Tracking Account Usage on Domain Environment
Operating Systems:
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
NTLM authentication validated by the domain controller (4776 is logged for failures as well as successes; the Error Code tells them apart):
4776: The computer attempted to validate the credentials for an account (on a domain controller this covers domain accounts; a member server logs the same ID for NTLM logons to its local accounts)
Logon Account: name of the account
Source Workstation: computer name where the logon attempt originated
Error Code (the EventData field is named Status; 0x0 means success):
C0000064 - user name does not exist
C000006A - user name is correct but the password is wrong
C0000234 - account is currently locked out
C0000072 - account is currently disabled
C000006F - logon attempted outside the account's permitted logon hours (day-of-week / time-of-day restriction)
C0000070 - workstation restriction (logon not allowed from this computer)
C0000193 - account has expired
C0000071 - password has expired
C0000224 - user is required to change the password at next logon
C0000225 - evidently a Windows bug rather than a security risk
Kerberos authentication handled by the domain controller (KDC):
4768: A Kerberos authentication ticket (TGT) was requested (Result Code 0x0 means the user authenticated; the same ID is logged with a non-zero Result Code when the TGT request fails)
Account Name: logon name of the account that requested the TGT
Client Address: IP address of the client that sent the request
4771: Kerberos pre-authentication failed
Account Name: logon name of the account whose pre-authentication failed (it did not authenticate)
Client Address: IP address of the client that sent the request
Failure Code: 0x18 - Pre-authentication information was invalid (in practice, almost always a wrong password)
4769: A Kerberos service ticket was requested (access to a server resource)
Account Name: logon name of the account that requested the ticket
Client Address: IP address of the client that sent the request
Service Name: the account name of the computer or service the ticket was requested for
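The following is an added example, not code from the original post: it decodes the 4776/4768/4771 status codes listed above and summarises authentication failures per account and source, which is the first pass when triaging a domain controller's Security log for password spraying or brute force. The sample events at the bottom are constructed XML in the shape that Get-WinEvent's ToXml() returns; the EventData field names (Status, TargetUserName, Workstation, IpAddress) are the real ones for these IDs. The Kerberos codes 0x6 and 0x12 are not on the page; they are KDC error codes from RFC 4120 added here, and the evtx path in the commented usage line is an assumed example.

```powershell
# Added example, not code from the original post: decode the 4776 / 4768 / 4771
# status codes and summarise authentication failures per account and source.
# Sample events below are constructed XML in the shape ToXml() returns.

# NTLM status codes (4776 "Error Code"), as listed in the post; 0x0 is success.
$NtlmStatus = @{
    '0x0'        = 'success'
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000193' = 'account expired'
    '0xc0000071' = 'password expired'
    '0xc0000224' = 'password change required at next logon'
}
# Kerberos result codes (4768 "Result Code", 4771 "Failure Code").  0x18 is the
# one on the page; 0x6 and 0x12 are KDC error codes from RFC 4120 added here.
$KerberosStatus = @{
    '0x0'  = 'success'
    '0x6'  = 'client principal unknown (KDC_ERR_C_PRINCIPAL_UNKNOWN)'
    '0x12' = 'client revoked, usually locked out or disabled (KDC_ERR_CLIENT_REVOKED)'
    '0x18' = 'pre-authentication failed, usually a wrong password (KDC_ERR_PREAUTH_FAILED)'
}

function ConvertFrom-EventXml {
    # Turns one event's XML (from EventLogRecord.ToXml() or a saved string) into a
    # flat object: EventID, TimeCreated and one property per <Data Name="..."> field.
    param([Parameter(Mandatory)][string]$Xml)
    $e = ([xml]$Xml).Event
    $id = $e.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID element carrying attributes
    $rec = [ordered]@{ EventID = [int]$id; TimeCreated = $e.System.TimeCreated.SystemTime }
    foreach ($d in $e.EventData.Data) { $rec[$d.Name] = $d.'#text' }
    [pscustomobject]$rec
}

function Get-AuthFailureSummary {
    # Groups failed 4776/4768/4771 events by account, source and decoded reason.
    param([Parameter(Mandatory)][object[]]$Events)
    $rows = foreach ($ev in $Events) {
        $status = ([string]$ev.Status).ToLower()
        if ($status -eq '0x0') { continue }                      # successful validation
        if ($ev.EventID -eq 4776) {
            $proto = 'NTLM';     $src = $ev.Workstation; $reason = $NtlmStatus[$status]
        } elseif ($ev.EventID -in 4768, 4771) {
            $proto = 'Kerberos'; $src = $ev.IpAddress;   $reason = $KerberosStatus[$status]
        } else { continue }                                      # not an authentication event
        if (-not $reason) { $reason = "unmapped status $status" }
        [pscustomobject]@{ Account = $ev.TargetUserName; Source = $src; Protocol = $proto; Reason = $reason }
    }
    $rows | Group-Object Account, Source, Protocol, Reason | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{ Account = $first.Account; Source = $first.Source; Protocol = $first.Protocol
                           Reason = $first.Reason; Count = $_.Count }
    } | Sort-Object Count -Descending
}

function New-SampleEventXml {
    # Builds a minimal event XML string in the ToXml() shape (constructed test data only).
    param([int]$Id, [System.Collections.IDictionary]$Data)
    $fields = foreach ($k in $Data.Keys) { "<Data Name=`"$k`">$($Data[$k])</Data>" }
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='2018-04-16T01:00:00.000Z'/></System><EventData>$($fields -join '')</EventData></Event>"
}

# Constructed sample: a short spray against alice, a lockout, a nonexistent
# account, a wrong Kerberos password from one client, and one success.
$SampleEvents = @(
    (New-SampleEventXml 4776 @{ TargetUserName = 'alice';  Workstation = 'WS01'; Status = '0xc000006a' })
    (New-SampleEventXml 4776 @{ TargetUserName = 'alice';  Workstation = 'WS01'; Status = '0xc000006a' })
    (New-SampleEventXml 4776 @{ TargetUserName = 'alice';  Workstation = 'WS01'; Status = '0xc000006a' })
    (New-SampleEventXml 4776 @{ TargetUserName = 'bob';    Workstation = 'WS02'; Status = '0xC0000234' })
    (New-SampleEventXml 4776 @{ TargetUserName = 'nosuch'; Workstation = 'WS02'; Status = '0xc0000064' })
    (New-SampleEventXml 4771 @{ TargetUserName = 'carol';  IpAddress = '::ffff:10.0.0.5'; Status = '0x18' })
    (New-SampleEventXml 4771 @{ TargetUserName = 'carol';  IpAddress = '::ffff:10.0.0.5'; Status = '0x18' })
    (New-SampleEventXml 4768 @{ TargetUserName = 'dave';   IpAddress = '::ffff:10.0.0.7'; Status = '0x0'  })
) | ForEach-Object { ConvertFrom-EventXml $_ }

Get-AuthFailureSummary -Events $SampleEvents | Format-Table -AutoSize

# Against a real saved DC log, parse the same way (the path is an assumed example):
# $Events = Get-WinEvent -FilterHashtable @{ Path = 'D:\Sample_Event_Log\DC\Security.evtx'; Id = 4776, 4768, 4771 } |
#           ForEach-Object { ConvertFrom-EventXml $_.ToXml() }
# Get-AuthFailureSummary -Events $Events | Where-Object Count -ge 5
```

The status values are lower-cased before lookup because 4776 writes them as 0xc000006a while some tooling renders them as 0xC000006A; successes (0x0) are dropped so that the table only shows what needs explaining. A single account failing from many workstations, or many accounts failing once each from one source, stand out immediately in the grouped output.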
My Digital Forensics - Malaysia ;)
Digital Forensics and Threat Hunting Resources.
Monday, April 16, 2018
Tracking Account Usage on Local Windows System
Tracking account usage for known compromised accounts.
Event IDs:
4624: An account was successfully logged on
4625: An account failed to log on
4634: An account was logged off
4647: User initiated logoff
4648: A logon was attempted using explicit credentials (Runas)
4672: Special privileges assigned to new logon (the account logged on with administrator-equivalent privileges)
4720: A user account was created
4778: A session was reconnected to a Window Station
4779: A session was disconnected from a Window Station
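As an added example that is not part of the original post, the script below builds a timeline of every event in the list above that names one account, read directly from a saved Security.evtx with the same Get-WinEvent and ToXml() approach used in this blog's "PowerShell: Offline Windows Event Logs Analysis - Part 1" post. The log path and the account name are placeholders to replace; the EventData field names are the real ones for these IDs (4778/4779 store the account in AccountName, 4672 only in SubjectUserName, and 4720 names the created account in TargetUserName, which is why the XPath matches all three fields).

```powershell
# Added example, not code from the original post: one-account timeline across the
# logon/logoff/privilege/session events listed above, from a saved Security.evtx.

$LogPath = 'D:\Sample_Event_Log\Win7\Security.evtx'   # assumed location of the copied log (placeholder)
$Account = 'mimi'                                      # known compromised account (placeholder)

# Logon Type values as documented by Microsoft for 4624/4625.
$LogonTypeName = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
    '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive'
}

# The XPath filter runs inside the event log engine, so the file is read once and
# only matching records come back.  Values compare case-sensitively, and the account
# name is interpolated into the query, so it must not contain an apostrophe.
$Ids = 4624, 4625, 4634, 4647, 4648, 4672, 4720, 4778, 4779
$IdPredicate = ($Ids | ForEach-Object { "EventID=$_" }) -join ' or '
$XPath = "*[System[($IdPredicate)] and EventData[" +
         "Data[@Name='TargetUserName']='$Account' or " +
         "Data[@Name='SubjectUserName']='$Account' or " +
         "Data[@Name='AccountName']='$Account']]"

$Timeline = foreach ($ev in (Get-WinEvent -Path $LogPath -FilterXPath $XPath -Oldest -ErrorAction SilentlyContinue)) {
    # Flatten the <Data Name="..."> elements into a name -> value table.
    $d = @{}
    foreach ($x in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }

    $lt = $d['LogonType']
    $detail = switch ($ev.Id) {
        4625 { "failed: status $($d['Status']) sub-status $($d['SubStatus'])" }
        4648 { "explicit credentials to $($d['TargetServerName']) from process $($d['ProcessName'])" }
        4672 { (($d['PrivilegeList'] -split '\s+') | Where-Object { $_ }) -join ',' }
        4720 { "account created by $($d['SubjectUserName'])" }
        { $_ -in 4778, 4779 } { "session $($d['SessionName']) from $($d['ClientName']) ($($d['ClientAddress']))" }
        default { '' }
    }
    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Id        = $ev.Id
        Subject   = $d['SubjectUserName']
        Target    = if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['AccountName'] }
        LogonType = if ($lt) { "$lt $($LogonTypeName[$lt])" } else { '' }
        LogonId   = if ($d['TargetLogonId']) { $d['TargetLogonId'] } else { $d['SubjectLogonId'] }
        Source    = if ($d['IpAddress']) { $d['IpAddress'] }
                    elseif ($d['ClientAddress']) { $d['ClientAddress'] }
                    else { $d['WorkstationName'] }
        Detail    = $detail
    }
}

$Timeline | Format-Table -AutoSize
$Timeline | Export-Csv "$Account-account-timeline.csv" -NoTypeInformation
```

The LogonId column is what ties the rows together: a 4624 and its later 4634/4647 share the same logon ID, and a 4672 logged immediately after a 4624 with the same ID tells you the session started with administrative privileges. Filtering the output to LogonType 10 isolates the account's RDP sessions, and the 4778/4779 rows show when those sessions were reconnected or disconnected and from which client.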
Wednesday, October 19, 2016
Windows security audit events: This spreadsheet details the security audit events for Windows
Note to myself:
You can use Windows security and system logs to record and store collected security events so that you can track key system and network activities to monitor potentially harmful behaviors and to mitigate those risks. You customize system log events by configuring auditing based on categories of security events such as changes to user account and resource permissions, failed attempts for user logon, failed attempts to access resources, and attempts to modify system files. The information in this download can help you analyze the data included in event log data.
https://www.microsoft.com/en-us/download/details.aspx?id=50034
https://download.microsoft.com/download/8/E/1/8E11AD26-98A1-4EE3-9F7F-1DB4EB18BADF/WindowsSecurityAuditEvents.xlsx
Friday, April 24, 2015
PowerShell: Offline Windows Event Logs Analysis - Part 1
1. You already have a raw copy of the Windows event log files, extracted from the server with forensic tools.
Default Event Log Location:
Windows Server 2003 Operating System : %WinDir%\System32\Config (legacy .evt files)
Windows Server 2008, 2012 R2 Operating System : %WinDir%\System32\Winevt\Logs (.evtx files)
2. Repair the Event log! (The header repair described below applies to the legacy .evt format.)
If the file was not properly closed, the four fields will not have been synched and the file status byte will be odd. When you attempt to open such a file with any viewer reliant upon the event log API, it will be reported as corrupt. This frequently occurs in forensics when you pull the plug or do a live acquisition. EnCase doesn't rely upon that API and will parse them without repair. If you wish to use them in a viewer reliant upon the event log API, you'll need to repair the header.
To repair the event log file, you simply need to copy the four fields from the floating footer into their corresponding location in the header and then set the file status byte to any even value. Save and you are done. It's really that simple. (http://www.stevebunting.org/udpd4n6/forensics/repaireventlogfile.htm)
Automated Windows Event Log Repair Tools:
http://www.cwflynt.com/logFixer
http://murphey.org/fixevt.html
3. Extracting the XML event data from a saved Windows event log
Note: Please run the command line by line so that you can see what it does and the output result.
# Analyzing one event message from event log
# Extract one Security.evtx event with ID "4624" (logon activity) from the full path of the saved log file, and assign it to the "$Event" variable.
PS C:\Users\mimi> $Event = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624} -MaxEvents 1
# We then view the event properties.
PS C:\Users\mimi> $Event | Format-List *
# We can view the array of message body values, but the property names are missing.
PS C:\Users\mimi> $Event.Properties
# Now we convert the event to XML and assign the value to "$eventXML" variable.
PS C:\Users\mimi> $eventXML = [xml]$Event.ToXml()
# Voilà: now we get every data field of the message, with its name, from the XML.
PS C:\Users\mimi> $eventXML.Event.EventData.Data
# Individual data elements are accessed by index; each carries its field name in the Name attribute and its value in '#text'.
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].name
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].'#text'
-----------------------------------------------------------------------------------------
Full running code:
1. Change the "Path" to the location of your Windows event log and save the PowerShell code below as "Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1"
-----------BEGIN-----------
#Extract Security.evtx event id 4624 - Logon Activities
#------------------------------------------------------
# Extract Security.evtx event id "4624" for logon activities from the full path to the saved log file name.
$Events = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624}
# Assign the Output file to store the output result.
$OutputFile = "D:\Sample_Event_Log\Win7\Security_Evtx_Event_ID_4624_output.csv"
# Parse out the event message data
ForEach ($Event in $Events)
{
# Convert the event to XML
$eventXML = [xml]$Event.ToXml()
# Iterate through each one of the XML message properties
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
{
# Append these as object properties
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
}
}
# View the results with your favorite output method
#$Events | Select-Object * | Out-GridView
$Events | Select-Object TimeCreated,MachineName,LogName,Id,SubjectLogonId,TargetUserName,TargetDomainName,WorkstationName,IpAddress,LogonType | Export-Csv $OutputFile -NoType
-----------END-----------
Run it
PS C:\Users\mimi> .\Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1
References:
https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors/
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
https://gallery.technet.microsoft.com/scriptcenter/Log-Parser-to-Identify-8aac36bd
Friday, March 20, 2015
Remote Desktop Protocol (RDP) Logging and Tracking sessions Logon/Logoff activity
Applies To:
Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Vista
Windows Event Log: Security Event
File Location : %windir%\system32\config\SecEvent.Evt
Event ID: 528 - A user successfully logged on to a computer. The Logon Type field in the event records how the user logged on; the value that identifies a Remote Desktop session is:
Type: 10 - RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
On Windows Vista / Windows Server 2008 and later, the equivalent record is event 4624 with Logon Type 10 in Security.evtx, with 4778 and 4779 logging session reconnects and disconnects.
More on Remote Desktop Services Availability
Thursday, February 26, 2015
The New Way to Look at User Properties
The Active Directory Administrative Center is another new component introduced by Windows Server 2008 R2. Many admins gave it a glance, thought to themselves "another ADUC, why bother?", and went back to their familiar old tool. If you like acctinfo.dll though, you should like ADAC.
With Win7 RSAT installed and the AD tools enabled (or RDP'ed into your Win2008 R2 servers for AD administration), run DSAC.EXE. You'll see this:
Here is the detailed explanation from the expert: http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx
Tuesday, October 21, 2014
Tracing User Activities
It would be great to have one tool that can tell us what a user has done on a computer, by date!
Maybe we can start with this tool.
Name: LastActivityView by Nirsoft
URL: http://www.nirsoft.net/utils/computer_activity_view.htm
Description:
LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...