Saturday, January 18, 2020

Event ID 4624 - An account was successfully logged on

Event ID 4624 - An account was successfully logged on

Json log sample:

{

"EventTime": "2017-10-09 05:00:00",

"Hostname": "LPWXDC.ChangeMe.local",

"Keywords": -9214364837600034816,

"EventType": "AUDIT_SUCCESS",

"SeverityValue": 2,

"Severity": "INFO",

"EventID": 4624,

"SourceName": "Microsoft-Windows-Security-Auditing",

"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",

"Version": 1,

"Task": 12544,

"OpcodeValue": 0,

"RecordNumber": 409583434,

"ProcessID": 824,

"ThreadID": 19048,

"Channel": "Security",

"Message": "An account was successfully logged on.",

"Category": "Logon",

"Opcode": "Info",

"SubjectUserSid": "S-1-0-0",

"SubjectUserName": "-",

"SubjectDomainName": "-",

"SubjectLogonId": "0x0",

"TargetUserSid": "S-1-5-18",

"TargetUserName": "LPW",

"TargetDomainName": "LP",

"TargetLogonId": "0x1828eb397",

"LogonType": "3",

"LogonProcessName": "Kerberos",

"AuthenticationPackageName": "Kerberos",

"LogonGuid": "{FD1B49BA-A5E9-5D7D-D3F4-D925B43807F2}",

"TransmittedServices": "-",

"LmPackageName": "-",

"KeyLength": "0",

"ProcessName": "-",

"WorkstationName": "LPLONSERVDBVM",

"IpAddress": "10.0.2.10",

"IpPort": "60208",

"ImpersonationLevel": "%%1833",

"EventReceivedTime": "2017-10-09 05:00:00",

"SourceModuleName": "wineventlog_in",

"SourceModuleType": "im_msvistalog"

}

This event is very important and highly valuable. It documents all successful attempt to logon to the local computer regardless of logon type, location of the user or type of account.

Subject User Information:
"SubjectUserSid"
"SubjectUserName"
"SubjectDomainName"
"SubjectLogonId"
This provides an information of account that request logon but not the actual user who logged on. This information are in general not that important from audit perspective but still there could be some cases where you would want to look into this. To find information regarding user who logged on we need to refer to Target User Information as below.

Target User Information:
"TargetUserSid" -> SID of an account
"TargetUserName" -> user who logged in
"TargetDomainName" -> domain name of user
"TargetLogonId" -> This is unique number between each reboot and it identifies each logon session. This can be used to correlate with logoff events 4634, 4647.
This provides an information about the user who just logged. To determine whether the account is local or domain compare TargetDomainName to the computer name. If they match, the account is a local account on that system, otherwise a domain account.

Type of logon:
"LogonType" -> This defines the type of logon. Possible values are as follows

	logon_type	description
	2	Interactive
	3	Network
	4	Batch
	5	Service
	7	Unlock
	8	NetworkCleartext
	9	NewCredentials
	10	RemoteInteractive
	11	CachedInteractive

Impersonation Level:

	impersonation level	description
	%%1832	Identification
	%%1833	Impersonation
	%%1840	Delegation
	%%1841	Denied by Process Trust Label ACE
	%%1842	Yes
	%%1843	No
	%%1844	System
	%%1845	Not Available
	%%1846	Default
	%%1847	DisallowMmConfig
	%%1848	Off
	%%1849	Auto

Network Information:

"IpAddress" -> IP address of the computer where the user is physically present
"IpPort" -> source TCP port of the logon request

"WorkstationName" -> the computer name of the computer where the user is physically present. Workstation may be blank in some Kerberos logons.

The launchpad to a career in IT. This program is designed to take beginner learners to job readiness in about eight months.

The Working of NTLM Authentication

Why NTLM:

Microsoft adopted Kerberos as the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains. Kerberos is typically used when a server belongs to a Windows Server domain, or if a trust relationship with a Windows Server Domain is established in some other way (such as Linux to Windows AD authentication). But NTLM can be used in either case(if you have a active directory or not).

NTLM is still used in the following situations:

The client is authenticating to a server using an IP address
The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust
The client is authenticating to a server that doesn't belong to a domain
No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer")
Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)

Working of NTLM:

The following steps present an outline of NTLM non-interactive authentication. The first step provides the user's NTLM credentials and occurs only as part of the interactive authentication (logon) process.

1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.

2. The client sends the user name to the server (in plaintext).

3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.

5. The server sends the following three items to the domain controller:

User name
Challenge sent to the client
Response received from the client

6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.

7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.

Your application should not access the NTLM security package directly; instead, it should use the Negotiate security package. Negotiate allows your application to take advantage of more advanced security protocols if they are supported by the systems involved in the authentication. Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication.

NTLM working in terms of status codes:

Windows NT Challenge/Response protocol

Windows NT Challenge/Response (NTCR) protocol differs from Kerberos in that the server presents the HTTP client with a "challenge" and the client responds with its response. This way, the client's password is never sent over the network. Authentication with the NTCR protocol occurs as follows:

1. Typically, the client issues an initial anonymous request. When the anonymous request is rejected, IIS returns a 401.2 error and the WWW-Authenticate headers.

2. If the client fails or does not support Kerberos, the Negotiate and NTLM header values initiate an NTCR authentication exchange. The client closes the TCP connection, opens a new one, and sends a request that includes an Authorization: NTLM header. This header also includes encoded text that represents the users UserName, ComputerName, and Domain. This text is used by the Windows Security Support Provider Interface (SSPI) to generate the challenge. If the user account is not a local Windows account on the IIS server, the data is passed on to an appropriate domain controller, which then generates the challenge.

3. The challenge is sent to the client and IIS returns another 401.1 error.

4. The client uses its password and the challenge to create a mathematical hash. The client sends the hash back to the server in another Authorization: NTLM header.

5. The server accepts the response, and the local security provider or the appropriate domain controller recreates the same hash and compares the two. If they match, the user is successfully authenticated.

Friday, January 17, 2020

Event ID 4625 - An account failed to logon

Event ID 4625 - An account failed to logon

Json log sample:

{

"EventTime": "2017/08/25 14:09:12"

"Hostname": "CIVDCS-ADC1.changeme.com"

"Keywords": -9218868437227405312

"EventType": "AUDIT_FAILURE"

"SeverityValue": 4

"Severity": "ERROR"

"EventID": 4625

"SourceName": "Microsoft-Windows-Security-Auditing"

"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"

"Version": 0

"Task": 12544

"OpcodeValue": 0

"RecordNumber": 56611365

"ProcessID": 528

"ThreadID": 4672

"Channel": "Security"

"Message": "An account failed to log on."

"Category": "Logon"

"Opcode": "Info"

"SubjectUserSid": "S-1-0-0"

"SubjectUserName": "-"

"SubjectDomainName": "-"

"SubjectLogonId": "0x0"

"TargetUserSid": "S-1-0-0"

"TargetUserName": "MININT-UP26I95$"

"TargetDomainName": "changeme"

"Status": "0xc000006d"

"FailureReason": "%%2313"

"SubStatus": "0xc000006a"

"LogonType": "3"

"LogonProcessName": "NtLmSsp "

"AuthenticationPackageName": "NTLM"

"WorkstationName": "MININT-UP26I95"

"TransmittedServices": "-"

"LmPackageName": "-"

"KeyLength": "0"

"ProcessName": "-"

"IpAddress": "172.23.130.64"

"IpPort": "65284"

"EventReceivedTime": "2017/08/25 14:09:12"

"SourceModuleName": "wineventlog_in"

"SourceModuleType": "im_msvistalog"

}

This event is very important and highly valuable. It documents all failed attempt to logon to the local computer regardless of logon type, location of the user or type of account.

Subject User Information:
"SubjectUserSid"
"SubjectUserName"
"SubjectDomainName"
"SubjectLogonId"
This provides an information of account that request logon but not the actual user who logged on. This information are in general not that important from audit perspective but still there could be some cases where you would want to look into this. To find information regarding user who logged on we need to refer to Target User Information as below.

Target User Information:
"TargetUserSid" -> SID of an account
"TargetUserName" -> user who logged in
"TargetDomainName" -> domain name of user
"TargetLogonId" -> This is unique number between each reboot and it identifies each logon session.
This provides an information about the user who just logged. To determine whether the account is local or domain compare TargetDomainName to the computer name. If they match, the account is a local account on that system, otherwise a domain account.

Type of logon:
"LogonType" -> This defines the type of logon. Possible values are as follows

	logon_type	description
	2	Interactive
	3	Network
	4	Batch
	5	Service
	7	Unlock
	8	NetworkCleartext
	9	NewCredentials
	10	RemoteInteractive
	11	CachedInteractive

Status and Sub Status Code:

status and sub_status_code	description
0XC000005E	There are currently no logon servers available to service the logon request.
0xC0000064	user name does not exist
0xC000006A	user name is correct but the password is wrong
0XC000006D	This is either due to a bad username or authentication information
0XC000006E	Unknown user name or bad password.
0xC000006F	user tried to logon outside his day of week or time of day restrictions
0xC0000070	workstation restriction or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000071	expired password
0xC0000072	account is currently disabled
0XC00000DC	Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC0000133	clocks between DC and other computer too far out of sync
0xc000015b	The user has not been granted the requested logon type (aka logon right) at this machine
0XC000018C	The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0XC0000192	An attempt was made to logon but the netlogon service was not started.
0XC0000193	account expiration
0XC0000224	user is required to change password at next logon
0xC0000225	evidently a bug in Windows and not a risk
0xC0000234	user is currently locked out
0XC0000413	Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.

Failure Reason:

			Failure reason	information
			%%2305	The specified user account has expired.
			%%2309	The specified account's password has expired.
			%%2310	Account currently disabled.
			%%2311	Account logon time restriction violation.
			%%2312	User not allowed to logon at this computer.
			%%2313	Unknown user name or bad password.

Network Information:

"IpAddress" -> IP address of the computer where the user is physically present
"IpPort" -> source TCP port of the logon request

"WorkstationName" -> the computer name of the computer where the user is physically present. Workstation may be blank in some Kerberos logons.

Why should you monitor this event?

To detect brute-force, dictionary, and other password guess attacks. Monitor sudden spike in failed logons.
To detect abnormal and possible malicious internal activity. Monitor a logon attempt from a disabled account or unauthorized workstation, users logging on outside of normal working hours, etc.
To benchmark Account lockout threshold policy setting. Determine number of failed login attempts before a user account gets locked.
To comply with regulatory mandates precise information surrounding failed logons is necessary.

Windows - List of Audit Events

Audit Event IDs list

Audit account logon events

Event ID	Description
4776	The domain controller attempted to validate the credentials for an account
4777	The domain controller failed to validate the credentials for an account
4768	A Kerberos authentication ticket (TGT) was requested
4769	A Kerberos service ticket was requested
4770	A Kerberos service ticket was renewed

Audit account management

Event ID	Description
4741	A computer account was created.
4742	A computer account was changed.
4743	A computer account was deleted.
4739	Domain Policy was changed.
4782	The password hash an account was accessed.
4727	A security enabled global group was created.
4728	A member was added to a security enabled global group.
4729	A member was removed from a security enabled global group.
4730	A security enabled global group was deleted.
4731	A security enabled local group was created.
4732	A member was added to a security enabled local group.
4733	A member was removed from a security enabled local group.
4734	A security enabled local group was deleted.
4735	A security enabled local group was changed.
4737	A security enabled global group was changed.
4754	A security enabled universal group was created.
4755	A security enabled universal group was changed.
4756	A member was added to a security enabled universal group.
4757	A member was removed from a security enabled universal group.
4758	A security enabled universal group was deleted.
4720	A user account was created.
4722	A user account was enabled.
4723	An attempt was made to change an account's password.
4724	An attempt was made to reset an account's password.
4725	A user account was disabled.
4726	A user account was deleted.
4738	A user account was changed.
4740	A user account was locked out.
4765	SID History was added to an account.
4766	An attempt to add SID History to an account failed.
4767	A user account was unlocked.
4780	The ACL was set on accounts which are members of administrators groups.
4781	The name of an account was changed:

Audit directory service access

Event ID	Description
4934	Attributes of an Active Directory object were replicated.
4935	Replication failure begins.
4936	Replication failure ends.
5136	A directory service object was modified.
5137	A directory service object was created.
5138	A directory service object was undeleted.
5139	A directory service object was moved.
5141	A directory service object was deleted.
4932	Synchronization of a replica of an Active Directory naming context has begun.
4933	Synchronization of a replica of an Active Directory naming context has ended.

