Michel de Crevoisier's questions

I'm trying to grant permissions to the Network Service account (SID S-1-5-20) on the event log "Microsoft-Windows-CAPI2/Operational" (see picture below). However I need to push this change on more than 1000 servers, and more are coming. So my solution has to be linked somehow to a GPO (I trying to avoid the usage of a script with the GPO for technical reasons).

According the instructions from Microsoft, you have to:

1. Create a new registry key named "CustomSD" under the concerned event log key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\custom_log'
2. Create a string "CustomSD" with the proper permissions defined in the SSDL format: O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
3. Restart the host and verify permissions

However, when I reboot the host and I check the permissions using the following commands, I can see that the new permissions are not applied:

wevtutil get-log "Microsoft-Windows-CAPI2/Operational"  OR
Get-WinEvent -ListLog "Microsoft-Windows-CAPI2/Operational"  | Format-List -Property * 

Where I am confused is that only the following keys related to the main event logs are available in : 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\'

And in my case I have tried to :

• create a new registry key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\CAPI2" >> did not work

• create the registry key in the following path 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\application\Microsoft-Windows-CAPI2' since the name of the event log was present >> did not work

So my point is that I do not understand why the permissions are not updated. Am I doing something wrong ? I have also checked the following link but it seeems that it applies only on the event log available in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\'.

As a security best practice, I would like to keep track in my Windows Active Directory domain of any new "Protected Accounts and Groups". According Microsoft, this concerns any user or group which is directly or indirectly member of those specified groups (source). To achieve such detection, I have managed to collect all Windows servers logs into my SIEM after enabled proper auditing settings.

I'm currently focus on the event ID 4780 (The ACL was set on accounts which are members of administrators groups. - source). Again, according Microsoft, " If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated". So each time a new user or group is marked as "protected", it should trigger this event ID.

My problem here is that this event ID is generated hourly for all my "priviliged accounts" (see image below), as defined per default by the SDProp process. This concerns all built-in groups (domain admin, schema admin, ...) but also intermediate custom groups that are not directly part of those "built-in protected groups". Since those event are generated all the time, my detection is useless. The picture below represent the amount of event ID 4780 per user or group. I have taken it from different domain to ensure that this was not an isolate behavior.

In addition of this, I have also been looking on:

• AdminSDHolder: attribute is set to 1 when object is marked as "protected". By modifying the attribute value manually, I'm able to trigger the event ID 5136. However, when the change is pushed by the SDProp process, nothing is triggered. Note that proper SACL auditing were in place on the object (full object audit).
• Domain group membership change (ID 4728/4756): already in place but the limitation are intermediate groups. For example, group "SG_Admin1" is member of "Domain admin". Ideally I would need to monitor "SG_Admin1" but because we have so many customers, not all may report to us that this group is sensitive. Therefore, we would miss that a new "domain admin" member was added if someone add a user to "SG_Admin1".
• LDAP query for AdminSDHolder: our detection is currently based only on Windows logs and not LDAP queries

So any one else is reaching this problem ? If yes how did you fix it ? Which others solution could I use to monitor any new "protected" objects ?

I'm trying to activate DHCP server auditing logs on a Windows Server 2012 R2 using the DHCP analytical logs.

Until now, I was using the former method using TXT files (see image below). This was working well but since we are now collecting DNS logs from analytical logs (and not TXT files), we are trying to merge both methods to a single and common way.

So I checked which kind of analytical logs the DHCP server proposed and I found the following ones:

After activating DHCP analytical audit logs (I know how they use to behave), I was expecting to see the result of the different DHCP logs (lease, release, ...) inside this new event log file, but nothing was written inside (after stopping it). And when I look the former TXT file output, I can see that some activity is still written, as show below:

So my question is why nothing is written about DHCP activity since this place should be the correct one ? Did I missed something ? Thanks for your help !

BTW, I have checked the following points:

• Disable former auditing DHCP audit settings
• Add a look on the PowerShell command "set-dhcpserver"
• Try to read ETL file output content with NXLog instead of the Windows Event Viewer > file empty, nothing reported
• Looking for DHCP analytical logs on the internet reports nearly nothing. On the other hand, DNS analytical logs are very well documented

I'm working on output analysis of the Windows Event ID 5136 ("A directory service object was modified") and more specifically events with "LDAP Display Name = nTSecurityDescriptor" (see following event 5136 capture).

In the "value" field, I have a list of all the security permissions changed on the object itself, which is great. However, I notice the following problems when trying to compare 2x correlated events and their respective "values" fields:

• Number of characters is always 5120 (4096+1024)
• Text located in the last line is always truncated, and doesn't finish with the proper character - should be a ")" at the end (see folllwing text output).

Information about the events:

• Source host is a Windows Server 2012 R2 DC (up to date)
• For this specific output analysis, logs were directly extracted from the source computer itself (so no WEF, NXlog Agent, SYSLOG, ELK, SIEM, ...)
• Viewing the event with PowerShell, Event console (general tab) or Event console (Details/XML View) provide the same output

So I looked for some value size limitations inside Windows Events (not the event log file itself) but just found some info on "community embarcadero" and "developpez" websites.

Question: does someone know if there is any limitation for a Windows logs value field to 5120 Bytes and a way to increase it ? I need both to make a diff between and report the changes. Thanks