Friday, October 4, 2019

Event ID 4741 - A Computer Account was Created

Log Sample

{
 "EventTime": "2017/11/17 04:04:12",
 "Hostname": "MPWXDC.changme.local",
 "Keywords": -9214364837600034816,
 "EventType": "AUDIT_SUCCESS",
 "SeverityValue": 2,
 "Severity": "INFO",
 "EventID": 4741,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 0,
 "Task": 13825,
 "OpcodeValue": 0,
 "RecordNumber": 490138986,
 "ProcessID": 824,
 "ThreadID": 20704,
 "Channel": "Security",
 "Message": "A computer account was created.",
 "Category": "Computer Account Management",
 "Opcode": "Info",
 "TargetUserName": "ZIGGY$",
 "TargetDomainName": "MP",
 "TargetSid": "S-1-5-21-343361891-1219768270-4058147650-9302",
 "SubjectUserSid": "S-1-5-21-343361891-1219768270-4058147650-1179",
 "SubjectUserName": "admin",
 "SubjectDomainName": "MP",
 "SubjectLogonId": "0x227bf6ce6",
 "PrivilegeList": "-",
 "SamAccountName": "ZIGGY$",
 "DisplayName": "-",
 "UserPrincipalName": "-",
 "HomeDirectory": "-",
 "HomePath": "-",
 "ScriptPath": "-",
 "ProfilePath": "-",
 "UserWorkstations": "-",
 "PasswordLastSet": "2017/11/17 04:04:12",
 "AccountExpires": "%%1794",
 "PrimaryGroupId": "515",
 "AllowedToDelegateTo": "-",
 "OldUacValue": "0x0",
 "NewUacValue": "0x80",
 "UserAccountControl": "\r\n\t\t%%2087",
 "UserParameters": "-",
 "SidHistory": "-",
 "LogonHours": "%%1793",
 "DnsHostName": "ZIGGY.changme.local",
 "ServicePrincipalNames": "\r\n\t\tHOST/ZIGGY.changme.local\r\n\t\tRestrictedKrbHost/ZIGGY.changme.local\r\n\t\tHOST/ZIGGY\r\n\t\tRestrictedKrbHost/ZIGGY",
 "EventReceivedTime": "2017/11/17 04:04:12",
 "SourceModuleName": "wineventlog_in",
 "SourceModuleType": "im_msvistalog"
}

General Description
  • This event generates every time a new computer object is created.
  • This event generates only on domain controllers.
  • If your information security monitoring policy requires you to monitor computer account creation, monitor this event.
Detail Description

Subject:

  • Security ID: SID of account that requested the “create Computer object” operation. 
  • Account Name: the name of the account that requested the “create Computer object” operation.
  • Account Domain: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • Logon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

New Computer Account (Target):

  • Security ID: SID of created computer account.
  • Account Name: the name of the computer account that was created. For example: WIN81$
  • Account Domain: domain name of created computer account. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

Computer Account Attributes:

  • SAM Account Name: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
  • Display Name: the value of displayName attribute of new computer object. It is a name displayed in the address book for a particular account (typically – user account) and is usually the combination of the user's first name, middle initial, and last name.
  • User Principal Name: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name.
  • Home Directory: user's home directory. This parameter might not be captured in the event, and in that case appears as “-”.
  • Home Drive: specifies the drive letter to which to map the UNC path specified by homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For example – “H:”. 
  • Script Path: specifies the path of the account's logon script. 
  • Profile Path: specifies a path to the account's profile.
  • User Workstations: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma.
  • Password Last Set: last time the account’s password was modified. 
  • Account Expires: the date when the account expires.
  • Primary Group ID: Relative Identifier (RID) of computer’s object primary group.
Note: A Relative Identifier (RID) is a variable-length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID), which uniquely identifies an account or group within a domain.

Typically, the Primary Group field for new computer accounts has one of the following values:

516 (Domain Controllers) – for domain controllers.

521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).

515 (Domain Computers) – for member servers and workstations.
  • AllowedToDelegateTo: the list of SPNs to which this account can present delegated credentials. It can be changed on the Delegation tab of the computer account in the Active Directory Users and Computers management console.
Note: A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
  • Old UAC Value: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the userAccountControl attribute of the computer object; for new computer accounts the Old UAC value is always “0x0”.
  • New UAC Value: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the userAccountControl attribute of the new computer object.
  • User Parameters: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see <value changed, but not displayed> in this field in “4742(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”.
  • SID History: contains previous SIDs used for the object if the object was moved from another domain. 
  • Logon Hours: hours that the account is allowed to logon to the domain. 
  • DNS Host Name: name of computer account as registered in DNS. 
  • Service Principal Names: the list of SPNs registered for the computer account.
Additional Information:
  • Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.

COBIT: Meeting Stakeholders' Needs

Organizations have many stakeholders, and each may have a different view of what is important. However, they will all generally agree that organizations should create value. This value can range from providing public services to generating profits to providing charitable services and more. Stakeholders' needs should be considered when decisions have to be made

  • regarding benefits, resources and risk assessments,
  • during value creation

to help us understand and meet the various stakeholder needs. COBIT 5 asks three questions:

  • who benefits
  • who carries the risk and
  • what resources are needed

Sometimes stakeholders have conflicting needs. Adding to this is the fact that organizations are affected by different factors such as

  • the market industry
  • politics
  • culture and
  • risk appetite

Taking the various needs and internal and external factors into account, COBIT 5 suggests that governance can assist in negotiation and decision-making. Across these various needs, it suggests that we need a customized governance and management system. It provides the goals cascade:

  • stakeholder drivers
  • stakeholder needs
  • enterprise goals
  • IT-related goals
  • enabler goals

which is a mechanism that helps us translate stakeholder needs into a series of increasingly specific goals that are directly related to the organization.

So, because organizations have different objectives, expect to customize COBIT 5 to suit your organization: the goals cascade translates high-level enterprise goals into manageable, specific IT-related goals, and mapping these to specific processes and practices will help us meet stakeholders' needs.

Wednesday, October 2, 2019

Event ID 4742 - A computer account was changed

Log Sample

{
 "EventTime": "2017/11/17 04:04:12",
 "Hostname": "WIN-AE4MOB56I4P.changeme.com",
 "Keywords": -9214364837600034816,
 "EventType": "AUDIT_SUCCESS",
 "SeverityValue": 2,
 "Severity": "INFO",
 "EventID": 4742,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 0,
 "Task": 13825,
 "OpcodeValue": 0,
 "RecordNumber": 1722463,
 "ProcessID": 776,
 "ThreadID": 4068,
 "Channel": "Security",
 "Message": "A computer account was changed.",
 "Category": "Computer Account Management",
 "Opcode": "Info",
 "ComputerAccountChange": "-",
 "TargetUserName": "WIN-AE4MOB56I4P$",
 "TargetDomainName": "changeme",
 "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1008",
 "SubjectUserSid": "S-1-5-18",
 "SubjectUserName": "WIN-AE4MOB56I4P$",
 "SubjectDomainName": "changeme",
 "SubjectLogonId": "0x42f38",
 "PrivilegeList": "-",
 "SamAccountName": "-",
 "DisplayName": "-",
 "UserPrincipalName": "-",
 "HomeDirectory": "-",
 "HomePath": "-",
 "ScriptPath": "-",
 "ProfilePath": "-",
 "UserWorkstations": "-",
 "PasswordLastSet": "-",
 "AccountExpires": "-",
 "PrimaryGroupId": "-",
 "AllowedToDelegateTo": "-",
 "OldUacValue": "-",
 "NewUacValue": "-",
 "UserAccountControl": "-",
 "UserParameters": "-",
 "SidHistory": "-",
 "LogonHours": "-",
 "DnsHostName": "-",
 "ServicePrincipalNames": "\r\n\t\tldap/WIN-AE4MOB56I4P.changeme.com/changeme.com",
 "EventReceivedTime": "2017/11/17 04:04:12",
 "SourceModuleName": "in",
 "SourceModuleType": "im_msvistalog"
}

General Description
  • This event generates every time a computer object is changed.
  • This event generates only on domain controllers.
  • If your information security monitoring policy requires you to monitor computer account changes, monitor this event.
Detail Description

Subject:

  • Security ID: SID of the account that requested the “change Computer object” operation.
  • Account Name: the name of the account that requested the “change Computer object” operation.
  • Account Domain: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • Logon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Computer Account That Was Changed (Target):

  • Security ID: SID of the computer account that was changed.
  • Account Name: the name of the computer account that was changed. For example: WIN81$
  • Account Domain: domain name of the changed computer account. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

Computer Account Attributes:

  • SAM Account Name: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
  • Display Name: the value of displayName attribute of new computer object. It is a name displayed in the address book for a particular account (typically – user account) and is usually the combination of the user's first name, middle initial, and last name.
  • User Principal Name: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name.
  • Home Directory: user's home directory. This parameter might not be captured in the event, and in that case appears as “-”.
  • Home Drive: specifies the drive letter to which to map the UNC path specified by homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For example – “H:”. 
  • Script Path: specifies the path of the account's logon script. 
  • Profile Path: specifies a path to the account's profile.
  • User Workstations: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma.
  • Password Last Set: last time the account’s password was modified. 
  • Account Expires: the date when the account expires.
  • Primary Group ID: Relative Identifier (RID) of computer’s object primary group.
Note: A Relative Identifier (RID) is a variable-length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID), which uniquely identifies an account or group within a domain.

Typically, the Primary Group field for new computer accounts has one of the following values:

516 (Domain Controllers) – for domain controllers.

521 (Read-only Domain Controllers) – for read-only domain controllers (RODC).

515 (Domain Computers) – for member servers and workstations.
  • AllowedToDelegateTo: the list of SPNs to which this account can present delegated credentials. It can be changed on the Delegation tab of the computer account in the Active Directory Users and Computers management console.
Note: A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
  • Old UAC Value: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the userAccountControl attribute of the computer object; for new computer accounts the Old UAC value is always “0x0”.
  • New UAC Value: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the userAccountControl attribute of the computer object.
  • User Parameters: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see <value changed, but not displayed> in this field in “4742(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”.
  • SID History: contains previous SIDs used for the object if the object was moved from another domain. 
  • Logon Hours: hours that the account is allowed to logon to the domain. 
  • DNS Host Name: name of computer account as registered in DNS. 
  • Service Principal Names: the list of SPNs registered for the computer account.
Additional Information:
  • Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
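As an added example that is not part of the original post, the following Python decodes the fields that matter for triage in both the 4741 sample and the 4742 sample above: the signed Keywords value (audit success or failure), the hex UAC value, the primary group RID from the list above, the SPN string, and, for 4742, only the attributes that actually changed (everything unchanged is reported as “-”). The UAC flag names and the trimmed sample events are assumptions constructed for this example.

```python
import re

# Flag names for the hex UAC value shown in 4741/4742 events. Assumption: the
# event field uses the SAM account-control bit layout (the encoding in which
# 0x80 is 'Workstation Trust Account'), not the LDAP userAccountControl bits.
UAC_FLAGS = {
    0x0001: "ACCOUNT_DISABLED",
    0x0010: "NORMAL_ACCOUNT",
    0x0080: "WORKSTATION_TRUST_ACCOUNT",
    0x0100: "SERVER_TRUST_ACCOUNT",
    0x0200: "DONT_EXPIRE_PASSWORD",
    0x2000: "TRUSTED_FOR_DELEGATION",
    0x10000: "DONT_REQUIRE_PREAUTH",
}
# Primary group RIDs listed in the detail description above.
PRIMARY_GROUPS = {515: "Domain Computers", 516: "Domain Controllers",
                  521: "Read-only Domain Controllers"}
# Keywords on Security-channel events; NXLog emits the value as a signed 64-bit integer.
KEYWORD_AUDIT_SUCCESS = 0x8020000000000000
KEYWORD_AUDIT_FAILURE = 0x8010000000000000
# Attributes that a 4742 event reports as '-' unless they changed in this operation.
TRACKED_ATTRIBUTES = ["SamAccountName", "DnsHostName", "ServicePrincipalNames",
                      "NewUacValue", "PrimaryGroupId", "AllowedToDelegateTo",
                      "SidHistory", "UserParameters"]

def field(event, name):
    """Return a field value, or None when the event carries '-' (not captured or unchanged)."""
    value = event.get(name)
    return None if value in (None, "-", "") else value

def decode_uac(hex_value):
    """Expand a UAC hex string such as '0x80' into flag names; unknown bits are kept as hex."""
    value = int(hex_value, 16)
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names

def decode_keywords(keywords):
    """Map the signed 64-bit Keywords value to the audit outcome."""
    unsigned = keywords & 0xFFFFFFFFFFFFFFFF  # undo the two's-complement sign
    if unsigned == KEYWORD_AUDIT_SUCCESS:
        return "AUDIT_SUCCESS"
    if unsigned == KEYWORD_AUDIT_FAILURE:
        return "AUDIT_FAILURE"
    return f"0x{unsigned:016x}"

def split_spns(raw):
    """ServicePrincipalNames arrives as one string separated by CR/LF/tabs; return a list."""
    return [spn for spn in re.split(r"\s+", raw or "") if spn]

def summarize(event):
    """Build a triage summary for a 4741 (created) or 4742 (changed) event."""
    event_id = event["EventID"]
    summary = {
        "event_id": event_id,
        "action": {4741: "created", 4742: "changed"}.get(event_id, "unknown"),
        "outcome": decode_keywords(event["Keywords"]),
        "subject": f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}',
        "subject_logon_id": event["SubjectLogonId"],  # join key to the subject's 4624 event
        # A subject name without a trailing '$' is a user, not a machine account.
        "subject_is_user": not event["SubjectUserName"].endswith("$"),
        "target": f'{event["TargetDomainName"]}\\{event["TargetUserName"]}',
        "spns": split_spns(field(event, "ServicePrincipalNames")),
        # For 4742 these are exactly the attributes that changed; for 4741, those populated.
        "attributes_set": [a for a in TRACKED_ATTRIBUTES if field(event, a)],
    }
    if field(event, "NewUacValue"):
        summary["new_uac_flags"] = decode_uac(event["NewUacValue"])
    if field(event, "PrimaryGroupId"):
        rid = int(event["PrimaryGroupId"])
        summary["primary_group"] = PRIMARY_GROUPS.get(rid, f"RID {rid}")
    return summary

# Constructed sample events: trimmed copies of the two log samples on this page.
SAMPLE_4741 = {
    "EventID": 4741, "Keywords": -9214364837600034816,
    "SubjectUserName": "admin", "SubjectDomainName": "MP", "SubjectLogonId": "0x227bf6ce6",
    "TargetUserName": "ZIGGY$", "TargetDomainName": "MP", "SamAccountName": "ZIGGY$",
    "PrimaryGroupId": "515", "OldUacValue": "0x0", "NewUacValue": "0x80",
    "AllowedToDelegateTo": "-", "SidHistory": "-", "UserParameters": "-",
    "DnsHostName": "ZIGGY.changme.local",
    "ServicePrincipalNames": "\r\n\t\tHOST/ZIGGY.changme.local\r\n\t\tRestrictedKrbHost/"
                             "ZIGGY.changme.local\r\n\t\tHOST/ZIGGY\r\n\t\tRestrictedKrbHost/ZIGGY",
}
SAMPLE_4742 = {
    "EventID": 4742, "Keywords": -9214364837600034816,
    "SubjectUserName": "WIN-AE4MOB56I4P$", "SubjectDomainName": "changeme",
    "SubjectLogonId": "0x42f38", "TargetUserName": "WIN-AE4MOB56I4P$",
    "TargetDomainName": "changeme", "SamAccountName": "-", "PrimaryGroupId": "-",
    "OldUacValue": "-", "NewUacValue": "-", "AllowedToDelegateTo": "-", "SidHistory": "-",
    "UserParameters": "-", "DnsHostName": "-",
    "ServicePrincipalNames": "\r\n\t\tldap/WIN-AE4MOB56I4P.changeme.com/changeme.com",
}

if __name__ == "__main__":
    for sample in (SAMPLE_4741, SAMPLE_4742):
        print(summarize(sample))
```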

Windows Authentication Mechanism

Authentication is the process of verifying an identity, which can be an object, a person or a service. Object authentication verifies that an object is genuine. Person or service authentication verifies that the credentials entered are authentic. In the context of networking, authentication is proving identity to a network application or resource. Active Directory Domain Services is the recommended and default technology for storing identity information (including the cryptographic keys that are the user’s credentials). Active Directory is required for the default NTLM and Kerberos implementations.

There is a range of authentication techniques, from simple logon to more powerful security mechanisms. Simple logon identifies users based on something that only the user knows, like a password, while the more powerful mechanisms use something that the user has, like tokens, public key certificates, and biometrics.

Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest are the default set of authentication protocols implemented by the Windows operating system. These protocols enable authentication of users, computers, and services, which in turn lets authorized users and services access resources in a secure manner.

Some of the events that need to be tracked to analyze user authentication behavior are as follows:

Event ID   Description
4624       An account was successfully logged on
4625       An account failed to log on
4634       An account was logged off
4647       User initiated logoff
4768       A Kerberos authentication ticket (TGT) was requested
4769       A Kerberos service ticket was requested
4771       Kerberos pre-authentication failed

Account Logon Fail Status in Windows

Status and Sub-status Codes:

Status / Sub-status code   Description
0xC000005E   There are currently no logon servers available to service the logon request.
0xC0000064   User name does not exist.
0xC000006A   User name is correct but the password is wrong.
0xC000006D   This is either due to a bad username or authentication information.
0xC000006E   Unknown user name or bad password.
0xC000006F   User tried to log on outside of the day-of-week or time-of-day restrictions.
0xC0000070   Workstation restriction or Authentication Policy Silo violation (look for event ID 4820 on the domain controller).
0xC0000071   Expired password.
0xC0000072   Account is currently disabled.
0xC00000DC   Indicates the SAM server was in the wrong state to perform the desired operation.
0xC0000133   Clocks between the DC and the other computer are too far out of sync.
0xC000015B   The user has not been granted the requested logon type (aka logon right) at this machine.
0xC000018C   The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192   An attempt was made to log on but the Netlogon service was not started.
0xC0000193   Account expiration.
0xC0000224   User is required to change password at next logon.
0xC0000225   Evidently a bug in Windows and not a risk.
0xC0000234   User is currently locked out.
0xC0000413   Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
Log Sample: 
{
 "EventTime": "2017/08/25 14:09:12",
 "Hostname": "CIVDCS-ADC1.changeme.com",
 "Keywords": -9218868437227405312,
 "EventType": "AUDIT_FAILURE",
 "SeverityValue": 4,
 "Severity": "ERROR",
 "EventID": 4625,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 0,
 "Task": 12544,
 "OpcodeValue": 0,
 "RecordNumber": 56611365,
 "ProcessID": 528,
 "ThreadID": 4672,
 "Channel": "Security",
 "Message": "An account failed to log on.",
 "Category": "Logon",
 "Opcode": "Info",
 "SubjectUserSid": "S-1-0-0",
 "SubjectUserName": "-",
 "SubjectDomainName": "-",
 "SubjectLogonId": "0x0",
 "TargetUserSid": "S-1-0-0",
 "TargetUserName": "MININT-UP26I95$",
 "TargetDomainName": "changeme",
 "Status": "0xc000006d",
 "FailureReason": "%%2313",
 "SubStatus": "0xc000006a",
 "LogonType": "3",
 "LogonProcessName": "NtLmSsp ",
 "AuthenticationPackageName": "NTLM",
 "WorkstationName": "MININT-UP26I95",
 "TransmittedServices": "-",
 "LmPackageName": "-",
 "KeyLength": "0",
 "ProcessName": "-",
 "IpAddress": "172.23.130.64",
 "IpPort": "65284",
 "EventReceivedTime": "2017/08/25 14:09:12",
 "SourceModuleName": "wineventlog_in",
 "SourceModuleType": "im_msvistalog"
}


Failure Reason:

Code     Description
%%2305   The specified user account has expired.
%%2309   The specified account's password has expired.
%%2310   Account currently disabled.
%%2311   Account logon time restriction violation.
%%2312   User not allowed to logon at this computer.
%%2313   Unknown user name or bad password.

How to Audit File and Folder Access

Whenever files and folders are accessed on a Windows system, the things of interest are who accessed them, when the access took place, and what happened to the files after they were accessed. Moreover, if we can audit such access without having to use a third-party application, so much the better.

Windows has a feature that keeps track of when someone views, edits, or deletes something inside a specified folder. What we need to do is simply enable auditing of such events. This write-up explains step by step how we can configure auditing. This auditing feature is part of the Windows security feature called Group Policy.

1. Click Run, type gpedit.msc and press Enter.

Two configuration nodes are shown: User Configuration and Computer Configuration. User Configuration controls policies for each user. At this point we are interested in Computer Configuration, because computer settings are system-wide and affect all users.

2. Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

3. Configure Audit object access: double-click it and select both Success and Failure.

4. Close Group Policy.

This is our first step in auditing files and folders. It tells Windows that we are ready to monitor changes to files, folders and other objects such as registry keys, the SAM, etc. The steps that follow tell Windows exactly what we want to track.

5. Right-click the folder you want to monitor, click Properties and then open the Security tab.

6. Click Advanced and then the Auditing tab. This is the tab where the actual configuration is done.

7. Click Add.

8. Click Users and then click Check Names.

9. Click OK.

10. Choose the type of audit (All, Success or Failure), what it applies to and the permissions you want to audit, then click OK.

11. Click OK on each remaining dialog.

To view these events, go to Event Viewer -> Windows Logs -> Security.

For file system related events you will get 4656 (file open), 4663 (access and permission exercised) and 4658 (file closed).

Tuesday, October 1, 2019

Application Group Management in Windows System

There are various tasks that can be performed in Application Group Management:
  • An application group can be created, changed or deleted
  • A member can be added to or removed from an application group
The volume of these events is low, and by default Microsoft does not configure them to be logged. If this policy setting is configured, it determines whether audit events are generated when application group management tasks are performed.

The following events are generated:

Event ID   Description
4783       A basic application group was created.
4784       A basic application group was changed.
4785       A member was added to a basic application group.
4786       A member was removed from a basic application group.
4787       A non-member was added to a basic application group.
4788       A non-member was removed from a basic application group.
4789       A basic application group was deleted.
4790       An LDAP query group was created.

How should these events be looked at in a SIEM tool?
Alert rules. Rules can be specific to the event IDs above or generic to Application Group Management, like:
LogSource=Windows eventId IN [4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790]

What fields to monitor?
timestamp, user name, operationType

Access Control - Biometric and Federated Identity


There are different types of biometric systems in the industry today. Some make authentication decisions based on behavior and some based on physical attributes. A biometric system that bases its decisions on behavior, as in signature dynamics and voice prints, is less accurate because those traits can change over time and can possibly be forged. Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because those attributes do not change as often and are harder to impersonate.

A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Identity federation is based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce. It is essentially when one organization agrees to trust another organization's authentication of a user and provides them with a degree of access based on that authentication.

Monday, September 30, 2019

Linux Systemd Privilege Escalation Vulnerabilities


New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

On most Linux distributions, systemd is the init system and service manager. Security researchers at Qualys have discovered three vulnerabilities in systemd that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems.

The vulnerabilities are CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866. They reside in the "systemd-journald" service, which collects information from different sources and creates event logs by writing that information to the journal. According to Qualys, they affect all systemd-based Linux distributions. However, SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not affected, because "their userspace [code] is compiled with GCC's -fstack-clash-protection".
The first two flaws are memory corruption issues, while the third is an out-of-bounds read in systemd-journald that can leak sensitive process memory.



User Rights Assignment in Windows

What do User Rights do?
User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain.

What do they include?
User rights include logon rights and permissions.
  • Logon rights control who is authorized to log on to a computer and how they can log on.
  • User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects.

How are User Rights managed?
User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events.

Configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local computer by using the Local Group Policy Editor (gpedit.msc).

Which Event IDs to look for?
Event IDs 4704 and 4705 document a change to user rights assignments on a Windows computer, including the right and the user or group that received or lost it.
Event ID 4704: A user right was assigned
Event ID 4705: A user right was removed

Keep in mind that “user rights” and “privileges” are synonymous terms used interchangeably in Windows.

Like most other security settings in Windows, rights are defined in Group Policy objects and applied by the computer. These events will therefore normally show the Assigned By user as the system itself.

How to determine who actually made the changes?
To determine who actually made the rights assignment change, you must search the domain controllers' security logs for changes to groupPolicyContainer objects (logged by Directory Service auditing).

The Logon ID lets you link this event to the earlier 4624 logon event of the user who performed this action.

Note: Events 4704 and 4705 do not log changes to logon rights such as “Access this computer from the network” or “Log on as a service”.

User Rights

System name                        Description
SeTcbPrivilege                     Act as part of the operating system
SeMachineAccountPrivilege          Add workstations to domain
SeIncreaseQuotaPrivilege           Adjust memory quotas for a process
SeBackupPrivilege                  Back up files and directories
SeChangeNotifyPrivilege            Bypass traverse checking
SeSystemtimePrivilege              Change the system time
SeCreatePagefilePrivilege          Create a pagefile
SeCreateTokenPrivilege             Create a token object
SeCreatePermanentPrivilege         Create permanent shared objects
SeDebugPrivilege                   Debug programs
SeEnableDelegationPrivilege        Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege          Force shutdown from a remote system
SeAuditPrivilege                   Generate security audits
SeIncreaseBasePriorityPrivilege    Increase scheduling priority
SeLoadDriverPrivilege              Load and unload device drivers
SeLockMemoryPrivilege              Lock pages in memory
SeSecurityPrivilege                Manage auditing and security log
SeSystemEnvironmentPrivilege       Modify firmware environment values
SeManageVolumePrivilege            Perform volume maintenance tasks
SeProfileSingleProcessPrivilege    Profile single process
SeSystemProfilePrivilege           Profile system performance
SeUndockPrivilege                  Remove computer from docking station
SeAssignPrimaryTokenPrivilege      Replace a process level token
SeRestorePrivilege                 Restore files and directories
SeShutdownPrivilege                Shut down the system
SeSyncAgentPrivilege               Synchronize directory service data
SeTakeOwnershipPrivilege           Take ownership of files or other objects

Distribution Group Management in Windows System

There are various tasks that can be performed in Distribution Group Management:
  • A distribution group is created, changed, or deleted.
  • A member is added to or removed from a distribution group.

The volume of these events is low, and they are logged only on domain controllers. By default Microsoft does not configure them to be logged. If this policy setting is configured, it determines whether audit events are generated when distribution group management tasks are performed.


The following events are generated:

Event ID   Description
4744       A security-disabled local group was created.
4745       A security-disabled local group was changed.
4746       A member was added to a security-disabled local group.
4747       A member was removed from a security-disabled local group.
4748       A security-disabled local group was deleted.
4749       A security-disabled global group was created.
4750       A security-disabled global group was changed.
4751       A member was added to a security-disabled global group.
4752       A member was removed from a security-disabled global group.
4753       A security-disabled global group was deleted.
4759       A security-disabled universal group was created.
4760       A security-disabled universal group was changed.
4761       A member was added to a security-disabled universal group.
4762       A member was removed from a security-disabled universal group.

How should these events be looked at in a SIEM tool?
Alert rules. Rules can be specific to the event IDs above or generic to Distribution Group Management, like:
LogSource=Windows eventId IN [4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762]

What fields to monitor?
timestamp, who performed the action, security group, operationType

Brute Force Attack in Windows System - Detection

A brute force attack is an attack in which a user tries to authenticate to a system with many possible passwords. It is also known as a trial-and-error or exhaustive search attack. We can detect such attacks with an available SIEM tool; however, we first need to define the scope of detection.

What do we call a successful brute force attack?
Multiple failed login events followed by a successful login. So we need to write alert rules that generate a notification whenever such events happen. There are two possible scenarios for our rule:
  1. Multiple failed logins followed by a successful login for the same user account
  2. Multiple failed logins followed by a successful login from the same source IP address
NOTE: we need to define what “multiple” means. Is it 3, 4, 5, 6 or more failures followed by a success? Another thing to consider is the time window: within what duration must such events happen to count as a brute force attack? Is it 1, 2, 3, 4 or 5 minutes?

What is the difference between these two?
The first condition checks for a user whose account is being attacked with different password variations. It does not take into account how many different workstations are being used for the attempt.

The query for this case will be something like the following:
[5 Failed Login] followed by [Successful Login] on same user

The second condition checks for a source address from which multiple user accounts are being tried:
[5 Failed Login] followed by [Successful Login] on same source IP address

How to use this in a Windows environment?
We know event ID 4625 is logged for failed user logons and 4624 for successful user logons, so these two events are used to detect a possible brute force attack.

  1. [5 event_id=4625 user=*] followed by [event_id=4624 user=*] on same user within 1 minute
  2. [5 event_id=4625 source_address=* ] followed by [event_id=4624 source_address=*] on same source_address within 1 minute | distinct_count(user) as distinctUser by source_address | search distinctUser>1
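An added example (not from the original post) that implements both rules above in Python over constructed 4625/4624 events, using a five-failure threshold and a one-minute window, and enriches each alert with the sub-status meanings from the failure-status table earlier on this page. The event field names follow the NXLog JSON samples on this page; the sample events and the `_ev` helper are assumptions built for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Sub-status meanings taken from the failure-status table on this page (lower-cased keys).
SUB_STATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "user name is correct but the password is wrong",
    "0xc0000072": "account is currently disabled",
    "0xc0000234": "user is currently locked out",
}

def parse_time(text):
    """EventTime as emitted in the NXLog samples, e.g. '2017/08/25 14:09:12'."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

def detect_brute_force(events, threshold=5, window_seconds=60):
    """Return alerts for the two rules: `threshold` failed logons (4625) followed by a
    successful logon (4624) within the window, keyed by user (rule 1), or keyed by
    source IP with more than one distinct user among the failures (rule 2)."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=lambda e: parse_time(e["EventTime"]))
    fails_by_user = defaultdict(deque)  # user -> (time, user, ip, sub_status) records
    fails_by_ip = defaultdict(deque)    # ip   -> same records
    alerts = []
    for e in ordered:
        now = parse_time(e["EventTime"])
        user, ip = e["TargetUserName"].lower(), e["IpAddress"]
        for queue in (fails_by_user[user], fails_by_ip[ip]):
            while queue and now - queue[0][0] > window:  # expire failures outside the window
                queue.popleft()
        if e["EventID"] == 4625:
            record = (now, user, ip, e.get("SubStatus", "-").lower())
            fails_by_user[user].append(record)
            fails_by_ip[ip].append(record)
            continue
        if e["EventID"] != 4624:
            continue
        # Rule 1: the same account failed `threshold` times, then logged on.
        fails = fails_by_user[user]
        if len(fails) >= threshold:
            alerts.append({
                "rule": "same_user", "user": user, "success_at": e["EventTime"],
                "failures": len(fails), "source_ips": sorted({r[2] for r in fails}),
                "reasons": dict(Counter(SUB_STATUS.get(r[3], r[3]) for r in fails)),
            })
            fails.clear()
        # Rule 2: the same source failed `threshold` times across more than one
        # account (the distinct_count(user) > 1 condition), then logged on.
        fails = fails_by_ip[ip]
        users = sorted({r[1] for r in fails})
        if len(fails) >= threshold and len(users) > 1:
            alerts.append({
                "rule": "same_source", "source_ip": ip, "success_at": e["EventTime"],
                "failures": len(fails), "users": users,
                "reasons": dict(Counter(SUB_STATUS.get(r[3], r[3]) for r in fails)),
            })
            fails.clear()
    return alerts

def _ev(event_id, time, user, ip, sub_status="-"):
    """Constructed minimal event in the shape of the 4624/4625 JSON samples."""
    return {"EventID": event_id, "EventTime": time, "TargetUserName": user,
            "IpAddress": ip, "SubStatus": sub_status}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # henry: five failures, but the success comes five minutes later (outside the window)
    *[_ev(4625, f"2019/10/01 08:00:0{i}", "henry", "10.0.0.7", "0xc000006a") for i in range(1, 6)],
    _ev(4624, "2019/10/01 08:05:00", "henry", "10.0.0.7"),
    # alice: five wrong-password failures, then a success from the same host within a minute
    *[_ev(4625, f"2019/10/01 09:00:0{i}", "alice", "10.0.0.5", "0xc000006a") for i in range(1, 6)],
    _ev(4624, "2019/10/01 09:00:07", "alice", "10.0.0.5"),
    # 10.0.0.9: one failure each for five different accounts, then a success for the last one
    *[_ev(4625, f"2019/10/01 09:02:0{i}", u, "10.0.0.9", "0xc0000064")
      for i, u in enumerate(["bob", "carol", "dave", "erin"], start=1)],
    _ev(4625, "2019/10/01 09:02:05", "frank", "10.0.0.9", "0xc000006a"),
    _ev(4624, "2019/10/01 09:02:09", "frank", "10.0.0.9"),
    # grace: two typos then a success, below the threshold
    _ev(4625, "2019/10/01 09:05:01", "grace", "10.0.0.11", "0xc000006a"),
    _ev(4625, "2019/10/01 09:05:03", "grace", "10.0.0.11", "0xc000006a"),
    _ev(4624, "2019/10/01 09:05:05", "grace", "10.0.0.11"),
]

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Widening the window (for example to 600 seconds) makes the henry sequence fire as well, which is the trade-off the NOTE above asks you to decide on.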

What should you do after this alert fires?
When this alert is triggered, the following action should be taken:
  • Investigate the source IP address and/or username