STIGQter STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019:

Systems must be monitored for attempts to use local accounts to log on remotely from other systems.

DISA Rule

SV-56534r4_rule

Vulnerability Number

V-43713

Group Title

AD.AU.0002

Rule Version

AD.AU.0002

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Monitor for attempts to use local accounts to log on remotely from other systems. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 3 (Network)
Authentication Package Name = NTLM
Not a domain logon and not the ANONYMOUS LOGON account

Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.

The "Pass the Hash Detection" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides a sample query for filtering.
https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm.

Check Contents

Verify attempts to use local accounts to log on remotely from other systems are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below. If these events are not monitored, this is a finding.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 3 (Network)
Authentication Package Name = NTLM
Not a domain logon and not the ANONYMOUS LOGON account

Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.

Vulnerability Number

V-43713

Documentable

False

Rule Version

AD.AU.0002

Severity Override Guidance

Verify attempts to use local accounts to log on remotely from other systems are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below. If these events are not monitored, this is a finding.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 3 (Network)
Authentication Package Name = NTLM
Not a domain logon and not the ANONYMOUS LOGON account

Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.

Check Content Reference

M

Target Key

870

Comments