The PowerStrux Standalone Auditor produces a report containing the following:
- User logon and logoff dates and times
- Data transfers and print jobs
- Failed logon attempts
- Account management events
- User status and inactivity
- Administrator, Backup Operator, Auditors, and Power User group membership
- Event Log actions, to include clearing the Event Log
- Windows Defender signature update and scan dates and times
- Privileged use events
- System service status
- System port information
PowerStrux Standalone Auditor User Reference
USER MANAGEMENT
ENABLED USERS
The Enabled Users table provides relevant information related to users that have an active account on the Information System. Provided fields include:
- Name: This field displays the account name.
- Last Logon: This field displays the date and time that the account last logged onto the system. This field will be NULL for accounts that have never logged on.
- Password Required: This field displays whether the account is required to have a password, as a Boolean True/False value. Note that False does not mean the account has no password; it means the account is permitted to have a blank password, whether or not one is currently set.
- Days Since Last Logon: This field displays the number of days since the account last logged onto the system. It is calculated using the date and time the script is run and the last logon date account property. This field will be NULL for accounts that have never logged on.
GROUP MEMBERSHIP
The Group Membership tables provide relevant information related to which users are members of local groups, which are often associated with elevated status/privileges. The following four groups are audited:
- Administrators
- Backup Operators
- Power Users
- Auditors
If a group is empty, or does not exist on the local system, it will not display any user information. Provided fields include:
- Name: This field displays the account name.
- Account Type: This field displays where the account comes from (e.g. Local or Microsoft account).
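The Enabled Users and Group Membership tables can be reproduced directly from the local SAM. The following is an added example, not PowerStrux code: it uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), must run in an elevated PowerShell session, and the 35-day staleness threshold is an assumed value.

```powershell
# Added example (not PowerStrux code): build the Enabled Users and Group
# Membership tables from the local SAM. Run in an elevated PowerShell.
$now = Get-Date

# Enabled Users, same fields as the report. LastLogon is $null for accounts
# that have never logged on, so DaysSinceLastLogon is left $null as well.
$enabledUsers = Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $days = if ($_.LastLogon) { [int]($now - $_.LastLogon).TotalDays } else { $null }
    [pscustomobject]@{
        Name               = $_.Name
        LastLogon          = $_.LastLogon
        PasswordRequired   = $_.PasswordRequired   # $false = blank password allowed, NOT "no password set"
        DaysSinceLastLogon = $days
    }
}

# Group Membership for the four audited groups. A group that does not exist
# (Power Users is absent on many builds; Auditors is site-specific) makes
# Get-LocalGroupMember throw, so the error is caught and the other groups
# are still listed.
$auditedGroups = 'Administrators', 'Backup Operators', 'Power Users', 'Auditors'
$groupMembership = foreach ($group in $auditedGroups) {
    try {
        Get-LocalGroupMember -Group $group -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Group       = $group
                Name        = $_.Name
                AccountType = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                ObjectClass = $_.ObjectClass       # User or Group (nested groups are not expanded)
            }
        }
    } catch {
        Write-Verbose "Group '$group' could not be read: $($_.Exception.Message)"
    }
}

# Enabled accounts that have never logged on, or not recently, are usually
# the first finding a reviewer wants.
$staleDays = 35   # assumed threshold; adjust to local policy
$enabledUsers | Where-Object { $null -eq $_.LastLogon -or $_.DaysSinceLastLogon -gt $staleDays } |
    Format-Table -AutoSize

$groupMembership | Sort-Object Group, Name | Format-Table -AutoSize
```

Nested group members are reported as ObjectClass Group and are not expanded; a domain group nested in Administrators can hide any number of effective administrators, so expand those separately when the system is domain-joined.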
USER LOGON/LOGOFF
The User Logon Times and User Logoff Times tables provide relevant information related to the dates and times that user sessions are initiated (logon) and terminated (logoff).
USER LOGON TIMES
Provided fields include:
- User: This field displays the account name.
- Logon Time: This field displays the date and time that the user logged on.
USER LOGOFF TIMES
Provided fields include:
- User: This field displays the account name.
- Logoff Time: This field displays the date and time that the user logged off.
FAILED LOGONS
The Failed Logons table provides relevant information related to unsuccessful logon attempts. Provided fields include:
- Time: This field displays the date and time that the failed logon attempt occurred.
- Account: This field displays the attempted account name.
- Workstation: This field displays the source workstation (the workstation that the attempt originated from).
- Address: This field displays the source IP Address (the IP Address that the attempt originated from).
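The User Logon Times, User Logoff Times and Failed Logons tables are all derived from the Security log. The following is an added example, not PowerStrux code: it queries IDs 4624 (logon), 4647/4634 (logoff) and 4625 (failed logon), reads each event's EventData from its XML rather than from the message text, and restricts logons to interactive-style logon types. The IDs, the logon-type filter and the 7-day window are this example's choices, not the script's, and reading the Security log requires administrative rights.

```powershell
# Added example (not PowerStrux code): shape Security log events into the
# logon, logoff and failed-logon tables. Requires an elevated session.
function ConvertFrom-EventData {
    # Turn the <EventData> block of a Security event into a hashtable keyed by Data Name.
    param([Parameter(Mandatory)]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-AuditEvents {
    param([Parameter(Mandatory)][int[]]$Id, [Parameter(Mandatory)][datetime]$Since, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = $Id; StartTime = $Since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

$since = (Get-Date).AddDays(-7)   # assumed reporting window

# Interactive-style sessions only (2 = console, 10 = RDP, 11 = cached credentials);
# without this filter 4624 is dominated by service, network and batch logons.
$sessionTypes = '2', '10', '11'
$logons = foreach ($e in Get-AuditEvents -Id 4624 -Since $since) {
    $d = ConvertFrom-EventData $e
    if ($d.LogonType -in $sessionTypes) {
        [pscustomobject]@{
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonTime = $e.TimeCreated
            LogonType = $d.LogonType
        }
    }
}

# 4647 = user-initiated logoff; 4634 = session ended (also fires for non-interactive sessions).
$logoffs = foreach ($e in Get-AuditEvents -Id 4647, 4634 -Since $since) {
    $d = ConvertFrom-EventData $e
    [pscustomobject]@{
        User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogoffTime = $e.TimeCreated
        ID         = $e.Id
    }
}

# 4625 carries the attempted account, source workstation and source IP ('-' when not available).
$failed = foreach ($e in Get-AuditEvents -Id 4625 -Since $since) {
    $d = ConvertFrom-EventData $e
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d.TargetUserName
        Workstation = $d.WorkstationName
        Address     = $d.IpAddress
        Status      = $d.Status   # 0xC000006D = bad user name or password, 0xC0000234 = account locked out
    }
}

$logons  | Format-Table -AutoSize
$logoffs | Format-Table -AutoSize
$failed  | Format-Table -AutoSize

# Many failures from one address against many accounts is password spraying;
# many failures against one account is brute force. Both deserve their own view.
$failed | Group-Object Address | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Reading fields from the XML rather than parsing the rendered message keeps the tables correct on systems with a non-English UI and avoids the index-based Properties array, whose positions differ between event IDs.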
SYSTEM AUDITING
EVENT LOG ACTIONS
The Event Log Actions table provides relevant information related to user actions taken against the Information System’s Event Log. Provided fields include:
- Time: This field displays the date and time that the Event Log related action was taken.
- ID: This field displays the correlating event’s Event ID.
- Details: This field displays the full message that was recorded within the Event Log, to include the account name of the user that performed the action.
- Action: This field displays a quick reference related to the action that was taken. Recordable actions include:
- The Security Log is Now Full
- The Event Logging Service Encountered an Error
- Event Log was Cleared
- Event Log Automatic Backup
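The four recordable actions above correspond to Security log event IDs 1102, 1104, 1105 and 1108. The following is an added example, not PowerStrux code, that queries those IDs and tags each row with the report's quick-reference action; it also shows why 1102 needs special handling, and checks the System log for clears of other logs, which the Security log query alone does not see.

```powershell
# Added example (not PowerStrux code): build the Event Log Actions table.
# Requires an elevated session to read the Security log.
$eventLogActions = @{
    1102 = 'Event Log was Cleared'
    1104 = 'The Security Log is Now Full'
    1105 = 'Event Log Automatic Backup'
    1108 = 'The Event Logging Service Encountered an Error'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = [int[]]$eventLogActions.Keys } `
    -ErrorAction SilentlyContinue

$table = foreach ($e in $events) {
    # 1102 records the actor under <UserData><LogFileCleared>, not <EventData>,
    # so it is read from the XML instead of scraped from the message text.
    $actor = $null
    if ($e.Id -eq 1102) {
        $x = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
        $actor = "$($x.SubjectDomainName)\$($x.SubjectUserName)"
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        ID      = $e.Id
        Action  = $eventLogActions[[int]$e.Id]
        Actor   = $actor
        Details = $e.Message
    }
}
$table | Sort-Object Time -Descending | Format-Table Time, ID, Action, Actor -AutoSize

# Clearing any other log (System, Application, ...) is written as ID 104 in the
# System log by the Microsoft-Windows-Eventlog provider. An attacker who clears
# the System log to hide a service install leaves no trace in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; ID = 104 } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

A 1102 event that survives is itself the most valuable row in the table: whoever cleared the log could not remove the record of having done so, and the actor field names them.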
WINDOWS DEFENDER
The Windows Defender tables provide relevant information related to antivirus signature and scan dates. These tables cover Windows Defender only; using the script with another antivirus solution requires customizing it.
LAST SIGNATURE UPDATE
Provided fields include:
- Last Update: This field displays the date and time of the last Windows Defender signature update.
- ID: This field displays the correlating event’s Event ID.
- Details: This field displays the full message that was recorded within the Event Log, to include the signature version information.
- Definition Age: This field displays the age of the definition, in days, at the time the script is run.
LAST SUCCESSFUL SCAN
Provided fields include:
- Scan Date: This field displays the date and time of the last Windows Defender scan.
- ID: This field displays the correlating event’s Event ID.
- Details: This field displays the full message that was recorded within the Event Log, to include Scan Type (e.g. Antimalware) and Scan Parameters (e.g. Full Scan, Quick Scan, etc).
- Scan Age: This field displays the age of the scan, in days, at the time the script is run.
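The Last Signature Update and Last Successful Scan tables can be built from the Defender operational log and then cross-checked against what the engine itself reports. The following is an added example, not PowerStrux code; it assumes event ID 2000 (signatures updated) and 1001 (scan finished) are the events of interest, and the 7-day and 30-day thresholds are assumed values.

```powershell
# Added example (not PowerStrux code): Defender signature and scan age from the
# event log, cross-checked with Get-MpComputerStatus.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$now = Get-Date

$lastUpdate = Get-WinEvent -FilterHashtable @{ LogName = $log; ID = 2000 } -MaxEvents 1 -ErrorAction SilentlyContinue
$lastScan   = Get-WinEvent -FilterHashtable @{ LogName = $log; ID = 1001 } -MaxEvents 1 -ErrorAction SilentlyContinue

$signatureTable = if ($lastUpdate) {
    [pscustomobject]@{
        LastUpdate    = $lastUpdate.TimeCreated
        ID            = $lastUpdate.Id
        Details       = $lastUpdate.Message   # includes the signature version
        DefinitionAge = [int]($now - $lastUpdate.TimeCreated).TotalDays
    }
}
$scanTable = if ($lastScan) {
    [pscustomobject]@{
        ScanDate = $lastScan.TimeCreated
        ID       = $lastScan.Id
        Details  = $lastScan.Message          # includes Scan Type and Scan Parameters
        ScanAge  = [int]($now - $lastScan.TimeCreated).TotalDays
    }
}

# Cross-check: the operational log can be empty or rolled over, and a third-party
# AV can leave Defender disabled, in which case event-based ages mislead.
# Get-MpComputerStatus reports what the engine itself believes.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$crossCheck = [pscustomobject]@{
    DefenderEnabled      = $mp.AntivirusEnabled
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    SignatureVersion     = $mp.AntivirusSignatureVersion
    SignatureAgeDays     = $mp.AntivirusSignatureAge
    EventLogSignatureAge = $signatureTable.DefinitionAge
    LastQuickScan        = $mp.QuickScanEndTime
    LastFullScan         = $mp.FullScanEndTime
    EventLogScanAge      = $scanTable.ScanAge
}
$signatureTable | Format-List
$scanTable      | Format-List
$crossCheck     | Format-List

# Assumed thresholds; adjust to local policy. FullScanAge is a very large number
# when no full scan has ever run, which the -gt comparison also catches.
$maxSigAgeDays = 7; $maxScanAgeDays = 30
if ($mp.AntivirusSignatureAge -gt $maxSigAgeDays) { Write-Warning "Signatures are $($mp.AntivirusSignatureAge) days old" }
if ($mp.FullScanAge -gt $maxScanAgeDays)          { Write-Warning "Last full scan was $($mp.FullScanAge) days ago" }
```

If the event log and Get-MpComputerStatus disagree, trust the engine's values and treat the log gap as its own finding, since a missing or truncated Defender log is something a reviewer should explain.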
DATA TRANSFERS
The Data Transfer tables provide relevant information related to removable media data transfers and print jobs.
TRANSFERS TO REMOVABLE STORAGE
NOTE: Data populated within this table requires the installation of the SecureStrux-developed Data Transfer Auditor (DTAuditor) tool.
Provided fields include:
- Time: This field displays the date and time that the data transfer was initiated.
- User: This field displays the account name of the user that initiated the data transfer.
- Location: This field displays the destination location to which the data transfer was made.
- Size: This field displays the size of the file(s) that were transferred.
PRINT JOBS
Provided fields include:
- Time: This field displays the date and time that the print job was initiated.
- ID: This field displays the correlating event’s Event ID.
- Details: This field displays the full message that was recorded within the Event Log, to include the account name of the user that initiated the print job, the name of the file that was printed, the size of the file that was printed, and the number of pages that were printed.
- Action: This field displays a quick reference related to the action that was taken.
ACCOUNT MANAGEMENT
The Account Management table provides relevant information related to account creation, enablement, disablement, deletion, lockout, password changes, etc. Provided fields include:
- Time: This field displays the date and time that the account management event was initiated.
- ID: This field displays the correlating event’s Event ID.
- Action: This field displays the action that was taken.
- Subject Account: This field displays the user, service, or computer account that initiated the action.
- Target Account: This field displays the user, service, or computer account that the action was taken against.
PRIVILEGED USE
The Privileged Use table provides relevant information related to successful and unsuccessful attempts to elevate privileges. Privileged Use events tend to be extremely noisy, so the script has been configured to extract only the 7 most recent events. The number of events can be adjusted by performing one of the following actions:
- Remove the -MaxEvents 7 parameter from the Get-WinEvent call within the script, so that every matching event is returned: Get-WinEvent -FilterHashtable @{LogName = "Security"; ID = 4688} -ErrorAction Stop
- Increase the value of the -MaxEvents parameter within the script (e.g. -MaxEvents 50): Get-WinEvent -FilterHashtable @{LogName = "Security"; ID = 4688} -MaxEvents 50 -ErrorAction Stop
Note that ID 4688 is the Security log's process creation event ("A new process has been created"). It is only written when the Audit Process Creation subcategory is enabled, so an empty table may mean that auditing is switched off rather than that no privileged activity occurred.
Provided fields include:
- Time: This field displays the date and time that the privilege use event was initiated.
- ID: This field displays the correlating event’s Event ID.
- Audit Type: This field displays whether the attempted Privilege Use was successful (Audit Success) or unsuccessful (Audit Failure).
- Action: This field displays the action that was taken.
- Creator Account: This field displays the user, computer, or service account that took the action.
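The Account Management and Privileged Use tables share the same shape: a Security log query, a lookup from event ID to action, and subject/target accounts read from the event's EventData. The following is an added example, not PowerStrux code. The list of account-management IDs is this example's choice (the page does not state which IDs the script uses); 4688 is the ID the script itself queries for Privileged Use. Reading the Security log requires administrative rights.

```powershell
# Added example (not PowerStrux code): Account Management and Privileged Use
# rows from the Security log. Requires an elevated session.
function Get-EventDataMap {
    # EventData of a Security event as a hashtable keyed by Data Name.
    param([Parameter(Mandatory)]$Event)
    $m = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    $m
}

# Account-management IDs chosen for this example.
$accountActions = @{
    4720 = 'User account created';      4722 = 'User account enabled'
    4723 = 'Password change attempted'; 4724 = 'Password reset attempted'
    4725 = 'User account disabled';     4726 = 'User account deleted'
    4738 = 'User account changed';      4740 = 'User account locked out'
    4767 = 'User account unlocked'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
}

$accountMgmt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = [int[]]$accountActions.Keys } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        # 4732/4733 put the group in TargetUserName and identify the member by SID (MemberSid).
        $target = if ($_.Id -in 4732, 4733) { "$($d.TargetUserName) <- $($d.MemberSid)" } else { $d.TargetUserName }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            ID             = $_.Id
            Action         = $accountActions[[int]$_.Id]
            SubjectAccount = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            TargetAccount  = $target
        }
    }

# 4688 (process creation) only exists when "Audit Process Creation" is enabled;
# CommandLine stays empty unless command-line logging is also turned on.
# Privilege use proper is recorded as 4672, 4673 and 4674 and could be added to the ID list.
$privUse = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } -MaxEvents 7 `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            ID             = $_.Id
            AuditType      = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            CreatorAccount = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ProcessName    = $d.NewProcessName
            ParentProcess  = $d.ParentProcessName
            TokenElevation = $d.TokenElevationType   # %%1937 = full (elevated) token, %%1938 = limited token
        }
    }

$accountMgmt | Sort-Object Time -Descending | Format-Table -AutoSize
$privUse     | Format-Table -AutoSize
```

TokenElevationType is the field that actually answers "was this an elevation": %%1937 marks a process started with a full administrator token, which is what a UAC prompt or a run-as-administrator produces, whereas %%1938 is the filtered token of a normal desktop session.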
- Process Name: This field displays the process associated with the Privilege Use event.
SYSTEM INFORMATION
SERVICE AND PORT INFORMATION
The System Services and Port Information tables provide relevant information related to installed system services and listening port information.
SYSTEM SERVICES
Provided fields include:
- Name: This field displays the service’s display name.
- Service: This field displays the service’s name.
- Start Type: This field displays the service’s start type (automatic, manual, disabled, etc.)
PORT INFORMATION
Provided fields include:
- Address: This field displays the local address. For listening ports, 0.0.0.0 (or :: for IPv6) means the service is bound to every interface and is reachable from the network; 127.0.0.1 (or ::1) means it accepts loopback connections only.
- Port: This field displays local port information.
- Remote Address: This field displays the address of the remote host.
- Remote Port: This field displays the remote port number.
- State: This field displays the state of the connection (listen, established, etc.).
- Creation Time: This field displays the date and time at which the connection entered its current state (e.g. when a listening socket was opened, or when connection x was established).
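The System Services and Port Information tables come from Get-Service and Get-NetTCPConnection. The following is an added example, not PowerStrux code, that builds both tables and additionally joins each TCP endpoint to its owning process, which the report's port table does not show but is the first thing a reviewer asks about an unexpected listener. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not PowerStrux code): service and port tables with the
# owning process attached to each endpoint.
$services = Get-Service | Select-Object `
    @{ n = 'Name';    e = { $_.DisplayName } },
    @{ n = 'Service'; e = { $_.Name } },
    StartType,
    Status

# Map PID -> process name once, rather than calling Get-Process per connection.
$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_.ProcessName }

$ports = Get-NetTCPConnection | ForEach-Object {
    [pscustomobject]@{
        Address       = $_.LocalAddress        # 0.0.0.0 / :: = bound to all interfaces
        Port          = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        State         = $_.State               # Listen, Established, TimeWait, ...
        CreationTime  = $_.CreationTime
        Pid           = $_.OwningProcess
        Process       = $procById[[int]$_.OwningProcess]
    }
}

# UDP has no connection state; a bound endpoint is a listener.
$udp = Get-NetUDPEndpoint | ForEach-Object {
    [pscustomobject]@{
        Address      = $_.LocalAddress
        Port         = $_.LocalPort
        CreationTime = $_.CreationTime
        Pid          = $_.OwningProcess
        Process      = $procById[[int]$_.OwningProcess]
    }
}

# Findings a reviewer wants first: automatic services that are not running
# (a crashed or tampered security service), and listeners exposed on every interface.
$services | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } | Format-Table -AutoSize
$ports | Where-Object { $_.State -eq 'Listen' -and $_.Address -in '0.0.0.0', '::' } |
    Sort-Object Port | Format-Table Address, Port, Pid, Process, CreationTime -AutoSize
$udp | Where-Object { $_.Address -in '0.0.0.0', '::' } | Sort-Object Port | Format-Table -AutoSize
```

Comparing the exposed-listener list against the host firewall's inbound rules is the natural next step: a listener on 0.0.0.0 with no matching allow rule is harmless, while one with a broad allow rule is the real attack surface.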