Check: AD.AU.0002
Active Directory Domain STIG:
AD.AU.0002
(in versions v3 r5 through v2 r8)
Title
Systems must be monitored for attempts to use local accounts to log on remotely from other systems. (Cat II impact)
Discussion
Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack.
Check Content
Verify attempts to use local accounts to log on remotely from other systems are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below. If these events are not monitored, this is a finding. More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs. Search for the event IDs listed with the following additional attributes: Logon Type = 3 (Network) Authentication Package Name = NTLM Not a domain logon and not the ANONYMOUS LOGON account Successful User Account Login (Subcategory: Logon) 4624 - An account was successfully logged on. Failed User Account Login (Subcategory: Logon) 4625 - An account failed to log on.
Fix Text
Monitor for attempts to use local accounts to log on remotely from other systems. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below. More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs. Search for the event IDs listed with the following additional attributes: Logon Type = 3 (Network) Authentication Package Name = NTLM Not a domain logon and not the ANONYMOUS LOGON account Successful User Account Login (Subcategory: Logon) 4624 - An account was successfully logged on. Failed User Account Login (Subcategory: Logon) 4625 - An account failed to log on. The "Pass the Hash Detection" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides a sample query for filtering. https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm.
Additional Identifiers
Rule ID: SV-243491r959010_rule
Vulnerability ID: V-243491
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |