Audit logged_on
The auditing feature of logged_on validates whether the user may call the MS-RRP (Remote Registry) methods OpenUsers and BaseRegEnumKey on the target, i.e. whether the user can open HKEY_USERS remotely and enumerate its subkeys.
Enumerating logged-on users across multiple targets helps malicious actors map where privileged users are authenticating. Through other vectors, these actors may then compromise those users and gain further privileges in the domain.
The tool BloodHound leverages this to draw a map of where a user is authenticated. See CollectionMethod, section "LoggedOn". Although the documentation is not up to date, one can see in the code that the "LoggedOn" flag also enumerates the registry.
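The check described above, as an added example that is not part of the logged_on project's code: it opens HKEY_USERS on a remote host through MS-RRP (OpenUsers) and enumerates its subkeys (BaseRegEnumKey) using impacket's rrp bindings, then reduces the raw subkey names to account SIDs. The network part assumes impacket is installed and a reachable target with the Remote Registry service running; the SID filtering helper runs offline and the sample subkey list in it is constructed, not captured from a real host.

```python
"""Check whether the caller can enumerate HKEY_USERS on a remote host via MS-RRP."""
import re
import sys

# HKEY_USERS holds one subkey per loaded user hive, named by the account's SID, plus
# a "<SID>_Classes" subkey for each loaded hive. Service accounts use well-known SIDs.
_WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}
# Domain or local account SID: S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def classify_hku_subkeys(names):
    """Reduce raw HKEY_USERS subkey names to account SIDs worth reporting.

    Returns a sorted list of (sid, label); label is 'user' for a domain or local
    account and the account name for well-known service SIDs. .DEFAULT and the
    *_Classes entries are dropped because they do not identify a logon.
    """
    out = {}
    for name in names:
        if name == ".DEFAULT" or name.endswith("_Classes"):
            continue
        if name in _WELL_KNOWN:
            out[name] = _WELL_KNOWN[name]
        elif _SID_RE.match(name):
            out[name] = "user"
    return sorted(out.items())


def enum_remote_hku(target, username, password, domain=""):
    """Return the subkey names of HKEY_USERS on `target` via MS-RRP.

    Raises if the winreg pipe cannot be opened (Remote Registry stopped or
    disabled) or if OpenUsers/BaseRegEnumKey return access denied.
    impacket is a third-party dependency and is imported lazily so the offline
    helper above works without it.
    """
    from impacket.dcerpc.v5 import rrp, transport
    from impacket.dcerpc.v5.rpcrt import DCERPCException

    rpctransport = transport.DCERPCTransportFactory(r"ncacn_np:%s[\pipe\winreg]" % target)
    rpctransport.set_credentials(username, password, domain)
    dce = rpctransport.get_dce_rpc()
    dce.connect()                       # opens \pipe\winreg; fails if the service is off
    dce.bind(rrp.MSRPC_UUID_RRP)

    # OpenUsers: obtain a handle to HKEY_USERS. Access denied here means the hive
    # ACL (by default Everyone: Read) has been changed or the caller is blocked.
    root = rrp.hOpenUsers(dce)["phKey"]
    names = []
    index = 0
    try:
        while True:
            try:
                resp = rrp.hBaseRegEnumKey(dce, root, index)
            except DCERPCException as e:
                if "ERROR_NO_MORE_ITEMS" in str(e):
                    break               # enumeration exhausted
                raise
            names.append(resp["lpNameOut"].rstrip("\x00"))
            index += 1
    finally:
        rrp.hBaseRegCloseKey(dce, root)
        dce.disconnect()
    return names


# Constructed sample of what a host with one interactive domain user logged on
# typically lists under HKEY_USERS (not captured from a real system).
SAMPLE_HKU = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1004336348-1177238915-682003330-1108",
    "S-1-5-21-1004336348-1177238915-682003330-1108_Classes",
]


if __name__ == "__main__":
    if len(sys.argv) == 4:
        names = enum_remote_hku(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        names = SAMPLE_HKU              # offline demo when no target is given
    for sid, label in classify_hku_subkeys(names):
        print(sid, label)
```

Run it as `python audit_hku.py <target> <user> <password>`; with no arguments it only classifies the constructed sample. A SID that classifies as `user` is what an attacker would resolve to a name (for example through LSARPC LookupSids, which is outside this snippet) to learn who is logged on; a failure at `dce.connect()` is the expected outcome on a host where Remote Registry has been disabled as recommended below.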
Unfortunately, according to my tests, it does not appear that an administrator can harden this other than by disabling the Remote Registry service. This is because, by default, the group Everyone (SID S-1-1-0) has read access to the HKEY_USERS hive, allowing any user to read its subkeys and map who is logged in. I have not seen any documentation specifying that this group's permissions may be removed, and I highly suspect it could result in an unstable system. Furthermore, Everyone is added back to the hive after a reboot.
Therefore, disable the Remote Registry service on hosts where it is not needed.