Wednesday, October 23, 2019

File System Auditing Schemas in Windows

There are various audit events generated when any files or folders are accessed. Following are the list of events that can be monitored when any file system related activities needs to be audited.

event idobject typelog messagedescription
4656FileA handle to an object was requested.This is the first event logged when an application attempts to access the object
4659FileA handle to an object was requested with intent to deleteThis event is logged whenever patch installed requires replacement of a file that is already opened and cannot be closed until shut down
4663FileAn attempt was made to access an object.This event logs actual operations performed against files and other objects
4670FilePermissions on an object were changedThis event is logged when access control list on an object is changed and identifies the object, who changed the permissions and the old an new permissions.
5145FileA network share object was checked to see whether client can be granted desired accessThis event logs every access to the file share and indicates the reason it was allowed or not allowed, based on the access check results.

Among all these events, 4663 is the best suited for any file related operation. Make sure to find object type  as File in every case. File specifies any file/folder operation. Discussion and detail information about these events will be explained in later next write.
at No comments:
Labels: ,

Event ID 4782 - The password hash an account was accessed

Event ID 4782 - The password hash an account was accessed

Log Sample

{
 "EventTime": "2017/11/17 04:04:12"
 "Hostname": "WIN-AE4MOB56I4P.changeme.com"
 "Keywords": -9214364837600034816
 "EventType": "AUDIT_SUCCESS"
 "SeverityValue": 2
 "Severity": "INFO"
 "EventID": 4782
 "SourceName": "Microsoft-Windows-Security-Auditing"
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
 "Version": 0
 "Task": 13827
 "OpcodeValue": 0
 "RecordNumber": 2034819
 "ProcessID": 776
 "ThreadID": 2032
 "Channel": "Security"
 "Message": "The password hash an account was accessed."
 "Category": "Audit Other Account Management Events"
 "TargetUserName": "Alice"
 "TargetDomainName": "changeme"
 "SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500"
 "SubjectUserName": "Administrator"
 "SubjectDomainName": "changeme"
 "SubjectLogonId": "0x33903e"
 "EventReceivedTime": "2017/11/17 04:04:12"
 "SourceModuleName": "in"
 "SourceModuleType": "im_msvistalog"
}

General Description
  • This event generates on domain controllers during password migration of an account using Active Directory Migration Toolkit.
  • Typically “Subject\Security ID” is the SYSTEM account.
SIEM: Security Consideration
  • Any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change

Detail Description

Subject:
  • SubjectUserSID: SID of account that requested the “create Computer object” operation. 
  • SubjectUserName: the name of the account that requested the “create Computer object” operation.
  • SubjectDomainName: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • SubjectLogon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Target:
  • TargetUserName: the name of the computer account that was created. For example: WIN81$
  • TargetDomainName: domain name of created computer account. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

at No comments:
Labels: , ,

Windows Event Log - Logon Session


Event IdDescription
4624User login successful
4647User logoff
4625User login fail
4778Remote Desktop session reconnected
4779Remote Desktop session disconnected
4800Workstation locked
4801Workstation unlocked
4802Screen saver invoked
4803Screen saver dismissed
at No comments:
Labels: ,

Monday, October 21, 2019

Event ID 4793 - The Password Policy Checking API was called

Event ID 4793 - The Password Policy Checking API was called


The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.

Log Sample

{
 "EventTime": "2017/11/17 04:04:12"
 "Hostname": "WIN-AE4MOB56I4P.changeme.com"
 "Keywords": -9214364837600034816
 "EventType": "AUDIT_SUCCESS"
 "SeverityValue": 2
 "Severity": "INFO"
 "EventID": 4793
 "SourceName": "Microsoft-Windows-Security-Auditing"
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
 "Version": 0
 "Task": 13827
 "OpcodeValue": 0
 "RecordNumber": 2034819
 "ProcessID": 776
 "ThreadID": 2032
 "Channel": "Security"
 "Message": "The Password Policy Checking API was called"
 "Category": "Audit Other Account Management Events"
 "TargetUserName": "sig"
 "SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500"
 "SubjectUserName": "Administrator"
 "SubjectDomainName": "changeme"
 "SubjectLogonId": "0x33903e"
 "Workstation": "DC01"
 "Status": "0x0"
 "EventReceivedTime": "2017/11/17 04:04:12"
 "SourceModuleName": "in"
 "SourceModuleType": "im_msvistalog"
}

General Description
  • This event generates each time the Password Policy Checking API is called.
  • This event, for example, generates during Directory Services Restore Mode (DSRM) account password reset procedure to check new DSRM password.
  • This event generates on the computer where Password Policy Checking API was called.

Detail Description

Subject:
  • SubjectUserSID: SID of account that requested the “create Computer object” operation. 
  • SubjectUserName: the name of the account that requested the “create Computer object” operation.
  • SubjectDomainName: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • SubjectLogon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information

  • Workstation: name of the computer from which the Password Policy Checking API was called.
  • TargetUserName: the name of account, which password was provided/requested for validation. This parameter might not be captured in the event, and in that case appears as “-”.
  • Status Code: typically has “0x0” value. Status code is “0x0”, no matter meets password domain Password Policy or not.
at No comments:
Labels: , , ,

Event ID 4752 - A member was removed from a security-disabled global group

Event ID 4752 - A member was removed from a security-disabled global group

Log Sample

{
 "EventTime": "2017/11/17 04:04:12"
 "Hostname": "WIN-AE4MOB56I4P.logpoint.com"
 "Keywords": -9214364837600034816
 "EventType": "AUDIT_SUCCESS"
 "SeverityValue": 2
 "Severity": "INFO"
 "EventID": 4752
 "SourceName": "Microsoft-Windows-Security-Auditing"
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
 "Version": 0
 "Task": 13827
 "OpcodeValue": 0
 "RecordNumber": 1947168
 "ProcessID": 776
 "ThreadID": 5276
 "Channel": "Security"
 "Message": "A member was removed from a security-disabled global group."
 "Category": "Distribution Group Management"
 "Opcode": "Info"
 "MemberName": "CN=ros_group,DC=logpoint,DC=com"
 "MemberSid": "S-1-5-21-924791265-3775684568-2843720401-1112"
 "TargetUserName": "ros_group"
 "TargetDomainName": "logpoint"
 "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1112"
 "SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500"
 "SubjectUserName": "Administrator"
 "SubjectDomainName": "changeme"
 "SubjectLogonId": "0x33903e"
 "PrivilegeList": "-"
 "EventReceivedTime": "2017/11/17 04:04:12"
 "SourceModuleName": "in"
 "SourceModuleType": "im_msvistalog"
}


General Description
  • This event generates every time member was removed from the security-disabled (distribution) global group.
  • This event generates only on domain controllers.
Detail Description

Subject:
  • SubjectUserSID: SID of account that requested the “create Computer object” operation. 
  • SubjectUserName: the name of the account that requested the “create Computer object” operation.
  • SubjectDomainName: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • SubjectLogon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group (Target):
  • TargetSID: SID of created computer account.
  • TargetUserName: the name of the computer account that was created. For example: WIN81$
  • TargetDomainName: domain name of created computer account. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

Member:
  • Security ID: SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
  • Account Name: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”.
Attributes:
  • SAM Account Name: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
  • SID History: contains previous SIDs used for the object if the object was moved from another domain. 
Additional Information:
  • Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
at No comments:
Labels: , , ,

Event ID 4753 - A security-disabled global group was deleted

Event ID 4753 - A security-disabled global group was deleted

Log Sample

{
"EventTime": "2017/11/17 04:04:12"
 "Hostname": "WIN-AE4MOB56I4P.changeme.com"
 "Keywords": -9214364837600034816
 "EventType": "AUDIT_SUCCESS"
 "SeverityValue": 2
 "Severity": "INFO"
 "EventID": 4753
 "SourceName": "Microsoft-Windows-Security-Auditing"
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
 "Version": 0
 "Task": 13827
 "OpcodeValue": 0
 "RecordNumber": 2026256
 "ProcessID": 776
 "ThreadID": 5276
 "Channel": "Security"
 "Message": "A security-disabled global group was deleted."
 "Category": "Distribution Group Management"
 "Opcode": "Info"
 "TargetUserName": "ros_group"
 "TargetDomainName": "changeme"
 "TargetSid": "S-1-5-21-924791265-3775684568-2843720401-1112"
 "SubjectUserSid": "S-1-5-21-924791265-3775684568-2843720401-500"
 "SubjectUserName": "Administrator"
 "SubjectDomainName": "changeme"
 "SubjectLogonId": "0x33903e"
 "PrivilegeList": "-"
 "EventReceivedTime": "2017/11/17 04:04:12"
 "SourceModuleName": "in"
 "SourceModuleType": "im_msvistalog"
}


General Description
  • This event generates every time security-disabled (distribution) global group is deleted.
  • This event generates only on domain controllers.
SIEM Security Monitoring
  • If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “Group\Group Name” values that correspond to the critical distribution groups.
  • If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
Detail Description

Subject:
  • SubjectUserSID: SID of account that requested the “create Computer object” operation. 
  • SubjectUserName: the name of the account that requested the “create Computer object” operation.
  • SubjectDomainName: subject’s domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  • SubjectLogon ID: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group (Target):
  • TargetSID: SID of created computer account.
  • TargetUserName: the name of the computer account that was created. For example: WIN81$
  • TargetDomainName: domain name of created computer account. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full domain name: contoso.local
Uppercase full domain name: CONTOSO.LOCAL

Attributes:
  • SAM Account Name: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName attribute of new computer object. For example: WIN81$.
  • SID History: contains previous SIDs used for the object if the object was moved from another domain. 
Additional Information:
  • Privileges: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)