Event monitoring is a challenging and intimidating task. A properly configured audit policy results in an extreme number of captured events, contributing to the difficult nature of identifying unauthorized and malicious activity.
Windows facilitates audit reduction capability via the Event Viewer, but this method offers little efficiency to the reviewing entity. This reality results in inconsistent and unreliable processes that can leave a significant gap in your security program.
The PowerStrux Standalone System Auditor assists in analyzing compliance-relevant statistics and event occurrences on Information Systems. The tool simplifies and standardizes the review process, offering assurance that unauthorized and malicious activity will not go unnoticed.
The PowerStrux Standalone System Auditor leverages built-in Windows PowerShell functionality to query Information Systems for user data and events of interest. The tool produces an HTML report with sortable, filterable, and easy-to-digest tables.
Auditing Account Status and Activity
The PowerStrux Standalone Auditor provides insight into account status and activity. This is accomplished by capturing system data and storing the output in the following tables:
The Enable Users Table: Displays relevant statistics about enabled accounts. The Enabled Users table assists security administrators in quickly identifying:
- Unauthorized accounts
- Inactive accounts (e.g., accounts that have not been logged into in 90 or more days)
- Accounts that do not require a password to be configured (e.g., Password Required equals False)
Group Membership Tables: Display accounts that hold membership in any of the following groups:
- The Administrators group
- The Backup Operators group
- The Power Users group
- The Auditors group
The Group Membership tables assist security administrators in quickly identifying privilege creep and unauthorized group membership without the need to perform manual review.
User Logon/Logoff Time Tables: Displays specifics related to local user logon (session initiated) and logoff (session terminated) times. The User Logon/Logoff Time tables help security administrators correlate event occurrences with a specific user session.
The User Logon Type Table: Displays similar information to that of the User Logon table but includes additional information regarding the logon type (e.g., Interactive, Unlock, CachedInteractive, etc.) and token elevation status. The User Logon Type table assists security administrators in correlating event occurrences with a specific user session.
The Failed Logons Table: Displays details related to failed logon events, to include the time of occurrence, attempted account name, source workstation, and source IP address. The Failed Logons table assists security administrators in identifying unauthorized access attempts and brute force attacks.
Auditing Event Log Actions and Events of Interest
The PowerStrux Standalone Auditor provides insight into event log actions and events of interest. This is accomplished by capturing related events and storing the output in the following tables:
The Event Log Actions Table: Displays triggered events related to actions performed on the event log. The Event Log Actions table helps security administrators identify event processing issues and malicious activity intended to cover one's tracks (e.g., clearing the event log).
The Audit Policy Table: Provides an export of the system’s audit policy, which offers reliable insight into the audit subcategories that the system is capturing. The Audit Policy table helps security administrators quickly assess the system's audit policy to ensure required events are captured.
The Event Log Capacity Table: Provides insight into the Application, Security, and System log's maximum capacity vs. current size and percent full. The Event Log Capacity table helps security administrators ensure that the system’s Application, Security, and System logs do not become exhausted.
Windows Defender Tables: Displays information related to Windows Defender Last Signature Update and Last Successful Scan. The Windows Defender tables offer a point-in-time reference to assist security administrators in ensuring that antivirus signatures and scan dates are compliant with associated requirements.
Data Transfer Tables: Displays information related to Transfers to Removable Storage and Print Jobs. The Data Transfer tables help security administrators identify unauthorized data transfers, which indicate insider threats. The Transfers to Removable Storage table is dependent on the installation of the SecureStrux DTA Tool!
The Account Management Table: Details events related to account creation, deletion, enablement, and disablement. Captured fields include: the action that was performed, the subject account (the account that performed the action), and the target account (the account that was targeted by the action). The Account Management table assists security administrators in identifying unauthorized account management activities.
The Privileged Use Table: Provides specifics surrounding elevated actions that are performed on the Information System. This table takes auditing a step further by providing the process executable, token type, and actual command line syntax. The Privilege Use table assists security administrators in identifying unauthorized privilege escalation attempts.
Auditing Ports, Protocols, and Services
The PowerStrux Standalone Auditor provides insight into system ports, protocols, and services. This is accomplished by capturing related data and storing the output in the following table:
System Services and Port Information Tables: Provides a point-in-time reference detailing system services, the state of the service when the script was run (e.g., running, stopped), and the startup type (e.g., automatic, disabled). The Port Information table provides a point-in-time reference for listening and established connections. These tables allow security administrators to ensure that systems are configured according to the principle of least functionality.
The PowerStrux Standalone System Auditor is continuously updated based on new and emerging threats, released best practices, and client feedback. The new version comes packed with the following changes:
- The Addition of the Audit Policy table
- An adjustment to the Logon Type table to filter out known system accounts