Monday, April 16, 2018

Tracking Account Usage on Domain Environment

Operating Systems:
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10

Domain controller validates a user's credentials via the NTLM protocol (logged for both success and failure):
4776: The domain controller attempted to validate the credentials for an account
      Logon Account: name of the account
      Source Workstation: computer name where logon attempt originated
      Error Code:
            C0000064 - user name does not exist
            C000006A - user name is correct but the password is wrong
            C0000234 - user is currently locked out
            C0000072 - account is currently disabled
            C000006F - user tried to log on outside the account's permitted days of the week or times of day
            C0000070 - workstation restriction
            C0000193 - account expiration
            C0000071 - expired password
            C0000224 - user is required to change password at next logon
            C0000225 - evidently a bug in Windows and not a risk

Domain controller authenticates a user via the Kerberos protocol:

4768: A Kerberos authentication ticket (TGT) was requested (successful logon)
      Account Name:  logon name of the account that just authenticated
      Client Address:  IP address where the user is present

4771: Kerberos pre-authentication failed
      Account Name:  logon name of the account that attempted to authenticate
      Client Address:  IP address where the user is present
      Failure Code: 0x18 - Pre-authentication information was invalid (usually a wrong password)
4769: A Kerberos service ticket was requested (access to server resources)
      Account Name:  logon name of the account that just requested the ticket
      Client Address:  IP address where the user is present
      Service Name:  the account name of the computer or service the user is requesting the ticket for
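An added example (not part of the original post) that turns the two sections above into a failed-authentication summary for a domain controller's exported Security.evtx: it reads 4776 and 4771, maps the status codes listed above to their meanings, and groups the failures by account and by source. It assumes PowerShell 3.0 or later; the log path is a placeholder for your own copy.

```powershell
# Added example (not from the original post): summarise failed credential
# validations on a domain controller from a saved Security.evtx, using the
# NTLM (4776) status codes and Kerberos (4771) failure code listed above.
# Assumes PowerShell 3.0+; the log path is a placeholder for your exported copy.
$LogPath = 'D:\Sample_Event_Log\DC\Security.evtx'
# Meanings of the codes from the sections above (Get-WinEvent reports them as lowercase hex).
$StatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'user name correct but password wrong'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside day/time restrictions'
    '0xc0000070' = 'workstation restriction'
    '0xc0000193' = 'account expired'
    '0xc0000071' = 'password expired'
    '0xc0000224' = 'must change password at next logon'
    '0x18'       = 'Kerberos pre-authentication information was invalid'
}
# Flatten one event's EventData into a name -> value hashtable (the post's ToXml
# technique, keyed by each Data element's Name attribute instead of its index).
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}
$Failures = Get-WinEvent -FilterHashtable @{Path=$LogPath; Id=4776,4771} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        $status = "$($d['Status'])".ToLower()        # empty string if the field is absent
        # 4776 logs successes too (Status 0x0); 4771 is always a failure.
        if ($_.Id -eq 4776 -and $status -eq '0x0') { return }
        # NTLM names the originating computer; Kerberos gives the client address.
        $source = if ($_.Id -eq 4776) { $d['Workstation'] } else { $d['IpAddress'] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $d['TargetUserName']
            Source  = $source
            Status  = $status
            Meaning = $StatusText[$status]
        }
    }
# Per-account spread of failure reasons: a pile of 'password wrong' against one
# account is guessing; 'user name does not exist' from one source is enumeration.
$Failures | Group-Object Account, Meaning | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
# Sources that failed against more than five distinct accounts (a spray pattern worth investigating).
$Failures | Group-Object Source |
    Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -gt 5 } |
    Select-Object Name, Count | Format-Table -AutoSize
```

The threshold of five distinct accounts is an arbitrary starting point; tune it to the size of the environment before using it as an alert.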

Tracking Account Usage on Local Windows System

Tracking account usage for known compromised accounts.

Event IDs:
4624: An account was successfully logged on
4625: An account failed to log on
4634: An account was logged off
4647: User initiated logoff
4648: A logon was attempted using explicit credentials (Runas)
4672: Special privileges assigned to new logon (the account logged on with administrator-level rights)
4720: A user account was created

4778: A session was reconnected to a Window Station
4779: A session was disconnected from a Window Station
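An added example (not part of the original post) that uses the event IDs listed above to build a session timeline from an exported Security.evtx: each 4624 is paired with the 4634 or 4647 that carries the same TargetLogonId, so you get logon time, logoff time, duration, logon type (10 = RDP) and source address per session. It assumes PowerShell 3.0 or later; the log path and the list of reported logon types are placeholders you can change.

```powershell
# Added example (not from the original post): build a logon-session timeline from
# a saved Security.evtx by pairing each 4624 with the 4634/4647 carrying the same
# TargetLogonId. Assumes PowerShell 3.0+; the log path is a placeholder.
$LogPath = 'D:\Sample_Event_Log\Win7\Security.evtx'
# Logon types to report; 3 (Network) is left out because it is very noisy. Set to $null for all.
$WantedTypes = @('2', '7', '10', '11')
# Logon type numbers as documented for 4624 (10 = RDP / Terminal Services).
$LogonType = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock';
                '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'; '11'='CachedInteractive' }

# Read one named EventData field via the XML form of the event (the post's ToXml approach).
function Get-Field($Event, $Name) {
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Sessions = @{}   # TargetLogonId -> session record
$Events = Get-WinEvent -FilterHashtable @{Path=$LogPath; Id=4624,4634,4647} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated
foreach ($e in $Events) {
    $id = Get-Field $e 'TargetLogonId'
    if (-not $id) { continue }
    if ($e.Id -eq 4624) {
        $type = Get-Field $e 'LogonType'
        if ($WantedTypes -and $type -notin $WantedTypes) { continue }
        $Sessions[$id] = [pscustomobject]@{
            LogonTime  = $e.TimeCreated
            LogoffTime = $null
            Duration   = $null
            User       = (Get-Field $e 'TargetDomainName') + '\' + (Get-Field $e 'TargetUserName')
            Type       = "$type ($($LogonType[$type]))"
            Source     = Get-Field $e 'IpAddress'     # '-' for local console logons
            LogonId    = $id
        }
    }
    elseif ($Sessions.ContainsKey($id)) {
        # 4634 / 4647 close the session; one with no logoff is still open or the log was cut.
        $s = $Sessions[$id]
        $s.LogoffTime = $e.TimeCreated
        $s.Duration   = $e.TimeCreated - $s.LogonTime
    }
}

# Sessions with an empty LogoffTime never received a 4634/4647 in this log.
$Sessions.Values | Sort-Object LogonTime | Format-Table -AutoSize
```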

Wednesday, October 19, 2016

Windows security audit events: This spreadsheet details the security audit events for Windows


Note to myself:

You can use Windows security and system logs to record and store collected security events so that you can track key system and network activities to monitor potentially harmful behaviors and to mitigate those risks. You customize system log events by configuring auditing based on categories of security events such as changes to user account and resource permissions, failed attempts for user logon, failed attempts to access resources, and attempts to modify system files. The information in this download can help you analyze the data included in event log data.

https://www.microsoft.com/en-us/download/details.aspx?id=50034
https://download.microsoft.com/download/8/E/1/8E11AD26-98A1-4EE3-9F7F-1DB4EB18BADF/WindowsSecurityAuditEvents.xlsx

Friday, April 24, 2015

PowerShell: Offline Windows Event Logs Analysis - Part 1

1. You already have the raw Windows Event Log copied out from the server using forensics tools.
Default Event Log Location:
Windows Server 2003 Operating System : %WinDir%\System32\Config
Windows Server 2008, 2012 R2 Operating System : %WinDir%\System32\Winevt\Logs


2. Repair the Event log!
If the file was not properly closed, the four fields will not have been synched and the file status byte will be odd.  When you attempt to open such a file with any viewer reliant upon the event log API, it will be reported as corrupt.  This frequently occurs in forensics when you pull the plug or do a live acquisition.  EnCase doesn't rely upon that API and will parse them without repair.  If you wish to use them in a viewer reliant upon the event log API, you'll need to repair the header.
To repair the event log file, you simply need to copy the four fields from the floating footer into their corresponding location in the header and then set the file status byte to any even value. Save and you are done.  It's really that simple. (http://www.stevebunting.org/udpd4n6/forensics/repaireventlogfile.htm)


Automated Windows Event Log Repair Tool:
    http://www.cwflynt.com/logFixer
    http://murphey.org/fixevt.html


3. Extracting the XML event log information from a saved Windows event log
Note: Please run the commands line by line so that you can see what each one does and what it outputs.

# Analyzing one event message from event log
# Extract Security.evtx event id "4624" for logon activities from the full path to the saved log file name. Here we assigned the value to "$Event" variable.
PS C:\Users\mimi> $Event = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624} -MaxEvents 1

# We then view the event properties.
PS C:\Users\mimi> $Event | Format-List *

# Now we can view the array of message body values, however the property names are missing.
PS C:\Users\mimi> $Event.Properties

# Now we convert the event to XML and assign the value to "$eventXML" variable.
PS C:\Users\mimi> $eventXML = [xml]$Event.ToXml()

# Voila, now we get all the XML information from the message.
PS C:\Users\mimi> $eventXML.Event.EventData.Data

# To access a single data element, we index into the array (name attribute and text value).
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].name
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].'#text'


-----------------------------------------------------------------------------------------

Full running code:
1. Change the "Path" location to your Windows Event Log and save the PowerShell code below as "Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1"


-----------BEGIN-----------
#Extract Security.evtx event id 4624 - Logon Activities
#------------------------------------------------------

# Extract Security.evtx event id "4624" for logon activities from the full path to the saved log file name.
$Events = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624}

# Assign the Output file to store the output result.
$OutputFile = "D:\Sample_Event_Log\Win7\Security_Evtx_Event_ID_4624_output.csv"

# Parse out the event message data
ForEach ($Event in $Events)
{
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()

    # Iterate through each one of the XML message properties
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    {
        # Append these as object properties
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}

# View the results with your favorite output method
#$Events | Select-Object * | Out-GridView
$Events | Select-Object TimeCreated,MachineName,LogName,Id,SubjectLogonId,TargetUserName,TargetDomainName,WorkstationName,IpAddress,LogonType | Export-Csv $OutputFile -NoType

-----------END-----------
Run it:
PS C:\Users\mimi> .\Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1

References:
https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors/
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
https://gallery.technet.microsoft.com/scriptcenter/Log-Parser-to-Identify-8aac36bd

Friday, March 20, 2015

Remote Desktop Protocol (RDP) Logging: Tracking Session Logon/Logoff Activity

Applies To:
Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Vista

Windows Event Log: Security Event
File Location : %windir%\system32\config\SecEvent.Evt
Event ID: 528 - A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
Type: 10 - RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.

More on Remote Desktop Services Availability

Thursday, February 26, 2015

The New Way to Look at Users Properties

The Active Directory Administrative Center is another new component introduced by Windows Server 2008 R2. Many admins gave it a glance, thought to themselves "another ADUC, why bother?", and went back to their familiar old tool. If you like acctinfo.dll though, you should like ADAC.

With Win7 RSAT installed and the AD tools enabled (or RDP'ed into your Win2008 R2 servers for AD administration), run DSAC.EXE. You'll see this:

Here is the detailed explanation from the expert: http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx

Tuesday, October 21, 2014

Tracing User Activities

It would be great to have one tool that can tell us what activities a user performed on a computer, based on date!

Maybe we can start with this tool.

Name: LastActivityView by Nirsoft
URL: http://www.nirsoft.net/utils/computer_activity_view.htm


Description:
LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on the computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...