security | TreaclePumpkin

Logging “Audit Success” in Windows Logs

Posted on February 23, 2022August 26, 2022 by treaclepumpkin

I noticed, while reviewing my logs, that I still get masses of “Audit Success” entries in the Security logs. What I mean is 30+ entries every second, seems an insane number to me, even more so as they were all the 4799 event. I mean so a membership was successfully enumerated? Okay move on, but these entries were now in the tens of thousands.

Much hunting round and I found that since Windows 7, I think, logging of successful events is now on by default. So unless you find the process/Service ID GUID of the services triggering the event and turning them off individually or setting them to “Failure”, which would take weeks trying to remove them you’re stuck, well unless your knowledge of audit policy commands is very good.

So welcome to this Superuser.com article, or rather question and answer, to help you out.

https://superuser.com/questions/1516725/how-to-disable-windows-10-system-log

Sneak peak is to run this command: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
To disable successful Credential Manager reads, another frequently logged event, use:
auditpol /set /subcategory:"Credential Validation" /success:disable /failure:enable

The longer version is to read the article and find out how to remove other event types. Either way I’m now down to four or six “Audit Success” events being logged every couple of minutes, and those 4799 events that hid a load of other information are gone now. Woohoo

Enabling WPS on a Billion BiPAC 8900AX

Posted on November 22, 2021January 21, 2022 by treaclepumpkin

By default WPS is disabled on the 8900AX, so if you need to connect a device, TV, printer etc, using WPS then you will have to go into the Configuration menu and enable it.

This can be found under the Configuration->Wireless 2.4G->Security menu.
Select the “Enable” value for the “WPS” combo, under “WPS Setup”.
Ensure that the “Add Client” option is set to “Use STA PIN”.
Make sure that the “PIN” value is blank.
Leave all other options at their default settings.

Once this is done all you need to do, to connect the device using WPS, is to press the WPS button on the router, for around a second, and then perform the equivalent activity on the device you want connected.

Pro Patria UK journal

Posted on February 8, 2020December 12, 2020 by treaclepumpkin

A little bit late but here’s the link to the new publication from Defence UK. This is volume 1.

Remote Desktop: Map a local drive on the remote host

Posted on October 15, 2019July 23, 2021 by treaclepumpkin

If you repeatedly use a Remote Desktop session and that session needs access to files on the machine you’re connecting from then you’d normally set up a network drive, possibly mapped as follows:

net use z: \\yourmachine\c$ /persistent:Yes

But, depending on how Draconian your network security is then mapping folders on user machines may actually be blocked. Strange one as this ability is mostly essential when working on a remote machine, especially if a developer. Fortunately you can map using the built in sharing of RDP. Same format as earlier just the machine name changes and effectively becomes a constant, so the mapping is now:

net use z: \\tsclient\c /persistent:Yes

And job done, until the next group policy is introduced blocking that…

Windows event log swamped with 5152 events?

Posted on June 16, 2014August 26, 2022 by treaclepumpkin

These events are generated by the Windows firewall when packets are blocked. Possibly as a result of Peerblock doing it’s thing as well, I need to verify that though.

Open an elevated command box and enter the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable