Applied Incident Response by Steve Anson

Author: Steve Anson
Language: eng
Format: epub
ISBN: 9781119560319
Publisher: Wiley
Published: 2020-02-26T00:00:00+00:00


Object Access

Whether you’re dealing with an insider threat or a remote attacker who has gained access to your systems, determining what data was accessed by an adversary is frequently necessary during an incident response. Windows provides auditing capabilities to answer this question, but only if they are explicitly enabled before an incident occurs. Attackers frequently leverage valid credentials to remotely access data in user‐created shared folders or administrative shares (shares that are created by the system and designated by a dollar sign at the end of the share name). Doing so will generate Account Logon and Logon events as mentioned earlier, but additional logging can also be enabled in the Group Policy Management Console by navigating to Computer Configuration ➪ Policies ➪ Windows Settings ➪ Security Settings ➪ Advanced Audit Policy Configuration ➪ Audit Policies ➪ Object Access ➪ Audit File Share. Once enabled, the event IDs described in Table 8.7 are logged in the Security log of the local system.

Table 8.7: Network share event IDs
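The following PowerShell is an added example, not from the book, showing how a responder would turn on the same File Share audit subcategory on a single host and then summarize the resulting share-access events, flagging remote access to administrative shares. It assumes an elevated shell on a modern Windows host and uses Security event ID 5140 ("A network share object was accessed"), an assumption on my part since Table 8.7 is not reproduced here.

```powershell
# Added example (not from the book). Assumes an elevated PowerShell session.
# Event ID 5140 is assumed here; the book's Table 8.7 is not reproduced on this page.

# 1. Enable the Object Access > File Share subcategory for this host only.
#    This is the per-machine equivalent of the Group Policy path in the text.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /get /subcategory:"File Share"

# 2. Pull share-access events from the local Security log (last 24 hours).
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Parse EventData fields by name rather than by position so the script
#    does not break if Microsoft reorders the fields.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        SourceIP   = $d['IpAddress']
        Share      = $d['ShareName']
        LocalPath  = $d['ShareLocalPath']
        AdminShare = ($d['ShareName'] -match '\$$')   # system shares end with $
    }
}

# 4. Highlight remote use of administrative shares, the credential-reuse
#    pattern the text describes, grouped by account and source address.
$rows |
    Where-Object { $_.AdminShare -and $_.SourceIP -notin @('127.0.0.1', '::1', '-') } |
    Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Enabling the subcategory via auditpol takes effect immediately, but events only exist for access that occurs after it is turned on, which is why the text stresses enabling auditing before an incident.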
