Lateral Movement Detection GPO Settings Cheat Sheet: Accounts, Users and Groups

This document provides a cheat sheet of recommended GPO settings for lateral movement detection. It includes settings to audit account logon events, Kerberos authentication, registry and process activity, privilege use, directory service changes and more. It also recommends enabling detailed auditing options in Windows PowerShell and enabling command line logging for process creation to help with detection. A note is included about potentially noisy audit settings for file system and handle manipulation.
Lateral Movement Detection GPO Settings Cheat Sheet
The very basic universal GPO settings, v1.0, September 2020
https://blog.compass-security.com/2020/09/101-for-lateral-movement-detection

Pass the Hash (PTH)
Computer Configuration\Policies\Administrative Templates\SCM: Pass the Hash Mitigations
  Lsass.exe audit mode: Enabled
  LSA Protection: Enabled

Tracking and Security
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  Audit: Force audit policy subcategory settings to override audit policy category settings: Enable

Accounts, Users and Groups
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Logon
  Audit Kerberos Authentication Service: Success & Failure
  Audit Kerberos Service Ticket Operations: Success & Failure

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management
  Audit Computer Account Management: Success
  Audit Other Account Management Events: Success
  Audit Security Group Management: Success
  Audit User Account Management: Success & Failure

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon / Logoff
  Audit Account Lockout: Failure
  Audit Group Membership: Success
  Audit Logoff: Success
  Audit Logon: Success & Failure
  Audit Other Logon/Logoff Events: Success & Failure
  Audit Special Logon: Success

Permissions, Privileges and Access
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Object Access
  Audit File Share: Success & Failure
  Audit File System: Success & Failure
  Audit Handle Manipulation: Success
  Audit Kernel Object: Success & Failure
  Audit Other Object Access Events: Success & Failure
  Audit Registry: Success & Failure
  Audit SAM: Success & Failure

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Privilege Use
  Audit Non Sensitive Privilege Use: Success & Failure
  Audit Sensitive Privilege Use: Success & Failure

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\DS Access
  Audit Directory Service Changes: Success

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Policy Change
  Audit Audit Policy Change: Success
  Audit MPSSVC Rule-Level Policy Change: Success

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System
  Audit Security System Extension: Success
  Audit System Integrity: Success & Failure

Processes
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Detailed Tracking
  Audit Process Creation: Success
  Audit Process Termination: Success

Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation
  Include command line in process creation events: Enabled

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell
  Turn on Module Logging: Enabled (add wildcard in Module names: *)
  Turn on PowerShell Script Block Logging: Enabled

BEWARE that "Audit File System" and "Audit Handle Manipulation" are pretty noisy. The daily volume can easily top 100MB. Thus, configure adequate log sizes and mind log rotation to assure you have what you need when it matters!

Digital Forensics and Incident Response, 24/7 Emergency Hotline +41 44 505 1337
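To verify that the settings above actually took effect on a host, the following PowerShell script (an added example, not part of the cheat sheet or of Compass Security's material) reads the effective audit policy with auditpol and compares a representative subset of subcategories, plus the registry-backed settings, against the recommended values. It assumes an English Windows locale (auditpol subcategory names are localized) and that the listed registry paths are where those policies are written; both are assumptions stated in the comments.

```powershell
# Added example: check a host's effective settings against the cheat sheet.
# Run elevated after the GPO applied (gpupdate /force). Assumes English locale.
$auditExpected = @{
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Computer Account Management'        = 'Success'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success and Failure'
    'Account Lockout'                    = 'Failure'
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success'
    'Registry'                           = 'Success and Failure'
    'SAM'                                = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Directory Service Changes'          = 'Success'
    'Process Creation'                   = 'Success'
    'Security System Extension'          = 'Success'
}

# auditpol /r emits CSV; the "Inclusion Setting" column is the effective policy.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($sub in $auditExpected.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'missing' }
    $state  = if ($actual -eq $auditExpected[$sub]) { 'OK ' } else { 'GAP' }
    '{0} {1,-36} expected: {2,-19} actual: {3}' -f $state, $sub, $auditExpected[$sub], $actual
}

# Registry-backed settings from the cheat sheet. Paths/value names are assumptions
# (the well-known locations these policies write to); 1 = Enabled, AuditLevel 8 = audit mode.
$regExpected = @(
    @{ Name = 'LSA Protection';            Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'RunAsPPL'; Expect = 1 }
    @{ Name = 'Force subcategory policy';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'SCENoApplyLegacyAuditPolicy'; Expect = 1 }
    @{ Name = 'Lsass.exe audit mode';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'; Value = 'AuditLevel'; Expect = 8 }
    @{ Name = 'Cmdline in process events'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expect = 1 }
    @{ Name = 'PS module logging';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'; Value = 'EnableModuleLogging'; Expect = 1 }
    @{ Name = 'PS script block logging';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Value = 'EnableScriptBlockLogging'; Expect = 1 }
)
foreach ($r in $regExpected) {
    $actual = (Get-ItemProperty -Path $r.Path -Name $r.Value -ErrorAction SilentlyContinue).($r.Value)
    $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
    $state  = if ($null -ne $actual -and $actual -eq $r.Expect) { 'OK ' } else { 'GAP' }
    '{0} {1,-36} expected: {2,-19} actual: {3}' -f $state, $r.Name, $r.Expect, $shown
}
```

Every line marked GAP is a subcategory or policy that will not produce the events the cheat sheet relies on, so fix those before trusting detections built on them.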