Change Auditor does not capture AD events, or the agent fails to start, after applying the Windows Security Baseline or enabling the Attack Surface Reduction Rule (4235389)

Change Auditor does not capture AD events, or the agent fails to start, after applying the Windows Security Baseline or enabling the Attack Surface Reduction Rule

After applying a Windows Security Baseline to the Domain Controllers, or after enabling the Attack Surface Reduction Rule, "Block credential stealing from the Windows local security authority subsystem", GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, Change Auditor no longer audits AD events and in agents 7.0.4 and later, the agent will fail to start. This will also impact agents installed on member servers resulting in the agent failing to start.

An error similar to the following is logged in the ChangeAuditor.AgentLog.nptlog:

The Attack Surface Reduction Rule "Block credential stealing from the Windows local security authority subsystem" (which is created by some Windows Security Baselines and will be enabled by default by Microsoft in the near future) prevents the agent from being able to access LSASS and inject dlls into the LSASS process. Agents installed on member servers are also impacted and will require the same workarounds as per the Resolution section.

Either disable the Attack Surface Reduction Rule, or add an exception for the Change Auditor agent, on any machine (regardless if it is a DC or member server) that has the CA agent installed.

To add an exception:

1. Open an elevated Powershell command prompt on the server
2. Run the command: Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\Quest\ChangeAuditor\Agent\NPSrvHost.exe"
   
   Note: This exception will apply to any Attack Surface Reduction Rule enabled

To disable the rule completely:

NOTE: There are multiple ways to configure ASR rules. The steps below are for configuring using the local group policy. Please see the following article for all the possible ways to configure ASR rules - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy

1. Open gpedit.msc on the server
2. Navigate to Computer Configuration | Administrative Templates |  Windows components | Windows Defender Antivirus | Windows Defender Exploit Guard | Attack Surface Reduction
   
   OR
   
   Navigate to Computer Configuration | Administrative Templates |  Windows components | Microsoft Defender Antivirus | Microsoft Defender Exploit Guard | Attack surface reduction
3. Double click Configure Attack surface reduction rules
4. Click Show
5. Navigate to 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
6. Set the value to 0 and click OK
7. Click Apply and OK
8. Reboot the DC

NOTE:  In 7.0.4 and above the agent is stopped versus not recording AD events if the AD module cannot load.

You can check Windows Defender and disable it as well.

NOTE: If you are unable to find the paths referenced above, or are having any other issues with the configuration of ASR rules, please contact Microsoft. 

Warnings similar to the following may also be logged in the Operational event log for Windows Defender: Windows Defender Antivirus has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Detection time: 2019-10-02T10:48:00.211Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\System32\lsass.exe Process Name: C:\Program Files\Quest\ChangeAuditor\Agent\NPSrvHost.exe Signature Version: 1.303.624.0 Engine Version: 1.1.16400.2 Product Version: 4.18.1908.7