Investigate Windows Security Events with Microsoft Sentinel

Enable Microsoft Sentinel on the existing Log Analytics workspace.

Add the Windows Security Events solution to Microsoft Sentinel from the content hub.

Configure the Windows Security Events data connector to collect data from the existing Windows VM.

1. Run the `Unprotect-User`` Scheduled task.
2. Run PsExec as system

   C:\Scripts\PsExec64.exe -accepteula -i -s cmd.exe
   

3. Delete The Security Descriptor for the Unprotect-User Scheduled task.

   REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Unprotect-User" /v SD /f
   

Investigate the incidents in Microsoft Sentinel using the investigation graph.

In Microsoft Sentinel:

1. Enable the following analytics rules:

   • Scheduled Task Hide

     Note: Adjust the query schedule to 5 minutes for each analytics rule with events from the last 5 Minutes.

   • Excessive Windows Logon Failures

     Note: Adjust the query schedule to 5 minutes for each analytics rule with events from the last 1 Day.

On the Windows Virtual Machine:

1. Log in to the existing Windows virtual machine.

2. Using the local policy editor, enable success auditing for Registry object access. The setting is located here:

   Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access -> Enable Success for Audit Registry

3. Enable auditing of Everyone for Query Value, Set Value, Delete Value for the scheduled task registry keys using the registry editor. The registry key is located here:

   Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule