312-39 Exam Dumps : Certified SOC Analyst (CSA)

The Windows event that is logged when a user tries to access a “Registry” key is identified by the event ID 4657. This event ID corresponds to the modification of a registry value. Here’s how the process is tracked and logged:

• Detection: The system monitors access to registry keys and values.
• Logging: If a user accesses a registry key, and the key’s audit policy is set to log such events, the event is logged.
• Event ID 4657: This specific event ID is used to denote that a registry value was modified, which includes creation, modification, and deletion of registry values.
• Audit Policy: For the event to be logged, “Set Value” auditing must be enabled in the registry key’s System Access Control List (SACL).

References: The EC-Council SOC Analyst course materials and study guides detail the various Windows event IDs and their significance in monitoring and analyzing security events. Event ID 4657 is specifically covered as part of the curriculum that deals with registry access monitoring and logging1. Additionally, Microsoft’s official documentation provides comprehensive information on this event ID and its role in security auditing2.

The scenario described involves an attacker modifying the URL parameters to alter the price of a product, which is a classic example of a Parameter Tampering attack. This type of attack occurs when an attacker manipulates parameters exchanged between client and server in order to modify application data, such as user credentials, permissions, and price of products, as seen in this case.

The original URL indicates that the product price (debit) is set to $100. The attacker has modified this parameter value to $10 in the modified URL, thus exploiting the logic validation mechanism of the e-commerce website to purchase the product at a lower price. This manipulation of parameters is indicative of a Parameter Tampering attack, which is a form of web-based attack where the properties of a web application are altered to achieve unintended outcomes by the attacker.

References: The EC-Council’s Certified SOC Analyst (CSA) course material covers various types of cyber attacks, including Parameter Tampering. The CSA study guides and resources provide detailed information on how to identify and respond to such attacks, emphasizing the importance of validating and sanitizing all inputs and parameters to prevent exploitation.

To enable Security Auditing in Windows, the Local Group Policy Editor is used. This feature allows administrators to configure security policies and audit settings on a local computer. Here’s how you can enable Security Auditing using the Local Group Policy Editor:

• Press Win + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
• Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
• Here, you will find a list of audit policies that you can configure for both success and failure events.
• By enabling these policies, you can specify which security-related events you want to audit, such as account logon events, object access, policy change, privilege use, and more.

References: The process described above is aligned with the best practices and guidelines provided by Microsoft and other authoritative sources on Windows security auditing, such as:

• Microsoft’s official documentation on Security Auditing1.
• Guides on how to enable Security Auditing in Active Directory environments2.
• Articles detailing the essentials of Windows event log security auditing3. These references are part of the learning resources for the EC-Council SOC Analyst course and provide comprehensive information on the subject.