• Windows Server 2016 Audit PNP Activity

    Found in the Detailed Tracking category, you can use the Audit PNP Activity subcategory to audit when plug-and-play detects an external device. Only Success audits are recorded for this category.

    Additional changes have been made in Windows Server 2016 that expose more information to help you identify and address threats quickly. The following sections provide more detail:


    Kernel Default Audit Policy
    In previous releases, the kernel depended on the LSA to retrieve information in some of its events. In Server 2016, the process creation events audit policy is automatically turned on until an actual audit policy is received from the LSA. This results in better auditing of services that might start before the LSA starts.


    Default process System Access Control List (SACL) on LSASS.exe
    A default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)", that is, a single audit ACE (AU) that records both successful and failed (SA, FA) requests for access mask 0x0010 (PROCESS_VM_READ) by Everyone (WD). You can turn this on under Advanced Audit Policy Configuration | Object Access | Audit Kernel Object.


    New fields in the sign-in event
    The sign-in event ID 4624 has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4624:

     MachineLogon String: yes or no
    If the account that signed in to the PC is a computer account, this field will be yes; otherwise, the field is no.

     ElevatedToken String: yes or no
    If the account that signed in to the PC is an administrative sign-in, this field will be yes; otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP_LOGON_SESSION) will also be shown.

     TargetOutboundUserName String and TargetOutboundUserDomain String
    The user name and domain of the identity that was created by the LogonUser method for outbound traffic.

     VirtualAccount String: yes or no
    If the account that signed in to the PC is a virtual account, this field will be yes; otherwise, the field is no.

     GroupMembership String
    A list of all of the groups in the user’s token.

     RestrictedAdminMode String: yes or no
    If the user signs in to the PC in restricted admin mode with Remote Desktop, this field will be yes.


    New fields in the process creation event
    The process creation event ID 4688 has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4688:

     TargetUserSid String
    The SID of the target principal.

     TargetUserName String
    The account name of the target user.

     TargetDomainName String
    The domain of the target user.

     TargetLogonId String
    The logon ID of the target user.

     ParentProcessName String
    The name of the creator process.

     ParentProcessId String
    A pointer to the actual parent process if it's different from the creator process.


    Security Account Manager (SAM) events
    New SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
    SamrEnumerateGroupsInDomain
    SamrEnumerateUsersInDomain
    SamrEnumerateAliasesInDomain
    SamrGetAliasMembership
    SamrLookupNamesInDomain
    SamrLookupIdsInDomain
    SamrQueryInformationUser
    SamrQueryInformationGroup
    SamrQueryInformationUserAlias
    SamrGetMembersInGroup
    SamrGetMembersInAlias
    SamrGetUserDomainPasswordInformation


    Boot Configuration Database (BCD) events
    Event ID 4826 has been added to track the following changes to the BCD:
    DEP/NX settings
    Test signing
    PCAT SB simulation
    Debug
    Boot debug
    Integrity Services
    Disable Winload debugging menu


    PNP Events
    Event ID 6416 has been added to track when an external device is detected through plug-and-play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
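As an added example (not from the original post or from Microsoft), the snippet below shows how a collector might act on the new fields described above: the ElevatedToken / MachineLogon / VirtualAccount flags in 4624, the Target* fields in 4688, and the 6416 device event on a high-value host. The event records, the host list and the SIDs are constructed for the demo; real events would come from an exported Windows event XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HIGH_VALUE_HOSTS = {"DC01.corp.example"}  # constructed: hosts where a new PnP device is unexpected

def parse_event(xml_text):
    """Return (event_id, computer, {DataName: value}) from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data

def is_yes(value):
    # Flag fields render as "Yes"/"No"; exported XML may carry the resource id %%1842 for "Yes".
    return value.lower() in ("yes", "%%1842")

def triage(xml_text):
    """Run the Server 2016-specific checks on one record; return a list of finding strings."""
    event_id, computer, d = parse_event(xml_text)
    user = f"{d.get('TargetDomainName', '?')}\\{d.get('TargetUserName', '?')}"
    findings = []
    if event_id == 4624:
        # A full (elevated) token for a human, non-virtual account is worth reviewing on servers.
        if is_yes(d.get("ElevatedToken", "")) and not (is_yes(d.get("MachineLogon", "")) or is_yes(d.get("VirtualAccount", ""))):
            findings.append(f"4624 elevated sign-in by {user} on {computer}")
    elif event_id == 4688:
        # Target* fields name the account the child runs as; a mismatch with the creator (Subject*) means other credentials were used.
        target_sid = d.get("TargetUserSid", "")
        if target_sid not in ("", "-", "S-1-0-0") and target_sid != d.get("SubjectUserSid"):
            findings.append(f"4688 {d.get('NewProcessName')} started as {user} by {d.get('ParentProcessName')} on {computer}")
    elif event_id == 6416 and computer in HIGH_VALUE_HOSTS:
        findings.append(f"6416 PnP device '{d.get('DeviceDescription', '?')}' detected on high-value host {computer}")
    return findings

def _event(event_id, computer, **fields):  # builds a constructed event XML record for the demo
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID><Computer>{computer}'
            f'</Computer></System><EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed records, not captured from a real system
    _event(4624, "DC01.corp.example", TargetDomainName="CORP", TargetUserName="jdoe",
           MachineLogon="No", ElevatedToken="%%1842", VirtualAccount="No"),
    _event(4688, "FS01.corp.example", SubjectUserSid="S-1-5-21-1-2-3-1001", TargetUserSid="S-1-5-21-1-2-3-500",
           TargetDomainName="CORP", TargetUserName="Administrator",
           NewProcessName="C:\\Windows\\System32\\cmd.exe", ParentProcessName="C:\\Windows\\explorer.exe"),
    _event(6416, "DC01.corp.example", DeviceDescription="USB Mass Storage Device"),
]
```

Feed `triage()` each record from an event export; an empty list means none of the page's new fields triggered a finding for that record.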

    Source of information: Microsoft, Introduction to Windows Server 2016

