1. Windows Event Analysis Correlation for Investigation

Mahendra Pratap Singh, MS Cyber Law & Security, Lead Auditor ISO 27001, Team Whitehat People
Email: [email protected]
LinkedIn: www.linkedin.com/in/mpsingrathore
Facebook: www.facebook.com/mpsinghrathore1
Website: www.mpsinghrathore.com
Twitter: @mpsinghrathore
2. Introduction

Windows Events give an opportunity to look into Microsoft Windows machines for troubleshooting as well as for security analysis and investigation, and they are the best and most important place to start when a security incident occurs. Windows machines generate events for all user activities and for activities related to the applications and OS running on them. The ability to find the right event through its Event ID, and to link it with other Event IDs through common parameters generated in the course of the same action (user-based, application or OS), shows the action performed and the processes executed on the machine. Windows event analysis is useful for information security incident investigation as well as for audit purposes.

3. Login and Logout Events

Event IDs 528 and 4624 indicate a successful login on Windows 2003/XP and Windows 2008/2012 respectively. Event IDs 551/4647 are generated when a user logs off, whether from a network connection or manually from the keyboard. Event IDs 538/4634 generally follow these when a user logs off from a Windows machine. Logon event ID 528/4624 shows important details: the user ID, the domain in which the user logged in, Logon Type, Logon ID, time of logon, workstation name and which process was used for authentication; it also shows the source IP address and source port when the logon was remote.

4. Login and Logout Events

Other than the direct information given in the login event, two main and very important fields are Logon ID and Logon Type. The Logon ID is used to correlate to many other Event IDs generated during the logon session; using it, we find the user who performed any particular action during that session. Similarly, the Logon Type shows the method by which the user logged in to the Windows machine: network logon (RDP), interactive logon (through keyboard), batch, etc.

5. Logon Types

Logon Type 2, Interactive: We see type 2 logons when a user attempts to log on using the local keyboard and screen, whether with a domain account or a local account from the computer's local SAM. To find the difference between an attempt to log on with a local or a domain account, look for the domain or computer name preceding the user name in the event's description.

Logon Type 3, Network: Windows logs logon type 3 in most cases when we access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.

6. Logon Types

Logon Type 4, Batch: When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4.

Logon Type 5, Service: Similar to scheduled tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account, which results in a Logon/Logoff event with logon type 5.

7. Logon Types

Logon Type 7, Unlock: When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event, but in this case the logon type will be 7, identifying the event as a workstation unlock attempt.

Logon Type 8, Network Clear Text: This logon type indicates a network logon like logon type 3, but one where the password was sent over the network in clear text.

8. Logon Types

Logon Type 9, New Credentials: If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a Logon/Logoff event with logon type 9.

Logon Type 10, Remote Interactive: When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session.

9. Logon Types
Logon Type 11, Cached Interactive: Windows supports a feature called Cached Logons which facilitates mobile users. When you are not connected to your organization's network and attempt to log on to your laptop with a domain account, there is no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later, when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to log on with a domain account.

10. Object Operation (Access, Open, Delete, Handle)

On Windows machines, object access and the operations performed on objects are audited according to the audit policies enforced on the host, through the Domain Controller if the machine is in a domain environment. Any particular file or folder that needs to be monitored or investigated through Windows events must be enabled for auditing through the Windows audit policies. If that is done, any attempt to access, modify, delete or move it will generate Windows events, and through these events we can track user activity and operations.

11. Object Operation (Access, Open, Delete, Handle)

560 (4656) Object Open: logged whenever a program opens an object. In Windows, a program first opens an object, requesting certain types of access (i.e. read and/or write). Windows compares the object's ACL to the program's access token, which identifies the user and the groups to which the user belongs. The open may succeed or fail depending on this comparison. Regardless, Windows then checks the audit policy of the object. If the policy enables auditing for that user, the type of access requested and the success/failure result, Windows generates event 560. In the case of failed access attempts, event 560/4656 is the only event recorded.

12. Object Operation (Access, Open, Delete, Handle)

567 (4657, 4663) Object Access Attempt: logs the actual permissions exercised by the user/program on the object after opening it. Event 567 asserts that the accesses obtained for an object in event 560 were actually used.

562 (4658) Handle Closed: after successfully opening an object, a program eventually closes it, which is documented by event 562/4658. Event 562 helps you determine how long the object was open. For this event to be useful you must link it back to the earlier event ID 560 (Object Open) with the same Handle ID.

13. Object Operation - Correlation

New Handle ID: When a program opens an object it obtains a handle to the file, which it uses in subsequent operations on the object. We can link an event to the other events involving the same session of access to an object by the program by looking for events with the same Handle ID.

To determine the name of the program used to open an object:
Event 560 AND Event 592 AND Process ID (common in both Event IDs)
Event 4656 AND Event 4688 AND Process ID (common in both Event IDs)

14. Object Operation - Correlation

Object Open and Access Attempted:
Event ID 560 AND Event ID 567 AND Handle ID (common in both Event IDs)
Event ID 4656 AND Event ID 4663 AND Handle ID (common in both Event IDs)

Registry Key Open-Modified-Closed:
Event ID 4656 AND Event ID 4657 AND Event ID 4658 (with the same Handle ID)

15. Sample Object Access Event ID description

This is how an event generated on object access is shown in Event Viewer, with each field explained.

Subject: The user and logon session that performed the action.
Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or, in the case of local accounts, the computer name.
Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. The Logon ID allows you to correlate backwards to the logon event (4624) as well as with the other events logged during the same logon session.

16. Sample Object Access Event ID description contd

Object: This is the object upon which the action was attempted.
Object Server: Always "Security".
Object Type: "File" for a file or folder, but it can be other types of object such as Key, SAM, SERVICE OBJECT, etc.
Object Name: The name of the object being accessed.
Handle ID: A semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. The Handle ID allows you to correlate to the other events logged (Open 4656, Access 4663, Close 4658).
Resource Attributes: (Win2012) Resource attributes are a new feature that allows you to classify objects according to any number of things like project, compliance or security level. It is part of Dynamic Access Control, new to Win2012.
17. Sample Object Access Event ID description contd

Process Information:
Process Name: Identifies the program executable that accessed the object.
Process ID: The process ID specified when the executable started, as logged in 4688.

Access Request Information:
Transaction ID: Unknown.
Accesses: These are the permissions requested. They correspond to the permissions available in the Permission Entry dialog for any access control entry on the object.
Access Reasons: (Win2012) This lists each permission granted and the reason behind it, usually the relevant access control entry (in SDDL format).

18. Sample Object Access Event ID description contd

Access Mask: This is the bitwise equivalent of Accesses.

Access Mask Number   Access Mask   Action
1537                 0x10000       Delete
1538                               READ_CONTROL
1541                               Synchronize
4416                 0x1           ReadData (or List Directory)
4417                 0x6           WriteData (or Add File) (0x2 on Windows 2008 Server)
4418                 0x4           AppendData (or AddSubdirectory)
4419                               ReadEA
4420                               WriteEA
4423                               ReadAttributes
4424                               WriteAttributes
4432                 0x1           Query Key Value
4433                 0x2           Set Key Value
4434                 0x4           Create Sub Key
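The correlations of slides 12 to 18 (Handle ID linking Open 4656, Access 4663 and Close 4658; Process ID linking 4656 to the 4688 that names the program; Logon ID linking back to the 4624 subject; Access Mask expanded into the Actions of the table above) carried out in code, as an added example that is not part of the presentation. The event records are constructed samples in an assumed dictionary shape, and only the mask bits the slide gives a hex value for are decoded; a real investigation would load the records from an Event Viewer or SIEM export.

```python
"""Correlate object-access audit events by Handle ID, Process ID and Logon ID.

Added example, not code from the original deck. The events below are
constructed sample records shaped like the fields the slides describe
(Event ID, Handle ID, Process ID, Logon ID, Access Mask); real logs would
be parsed from an Event Viewer / SIEM export instead.
"""
from datetime import datetime

# Access Mask bits for file objects, taken from the slide 18 table.
# Only the masks the slide gives a hex value for are included.
FILE_ACCESS_MASK = {
    0x10000: "Delete",
    0x1: "ReadData (or List Directory)",
    0x2: "WriteData (or Add File)",   # 0x2 on Windows 2008 Server per the slide
    0x4: "AppendData (or AddSubdirectory)",
}

# Constructed sample events: one logon session opens a file, exercises the
# Delete access it asked for, and closes the handle. Field names are assumed.
EVENTS = [
    {"id": 4624, "time": "2014-03-01 09:00:00", "logon_id": "0x3E7A1", "account": "jdoe",
     "domain": "CORP", "logon_type": 10, "host": "FS01"},
    {"id": 4688, "time": "2014-03-01 09:01:10", "logon_id": "0x3E7A1", "pid": "0x1a4",
     "process": r"C:\Windows\explorer.exe", "host": "FS01"},
    {"id": 4656, "time": "2014-03-01 09:02:00", "logon_id": "0x3E7A1", "pid": "0x1a4",
     "handle": "0x2f8", "object": r"C:\Finance\budget.xlsx", "access_mask": 0x10001, "host": "FS01"},
    {"id": 4663, "time": "2014-03-01 09:02:01", "logon_id": "0x3E7A1", "pid": "0x1a4",
     "handle": "0x2f8", "object": r"C:\Finance\budget.xlsx", "access_mask": 0x10000, "host": "FS01"},
    {"id": 4658, "time": "2014-03-01 09:02:05", "logon_id": "0x3E7A1", "pid": "0x1a4",
     "handle": "0x2f8", "host": "FS01"},
]


def decode_access_mask(mask, table=FILE_ACCESS_MASK):
    """Expand an Access Mask into the Action names of the slide 18 table."""
    return [name for bit, name in table.items() if mask & bit]


def handle_chain(events, handle_id):
    """Slide 14: Open (4656), Access (4663) and Close (4658) sharing one Handle ID."""
    return [e for e in events if e.get("handle") == handle_id and e["id"] in (4656, 4663, 4658)]


def program_for_open(events, open_event):
    """Slide 13: 4656 AND 4688 on a common Process ID (same host) gives the program name."""
    for e in events:
        if e["id"] == 4688 and e["pid"] == open_event["pid"] and e["host"] == open_event["host"]:
            return e["process"]
    return None


def subject_for_open(events, open_event):
    """Slide 15: the Logon ID links the object event back to its 4624 and its Logon Type."""
    for e in events:
        if e["id"] == 4624 and e["logon_id"] == open_event["logon_id"]:
            return f'{e["domain"]}\\{e["account"]}', e["logon_type"]
    return None


def object_open_duration(events, handle_id):
    """Slide 12: 4658 paired with the earlier 4656 by Handle ID gives the seconds the object was open."""
    chain = handle_chain(events, handle_id)
    opened = next((e for e in chain if e["id"] == 4656), None)
    closed = next((e for e in chain if e["id"] == 4658), None)
    if not (opened and closed):
        return None   # still open, or the open/close pair is outside the exported window
    fmt = "%Y-%m-%d %H:%M:%S"
    return (datetime.strptime(closed["time"], fmt) - datetime.strptime(opened["time"], fmt)).total_seconds()


def summarize_handle(events, handle_id):
    """Bring the three correlations together for one object-access session."""
    chain = handle_chain(events, handle_id)
    opened = next(e for e in chain if e["id"] == 4656)
    used = [e for e in chain if e["id"] == 4663]
    exercised = sorted({name for e in used for name in decode_access_mask(e["access_mask"])})
    return {
        "object": opened["object"],
        "requested": decode_access_mask(opened["access_mask"]),
        "exercised": exercised,            # empty when no 4663 followed the open
        "program": program_for_open(events, opened),
        "subject": subject_for_open(events, opened),
        "seconds_open": object_open_duration(events, handle_id),
    }


if __name__ == "__main__":
    print(summarize_handle(EVENTS, "0x2f8"))
```

Because both the Handle ID and the Logon ID are only unique between reboots, as the field descriptions above note, the lookups are restricted to one host and should in practice also be bounded to the time window between that host's reboots.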
19. Sample Object Access Event ID description contd

Privileges Used For Access Check: Lists any privileges requested. The only time I'm aware of this field being filled in is when you take ownership of an object, in which case you'll see SeTakeOwnershipPrivilege.
Restricted SID Count: Unknown.

20. Object Delete User Search Correlation

To determine the Subject (person) who deleted the object:
Steps:
- The Object Deletion alert notification (Event ID 564/4660) will give the Process ID.
- Use that Process ID to search the Object Open event (Event ID 560/4656).
- The Object Open event (560/4656) will give the Primary Logon ID.
- Now search for the hostname together with the Primary Logon ID (in inverted commas) and the login Event ID (528/4624), combined with a logical AND (if an event management tool is used). It should give the login event on the relevant host with the login account name.

21. Object Delete User Search Correlation

Final Query:
HOSTNAME = AND "Logon ID:" AND EVENTID = 528/4624

To determine the object deleted: to find the name of the object deleted, look for a prior event 560 with the same Handle ID.

22. General Search Queries

Exact login events on server:
HOSTNAME = AND EVENTID = 4624/528 AND MESSAGE != "Logon Type: 3"

User login and logout duration:
EVENTID = 528/4624 (logon event)
EVENTID = 551/4647 (logout event)
Link the logon and logout events with a common Logon ID.

User X successfully logged on a host:
EVENTID = 4624 AND USERNAME = AND REMOTEHOST =

23. General Search Queries

User account was changed:
EVENTID = 4738 AND USERNAME =

An attempt was made to change an account's password:
EVENTID = 4723 AND USERNAME =

User X failed to log on a host:
EVENTID = 4625 AND USERNAME = AND REMOTEHOST =

Check locked user account:
EVENTID = 4740

24. General Search Queries

Check failed authentication for a particular user on a remote host machine:
EVENTID = 4771 AND USERNAME = AND REMOTEHOST =

Particular object requested by a user:
EVENTID = 4656 AND OBJECTNAME = AND HOSTNAME = AND USERNAME =

25. By Mahendra Pratap Singh, MS Cyber Law & Security, Lead Auditor ISO 27001, Team Whitehat People

Content in slides is best of my understanding with the source. Thank You
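Closing the deck, the deletion-attribution chain of slides 20 and 21 (4660 gives the Process ID, 4656 gives the Primary Logon ID, 4624 gives the account) and the slide 22 queries (exact login events without Logon Type 3, and logon/logoff duration paired on a common Logon ID) are worked through below as an added example; it is not code from the presentation. The `search` helper is an assumption standing in for the SIEM query language the slides write as `HOSTNAME = ... AND EVENTID = ...`, and the records are constructed samples in an assumed field layout.

```python
"""Slide 20-21 deletion attribution and slide 22 logon/logoff queries, worked
over constructed sample events. Added example, not the deck's own code; the
record shape and the search() helper are assumptions standing in for the
SIEM query language the slides write as HOSTNAME = ... AND EVENTID = ...
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records. Field names are assumed; values are made up.
EVENTS = [
    {"id": 4624, "host": "FS01", "time": "2014-03-01 08:55:00", "logon_id": "0x5D2C1",
     "account": "asmith", "logon_type": 3},                       # network logon; noise for the query
    {"id": 4624, "host": "FS01", "time": "2014-03-01 09:00:00", "logon_id": "0x3E7A1",
     "account": "jdoe", "logon_type": 10},
    {"id": 4656, "host": "FS01", "time": "2014-03-01 09:02:00", "logon_id": "0x3E7A1",
     "pid": "0x1a4", "handle": "0x2f8", "object": r"C:\Finance\budget.xlsx"},
    {"id": 4660, "host": "FS01", "time": "2014-03-01 09:02:03", "logon_id": "0x3E7A1",
     "pid": "0x1a4", "handle": "0x2f8"},                          # object deleted
    {"id": 4647, "host": "FS01", "time": "2014-03-01 09:45:00", "logon_id": "0x3E7A1",
     "account": "jdoe"},
]


def search(events, **criteria):
    """Tiny stand-in for a SIEM query: every keyword must equal the record's field."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def who_deleted(events, delete_event):
    """Slides 20-21: 4660 -> Process ID -> 4656 -> Logon ID -> 4624, all on the same host.
    Returns (account, object_name) or None when any link in the chain is missing."""
    host = delete_event["host"]
    # Slide 21 also names the deleted object: the prior 4656 with the same Handle ID.
    opens = search(events, id=4656, host=host, pid=delete_event["pid"], handle=delete_event["handle"])
    if not opens:
        return None
    open_event = opens[0]
    # Final query from slide 21: HOSTNAME = <host> AND "Logon ID: <id>" AND EVENTID = 4624
    logons = search(events, id=4624, host=host, logon_id=open_event["logon_id"])
    if not logons:
        return None
    return logons[0]["account"], open_event["object"]


def console_logons(events, host):
    """Slide 22 'exact login events on server': 4624 on the host minus Logon Type 3."""
    return [e for e in search(events, id=4624, host=host) if e["logon_type"] != 3]


def session_durations(events):
    """Slide 22: pair 4624 with 4647 on a common Logon ID and report seconds logged on."""
    durations = {}
    for logon in search(events, id=4624):
        logoffs = search(events, id=4647, logon_id=logon["logon_id"])
        if logoffs:   # a session with no 4647 yet is still open; leave it out
            delta = datetime.strptime(logoffs[0]["time"], FMT) - datetime.strptime(logon["time"], FMT)
            durations[logon["logon_id"]] = (logon["account"], delta.total_seconds())
    return durations


if __name__ == "__main__":
    for d in search(EVENTS, id=4660):
        print("deleted by:", who_deleted(EVENTS, d))
    print("console logons on FS01:", [e["account"] for e in console_logons(EVENTS, "FS01")])
    print("sessions:", session_durations(EVENTS))
```

When a link in the chain returns nothing (for example a 4660 whose 4656 was not audited, as slide 11 explains happens when the audit policy does not cover that access), the function reports None rather than guessing, which is the outcome an investigator should record as well.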