021 6:57:04 AM</Param>",
|
||||
"EventData": "<DataItem type=\"System.XmlData\" time=\"2021-07-08T16:35:27.4716811+00:00\" sourceHealthServiceId=\"3D6D4536-CDC3-6B7A-4D6B-703DA70423F0\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"generationTime\">2021-07-08T16:35:27.018061500Z</Data><Data Name=\"securityIndicatorName\">Changes to MS LAPS read permissions</Data><Data Name=\"result\">Error</Data><Data Name=\"score\">0 F</Data><Data Name=\"forestName\">dsp.lab</Data><Data Name=\"domains\">dsp.lab</Data><Data Name=\"severity\">Informational</Data><Data Name=\"weight\">1</Data><Data Name=\"securityFrameworkTags\">Mitre:Credential Access, Mitre:Lateral Movement</Data><Data Name=\"securityIndicatorDescription\">This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution (<a href=\"https://www.microsoft.com/download/details.aspx?id=46899\">https://www.microsoft.com/download/details.aspx?id=46899</a>). These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. </Data><Data Name=\"likelihoodOfCompromise\">Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move through a domain using local compromised administrator accounts. </Data><Data Name=\"resultMessage\">This indicator is not applicable as LAPS was not found in the forest. Please note that 'Failed to Run' indicators will not affect the scoring.</Data><Data Name=\"numberOfResults\">0</Data><Data Name=\"remediation\">None</Data><Data Name=\"schedule\">Run every hour starting on 2/16/2021 6:57:04 AM</Data></EventData></DataItem>",
|
||||
"EventID": 9208,
|
||||
"RenderedDescription": "Security indicator failed to run: Changes to MS LAPS read permissions Generation time: 2021-07-08T16:35:27.0180615+00:00 Security indicator name: Changes to MS LAPS read permissions Result: Error Score: 0 F Forest name: dsp.lab Domains: dsp.lab Severity: Informational Weight: 1 Schedule: Run every hour starting on 2/16/2021 6:57:04 AM Security framework tags: Mitre:Credential Access, Mitre:Lateral Movement Security indicator description: This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution (<a href=\"https://www.microsoft.com/en-us/download/details.aspx?id=46899\">https://www.microsoft.com/en-us/download/details.aspx?id=46899</a>). These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. Likelihood of compromise: Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move through a domain using local compromised administrator accounts. Result Message: This indicator is not applicable as LAPS was not found in the forest. Please note that 'Failed to Run' indicators will not affect the scoring. Number of results: 0 Remediation: None",
|
||||
"RenderedDescription": "Security indicator failed to run: Changes to MS LAPS read permissions Generation time: 2021-07-08T16:35:27.0180615+00:00 Security indicator name: Changes to MS LAPS read permissions Result: Error Score: 0 F Forest name: dsp.lab Domains: dsp.lab Severity: Informational Weight: 1 Schedule: Run every hour starting on 2/16/2021 6:57:04 AM Security framework tags: Mitre:Credential Access, Mitre:Lateral Movement Security indicator description: This indicator looks for permissions on computer accounts that could allow inadvertent exposure of local administrator accounts in environments that use the Microsoft LAPS solution (<a href=\"https://www.microsoft.com/download/details.aspx?id=46899\">https://www.microsoft.com/download/details.aspx?id=46899</a>). These permissions include Read access to ms-Mcs-AdmPwd as well as Write DACL and Owner (which would allow provisioning the read access). LAPS provides a method to rotate local administrator account passwords on servers and workstations. Likelihood of compromise: Only authorized administrative users should have access to LAPS passwords. Attackers may use this capability to laterally move through a domain using local compromised administrator accounts. Result Message: This indicator is not applicable as LAPS was not found in the forest. Please note that 'Failed to Run' indicators will not affect the scoring. Number of results: 0 Remediation: None",
|
||||
"AzureDeploymentID": "",
|
||||
"Role": "",
|
||||
"EventCategory": 56326,
|
||||
|
|
@ -4714,4 +4714,4 @@
|
|||
"Type": "Event",
|
||||
"_ResourceId": ""
|
||||
}
|
||||
]
|
||||
]
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче