How to analyze a user's activity in Windows
TRANSCRIPT
© 2008 Monterey Technology Group Inc. 1
Beyond Single Event Analysis: Analyzing Multiple Events to Reduce False Positives and Gain Deeper Insight into the Security Log
Commissioned by:
Download the slides here
www.ultimatewindowssecurity.com/latestwebinar/slides.pdf
UltimateWindowsSecurity.com
Brought to you by
www.sensage.com
Speaker: Brad Kekst
UltimateWindowsSecurity.com Preview of Key Points
How long…
• Was a user logged on?
• Did a program run?
• Was a file open?
What permissions were really exercised?
For any event…
• How was the user logged on?
• What computer was the user at?
Reducing noise
UltimateWindowsSecurity.com How long… Was a user logged on?
Logon event (528) and logoff event (551): link by Logon ID
• Event 528 (logon) opens the session; various events follow during the session; Event 551 (logoff) closes it
• The logon and logoff events carry the same Logon ID
UltimateWindowsSecurity.com How long… Did a program run?
Process start event (592) and process close event (593): link by Process ID
• Event 592 (start) opens the run; various events follow while the process runs; Event 593 (close) ends it
• The start and close events carry the same Process ID
UltimateWindowsSecurity.com How long… Was a file open?
File open (560) and file close (562): link by Handle ID
• Event 560 (open) opens the access; Event 567 (access attempt) events follow while the handle is open; Event 562 (close) ends it
• The open, access attempt and close events carry the same Handle ID
UltimateWindowsSecurity.com What permissions were really exercised?
560 – File open: only tells you what types of access were requested when opening the file, not whether that access was actually used
567 – Access attempt: only tells you the permission exercised, not the file name
Solution: link 560 and 567 by Handle ID to get the file name and the permissions actually exercised
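As an added example (not from the webinar), the three link-by-ID pairings and the 560/567 Handle ID join from the slides above, in Python over constructed sample events. The event IDs, Process ID 1688, Handle ID 1468, Logon ID and file name are taken from the slides; the timestamps, access masks and field names are assumptions.

```python
from datetime import datetime

# Constructed sample events using the slides' Windows 2003-era event IDs
# (528/551 logon-logoff, 592/593 process, 560/567/562 file handle).
# Timestamps, access strings and field names are assumptions.
EVENTS = [
    {"id": 528, "time": "2008-03-01 09:00:00", "LogonID": "(0x0,0x558DD)"},
    {"id": 592, "time": "2008-03-01 09:05:00", "ProcessID": "1688",
     "Image": r"C:\WINDOWS\system32\notepad.exe"},
    {"id": 560, "time": "2008-03-01 09:06:00", "HandleID": "1468",
     "ObjectName": r"C:\ConfidentialFiles\ProjectPlan.doc.txt",
     "Accesses": "ReadData WriteData"},          # access *requested* at open
    {"id": 567, "time": "2008-03-01 09:06:30", "HandleID": "1468",
     "Accesses": "WriteData"},                   # access actually *exercised*
    {"id": 562, "time": "2008-03-01 09:07:00", "HandleID": "1468"},
    {"id": 593, "time": "2008-03-01 09:08:00", "ProcessID": "1688"},
    {"id": 551, "time": "2008-03-01 10:30:00", "LogonID": "(0x0,0x558DD)"},
]

def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")

def pair_by_key(events, start_id, end_id, key):
    """Link each start event to the next end event carrying the same key value
    (Logon ID, Process ID or Handle ID). Returns (start, end, seconds) tuples;
    end and seconds are None for a start that has no matching end yet."""
    open_ = {}  # key value -> unmatched start event (IDs get reused, so keep one)
    out = []
    for e in sorted(events, key=_ts):
        if e["id"] == start_id:
            open_[e[key]] = e
        elif e["id"] == end_id and e.get(key) in open_:
            s = open_.pop(e[key])
            out.append((s, e, (_ts(e) - _ts(s)).total_seconds()))
    out.extend((s, None, None) for s in open_.values())
    return out

def access_actually_used(events):
    """Join 560 (file name, requested access) with 567 (exercised access)
    on Handle ID, giving (file name, permission really used) pairs."""
    opens = {e["HandleID"]: e for e in events if e["id"] == 560}
    return [(opens[e["HandleID"]]["ObjectName"], e["Accesses"])
            for e in events if e["id"] == 567 and e["HandleID"] in opens]

if __name__ == "__main__":
    for s, e, secs in pair_by_key(EVENTS, 528, 551, "LogonID"):
        print("session", s["LogonID"], "lasted", secs, "s")
    print(access_actually_used(EVENTS))
```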
UltimateWindowsSecurity.com Linking back to the logon event
For any event… How was the user logged on? What computer was the user at?
Link back to the logon event: Event 528 or 540 with the same Logon ID that precedes the event in question
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\ConfidentialFiles\ProjectPlan.doc.txt
New Handle ID: 1468
Operation ID: {0,1023441}
Process ID: 1688
Image File Name: C:\WINDOWS\system32\notepad.exe
Primary User Name: administrator
Primary Domain: ELMW2
Primary Logon ID: (0x0,0x558DD)
Successful Logon:
User Name: administrator
Domain: ELMW2
Logon ID: (0x0,0x558DD)
Logon Type: 2
….
UltimateWindowsSecurity.com Linking back to the logon event
How was the user logged on? Check Logon Type
Successful Logon:
User Name: administrator
Domain: ELM
Logon ID: (0x0,0x558DD)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: W2MS
Logon GUID: {d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.42.42.170
Source Port: 3165
UltimateWindowsSecurity.com Linking back to the logon event
How was the user logged on? Check Logon Type
Logon Type  Description
2           Interactive (logon at keyboard and screen of system)
3           Network (i.e. connection to a shared folder on this computer from elsewhere on the network, or IIS logon; never logged by 528 on W2k and forward, see event 540)
4           Batch (i.e. scheduled task)
5           Service (service startup)
8           NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication"). See this article for more information.
10          RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11          CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop away from the network)
UltimateWindowsSecurity.com Linking back to the logon event
What computer was the user at? Check IP address and workstation name
(Same Successful Logon event as above; the fields to read are Workstation Name: W2MS, Source Network Address: 10.42.42.170 and Source Port: 3165)
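As an added example (not from the webinar), the "link back to the logon event" step in Python: for any event carrying a Primary Logon ID, find the most recent preceding 528/540 with that Logon ID and read its Logon Type, Workstation Name and Source Network Address. The Logon Type table, Logon ID, workstation and address values are from the slides; the sample events, timestamps and field names are assumptions, and the older 540 event is constructed to show why "precedes" matters when a Logon ID value is reused.

```python
from datetime import datetime

# Logon Type codes as listed on the slide (Windows 2000/2003 security log).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    8: "NetworkCleartext", 10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample: the 528 and 560 events from the slide, plus an older
# network logon (540) that reused the same Logon ID value on an earlier day.
EVENTS = [
    {"id": 540, "time": "2008-02-20 08:00:00", "LogonID": "(0x0,0x558DD)",
     "LogonType": 3, "Workstation": "FILESRV", "SourceAddr": "10.42.42.9"},
    {"id": 528, "time": "2008-03-01 09:00:00", "LogonID": "(0x0,0x558DD)",
     "LogonType": 2, "Workstation": "W2MS", "SourceAddr": "10.42.42.170"},
    {"id": 560, "time": "2008-03-01 09:06:00", "PrimaryLogonID": "(0x0,0x558DD)",
     "ObjectName": r"C:\ConfidentialFiles\ProjectPlan.doc.txt", "ProcessID": "1688"},
]

def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")

def logon_for_event(events, event):
    """Return the latest 528/540 that precedes `event` and carries the Logon ID
    the event was performed under, or None if no such logon was logged."""
    lid = event.get("PrimaryLogonID") or event.get("LogonID")
    candidates = [e for e in events
                  if e["id"] in (528, 540) and e.get("LogonID") == lid
                  and _ts(e) <= _ts(event)]
    return max(candidates, key=_ts, default=None)

def describe_session(events, event):
    """Answer 'how was the user logged on?' and 'what computer was the user at?'
    for one event by reading the linked logon event's fields."""
    logon = logon_for_event(events, event)
    if logon is None:
        return None  # orphan: logon happened before the log's retention window
    lt = logon["LogonType"]
    return {
        "logon_type": LOGON_TYPES.get(lt, "unknown (%s)" % lt),
        "workstation": logon["Workstation"],
        "source_address": logon["SourceAddr"],
    }

if __name__ == "__main__":
    print(describe_session(EVENTS, EVENTS[2]))
```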
UltimateWindowsSecurity.com Tying It All Together
From my security log poster www.ultimateWindowsSecurity.com/grok
UltimateWindowsSecurity.com Reducing noise
• Bogus account enabled
• Bogus password resets
UltimateWindowsSecurity.com Reducing noise: Bogus account enabled
Windows always logs a bogus account enabled event (626) after new accounts are created (624).
Filter out 626s preceded by a 624 in the past 3 seconds where the target user name is the same.
UltimateWindowsSecurity.com Reducing noise: Bogus password resets
Windows always logs a bogus account password reset event (628) after new accounts are created (624).
Filter out 628s preceded by a 624 in the past 3 seconds where the target user name is the same.
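As an added example (not from the webinar), the two noise filters above implemented together in Python: a 626 or 628 is suppressed only when a 624 for the same target user name was logged at most 3 seconds earlier, so a genuine enable or password reset on an existing account still surfaces. The event IDs and the 3-second window are from the slides; the sample log and field names are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=3)
# Follow-up events Windows logs on its own right after an account creation (624).
BOGUS_AFTER_CREATE = {626: "account enabled", 628: "password reset"}

# Constructed sample log: "svc_backup" is created and Windows logs the 626/628
# pair straight after it; later a real enable and a real reset happen for "jdoe".
EVENTS = [
    {"id": 624, "time": "2008-03-01 09:00:00", "Target": "svc_backup", "Caller": "administrator"},
    {"id": 626, "time": "2008-03-01 09:00:01", "Target": "svc_backup", "Caller": "administrator"},
    {"id": 628, "time": "2008-03-01 09:00:02", "Target": "svc_backup", "Caller": "administrator"},
    {"id": 626, "time": "2008-03-01 09:00:02", "Target": "jdoe", "Caller": "administrator"},
    {"id": 628, "time": "2008-03-01 14:00:00", "Target": "jdoe", "Caller": "helpdesk"},
]

def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")

def suppress_creation_noise(events, window=WINDOW):
    """Drop 626/628 events preceded by a 624 for the same target user within
    `window`. Events are processed in time order, so a 624 only ever suppresses
    follow-ups that come after it, never a reset logged before the creation."""
    last_create = {}  # target user name -> time of most recent 624
    kept = []
    for e in sorted(events, key=_ts):
        t = _ts(e)
        if e["id"] == 624:
            last_create[e["Target"]] = t
            kept.append(e)
            continue
        created = last_create.get(e["Target"])
        if (e["id"] in BOGUS_AFTER_CREATE and created is not None
                and timedelta(0) <= t - created <= window):
            continue  # bogus follow-up of an account creation: filter it out
        kept.append(e)
    return kept

if __name__ == "__main__":
    for e in suppress_creation_noise(EVENTS):
        print(e["time"], e["id"], e["Target"], "by", e["Caller"])
```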
UltimateWindowsSecurity.com Bottom line
Multi-event analysis at report time is tough: it requires correlated sub-query capability in the query engine…
UltimateWindowsSecurity.com Want to Learn More?
Sensage: www.sensage.com
Windows Security Training
[email protected] [email protected]