Windows Event Analysis
Correlation for Investigation
Mahendra Pratap Singh
MS Cyber Law & Security, Lead Auditor ISO 27001
Team Whitehat People
Email: mpsinghrathore@yahoo.co.in
LinkedIn: www.linkedin.com/in/mpsingrathore
Facebook: www.facebook.com/mpsinghrathore1
Website: www.mpsinghrathore.com
Twitter: @mpsinghrathore
Introduction
Windows events give us a way to look into Microsoft Windows machines for troubleshooting as well as for security analysis and investigation, and they are the best and most important place to start when a security incident has occurred. Windows machines generate events for all user activities and for the activities of the applications and OS running on them.
The ability to find the right event through its Event ID, and to link it with other Event IDs through the parameters they share (because they were generated in the course of the same user, application or OS action), shows the action performed and the processes executed on the machine. Windows event analysis is useful for information security incident investigation as well as for audit purposes.
Login and Logout Events
Event IDs 528 and 4624 indicate a successful login on Windows 2003/XP and Windows 2008/2012 respectively. Event IDs 551/4647 are generated when a user logs off, whether from a network connection or manually from the keyboard. Event IDs 538/4634 generally follow these event IDs when a user logs off from a Windows machine.
Logon event ID 528/4624 shows important details: the user ID, the domain in which the user logged in, Logon Type, Logon ID, time of logon, workstation name, which process was used for authentication and, for remote logons, the source IP address and source port.
Apart from the direct information given in the login event, two main and very important fields are Logon ID and Logon Type. Logon ID is used to correlate with many other Event IDs generated during the logon session. Using this Logon ID, we find the user who performed any particular action during the logon session.
Similarly, Logon Type shows the method by which the user logged in to the Windows machine: whether it was a network logon (RDP), an interactive logon (through the keyboard), batch, etc.
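As an added example (not part of the original deck), the Logon ID correlation described above in Python: each 4624 logon is paired with the 4647/4634 logoff that carries the same Logon ID, the Logon Type is decoded with the names used in the following slides, and the session duration is computed. The events are constructed sample records, not real log data; the field names follow the 4624 event description.

```python
"""Pair 4624 logon events with 4647/4634 logoff events by Logon ID (constructed sample data)."""
from datetime import datetime

# Logon Type codes and the names the deck uses for them.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "Network Clear Text", 9: "New Credential", 10: "Remote Interactive",
    11: "Cached Interactive",
}

# Constructed sample events (invented values, not real log data); times are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-01-10T08:01:00", "LogonID": "0x3E7A1", "LogonType": 2,
     "User": "alice", "Domain": "CORP", "Workstation": "WS01", "IpAddress": "-"},
    {"EventID": 4624, "Time": "2024-01-10T08:05:30", "LogonID": "0x4F002", "LogonType": 10,
     "User": "bob", "Domain": "CORP", "Workstation": "WS01", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "Time": "2024-01-10T08:06:00", "LogonID": "0x4F1C0", "LogonType": 3,
     "User": "svc_backup", "Domain": "CORP", "Workstation": "SRV02", "IpAddress": "10.0.0.7"},
    {"EventID": 4647, "Time": "2024-01-10T09:35:30", "LogonID": "0x4F002"},
    {"EventID": 4634, "Time": "2024-01-10T09:35:31", "LogonID": "0x4F002", "LogonType": 10},
    {"EventID": 4647, "Time": "2024-01-10T17:30:00", "LogonID": "0x3E7A1"},
]


def build_sessions(events):
    """Return {LogonID: session}; the logoff time is the first 4647/4634 seen for that Logon ID."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        lid = ev["LogonID"]
        if ev["EventID"] == 4624:
            sessions[lid] = {
                "user": f'{ev["Domain"]}\\{ev["User"]}',
                "workstation": ev["Workstation"],
                "logon_type": ev["LogonType"],
                "logon_type_name": LOGON_TYPES.get(ev["LogonType"], "Unknown"),
                "remote": ev["LogonType"] in (3, 8, 10),   # came over the network
                "source_ip": ev["IpAddress"],
                "logon_time": ev["Time"], "logoff_time": None, "duration_minutes": None,
            }
        elif ev["EventID"] in (4647, 4634) and lid in sessions:
            s = sessions[lid]
            if s["logoff_time"] is None:      # 4634 usually follows 4647; keep the first
                s["logoff_time"] = ev["Time"]
                delta = datetime.fromisoformat(ev["Time"]) - datetime.fromisoformat(s["logon_time"])
                s["duration_minutes"] = delta.total_seconds() / 60
    return sessions


def console_logons(sessions):
    """Logon IDs of sessions that are not Logon Type 3 (the deck's 'exact login events' filter)."""
    return sorted(lid for lid, s in sessions.items() if s["logon_type"] != 3)


def still_open(sessions):
    """Logon IDs with a 4624 but no matching logoff event in the data set."""
    return sorted(lid for lid, s in sessions.items() if s["logoff_time"] is None)


if __name__ == "__main__":
    for lid, s in build_sessions(SAMPLE_EVENTS).items():
        print(lid, s)
```

A session that appears in still_open() has no logoff record in the window examined, which is either an active session or a gap in collection; either way it deserves a second look before the session duration is reported.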
Logon Types
Logon Type 2 – Interactive
We see type 2 logons when a user attempts to log on using local
keyboard and screen whether with a domain account or a local account
from the computer’s local SAM. To find the difference between an
attempt to logon with a local or domain account look for the domain or
computer name preceding the user name in the event’s description.
Logon Type 3 – Network
Windows logs logon type 3 in most cases when we access a computer
from elsewhere on the network. One of the most common sources of
logon events with logon type 3 is connections to shared folders or
printers.
Logon type 4 – Batch
When Windows executes a scheduled task, the Scheduled Task service
first creates a new logon session for the task so that it can run under
the authority of the user account specified when the task was created.
When this logon attempt occurs, Windows logs it as logon type 4.
Logon type 5 – Service
Similar to Scheduled Tasks, each service is configured to run as a
specified user account. When a service starts, Windows first creates a
logon session for the specified user account which results in a
Logon/Logoff event with logon type 5.
Logon type 7 – Unlock
When a user returns to their workstation and unlocks the console,
Windows treats this as a logon and logs the appropriate Logon/Logoff
event but in this case the logon type will be 7 – identifying the event as
a workstation unlock attempt.
Logon type 8 – Network Clear Text
This logon type indicates a network logon like logon type 3, but one where
the password was sent over the network in clear text.
Logon type 9 – New Credential
If you use the RunAs command to start a program under a different
user account and specify the /netonly switch, Windows records a
logon/logoff event with logon type 9.
Logon Type 10 – Remote Interactive
When you access a computer through Terminal Services, Remote
Desktop or Remote Assistance, Windows logs the logon attempt with
logon type 10, which makes it easy to distinguish true console logons
from a remote desktop session.
Logon type 11 – Cached Interactive
Windows supports a feature called Cached Logons which facilitates
mobile users. When you are not connected to your organization’s
network and attempt to logon to your laptop with a domain account
there’s no domain controller available to the laptop with which to verify
your identity. To solve this problem, Windows caches a hash of the
credentials of the last 10 interactive domain logons. Later when no
domain controller is available, Windows uses these hashes to verify
your identity when you attempt to logon with a domain account.
Object Operation (Access, Open, Delete, Handle)
On Windows machines, object access and the operations performed on objects are audited according to the audit policies enforced on the host, which come from the Domain Controller if the machine is in a domain environment. Any particular file or folder that needs to be monitored or investigated through Windows events must have auditing enabled for it through the Windows audit policies.
Once this is done, any attempt to access, modify, delete or move the object will generate Windows events, and through these events we can track users' activity and their operations.
560 (4656) – Object Open: logged whenever a program opens an object.
In Windows, a program first opens an object, requesting certain types of access (i.e. read and/or write). Windows compares the object's ACL to the program's access token, which identifies the user and the groups to which the user belongs. The open may succeed or fail depending on this comparison. Regardless, Windows then checks the audit policy of the object. If the policy enables auditing for the user, the type of access requested and the success/failure result, Windows generates event 560/4656.
In the case of failed access attempts, event 560/4656 is the only event recorded.
567 (4657, 4663) – Object Access Attempt: logs the actual permissions exercised by the user/program on the object after opening it. Event 567 asserts that the accesses obtained for an object in event 560 were actually used.
562 (4658) – Handle Closed: after successfully opening an object, a program eventually closes it, which is documented by event 562/4658.
Event 562 helps you determine how long the object was open. For this event to be useful you must link it back to the earlier event 560 (Object Open) with the same Handle ID.
Object Operation - Correlation
New Handle ID: when a program opens an object it obtains a handle to the object, which it uses in subsequent operations on it. We can link an event to the other events in the same session of access to an object by that program by looking for events with the same Handle ID.
To determine the name of the program used to open an object:
Event 560 AND Event 592, joined on Process ID (common to both Event IDs)
Event 4656 AND Event 4688, joined on Process ID (common to both Event IDs)
Object Open and Access Attempted:
Event ID 560 AND Event ID 567, joined on Handle ID (common to both Event IDs)
Event ID 4656 AND Event ID 4663, joined on Handle ID (common to both Event IDs)
Registry Key Open-Modified-Closed:
Event ID 4656 AND Event ID 4657 AND Event ID 4658 (with the same Handle ID)
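The Handle ID and Process ID joins above, as an added Python example that is not part of the original deck: 4656/4663/4658 events are grouped by Handle ID into an open, accesses, close timeline, the executable is resolved from 4688 through the Process ID, and the accesses requested at open are compared with those actually exercised. All events are constructed sample records with invented values.

```python
"""Group object-access events by Handle ID and resolve the process via 4688 (constructed data)."""
from datetime import datetime

# Constructed sample events (invented values); field names follow the 4688/4656/4663/4658 descriptions.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": "2024-01-10T10:00:00", "ProcessID": "0x1a2c",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe", "LogonID": "0x4F002"},
    {"EventID": 4656, "Time": "2024-01-10T10:00:05", "HandleID": "0x7f8", "ProcessID": "0x1a2c",
     "ObjectType": "File", "ObjectName": "C:\\Finance\\payroll.xlsx",
     "Accesses": ["ReadData", "WriteData", "Delete"], "LogonID": "0x4F002"},
    {"EventID": 4663, "Time": "2024-01-10T10:00:06", "HandleID": "0x7f8", "ProcessID": "0x1a2c",
     "Accesses": ["ReadData"]},
    {"EventID": 4663, "Time": "2024-01-10T10:02:10", "HandleID": "0x7f8", "ProcessID": "0x1a2c",
     "Accesses": ["WriteData"]},
    {"EventID": 4658, "Time": "2024-01-10T10:02:11", "HandleID": "0x7f8", "ProcessID": "0x1a2c"},
    # A second handle that is opened but never closed inside the sample window.
    {"EventID": 4656, "Time": "2024-01-10T10:03:00", "HandleID": "0x81c", "ProcessID": "0x1a2c",
     "ObjectType": "File", "ObjectName": "C:\\Finance\\budget.xlsx",
     "Accesses": ["ReadData"], "LogonID": "0x4F002"},
]


def process_names(events):
    """Process ID -> executable, taken from 4688 (the 4656/4688 join the deck describes)."""
    return {e["ProcessID"]: e["ProcessName"] for e in events if e["EventID"] == 4688}


def handle_timelines(events):
    """Return {HandleID: record} built from 4656 (open), 4663 (access) and 4658 (close)."""
    names = process_names(events)
    timelines = {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4656:
            timelines[ev["HandleID"]] = {
                "object": ev["ObjectName"], "object_type": ev["ObjectType"],
                "process": names.get(ev["ProcessID"], "<no 4688 seen>"),
                "logon_id": ev["LogonID"],
                "requested": set(ev["Accesses"]), "used": set(),
                "opened": ev["Time"], "closed": None, "open_seconds": None,
            }
        elif ev["EventID"] == 4663:
            tl = timelines.get(ev["HandleID"])
            if tl is not None:                 # a 4663 without a prior 4656 cannot be attributed
                tl["used"].update(ev["Accesses"])
        elif ev["EventID"] == 4658:
            tl = timelines.get(ev["HandleID"])
            if tl is not None and tl["closed"] is None:
                tl["closed"] = ev["Time"]
                opened = datetime.fromisoformat(tl["opened"])
                tl["open_seconds"] = (datetime.fromisoformat(ev["Time"]) - opened).total_seconds()
    return timelines


def unused_accesses(timeline):
    """Accesses granted at open (4656) that no 4663 shows being exercised."""
    return sorted(timeline["requested"] - timeline["used"])


if __name__ == "__main__":
    for handle, tl in handle_timelines(SAMPLE_EVENTS).items():
        print(handle, tl["object"], tl["process"], tl["open_seconds"], unused_accesses(tl))
```

Handle IDs are only unique between reboots (see the Handle ID field description later in the deck), so in a real query the join should also be restricted to one host and one boot period.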
Sample Object Access Event ID description
This is how an event generated on object access is shown in Event Viewer, with its fields described below.
Subject:
The user and logon session that performed the action.
Security ID: the SID of the account.
Account Name: the account logon name.
Account Domain: the domain or, in the case of local accounts, the computer name.
Logon ID: a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Object:
This is the object upon which the action was attempted.
Object Server: always "Security"
Object Type: "File" for file or folder but can be other types of objects
such as Key, SAM, SERVICE OBJECT, etc.
Object Name: The name of the object being accessed
Handle ID: is a semi-unique (unique between reboots) number that
identifies all subsequent audited events while the object is open.
Handle ID allows you to correlate to other events logged (Open 4656,
Access 4663, Close 4658)
Resource Attributes: (Win2012) resource attributes are a new feature that allows you to classify objects according to any number of things like project, compliance or security level. It's part of Dynamic Access Control, new to Win2012.
Process Information:
Process Name: identifies the program executable that accessed the object.
Process ID: is the process ID specified when the executable started as
logged in 4688.
Access Request Information:
Transaction ID: unknown.
Accesses: these are the permissions requested. They correspond to the permissions available in the Permission Entry dialog for any access control entry on the object.
Access Reasons: (Win2012) this lists each permission granted and the reason behind it, usually the relevant access control entry (in SDDL format).
Access Mask: this is the bitwise equivalent of Accesses.
Access Mask Number   Access Mask   Action
1537                 (0x10000)     Delete
1538                               Read_CONTROL
1541                               Synchronize
4416                 (0x1)         ReadData (or List Directory)
4417                 (0x6)         WriteData (or Add File) (0x2 on Windows 2008 Server)
4418                 (0x4)         AppendData (or AddSubdirectory)
4419                               ReadEA
4420                               WriteEA
4423                               ReadAttributes
4424                               WriteAttributes
4432                 (0x1)         Query Key Value
4433                 (0x2)         Set Key Value
4434                 (0x4)         Create Sub Key
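An added Python example (not from the original deck) that turns the Access Mask value into the access names it encodes, going slightly beyond the table above: it covers the standard rights shared by every object type (Delete, Read_CONTROL, Synchronize and the two ownership/DACL rights) plus the file and registry key specific rights, with the bit values taken from the Windows SDK access-right constants. The choice of which rights count as destructive is this example's own.

```python
"""Decode a Windows Access Mask into access names, by object type (File or Key)."""

# Bit values are the Windows SDK access-right constants (winnt.h). Standard rights apply to
# every object; the meaning of the low bits depends on the event's Object Type field.
STANDARD_RIGHTS = {
    0x10000: "Delete", 0x20000: "Read_CONTROL", 0x40000: "Write_DAC",
    0x80000: "Write_Owner", 0x100000: "Synchronize",
    0x1000000: "Access_System_Security",
    0x10000000: "Generic_All", 0x20000000: "Generic_Execute",
    0x40000000: "Generic_Write", 0x80000000: "Generic_Read",
}
FILE_RIGHTS = {
    0x1: "ReadData (or List Directory)", 0x2: "WriteData (or Add File)",
    0x4: "AppendData (or AddSubdirectory)", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute (or Traverse)", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes",
}
KEY_RIGHTS = {
    0x1: "Query Key Value", 0x2: "Set Key Value", 0x4: "Create Sub Key",
    0x8: "Enumerate Sub Keys", 0x10: "Notify", 0x20: "Create Link",
}

# Rights that can change or remove the object; an example's own grouping, not a Windows term.
DESTRUCTIVE = {
    "Delete", "Write_DAC", "Write_Owner", "Generic_All", "Generic_Write",
    "WriteData (or Add File)", "AppendData (or AddSubdirectory)", "DeleteChild",
    "Set Key Value", "Create Sub Key",
}


def decode_access_mask(mask, object_type="File"):
    """Return the access names set in `mask`, lowest bit first; unknown bits are reported as hex.

    `mask` may be an int or the hex string as it appears in the event text (e.g. "0x10080")."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    specific = {"File": FILE_RIGHTS, "Key": KEY_RIGHTS}.get(object_type, {})
    names, remaining = [], mask
    for bit, name in sorted({**specific, **STANDARD_RIGHTS}.items()):
        if mask & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"unknown bits 0x{remaining:x}")
    return names


def is_destructive(mask, object_type="File"):
    """True when the mask includes a right that can alter, re-own or remove the object."""
    return any(name in DESTRUCTIVE for name in decode_access_mask(mask, object_type))


if __name__ == "__main__":
    print(decode_access_mask("0x10080"))          # Delete + ReadAttributes on a file
    print(decode_access_mask("0x3", "Key"))       # query + set a registry value
```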
Privileges Used For Access Check:
Lists any privileges requested. The only time I'm aware of this field being
filled in is when you take ownership of an object in which case you'll see
SeTakeOwnershipPrivilege.
Restricted SID Count: unknown.
Object Delete – User Search Correlation
To determine the Subject (person) who deleted the object:
Steps:
- The object deletion alert notification (Event ID 564/4660) gives the Process ID.
- Use that Process ID to search the object open events (Event ID 560/4656).
- The object open event (560/4656) gives the Primary Logon ID.
- Now search for the hostname together with the Primary Logon ID (in quotes) and the login Event ID (528/4624), combined with a logical AND (if an event management tool is used).
- This should return the login event on the relevant host with the login account name.
Final query:
HOSTNAME = <hostname> AND "Logon ID:<logonID>" AND EVENTID = 528/4624
To determine the object deleted: look for a prior event 560 with the same Handle ID.
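The deletion attribution chain above, as an added Python example (not part of the original deck): a 4660 event is followed back to the 4656 open with the same Handle ID and Process ID, which supplies the object name and Logon ID; the 4688 with that Process ID supplies the executable; and the 4624 with that Logon ID supplies the account. The events are constructed sample records for a single host with invented values.

```python
"""Attribute an object deletion (4660) to an account: 4660 -> 4656 -> 4688/4624 (constructed data)."""

# Constructed sample events for one host (invented values); field names follow the event descriptions.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "FS01", "Time": "2024-01-10T07:58:00", "LogonID": "0x3E7",
     "User": "SYSTEM", "Domain": "NT AUTHORITY", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "Host": "FS01", "Time": "2024-01-10T08:05:30", "LogonID": "0x4F002",
     "User": "bob", "Domain": "CORP", "LogonType": 10, "IpAddress": "10.0.0.25"},
    {"EventID": 4688, "Host": "FS01", "Time": "2024-01-10T10:10:00", "ProcessID": "0x2b40",
     "ProcessName": "C:\\Windows\\explorer.exe", "LogonID": "0x4F002"},
    {"EventID": 4656, "Host": "FS01", "Time": "2024-01-10T10:11:02", "HandleID": "0x9a0",
     "ProcessID": "0x2b40", "LogonID": "0x4F002",
     "ObjectName": "C:\\Finance\\payroll.xlsx", "Accesses": ["DELETE"]},
    {"EventID": 4660, "Host": "FS01", "Time": "2024-01-10T10:11:03", "HandleID": "0x9a0",
     "ProcessID": "0x2b40"},
    {"EventID": 4658, "Host": "FS01", "Time": "2024-01-10T10:11:03", "HandleID": "0x9a0",
     "ProcessID": "0x2b40"},
]


def latest_before(events, event_id, host, before, **match):
    """Most recent `event_id` on `host` at or before `before` whose fields equal `match`.

    Times are ISO-8601 strings, so plain string comparison orders them correctly."""
    hits = [e for e in events
            if e["EventID"] == event_id and e["Host"] == host and e["Time"] <= before
            and all(e.get(k) == v for k, v in match.items())]
    return max(hits, key=lambda e: e["Time"], default=None)


def deletions(events):
    """All object-deleted (4660) events in the set."""
    return [e for e in events if e["EventID"] == 4660]


def attribute_deletion(events, deletion):
    """Walk the deck's chain for one 4660 event and return what could be established."""
    host, when = deletion["Host"], deletion["Time"]
    result = {"host": host, "deleted_at": when, "object": None, "logon_id": None,
              "process": None, "account": None, "logon_type": None, "source_ip": None}
    # Step 1/2: the prior open (4656) with the same Handle ID and Process ID.
    opened = latest_before(events, 4656, host, when,
                           HandleID=deletion["HandleID"], ProcessID=deletion["ProcessID"])
    if opened is None:
        # No open record: the object was not covered by the audit policy, or the log was cut.
        return result
    result["object"] = opened["ObjectName"]
    result["logon_id"] = opened["LogonID"]
    # Process name via 4688 with the same Process ID.
    started = latest_before(events, 4688, host, when, ProcessID=deletion["ProcessID"])
    if started is not None:
        result["process"] = started["ProcessName"]
    # Step 3/4: the logon (4624) with that Logon ID names the account.
    logon = latest_before(events, 4624, host, when, LogonID=opened["LogonID"])
    if logon is not None:
        result["account"] = f'{logon["Domain"]}\\{logon["User"]}'
        result["logon_type"] = logon["LogonType"]
        result["source_ip"] = logon["IpAddress"]
    return result


if __name__ == "__main__":
    for d in deletions(SAMPLE_EVENTS):
        print(attribute_deletion(SAMPLE_EVENTS, d))
```

When the chain stops at the first step the deletion itself is still a fact; what is missing is the audit coverage of the object, which is worth fixing before the next incident rather than during it.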
General Search Queries
- Exact login events on a server
HOSTNAME = <Servername> AND EVENTID = 4624/528 AND MESSAGE != "Logon Type: 3"
- User login and logout duration
EVENTID = 528/4624 (logon event) and EVENTID = 551/4647 (logout event), linked by the Logon ID common to both the logon and logout events
- User X successfully logged on to a host
EVENTID = 4624 AND USERNAME = <username> AND REMOTEHOST = <ipaddress>
- User account was changed
EVENTID = 4738 AND USERNAME = <username>
- An attempt was made to change an account's password
EVENTID = 4723 AND USERNAME = <username>
- User X failed to log on to a host
EVENTID = 4625 AND USERNAME = <username> AND REMOTEHOST = <ipaddress>
- Check for locked user accounts
EVENTID = 4740
- Check failed authentication for a particular user on a remote host machine
EVENTID = 4771 AND USERNAME = <username> AND REMOTEHOST = <ipaddress-remotehost>
- Particular object requested by a user
EVENTID = 4656 AND OBJECTNAME = <objectname> AND HOSTNAME = <full hostname> AND USERNAME = <username>
Content in slides is best of my understanding with the source.
Thank You

 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Windows Event Analysis - Correlation for Investigation

1. Windows Event Analysis: Correlation for Investigation
Mahendra Pratap Singh
MS Cyber Law & Security, Lead Auditor ISO 27001
Team Whitehat People
Email: mpsinghrathore@yahoo.co.in
LinkedIn: www.linkedin.com/in/mpsingrathore
Facebook: www.facebook.com/mpsinghrathore1
Website: www.mpsinghrathore.com
Twitter: @mpsinghrathore

2. Introduction
Windows events give an investigator a way to look into a Microsoft Windows machine, for troubleshooting as well as for security analysis, and they are usually the first evidence to examine when a security incident occurs. A Windows machine generates events for user activity and for the activity of the applications and the OS running on it, subject to the audit policy in force on that machine.

Finding the right event through its Event ID, and then linking it to the other events generated in the course of the same action (user, application or OS driven) through the parameters they share, reveals the action performed and the processes executed on the machine. Windows event analysis is useful for information security incident investigation as well as for audit purposes.

3. Login and Logout Events
Event IDs 528 and 4624 indicate a successful logon on Windows 2003/XP and on Windows 2008/2012 respectively (on the older systems a successful network logon is recorded as 540 rather than 528). Event IDs 551/4647 are generated when a user initiates a logoff of an interactive session, whether at the console or over remote desktop; event IDs 538/4634 record the end of any logon session, network logons included, and 4634 normally follows 4647 when a user logs off from a Windows machine.

Logon event 528/4624 carries the important details: the user name, the domain the user logged on to, the Logon Type, the Logon ID, the time of logon, the workstation name, the logon process and authentication package used, and, for remote logons, the source IP address and source port.

4. Login and Logout Events (continued)
Beyond the details listed above, the two most important fields in the logon event are the Logon ID and the Logon Type. The Logon ID is the key used to correlate the logon event with the many other events generated during that logon session; it is unique only between reboots, so always combine it with the host name and a time window. Using the Logon ID, we find the user who performed any particular action during the session. The Logon Type shows how the user logged on to the Windows machine: network logon (a share, printer or remote management connection), interactive logon (through the keyboard), remote interactive logon (RDP), batch, and so on.

5. Logon Types
Logon Type 2 – Interactive
We see type 2 logons when a user logs on using the local keyboard and screen, whether with a domain account or with a local account from the computer's local SAM. To tell an attempt with a local account from one with a domain account, look at the domain or computer name preceding the user name in the event's description.

Logon Type 3 – Network
Windows logs logon type 3 in most cases when a computer is accessed from elsewhere on the network. One of the most common sources of type 3 logon events is a connection to a shared folder or printer; integrated Windows authentication to a web server and remote management such as WMI or PowerShell remoting also appear as type 3.

6. Logon Types (continued)
Logon Type 4 – Batch
When Windows executes a scheduled task, the Task Scheduler service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon occurs, Windows logs it as logon type 4.

Logon Type 5 – Service
Similar to scheduled tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for that account, which results in a Logon/Logoff event with logon type 5.

7. Logon Types (continued)
Logon Type 7 – Unlock
When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event, but in this case the logon type is 7, identifying the event as a workstation unlock attempt.

Logon Type 8 – Network Clear Text
This logon type indicates a network logon like logon type 3, but one where the password was passed to the authentication provider in clear text rather than as a challenge/response. IIS Basic authentication is the classic source; note that the transport itself may still be protected by TLS, so type 8 means "cleartext to Windows", not necessarily "cleartext on the wire".

8. Logon Types (continued)
Logon Type 9 – New Credentials
If you use the RunAs command with the /netonly switch to start a program under a different user account, Windows records a Logon/Logoff event with logon type 9. The new credentials are used only for outbound network connections; the process itself still runs as the caller, so the 4624 names the caller, and the alternate account appears in the accompanying 4648 (logon with explicit credentials) event.

Logon Type 10 – Remote Interactive
When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session.

9. Logon Types (continued)
Logon Type 11 – Cached Interactive
Windows supports a feature called cached logons, which exists for mobile users. When you are not connected to your organization's network and attempt to log on to your laptop with a domain account, there is no domain controller available to verify your identity. To solve this problem, Windows caches a verifier (a salted hash) of the credentials of the last 10 interactive domain logons by default (the CachedLogonsCount setting). Later, when no domain controller is available, Windows uses these cached verifiers to check your identity when you log on with a domain account, and logs the logon as type 11.

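The Logon ID and Logon Type correlation described in slides 3 to 9, as an added example that is not part of the original deck: it reconstructs logon sessions from a handful of constructed 4624/4647/4634 records (not real log data), pairs each logon with its logoff by Logon ID, and flags the session types an investigator cares about. The field names mirror the EventData of the real events; the records themselves and the host name WS01 are assumptions for illustration.

```python
from datetime import datetime

# Human-readable names for the Logon Type values described in the deck.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample events (not real log data). Field names follow the
# EventData sections of 4624 (logon), 4647 (user-initiated logoff) and
# 4634 (session ended) in the Security log.
EVENTS = [
    {"EventID": 4624, "Time": "2024-04-10T08:00:00", "Host": "WS01",
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3E7A1", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Time": "2024-04-10T08:05:00", "Host": "WS01",
     "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3F002", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4634, "Time": "2024-04-10T08:05:01", "Host": "WS01",
     "TargetLogonId": "0x3F002", "LogonType": 3},
    {"EventID": 4624, "Time": "2024-04-10T09:00:00", "Host": "WS01",
     "TargetUserName": "bob", "TargetDomainName": "CORP",
     "TargetLogonId": "0x41AB0", "LogonType": 10, "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "Time": "2024-04-10T09:10:00", "Host": "WS01",
     "TargetUserName": "webuser", "TargetDomainName": "CORP",
     "TargetLogonId": "0x4300F", "LogonType": 8, "IpAddress": "10.0.0.90"},
    {"EventID": 4647, "Time": "2024-04-10T09:45:00", "Host": "WS01",
     "TargetLogonId": "0x41AB0"},
    {"EventID": 4634, "Time": "2024-04-10T09:45:01", "Host": "WS01",
     "TargetLogonId": "0x41AB0", "LogonType": 10},
    # alice never logs off: her session is still open (or the log was cut)
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def build_sessions(events):
    """Pair each 4624 with the first 4647 or 4634 carrying the same Logon ID.

    Returns {logon_id: session}; 'end' is None for sessions with no logoff.
    Logon IDs are unique only between reboots, so a real search must also
    constrain on host and time window, as the deck's final query does.
    """
    sessions = {}
    for ev in events:
        if ev["EventID"] == 4624:
            sessions[ev["TargetLogonId"]] = {
                "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                "host": ev["Host"],
                "type": LOGON_TYPES.get(ev["LogonType"], "Unknown"),
                "src": ev["IpAddress"],
                "start": _t(ev["Time"]),
                "end": None,
            }
    for ev in events:
        if ev["EventID"] in (4647, 4634):
            session = sessions.get(ev["TargetLogonId"])
            if session is not None and session["end"] is None:
                session["end"] = _t(ev["Time"])
    return sessions


def session_minutes(sessions, logon_id):
    """Logon-to-logoff duration in minutes, or None if no logoff was seen."""
    session = sessions[logon_id]
    if session["end"] is None:
        return None
    return (session["end"] - session["start"]).total_seconds() / 60


def console_logons(sessions):
    """The deck's 'exact login events on server' query: 4624 minus Logon Type 3."""
    return sorted(lid for lid, s in sessions.items() if s["type"] != "Network")


def cleartext_logons(sessions):
    """Logon IDs of type 8 sessions, where the password reached Windows in clear text."""
    return sorted(lid for lid, s in sessions.items() if s["type"] == "NetworkCleartext")


if __name__ == "__main__":
    sessions = build_sessions(EVENTS)
    for lid in console_logons(sessions):
        s = sessions[lid]
        print(lid, s["user"], s["type"], s["src"], session_minutes(sessions, lid))
```

A session with no matching logoff is the normal case for a console user who simply locks the screen, and also what you see when the log was cleared or rolled over, so the None result is worth keeping rather than treating as an error.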
10. Object Operation (Access, Open, Delete, Handle)
On Windows machines, access to objects and the operations performed on them are audited according to the audit policy enforced on the host, which in a domain environment is normally pushed from the domain controller through Group Policy. Two things are needed before a particular file, folder or registry key generates events: the Object Access (or, on 2008 and later, the File System / Registry subcategory) audit policy must be enabled for success and/or failure, and the object itself must carry an auditing entry (SACL) naming the users and access types to record. If both are in place, any attempt to open, read, modify, delete or move the object generates Windows events, and through these events we can track user activity and their operations.

11. Object Operation (Access, Open, Delete, Handle) (continued)
560 (4656) – Object Open: logged whenever a program opens an object. In Windows, a program first opens an object, requesting certain types of access (for example read and/or write). Windows compares the object's ACL with the program's access token, which identifies the user and the groups the user belongs to, and the open succeeds or fails depending on this comparison. Regardless of the outcome, Windows then checks the audit policy (SACL) of the object; if it enables auditing for that user, the type of access requested and the success/failure result, Windows generates event 560/4656. In the case of a failed access attempt, event 560/4656 is the only event recorded, because no handle was ever obtained.

12. Object Operation (Access, Open, Delete, Handle) (continued)
567 (4663) – Object Access Attempt: logs the actual permissions exercised by the user or program on the object after opening it. Event 567/4663 asserts that the accesses obtained in event 560/4656 were actually used. For the registry, 4657 (a registry value was modified) is the comparable event, and it additionally records the old and new value.

562 (4658) – Handle Closed: after successfully opening an object, a program eventually closes it, which is documented by event 562/4658. Event 562/4658 helps you determine how long the object was open. For this event to be useful you must link it back to the earlier 560/4656 (Object Open) with the same Handle ID.

13. Object Operation – Correlation
New Handle ID: when a program opens an object it obtains a handle, which it uses in all subsequent operations on that object. We can link an event to the other events of the same session of access to an object by the same program by looking for events with the same Handle ID.

To determine the name of the program used to open an object:
- Event 560 AND Event 592 AND Process ID (common to both event IDs)
- Event 4656 AND Event 4688 AND Process ID (common to both event IDs)

14. Object Operation – Correlation (continued)
Object open and access attempted:
- Event ID 560 AND Event ID 567 AND Handle ID (common to both event IDs)
- Event ID 4656 AND Event ID 4663 AND Handle ID (common to both event IDs)

Registry key opened, modified and closed:
- Event ID 4656 AND Event ID 4657 AND Event ID 4658 (with the same Handle ID)

15. Sample Object Access Event ID description
This is how an event generated on object access is shown in Event Viewer, with its fields explained.

Subject: the user and logon session that performed the action.
Security ID: the SID of the account.
Account Name: the account logon name.
Account Domain: the domain or, in the case of local accounts, the computer name.
Logon ID: a semi-unique (unique between reboots) number that identifies the logon session. The Logon ID allows you to correlate backwards to the logon event (4624) as well as with the other events logged during the same logon session.

16. Sample Object Access Event ID description (continued)
Object: the object upon which the action was attempted.
Object Server: always "Security".
Object Type: "File" for a file or folder, but can be other types of object such as Key, SAM, SERVICE OBJECT, etc.
Object Name: the name of the object being accessed.
Handle ID: a semi-unique (unique until the handle is closed and the value is reused) number that identifies all subsequent audited events while the object is open. The Handle ID allows you to correlate with the other events logged for the same handle (Open 4656, Access 4663, Close 4658).
Resource Attributes (Win2012): resource attributes are a feature that allows you to classify objects according to any number of things, such as project, compliance or security level. It is part of Dynamic Access Control, new in Win2012.

17. Sample Object Access Event ID description (continued)
Process Information:
Process Name: identifies the program executable that accessed the object.
Process ID: the process ID assigned when the executable started, as logged in 4688.

Access Request Information:
Transaction ID: unknown.
Accesses: the permissions requested. They correspond to the permissions available in the Permission Entry dialog for any access control entry on the object.
Access Reasons (Win2012): lists each permission granted and the reason behind it, usually the relevant access control entry (in SDDL format).

18. Sample Object Access Event ID description (continued)
Access Mask: this is the bitwise equivalent of Accesses. The numbers such as 1537 or 4416 are the message IDs (%%1537, %%4416) that the Security log uses to render each permission name; the hex value is the actual bit in the mask. A mask is the OR of the bits, so the 0x6 often seen on a file write is simply WriteData (0x2) plus AppendData (0x4).

Standard rights (any object type)
  %%1537   0x10000    Delete
  %%1538   0x20000    READ_CONTROL
  %%1541   0x100000   SYNCHRONIZE

File and directory rights
  %%4416   0x1        ReadData (or ListDirectory)
  %%4417   0x2        WriteData (or AddFile)
  %%4418   0x4        AppendData (or AddSubdirectory)
  %%4419   0x8        ReadEA
  %%4420   0x10       WriteEA
  %%4423   0x80       ReadAttributes
  %%4424   0x100      WriteAttributes

Registry key rights
  %%4432   0x1        Query key value
  %%4433   0x2        Set key value
  %%4434   0x4        Create sub-key

19. Sample Object Access Event ID description (continued)
Privileges Used For Access Check: lists any privileges used to satisfy the access check rather than the object's ACL. The most familiar case is taking ownership of an object, where you will see SeTakeOwnershipPrivilege.
Restricted SID Count: unknown.

20. Object Delete – User Search Correlation
To determine the subject (person) who deleted an object:
- The object deletion event (564/4660) gives the Handle ID and the Process ID (its Subject section also names the account and Logon ID that held the handle, but the logon event adds the logon type and source address).
- Use that Handle ID, together with the Process ID, to search for the earlier object open event (560/4656) on the same host; the Process ID alone is not enough, because one process opens many objects.
- The object open event (560/4656) gives the Object Name and the primary Logon ID.
- Now search for the host name, the Logon ID in quotes, and the logon event ID (528/4624), combined with AND (in whatever event management tool is used).
- This returns the logon event on the relevant host with the account name.

21. Object Delete – User Search Correlation (continued)
Final query:
HOSTNAME = <hostname> AND "Logon ID:<logonID>" AND EVENTID = 528/4624

To determine which object was deleted, look for the prior object open event (560/4656) with the same Handle ID; event 564/4660 does not carry the object name itself. Handle ID values are reused once a handle is closed, so restrict the search to the 560/4656 that precedes the 564/4660 with no 562/4658 for that Handle ID in between.

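The Handle ID and Process ID correlation of slides 11 to 14, the Access Mask decoding of slide 18 and the deletion attribution chain of slides 20 and 21, worked as one added example that is not part of the original deck. It runs over a constructed 4624/4688/4656/4663/4660/4658 sequence (not real log data; the host FS01, the file path and the IDs are assumptions) and walks 4660 to 4656 by Handle ID, 4656 to 4624 by Logon ID, and 4656 to 4688 by Process ID.

```python
from datetime import datetime

# Access-mask bits as rendered in 4656/4663 (file rights, standard rights
# and the registry-key rights that share the low bit values).
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}


def decode_access_mask(mask):
    """Turn an Access Mask such as "0x10080" into the permission names it ORs together."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if value & bit]


# Constructed sample events (not real log data); field names follow EventData.
EVENTS = [
    {"EventID": 4624, "Time": "2024-04-10T08:00:00", "Host": "FS01",
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3E7A1", "LogonType": 2},
    {"EventID": 4688, "Time": "2024-04-10T08:01:00", "Host": "FS01",
     "NewProcessId": "0x1a4c", "NewProcessName": "C:\\Windows\\explorer.exe",
     "SubjectLogonId": "0x3E7A1"},
    {"EventID": 4656, "Time": "2024-04-10T08:02:00", "Host": "FS01",
     "SubjectLogonId": "0x3E7A1", "SubjectUserName": "alice",
     "ObjectName": "C:\\Finance\\budget.xlsx", "HandleId": "0x9c4",
     "ProcessId": "0x1a4c", "AccessMask": "0x10080"},
    {"EventID": 4663, "Time": "2024-04-10T08:02:00", "Host": "FS01",
     "SubjectLogonId": "0x3E7A1", "HandleId": "0x9c4",
     "ProcessId": "0x1a4c", "AccessMask": "0x10000"},
    {"EventID": 4660, "Time": "2024-04-10T08:02:01", "Host": "FS01",
     "SubjectLogonId": "0x3E7A1", "HandleId": "0x9c4", "ProcessId": "0x1a4c"},
    {"EventID": 4658, "Time": "2024-04-10T08:02:01", "Host": "FS01",
     "SubjectLogonId": "0x3E7A1", "HandleId": "0x9c4", "ProcessId": "0x1a4c"},
]


def _find(events, event_id, **match):
    """First event with the given ID whose listed fields equal the given values."""
    for ev in events:
        if ev["EventID"] == event_id and all(ev.get(k) == v for k, v in match.items()):
            return ev
    return None


def attribute_deletion(events, host, handle_id):
    """The deck's chain: 4660 -> 4656 (same Handle ID and Process ID) -> Logon ID
    -> 4624, plus 4688 (same Process ID) for the program name."""
    deleted = _find(events, 4660, Host=host, HandleId=handle_id)
    if deleted is None:
        return None
    opened = _find(events, 4656, Host=host, HandleId=handle_id,
                   ProcessId=deleted["ProcessId"])
    if opened is None:
        return None
    logon = _find(events, 4624, Host=host, TargetLogonId=opened["SubjectLogonId"])
    proc = _find(events, 4688, Host=host, NewProcessId=opened["ProcessId"])
    return {
        "object": opened["ObjectName"],
        "user": (f'{logon["TargetDomainName"]}\\{logon["TargetUserName"]}'
                 if logon else None),
        "logon_id": opened["SubjectLogonId"],
        "process": proc["NewProcessName"] if proc else None,
        "requested": decode_access_mask(opened["AccessMask"]),
    }


def handle_lifetime_seconds(events, host, handle_id):
    """How long the object stayed open: 4656 to 4658 with the same Handle ID."""
    opened = _find(events, 4656, Host=host, HandleId=handle_id)
    closed = _find(events, 4658, Host=host, HandleId=handle_id)
    if opened is None or closed is None:
        return None
    return (datetime.fromisoformat(closed["Time"])
            - datetime.fromisoformat(opened["Time"])).total_seconds()


if __name__ == "__main__":
    print(attribute_deletion(EVENTS, "FS01", "0x9c4"))
    print(handle_lifetime_seconds(EVENTS, "FS01", "0x9c4"))
```

The sample keeps one handle per Handle ID; on a real log, where handle values are reused after 4658, take the latest 4656 before the 4660 in question rather than the first match, as the deck's own caveat about prior events implies.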
22. General Search Queries
Console and remote-desktop logons on a server (network logons excluded):
HOSTNAME = <Servername> AND EVENTID = 4624/528 AND MESSAGE != "Logon Type: 3"

User logon and logoff duration:
EVENTID = 528/4624 (logon event) and EVENTID = 551/4647 (logoff event), linked by the Logon ID common to both events

User X successfully logged on to a host:
EVENTID = 4624 AND USERNAME = <username> AND REMOTEHOST = <ipaddress>

23. General Search Queries (continued)
A user account was changed:
EVENTID = 4738 AND USERNAME = <username>

An attempt was made to change an account's password:
EVENTID = 4723 AND USERNAME = <username>

User X failed to log on to a host:
EVENTID = 4625 AND USERNAME = <username> AND REMOTEHOST = <ipaddress>

A user account was locked out:
EVENTID = 4740

24. General Search Queries (continued)
Failed Kerberos pre-authentication (typically a wrong password) for a particular user coming from a given host; 4771 is logged on the domain controller, not on the target machine, so search the DC's log:
EVENTID = 4771 AND USERNAME = <username> AND REMOTEHOST = <ipaddress-remotehost>

A particular object requested by a user:
EVENTID = 4656 AND OBJECTNAME = <objectname> AND HOSTNAME = <full hostname> AND USERNAME = <username>

25. By Mahendra Pratap Singh
Content in these slides is the best of my understanding of the sources. Thank you.