Indicators of Attack Installation Script
After you download and run the Indicators of Attack (IoA) installation file, the IoA script creates a new Group Policy Object (GPO) named by default Tenable.ad in the Active Directory (AD) database. The system links the Tenable Identity Exposure GPO only to the Domain Controllers' Organizational Unit (OU) that contains all domain controllers (DCs). The new policy automatically replicates between all DCs using the GPO mechanism.
Installation Script (Tenable Identity Exposure v. 3.29 and later)
The GPO contains PowerShell scripts that all DCs execute locally to collect data of interest, as follows:
-
The script configures an event logs listener on each domain controller using Windows EvtSubscribe API. The script makes a subscription for each necessary event log channel, as specified in the TenableADEventsListenerConfiguration.json configuration file, by submitting a request and a callback triggered by EvtSubscribe for each matching event log.
-
The event listener receives event logs and buffers them before periodically flushing them to a file stored in a network share called Sysvol. Each DC flushes to a single Sysvol file that stores collected events and replicates it to other domain controllers.
-
The script also creates a WMI consumer to ensure that this mechanism is persistent by re-registering the event subscriber when a DC restarts. WMI notifies the consumer each time a DC restarts to allow the consumer to register the event listener again.
-
At this point, Distributed File System (DFS) replication occurs and automatically synchronizes files between domain controllers. Tenable Identity Exposure's platform listens for incoming DFS replication traffic and uses this data to gather events, run a security analysis, and then generate IoA alerts.
Local Data Retrieval
Windows event logs record all the events that occur in the operating system and its applications. Event logs rely on a framework of components integrated in Windows.
Using the EvtSubscribe API, the Tenable Identity Exposure IoA events log listener collects only useful event logs data segments in the form of insertion strings that it extracts from the event logs. Tenable Identity Exposure writes these insertion strings in a file stored in the Sysvol folder and replicates them via the DFS engine. This allows Tenable Identity Exposure to gather just the right amount of security data from event logs to run a security analysis and detect attacks.
IoA Script Summary
The following table gives an overview of the Tenable Identity Exposure script deployment.
| Steps | Description | Component Involved | Technical Action |
|---|---|---|---|
| 1 | Register Tenable Identity Exposure's IoA deployment | GPO Management | Creates the Tenable.ad (default name) GPO and links it to the Domain Controllers OU. |
| 2 | Start Tenable Identity Exposure's IoA deployment on DC | DC local system | Each DC detects the new GPO to apply, depending on the AD replication and Group Policy refresh intervals. |
| 3 | Control Advanced Logging Policy state | DC local system | The system activates the advanced logging policy by setting the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy. |
| 4 | Update Local Logging policy | DC local system | Depending on the IoAs to detect, Tenable Identity Exposure dynamically generates and activates specific audit policies. This policy does not deactivate any existing logging policy — it only enriches them if necessary. If it detects a conflict, the GPO installation script stops and shows the message "Tenable Identity Exposure requires the audit policy '...' but the current AD configuration prevents its usage." |
| 5 | Register an event listener and a WMI producer | DC local system | The system registers and executes the script contained in the GPO. This script runs a PowerShell process to subscribe to event logs using EvtSubscribe API and to create an instance of ActiveScriptEventConsumer for persistence purposes. Tenable Identity Exposure uses these objects to receive and store event logs contents. |
| 6 | Collect event logs messages | DC local system |
Tenable Identity Exposure captures relevant event log messages, buffers them periodically, and saves them to files (one per DC) stored in the Sysvol folder associated to the Tenable Identity Exposure GPO (...{GPO_GUID}\Machine\IOA<DC_name>). |
| 7 | Replicate files to the declared DC SYSVOL folder | Active Directory | Using DFS, the AD replicates files across the domain, and specifically in the declared DC. The Tenable Identity Exposure platform gets notification for each file and reads their content. |
| 8 | Overwrite these files | Active Directory | Each DC automatically and continuously writes the periodically buffered events in the same file. |
Installation Script (Tenable Identity Exposure v. 3.19.11 and earlier)
The GPO contains PowerShell scripts that all DCs execute locally to collect data of interest, as follows:
-
The scripts configure an event watcher and a Windows Management Instrumentation (WMI) Producer/Consumer in the machine's memory. WMI is a Windows component that provides you with information about the status of local or remote computer systems.
-
The event watcher receives event logs and periodically buffers them before flushing them to a file stored in a network share called Sysvol. Each DC flushes to a single Sysvol file that stores collected events and replicates it to other domain controllers.
-
The WMI consumer makes this mechanism persistent by registering again the event watcher when a DC restarts. The producer wakes up and notifies the consumer each time a DC restarts. As a result, the consumer registers the event watcher again.
-
At this point, Distributed File System or DFS replication occurs and automatically synchronizes files between domain controllers. Tenable Identity Exposure's platform listens for incoming DFS replication traffic and uses this data to gather events, run a security analysis, and then generate IoA alerts.
Local Data Retrieval
Windows event logs record all the events that occur in the operating system and its applications. Event logs called Event Tracing for Windows (ETW) rely on a framework of components integrated in Windows. ETW is in the kernel and produces data stored locally on DCs and not replicated by AD protocols.
Using the WMI engine, Tenable Identity Exposure collects only useful ETW data segments in the form of insertion strings that it extracts from the event logs. Tenable Identity Exposure writes these insertion strings in a file stored in the Sysvol folder and replicates them via the DFS engine. This allows Tenable Identity Exposure to gather just the right amount of security data from ETW to run a security analysis and detect attacks.
IoA Script Summary
The following table gives an overview of the Tenable Identity Exposure script deployment.
| Steps | Description | Component Involved | Technical Action |
|---|---|---|---|
| 1 | Register Tenable Identity Exposure's IoA deployment | GPO Management | Creates the Tenable.ad (default name) GPO and links it to the Domain Controllers OU. |
| 2 | Start Tenable Identity Exposure's IoA deployment on DC | DC local system | Each DC detects the new GPO to apply, depending on the AD replication and Group Policy refresh intervals. |
| 3 | Register an event watcher and a WMI producer/consumer | DC local system | The system registers and executes an Immediate Task. This task runs a PowerShell process to create instances of the following classes: ManagementEventWatcher and ActiveScriptEventConsumer. Tenable Identity Exposure uses these objects to receive and store ETW messages. |
| 4 | Control Advanced Logging Policy state | DC local system | The system activates the advanced logging policy by setting the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy. |
| 5 | Update Local Logging policy | DC local system | Depending on the IoAs to detect, Tenable Identity Exposure dynamically generates and activates an advanced logging policy. This policy does not deactivate any existing logging policy — it only enriches them if necessary. If it detects a conflict, the GPO installation script stops and shows the message "Tenable Identity Exposure requires the audit policy '...' but the current AD configuration prevents its usage." |
| 6 | Collect ETW messages | DC local system |
Tenable Identity Exposure captures relevant ETW messages, buffers them periodically, and saves them to files (one per DC) stored in the Sysvol folder associated to the Tenable Identity Exposure GPO (...{GPO_GUID}\Machine\IOA<DC_name>). |
| 7 | Replicate files to the Tenable Identity Exposure platform | Active Directory | Using DFS, the AD replicates files across the domain. The Tenable Identity Exposure platform also receives the files. |
| 8 | Overwrite these files | Active Directory | Each DC automatically and continuously writes the periodically buffered events in the same file. |
See also