1. Windows Event Analysis Correlation for Investigation Mahendra Pratap Singh MS Cyber Law & Security, Lead Auditor ISO 27001 Team Whitehat People Email: mpsinghrathore@yahoo.co.in LinkedIn: www.linkedin.com/in/mpsingrathore Facebook: www.facebook.com/mpsinghrathore1 Website: www.mpsinghrathore.com Twitter: @mpsinghrathore

2. Introduction Windows Events, giving opportunity to look into Microsoft Windows machines for troubleshooting as well as for security analysis and investigation and it is the best and important piece to start with in case if any security incident occurred. Windows machines generates events for all the user activities and activities related to applications and OS running on it. Ability to find the right Event through Event IDs and linking them with other event IDs with common parameters, which are generated in course of same action (User based, application or OS), shows the action performed and processes executed on machine. Windows event analysis is useful for Information security incident investigation as well as for audit purpose. 3. Login and Logout Events Event IDs 528 and 4624 indicates successful login on Windows 2003 XP and Windows 2008/12 respectively. And event IDs 551/4647 are generated when user logs off whether its a network connection or manually from keyboard. Event IDs 538/4634 generally follow these event IDs when user logs off from a windows machine. Logon event ID 528/4624 shows important detail of user ID, domain in which user logged in, Logon type, logon ID, time of logon, workstation name, which process was used for authentication and it also shows IP address and source port when logged in remotely. 4. Login and Logout Events Other then direct important piece of information given in login event ID, two main and very important field are Logon ID and Logon Type. Logon ID is used to correlate to many other event IDs which are generated during logon session. Using this logon ID, we find user who performed any particular action during the logon session. Similarly, Logon Type shows the method or the way user logged in the Windows machine. Whether its network logon (RDP), interactive logon (through keyboard), batch etc. 5. Logon Types Logon Type 2 Interactive We see type 2 logons when a user attempts to log on using local keyboard and screen whether with a domain account or a local account from the computers local SAM. To find the difference between an attempt to logon with a local or domain account look for the domain or computer name preceding the user name in the events description. Logon Type 3 Network Windows logs logon type 3 in most cases when we access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. 6. Logon Types Logon type 4 Batch When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4. Logon type 5 Service Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff event with logon type 5. 7. Logon Types Logon type 7 Unlock When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event but in this case the logon type will be 7 identifying the event as a workstation unlock attempt. Logon type 8 Network Clear Text This logon type indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. 8. Logon Types Logon type 9 New Credential If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9. Logon Type 10 Remote Interactive When you access a computer through Terminal Services, Remote Desktop or Remote Assistance windows logs the logon attempt with logon type 10 which makes it easy to distinguish true console logons from a remote desktop session 9. Logon Types Logon type 11 Cached Interactive Windows supports a feature called Cached Logons which facilitate mobile users. When you are not connected to your organizations network and attempt to logon to your laptop with a domain account theres no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to logon with a domain account. 10. Object Operation (Access, Open, Delete, Handle) In Windows machines, object access and operations performed on it are audited according to audit policies enforced on host machines through Domain Controller if machine is in domain environment. Any particular file or folder which needs to be monitored or investigated through Windows event should be enabled for audit through Windows Audit policies. If done so, any attempt to access, modify, delete, move will generate Windows events and through these events we can track user activity and their operations. 11. Object Operation (Access, Open, Delete, Handle) 560 (4656) Object Open - logged whenever a program opens an object. In Windows, a program first opens an object requesting certain types of access (i.e. read and/or write). Windows compares the objects ACL to the program's access token which identifies the user and groups to which the user belongs. The open may succeed or fail depending on this comparison. Regardless, Windows then checks the audit policy of the object. If the policy enables auditing for the user, type of access requested and the success/failure result, Windows records generates event 560. In the case of failed access attempts, event 560/4656 is the only event recorded. 