Windows Event Analysis - Correlation for Investigation
1. Windows Event Analysis
Correlation for Investigation
Mahendra Pratap Singh
MS Cyber Law & Security, Lead Auditor ISO 27001
Team Whitehat People
Email: mpsinghrathore@yahoo.co.in
LinkedIn: www.linkedin.com/in/mpsingrathore
Facebook: www.facebook.com/mpsinghrathore1
Website: www.mpsinghrathore.com
Twitter: @mpsinghrathore
2. Introduction
Windows events give an opportunity to look into Microsoft Windows
machines for troubleshooting as well as for security analysis and
investigation, and they are the first and most important place to start
when a security incident occurs. A Windows machine generates events for
user activity and for the activity of the applications and OS running on
it, subject to the audit policy in force: what is not enabled for auditing
is never logged, so the policy should be verified before any conclusion is
drawn from the absence of an event.
The ability to find the right event through its Event ID and to link it
with other events through the parameters they share (Logon ID, Handle ID,
Process ID), generated in the course of the same action (user, application
or OS), shows which action was performed and which processes executed on
the machine. Windows event analysis is useful for information security
incident investigation as well as for audit purposes.
3. Login and Logout Events
Event IDs 528 and 4624 indicate a successful logon on Windows XP/2003 and
on Windows Vista/2008 and later, respectively (on XP/2003, 528 covers
interactive logons and 540 covers network logons; 4624 covers all logon
types). Event ID 538/4634 is logged whenever a logon session ends, whether
it was a network connection or a console session. Event ID 551/4647 is
logged in addition when the user initiates the logoff (an interactive or
remote interactive session), so for those sessions 4647 is followed by
4634 with the same Logon ID; a network logon normally ends with 4634 alone.
The logon event 528/4624 shows the important details: the account name, the
domain the user logged on to, the Logon Type, the Logon ID, the time of
logon, the workstation name, the logon process and authentication package
used, and, when the logon is remote, the source network address and source
port.
4. Login and Logout Events
Beyond the directly useful details in the logon event, two fields are the
key ones: Logon ID and Logon Type. The Logon ID is carried by many other
events generated during the logon session (object access, process
creation, logoff), and through it we can attribute any particular action
during that session to the user who performed it. A Logon ID is unique
only until the next reboot of that host, so the correlation must also
match on the host name.
Similarly, the Logon Type shows how the user logged on to the Windows
machine: network (type 3, e.g. access to a shared folder), interactive
(type 2, at the keyboard), remote interactive (type 10, RDP), batch,
service, and so on.
5. Logon Types
Logon Type 2 – Interactive
We see type 2 logons when a user attempts to log on using local
keyboard and screen whether with a domain account or a local account
from the computer’s local SAM. To find the difference between an
attempt to logon with a local or domain account look for the domain or
computer name preceding the user name in the event’s description.
Logon Type 3 – Network
Windows logs logon type 3 in most cases when we access a computer
from elsewhere on the network. One of the most common sources of
logon events with logon type 3 is connections to shared folders or
printers.
6. Logon Types
Logon type 4 – Batch
When Windows executes a scheduled task, the Scheduled Task service
first creates a new logon session for the task so that it can run under
the authority of the user account specified when the task was created.
When this logon attempt occurs, Windows logs it as logon type 4.
Logon type 5 – Service
Similar to Scheduled Tasks, each service is configured to run as a
specified user account. When a service starts, Windows first creates a
logon session for the specified user account which results in a
Logon/Logoff event with logon type 5.
7. Logon Types
Logon type 7 – Unlock
When a user returns to their workstation and unlocks the console,
Windows treats this as a logon and logs the appropriate Logon/Logoff
event but in this case the logon type will be 7 – identifying the event as
a workstation unlock attempt.
Logon type 8 – Network Clear Text
This logon type indicates a network logon like logon type 3 but where
the password was sent over the network in the clear text.
8. Logon Types
Logon type 9 – New Credential
If you use the RunAs command to start a program under a different
user account and specify the /netonly switch, Windows records a
logon/logoff event with logon type 9.
Logon Type 10 – Remote Interactive
When you access a computer through Terminal Services, Remote
Desktop or Remote Assistance windows logs the logon attempt with
logon type 10 which makes it easy to distinguish true console logons
from a remote desktop session
9. Logon Types
Logon type 11 – Cached Interactive
Windows supports a feature called Cached Logons that facilitates mobile
users. When you are not connected to your organisation's network and
attempt to log on to your laptop with a domain account, there is no domain
controller available to the laptop with which to verify your identity. To
solve this problem, Windows caches a hash of the credentials of the last 10
interactive domain logons (the count is set by the CachedLogonsCount
registry value). Later, when no domain controller is available, Windows
uses these hashes to verify your identity when you attempt to log on with a
domain account, and logs the logon as type 11. A type 11 logon on a machine
that normally has a domain controller reachable is worth checking.
10. Object Operation (Access, Open, Delete, Handle)
In Windows machines, object access and the operations performed on an
object are audited according to the audit policy enforced on the host
(through Group Policy from the Domain Controller when the machine is
domain-joined). Two things are needed: the Object Access audit policy (the
File System or Registry subcategory under Advanced Audit Policy
Configuration) must be enabled for success and/or failure, and the
particular file, folder or registry key to be monitored or investigated
must carry a SACL (auditing entry) naming the principals and access types
to audit. Enabling the policy alone, without a SACL on the object, produces
no object access events.
If both are in place, any attempt to access, modify, delete or move the
object generates Windows events, and through these events we can track
user activity and operations.
11. Object Operation (Access, Open, Delete, Handle)
560 (4656) – Object Open (Handle Requested) - logged whenever a program
opens an object.
In Windows, a program first opens an object, requesting certain types of
access (i.e. read and/or write). Windows compares the object's ACL with
the program's access token, which identifies the user and the groups to
which the user belongs. The open may succeed or fail depending on this
comparison. Regardless, Windows then checks the audit policy (SACL) of the
object. If the policy enables auditing for that user, the type of access
requested and the success/failure result, Windows generates event
560/4656.
In the case of failed access attempts, event 560/4656 (logged as an audit
failure) is the only event recorded: no handle is returned, so there is no
4663 or 4658 to follow.
12. Object Operation (Access, Open, Delete, Handle)
567 (4663) – Object Access Attempt -
Logs the actual permissions exercised by the user/program on the object
after opening it. Event 567/4663 asserts that the accesses obtained for an
object in event 560/4656 were actually used; a 4656 with no following 4663
for the same handle means the object was opened but the requested access
was not exercised.
4657 – Registry Value Modified -
Logged when a registry value is changed through an audited handle; it
carries the old and new value, which 4663 does not.
562 (4658) – Handle Closed
After successfully opening an object, a program eventually closes it, which
is documented by event 562/4658.
Event 562/4658 helps you determine how long the object was open. For this
event to be useful you must link it back to the earlier event 560/4656
(Object Open) with the same Handle ID.
13. Object Operation - Correlation
New Handle ID: when a program opens an object it obtains a handle to the
object, which it uses in subsequent operations on it.
We can link an event to the other events of the same session of access to
an object by the same program by looking for events with the same Handle
ID on the same host. Handle IDs are reused once a handle is closed, so the
match is to the most recent 560/4656 before the event in question.
To determine the name of the program used to open an object -
Event 560 AND Event 592 AND Process ID (common to both event IDs)
Event 4656 AND Event 4688 AND Process ID (common to both event IDs; in
4688 the field is New Process ID, and both values are shown in
hexadecimal)
4656 and 4663 also carry the Process Name directly; the 4688 link is still
needed for the 2003-era 560/592 pair and to see the creator (parent)
process and the account that started the program.
14. Object Operation - Correlation
Object Open and Access Attempted
Event ID 560 AND Event ID 567 AND Handle ID (Common in both
Event IDs)
Event ID 4656 AND Event ID 4663 AND Handle ID (Common in both
Event IDs)
Registry Key Open-Modified-Closed
Event ID 4656 AND Event ID 4657 AND Event ID 4658 (with Same
Handle ID)
15. Sample Object Access Event ID description
This is how an event generated on Object Access shown in event viewer
with detail mentioned.
Subject:
The user and logon session that performed the action.
Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer
name.
Logon ID: a semi-unique number (unique between reboots of that host) that
identifies the logon session. The Logon ID allows you to correlate
backwards to the logon event (4624) as well as with other events logged
during the same logon session.
16. Sample Object Access Event ID description contd
Object:
This is the object upon which the action was attempted.
Object Server: always "Security"
Object Type: "File" for file or folder but can be other types of objects
such as Key, SAM, SERVICE OBJECT, etc.
Object Name: The name of the object being accessed
Handle ID: is a semi-unique (unique between reboots) number that
identifies all subsequent audited events while the object is open.
Handle ID allows you to correlate to other events logged (Open 4656,
Access 4663, Close 4658)
Resource Attributes: (Win2012) Resource attributes a new feature
that allows you to classify objects according to any number of things
like project, compliance, security level. It's part of dynamic access
control new to Win2012.
17. Sample Object Access Event ID description contd
Process Information:
Process Name: identifies the program executable that accessed the object.
Process ID: is the process ID specified when the executable started as
logged in 4688.
Access Request Information:
Transaction ID: unknown.
Accesses: these are the permissions requested. They correspond to the
permissions available in the Permission Entry dialog for any access control
entry on the object.
Access Reasons: (Win2012) This lists each permission granted and the
reason behind - usually the relevant access control entry (in SDDL format).
18. Sample Object Access Event ID description contd
Access Mask: this is the bitwise equivalent of Accesses. The first column
below is the %%-coded message ID that appears in the Accesses field, the
second is the bit in the Access Mask, and the third is the right it grants.
Accesses code   Access Mask bit   Right
%%1537          0x10000           Delete
%%1538          0x20000           READ_CONTROL
%%1541          0x100000          Synchronize
%%4416          0x1               ReadData (or ListDirectory)
%%4417          0x2               WriteData (or AddFile)
%%4418          0x4               AppendData (or AddSubdirectory)
%%4419          0x8               ReadEA
%%4420          0x10              WriteEA
%%4423          0x80              ReadAttributes
%%4424          0x100             WriteAttributes
%%4432          0x1               Query Key Value (registry keys)
%%4433          0x2               Set Key Value (registry keys)
%%4434          0x4               Create Sub Key (registry keys)
The standard rights (0x10000 and above) mean the same for every object
type; the low bits are object-specific, so 0x1 is ReadData on a File but
Query Key Value on a Key and must be read together with the Object Type.
A mask of 0x6 on a file means WriteData (0x2) and AppendData (0x4) were
requested together.
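Decoding the Access Mask in practice, as an added example in Python (not code from the slides): the bit values are the Win32 standard rights and the FILE_*/KEY_* specific rights, the %%-codes are the message IDs the Accesses field shows, and the example goes beyond the table above by also handling Execute/Traverse, DeleteChild, WRITE_DAC and WRITE_OWNER and by decoding according to Object Type, since the low bits mean different things on a File and on a Key:

```python
"""Decode a 4656/4663 Access Mask into the rights it encodes.

Added example, not from the slides. Bit values are the Win32 standard rights
and the FILE_*/KEY_* specific rights; the %%-codes are the message-resource
IDs that appear in the event's Accesses field. Execute/Traverse, DeleteChild,
WRITE_DAC and WRITE_OWNER are included beyond the page's table.
"""

# Standard rights live in the high bits and mean the same for every Object Type.
STANDARD_RIGHTS = {
    0x10000:  ("%%1537", "DELETE"),
    0x20000:  ("%%1538", "READ_CONTROL"),
    0x40000:  ("%%1539", "WRITE_DAC"),
    0x80000:  ("%%1540", "WRITE_OWNER"),
    0x100000: ("%%1541", "SYNCHRONIZE"),
}

# Object-specific rights reuse the low 16 bits, so 0x1 is ReadData on a File
# but Query key value on a Key: the mask must be decoded with the Object Type.
SPECIFIC_RIGHTS = {
    "File": {
        0x1:   ("%%4416", "ReadData (or ListDirectory)"),
        0x2:   ("%%4417", "WriteData (or AddFile)"),
        0x4:   ("%%4418", "AppendData (or AddSubdirectory)"),
        0x8:   ("%%4419", "ReadEA"),
        0x10:  ("%%4420", "WriteEA"),
        0x20:  ("%%4421", "Execute/Traverse"),
        0x40:  ("%%4422", "DeleteChild"),
        0x80:  ("%%4423", "ReadAttributes"),
        0x100: ("%%4424", "WriteAttributes"),
    },
    "Key": {
        0x1: ("%%4432", "Query key value"),
        0x2: ("%%4433", "Set key value"),
        0x4: ("%%4434", "Create sub key"),
    },
}

# Rights that can change or remove the object: the ones worth alerting on.
MODIFYING = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "WriteData (or AddFile)",
             "AppendData (or AddSubdirectory)", "WriteEA", "DeleteChild",
             "WriteAttributes", "Set key value", "Create sub key"}


def decode_access_mask(mask, object_type="File"):
    """Return (list of right names, leftover bits not covered by the tables).

    `mask` may be the hex string as logged ("0x10080") or an int."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    table = {**STANDARD_RIGHTS, **SPECIFIC_RIGHTS[object_type]}
    names, leftover = [], mask
    for bit in sorted(table):
        if mask & bit:
            names.append(table[bit][1])
            leftover &= ~bit
    return names, leftover


def accesses_codes(mask, object_type="File"):
    """The %%-codes that the Accesses field of the same event would list."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    table = {**STANDARD_RIGHTS, **SPECIFIC_RIGHTS[object_type]}
    return [table[bit][0] for bit in sorted(table) if mask & bit]


def is_modifying(mask, object_type="File"):
    """Triage: did the request include any right that can change or remove the object?"""
    names, _ = decode_access_mask(mask, object_type)
    return any(n in MODIFYING for n in names)


if __name__ == "__main__":
    for m, t in (("0x10080", "File"), ("0x6", "File"), ("0x2", "Key"), ("0x1", "Key")):
        print(m, t, decode_access_mask(m, t), is_modifying(m, t))
```

A non-zero leftover value means the mask carried a bit the tables do not cover (for example a generic right such as GENERIC_READ); report it rather than silently dropping it.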
19. Sample Object Access Event ID description contd
Privileges Used For Access Check:
Lists any privileges requested. The only time I'm aware of this field being
filled in is when you take ownership of an object in which case you'll see
SeTakeOwnershipPrivilege.
Restricted SID Count: unknown.
20. Object Delete – User Search Correlation
To determine the subject (person) who deleted the object:-
Steps:-
The object deletion event (Event ID 564/4660) gives the Handle ID and the
Process ID of the deleting process. 4660 also carries the Subject (account
and Logon ID), whereas 564 does not; neither carries the object name.
Use that Handle ID (more precise than the Process ID, which a process
shares across every object it opens) to search for the preceding Object
Open event (Event ID 560/4656) with the same Handle ID on the same host.
Because handle values are reused once a handle is closed, take the latest
one before the deletion.
The Object Open event (560/4656) gives the object name, the Process ID and
the Primary Logon ID (Logon ID in 4656).
Now, search for the logon event (528/4624) on that hostname with that
Logon ID in inverted commas, combined with the AND logical operation (if
an event management tool is used).
It should give the logon event on the relevant host with the logon account
name, the logon type and, for remote logons, the source address.
21. Object Delete – User Search Correlation
Final Query: -
HOSTNAME = <hostname> AND "Logon ID:<logonID>" AND EVENTID =
528/4624
To determine the object deleted
To determine the name of the object deleted, look for a prior event
560/4656 with the same Handle ID on the same host; 564/4660 itself does
not contain the object name.
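The chain on slides 13, 14, 20 and 21 (Handle ID, Process ID and Logon ID correlation up to the account that deleted an object) as an added example in Python, not code from the original slides. EVENTS is constructed, normalised sample data; the field names (HandleId, SubjectLogonId, NewProcessId, TargetLogonId, ...) follow the event XML and are an assumption of this example. It also handles the handle-reuse case: the same Handle ID value appears earlier for a different file, so the lookup takes the latest 4656 before the 4660:

```python
"""Who deleted what: chain a 4660 back through Handle ID, Process ID and Logon ID.

Added example, not from the slides. EVENTS is constructed, normalised data;
the field names (HandleId, SubjectLogonId, NewProcessId, ...) follow the
event XML and are an assumption of this example.
"""

EVENTS = [  # constructed sample data, all on host FS01
    {"EventID": 4624, "Host": "FS01", "Time": "2024-03-01T08:30:00",
     "TargetUserName": "carol", "TargetLogonId": "0x7A9B2", "LogonType": 2},
    {"EventID": 4688, "Host": "FS01", "Time": "2024-03-01T08:31:00",
     "NewProcessId": "0x1a4c", "NewProcessName": r"C:\Windows\explorer.exe",
     "SubjectLogonId": "0x7A9B2"},
    # Earlier, unrelated use of the same handle value: handle IDs are reused
    # once a handle is closed, so the chain must pick the latest 4656.
    {"EventID": 4656, "Host": "FS01", "Time": "2024-03-01T08:40:00",
     "HandleId": "0x1d8", "ObjectName": r"C:\Temp\old.log", "ObjectType": "File",
     "ProcessId": "0x1a4c", "SubjectLogonId": "0x7A9B2", "AccessMask": "0x80"},
    {"EventID": 4658, "Host": "FS01", "Time": "2024-03-01T08:40:01",
     "HandleId": "0x1d8"},
    # The deletion under investigation: open with DELETE, use it, delete, close.
    {"EventID": 4656, "Host": "FS01", "Time": "2024-03-01T09:30:00",
     "HandleId": "0x1d8", "ObjectName": r"C:\Finance\Q1.xlsx", "ObjectType": "File",
     "ProcessId": "0x1a4c", "SubjectLogonId": "0x7A9B2", "AccessMask": "0x10080"},
    {"EventID": 4663, "Host": "FS01", "Time": "2024-03-01T09:30:00",
     "HandleId": "0x1d8", "AccessMask": "0x10000"},
    {"EventID": 4660, "Host": "FS01", "Time": "2024-03-01T09:30:01",
     "HandleId": "0x1d8", "ProcessId": "0x1a4c", "SubjectLogonId": "0x7A9B2"},
    {"EventID": 4658, "Host": "FS01", "Time": "2024-03-01T09:30:01",
     "HandleId": "0x1d8"},
]


def _latest_before(events, event_id, field, value, host, until):
    """Most recent event of `event_id` on `host` with event[field]==value at or
    before `until`. Handle IDs and Process IDs are reused, so 'latest' matters."""
    hits = [e for e in events if e["EventID"] == event_id and e["Host"] == host
            and e.get(field) == value and e["Time"] <= until]
    return max(hits, key=lambda e: e["Time"], default=None)


def handle_timeline(events, host, handle_id, opened_at):
    """All events sharing one Handle ID from its 4656 to the 4658 that closes it
    (the slide's Open -> Access/Modify -> Close correlation)."""
    out = []
    for e in sorted(events, key=lambda e: e["Time"]):  # stable: ties keep order
        if e["Host"] != host or e.get("HandleId") != handle_id or e["Time"] < opened_at:
            continue
        out.append(e)
        if e["EventID"] == 4658:
            break
    return out


def explain_delete(events, deletion):
    """Resolve a 4660 to object name, account, logon type and process."""
    host, when, hid = deletion["Host"], deletion["Time"], deletion["HandleId"]
    opened = _latest_before(events, 4656, "HandleId", hid, host, when)
    if opened is None:
        return None  # no SACL / audit policy, or the 4656 has rolled out of the log
    logon = _latest_before(events, 4624, "TargetLogonId", opened["SubjectLogonId"], host, when)
    proc = _latest_before(events, 4688, "NewProcessId", opened["ProcessId"], host, when)
    closed = next((e for e in handle_timeline(events, host, hid, opened["Time"])
                   if e["EventID"] == 4658), None)
    return {
        "object": opened["ObjectName"],
        "handle_id": hid,
        "logon_id": opened["SubjectLogonId"],
        "account": logon["TargetUserName"] if logon else None,
        "logon_type": logon["LogonType"] if logon else None,
        "process": proc["NewProcessName"] if proc else None,
        "opened_at": opened["Time"],
        "deleted_at": when,
        "closed_at": closed["Time"] if closed else None,
    }


if __name__ == "__main__":
    deletion = next(e for e in EVENTS if e["EventID"] == 4660)
    print(explain_delete(EVENTS, deletion))
```

Every lookup is bounded by host and by time, which is what makes the reused Handle ID and Process ID values safe to correlate on; a SIEM query that matches on the ID alone will return the earlier, unrelated open as well.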
22. General Search Queries
Interactive (non-network) logon events on a server
HOSTNAME = <Servername> AND EVENTID = 4624/528 AND
MESSAGE != "Logon Type: 3"
(type 3 is excluded because network logons, e.g. to shared folders, are
frequent and very short-lived; interactive, remote interactive and unlock
logons remain)
User login and logout duration
EVENTID = 528/4624 (logon event), EVENTID = 551/4647 or 538/4634 (logoff
event); link the two through the common Logon ID on the same host, since
Logon IDs are unique only between reboots of one host.
User X successfully logged on to a host:
EVENTID = 4624 AND USERNAME = <username> AND REMOTEHOST
= <ipaddress>
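The queries on slides 3, 4 and 22 (logon events with type 3 filtered out, session duration by Logon ID, and logons by user and source address) as an added example in Python, not part of the original slides. The records are constructed, SIEM-style normalised events; the field names (EventID, Host, Time, TargetUserName, TargetLogonId, LogonType, IpAddress) follow the 4624/4634 XML element names and are an assumption of this example:

```python
"""Logon-session correlation by Logon ID (added example, not from the slides).

The records below are constructed, SIEM-style normalised events; the field
names (EventID, Host, TargetLogonId, ...) are assumptions of this example and
follow the names in the 4624/4634 event XML rather than the MESSAGE text.
"""
from datetime import datetime

EVENTS = [  # constructed sample data
    # a network logon (type 3) that lasts two seconds: noise for session analysis
    {"EventID": 4624, "Host": "FS01", "Time": "2024-03-01T09:00:00",
     "TargetUserName": "alice", "LogonType": 3, "TargetLogonId": "0x3E7A1",
     "IpAddress": "10.0.0.5"},
    {"EventID": 4634, "Host": "FS01", "Time": "2024-03-01T09:00:02",
     "TargetLogonId": "0x3E7A1", "LogonType": 3},
    # a failed RDP attempt followed by a successful RDP session (type 10)
    {"EventID": 4625, "Host": "FS01", "Time": "2024-03-01T10:14:10",
     "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "Host": "FS01", "Time": "2024-03-01T10:15:00",
     "TargetUserName": "bob", "LogonType": 10, "TargetLogonId": "0x51C22",
     "IpAddress": "10.0.0.9"},
    {"EventID": 4647, "Host": "FS01", "Time": "2024-03-01T11:45:30",
     "TargetLogonId": "0x51C22"},
    {"EventID": 4634, "Host": "FS01", "Time": "2024-03-01T11:45:31",
     "TargetLogonId": "0x51C22", "LogonType": 10},
]

LOGOFF_IDS = {4634, 4647}  # 4647 = user-initiated logoff, 4634 = session ended


def _t(s):
    return datetime.fromisoformat(s)


def sessions(events, host, exclude_types=(3,)):
    """Pair each 4624 on `host` with the first 4647/4634 carrying the same
    Logon ID and return one dict per session (end/duration None if still open).
    Type 3 (network) logons are dropped by default, like the slide's
    MESSAGE != "Logon Type: 3" filter, because they are short-lived and noisy."""
    opened = {}
    for e in sorted(events, key=lambda e: e["Time"]):  # ISO-8601 sorts lexically
        if e["Host"] != host:
            continue
        if e["EventID"] == 4624 and e["LogonType"] not in exclude_types:
            opened[e["TargetLogonId"]] = {
                "user": e["TargetUserName"], "type": e["LogonType"],
                "ip": e.get("IpAddress", "-"), "start": e["Time"], "end": None,
            }
        elif e["EventID"] in LOGOFF_IDS:
            s = opened.get(e["TargetLogonId"])
            if s is not None and s["end"] is None:  # 4647 precedes 4634; keep the first
                s["end"] = e["Time"]
    out = []
    for logon_id, s in opened.items():
        dur = None if s["end"] is None else (_t(s["end"]) - _t(s["start"])).total_seconds()
        out.append({"logon_id": logon_id, **s, "duration_s": dur})
    return out


def logons_for(events, user, ip, success=True):
    """The slide's 'User X logged on / failed to log on from <ip>' queries."""
    eid = 4624 if success else 4625
    return [e for e in events
            if e["EventID"] == eid and e.get("TargetUserName") == user
            and e.get("IpAddress") == ip]


if __name__ == "__main__":
    for s in sessions(EVENTS, "FS01"):
        print(s)
    print(len(logons_for(EVENTS, "bob", "10.0.0.9", success=False)), "failed logon(s)")
```

Sessions are keyed by Logon ID only within one host, which is why the function takes the host as an argument; a session with end None is still open or has its logoff outside the collected window.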
23. General Search Queries
User account was changed
EVENTID = 4738 AND USERNAME = <username>
Attempt was made to change an account's password (by the account owner;
an administrative reset is logged as 4724)
EVENTID = 4723 AND USERNAME = <username>
User X failed to log on to a host (the Status/Sub Status fields give the
reason, e.g. bad password versus unknown user name):
EVENTID = 4625 AND USERNAME = <username> AND REMOTEHOST
= <ipaddress>
Check locked user account
EVENTID = 4740
(for domain accounts this is logged on the domain controller, and its
Caller Computer Name field identifies the host where the lockout
originated)
24. General Search Queries
Check failed authentication for a particular user from a particular remote
host
EVENTID = 4771 AND USERNAME = <username> AND REMOTEHOST
= <ipaddress-remotehost>
Event 4771 (Kerberos pre-authentication failed) is logged on the domain
controller, not on the host the user tried to reach; its Client Address
field is the source of the attempt and its Failure Code gives the reason
(0x18 for a wrong password).
Particular object requested by a user
EVENTID = 4656 AND OBJECTNAME = <objectname> AND
HOSTNAME = <full hostname> AND USERNAME = <username>
25. By
Mahendra Pratap Singh
Content in these slides is to the best of my understanding of the sources.
Thank You