Audit logon events

Event ID	Description
4634	An account was logged off.
4647	User initiated logoff.
4624	An account was successfully logged on.
4625	An account failed to log on.
4648	A logon was attempted using explicit credentials.
4675	SIDs were filtered.
4649	A replay attack was detected.
4778	A session was reconnected to a Window Station.
4779	A session was disconnected from a Window Station.
4800	The workstation was locked.
4801	The workstation was unlocked.
4802	The screen saver was invoked.
4803	The screen saver was dismissed.
5378	The requested credentials delegation was disallowed by policy.
5632	A request was made to authenticate to a wireless network.
5633	A request was made to authenticate to a wired network.

Audit object access

Event ID	Description
5140	A network share object was accessed.
4664	An attempt was made to create a hard link.
4985	The state of a transaction has changed.
5051	A file was virtualized.
5031	The Windows Firewall Service blocked an application from accepting incoming connections on the network.
4698	A scheduled task was created.
4699	A scheduled task was deleted.
4700	A scheduled task was enabled.
4701	A scheduled task was disabled.
4702	A scheduled task was updated.
4657	A registry value was modified.
5039	A registry key was virtualized.
4660	An object was deleted.
4663	An attempt was made to access an object.

Audit policy change

Event ID	Description
4715	The audit policy (SACL) on an object was changed.
4719	System audit policy was changed.
4902	The Per user audit policy table was created.
4906	The CrashOnAuditFail value has changed.
4907	Auditing settings on object were changed.
4706	A new trust was created to a domain.
4707	A trust to a domain was removed.
4713	Kerberos policy was changed.
4716	Trusted domain information was modified.
4717	System security access was granted to an account.
4718	System security access was removed from an account.
4864	A namespace collision was detected.
4865	A trusted forest information entry was added.
4866	A trusted forest information entry was removed.
4867	A trusted forest information entry was modified.
4704	A user right was assigned.
4705	A user right was removed.
4714	Encrypted data recovery policy was changed.
4944	The following policy was active when the Windows Firewall started.
4945	A rule was listed when the Windows Firewall started.
4946	A change has been made to Windows Firewall exception list. A rule was added.
4947	A change has been made to Windows Firewall exception list. A rule was modified.
4948	A change has been made to Windows Firewall exception list. A rule was deleted.
4949	Windows Firewall settings were restored to the default values.
4950	A Windows Firewall setting has changed.
4951	A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952	Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953	A rule has been ignored by Windows Firewall because it could not parse the rule.
4954	Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956	Windows Firewall has changed the active profile.
4957	Windows Firewall did not apply the following rule:
4958	Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
6144	Security policy in the group policy objects has been applied successfully.
6145	One or more errors occurred while processing security policy in the group policy objects.
4670	Permissions on an object were changed.

Audit privilege use

Event ID	Description
4672	Special privileges assigned to new logon.
4673	A privileged service was called.
4674	An operation was attempted on a privileged object.

Audit system events

Event ID	Description
5024	The Windows Firewall Service has started successfully.
5025	The Windows Firewall Service has been stopped.
5027	The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028	The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029	The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030	The Windows Firewall Service failed to start.
5032	Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033	The Windows Firewall Driver has started successfully.
5034	The Windows Firewall Driver has been stopped.
5035	The Windows Firewall Driver failed to start.
5037	The Windows Firewall Driver detected critical runtime error. Terminating.
4608	Windows is starting up.
4609	Windows is shutting down.
4616	The system time was changed.
4621	Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
4697	A service was installed in the system.
4618	A monitored security event pattern has occurred.