12. Object Operation (Access, Open, Delete, Handle) 567 (4657, 4663) Object Access Attempt- Logs the actual permissions exercised by the user/program on the object after opening it. Event 567 asserts that the Accesses obtained for an object in Event 560 where actually used. 562 (4658) Handle Closed After successfully opening an object, a program eventually closes it which is documented by event 562/4658. Event 562 helps you determine how long the object was open. For this event to be useful you must link it back to the earlier event ID 560 (Object Open) with the same handle ID. 13. Object Operation - Correlation New Handle ID: When a program opens an object it obtains a handle to the file which it uses in subsequent operations on the object. We can link an event to other events involving the same session of access to an object by the program by looking for events with the same handle ID. To determine the name of the program used to open an object - Event 560 AND Event 592 AND Process ID (Common in both Event IDs) Event 4656 AND Event 4688 AND Process ID (Common in both Event IDs) 14. Object Operation - Correlation Object Open and Access Attempted Event ID 560 AND Event ID 567 AND Handle ID (Common in both Event IDs) Event ID 4656 AND Event ID 4663 AND Handle ID (Common in both Event IDs) Registry Key Open-Modified-Closed Event ID 4656 AND Event ID 4657 AND Event ID 4658 (with Same Handle ID) 15. Sample Object Access Event ID description This is how an event generated on Object Access shown in event viewer with detail mentioned. Subject: The user and logon session that performed the action. Security ID: The SID of the account. Account Name: The account logon name. Account Domain: The domain or - in the case of local accounts - computer name. Logon ID: is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session 16. Sample Object Access Event ID description contd Object: This is the object upon which the action was attempted. Object Server: always "Security" Object Type: "File" for file or folder but can be other types of objects such as Key, SAM, SERVICE OBJECT, etc. Object Name: The name of the object being accessed Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658) Resource Attributes: (Win2012) Resource attributes a new feature that allows you to classify objects according to any number of things like project, compliance, security level. It's part of dynamic access control new to Win2012. 17. Sample Object Access Event ID description contd Process Information: Process Name: identifies the program executable that accessed the object. Process ID: is the process ID specified when the executable started as logged in 4688. Access Request Information: Transaction ID: unknown. Accesses: These are permissions requested. The correspond to the permissions available in the Permission Entry dialog for any access control entry on the object. Access Reasons: (Win2012) This lists each permission granted and the reason behind - usually the relevant access control entry (in SDDL format). 18. Sample Object Access Event ID description contd Access Mask: this is the bitwise equivalent of Accesses. Access Mask Number Access Mask Action 1537 (0x10000) Delete 1538 Read_CONTROL 1541 synchronize 4416 (0x1) ReadData(or List Directory) 4417 (0x6) WriteData(or Add File) (0x2 on Windows 2008 Server) 4418 (0x4) AppendData (or AddSubdirectory) 4419 ReadEA 4420 WriteEA 4423 ReadAttributes 4424 WriteAttributes 4432 (0x1) Query Key Value 4433 (0x2) Set Key Value 4434 (0x4) Create Sub Key 19. Sample Object Access Event ID description contd Privileges Used For Access Check: Lists any privileges requested. The only time I'm aware of this field being filled in is when you take ownership of an object in which case you'll see SeTakeOwnershipPrivilege. Restricted SID Count: unknown. 20. Object Delete User Search Correlation To determine the Subject (Person) who deleted the Object:- Steps:- Object Deletion alert notification (Event ID 564/4660) will give Process ID. Use that Process ID to search objects open Event ID (Event ID 560/4656). Object Open Event ID (560/4656) will give Primary Logon ID. Now, search Hostname with Primary logon ID with inverted comma and Login event ID (528/4624), with AND logical operation (If any event management tool is used) It should give Login event on relevant host with login account name. 21. Object Delete User Search Correlation Final Query: - HOSTNAME = AND "Logon ID:" AND EVENTID = 528/4624 To determine the Object Deleted To determine the name of the object deleted look for a prior event 560 with the same handle ID. 22. General Search Queries Exact login events on server HOSTNAME = AND EVENTID = 4624/528 AND MESSAGE != "Logon Type: 3" User Login and Logout Duration EVENTID = 528/4624 (Logon event)EVENTID = 551/4647 (Logout event) Link with a common Logon ID for both logon and logout events User X successfully logged on a host: EVENTID = 4624 AND USERNAME = AND REMOTEHOST = 23. General Search Queries User account was changes EVENTID = 4738 AND USERNAME = Attempt was made to change an account's password EVENTID = 4723 AND USERNAME = User X failed to log on a host: EVENTID = 4625 AND USERNAME = AND REMOTEHOST = Check locked user account EVENTID = 4740 24. General Search Queries Check Failed authentication for a particular user on a remote host machine EVENTID = 4771 AND USERNAME = AND REMOTEHOST = Particular Object request by a user EVENTID = 4656 AND OBJECTNAME = AND HOSTNAME = AND USERNAME = 25. By Mahendra Pratap Singh MS Cyber Law & Security, Lead Auditor ISO 27001 Team Whitehat People Email: mpsinghrathore@yahoo.co.in LinkedIn: www.linkedin.com/in/mpsingrathore Facebook: www.facebook.com/mpsinghrathore1 Website: www.mpsinghrathore.com Twitter: @mpsinghrathore Content in slides is best of my understanding with the source. Thank You