Security Basics mailing list archives
RE: Windows Log
From: "dave kleiman" <dave () davekleiman com>
Date: Thu, 19 Jan 2006 21:25:01 -0500
""" Now a script for pulling the logons from the workstations to correlate
your data.
Here you will see a 528 followed immediately by a 576."""
Should have been 576 followed by 528
Dave
-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: Thursday, January 19, 2006 21:09
To: 'security-basics () securityfocus com'
Cc: 'Nick Duda'
Subject: RE: Windows Log
Nick,
There is no way to say when "employees logon/logoff of a
PC physically on the network" unless you are keeping a
video log in correlation with a logon log, that shows the
user logging into the workstation.
If you would like to keep track of user-accounts and when
that user-account was utilized to logon the network you
could do the following:
First of all you will want understand the Event Ids, and
what each piece of each event stands for.
For instance the Logon type on Logon failures:
2 'Interactive - Intended for users who will be
interactively using the machine, such as a user being
logged on by a terminal server, remote shell, or similar process.'
3 'Network - Intended for high performance servers to
authenticate clear text passwords. LogonUser does not
cache credentials for this logon type.'
4 'Batch - Intended for batch servers, where processes may
be executing on behalf of a user without their direct
intervention; or for higher performance servers that
process many clear-text authentication attempts at a time,
such as mail or web servers. LogonUser does not cache
credentials for this logon type.'
5 'Service - Indicates a service-type logon. The account
provided must have the service privilege enabled.'
6 'Proxy - Indicates a proxy-type logon.'
ETC. ETC.
Two good resources for this are:
http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
and
http://www.microsoft.com/downloads/details.aspx?familyid=95
A85136-F08F-4B20-942F-DC9CE56BCD1A&displaylang=en
Now if you want to find out when a workstation was
utilized to logon the domain, you would correlate the
workstations log with the DC log. First make sure the
auditing is on both the workstation and the DC.
You should start by downloading Microsoft® Log Parser:
http://www.microsoft.com/downloads/details.aspx?FamilyID=89
0cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
Secondly, you might benefit form buying the Microsoft Log
Parser Toolkit book as it covers much of this:
http://www.syngress.com/catalog/?pid=3110
Now we can make a script or 2 and retrieve the information
you want.
SELECT
TimeGenerated AS TimeGenerated,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
WHEN 2 THEN '2=Interactive'
WHEN 3 THEN '3=Network'
WHEN 4 THEN '4=Batch'
WHEN 5 THEN '5=Service'
WHEN 6 THEN '6=Proxy'
WHEN 7 THEN '7=Unlock'
WHEN 8 THEN '8=NetworkCleartext'
WHEN 9 THEN '9=NewCredentials'
WHEN 10 THEN '10=RemoteInteractive'
WHEN 11 THEN '11=CachedInteractive'
WHEN 13 THEN '13=CachedRemoteInteractive'
WHEN 14 THEN '14=CachedUnlock'
END AS Type
INTO SecEvtLogonSuccesTime.csv
FROM security
WHERE EventID IN (540) AND SourceAddress IS NOT NULL GROUP
BY User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated DESC
Save this to a file SecEvtLogonSuccesTime.sql in the
Log Parser directory.
Run it from the command prompt in the Log Parser directory:
logparser file:SecEvtLogonSuccesTime.sql
It will output SecEvtLogonSuccesTime.csv Now you all the
logons form the DC.
By the way if you look in the event log, the successful
logons from network workstation authenticating to the DC,
you will see a 576 followed immediately by a 540.
Now a script for pulling the logons from the workstations
to correlate your data.
Here you will see a 528 followed immediately by a 576.
SELECT
TimeGenerated AS TimeGenerated,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
WHEN 2 THEN '2=Interactive'
WHEN 3 THEN '3=Network'
WHEN 4 THEN '4=Batch'
WHEN 5 THEN '5=Service'
WHEN 6 THEN '6=Proxy'
WHEN 7 THEN '7=Unlock'
WHEN 8 THEN '8=NetworkCleartext'
WHEN 9 THEN '9=NewCredentials'
WHEN 10 THEN '10=RemoteInteractive'
WHEN 11 THEN '11=CachedInteractive'
WHEN 13 THEN '13=CachedRemoteInteractive'
WHEN 14 THEN '14=CachedUnlock'
END AS Type
INTO SecEvtLogonSuccesTime_Remote-WS.csv
FROM \\%machine%\security
WHERE EventID IN (528) AND SourceAddress IS NOT NULL GROUP
BY User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated DESC
Save this to a file
SaveSecEvtLogonSuccesTime_Remote-WS.sql in the Log
Parser directory.
Run it from the command prompt in the Log Parser directory:
logparser
file:SecEvtLogonSuccesTime_Remote-WS.sql?machine=THEWORKSTATIONNAME
It will output SecEvtLogonSuccesTime_Remote-WS.csv
Microsoft Log Parser Toolkit:
http://www.syngress.com/catalog/?pid=3110
And
Security Log Management: Identifying Patterns in the Chaos:
http://www.syngress.com/catalog/?pid=3440
If you need to know how to make it into a pretty HTML page
with pie charts etc. the answers our in there.
Additionally, you could come to the CyberCrime Summit:
http://www.southeastcybercrimesummit.com/schedule/SCHEDULE.HTM
I am giving 2 4-hour hands-on advanced Log Parser classes.
Regards,
Dave
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
www.SecurityBreachResponse.com
-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com]
Sent: Thursday, January 19, 2006 09:56
To: security-basics () securityfocus com
Subject: RE: Windows Log
To continue this topic, I'm faced with the same thing....
The problem is that with all these event id's 672, 673,
540...etc there is still no positive way to say , when a
user logged on (via cntrl,alt delete) and logged off, as
in shutdown or log off.
My goal, is to use syslog or some other form of monitoring
to keep records of each employees logon/logoff of a PC
physically on the network. I've been knee deep into all
these event id's and nothing is accurate.
Please help.
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Current thread:
- Re: Windows Log, (continued)
- Re: Windows Log Neil (Jan 17)
- Re: Windows Log hackman (Jan 17)
- RE: Windows Log Nick Duda (Jan 19)
- RE: Windows Log Ramsdell, Scott (Jan 20)
- RE: Windows Log dave kleiman (Jan 23)
- RE: Windows Log Nick Duda (Jan 20)
- Re: Windows Log List Spam (Jan 22)
- Re: Windows Log Ryan Cummings (Jan 22)
- Re: Windows Log Philippe De Ryck (Jan 23)
- RE: Windows Log dave kleiman (Jan 22)
- RE: Windows Log dave kleiman (Jan 22)
- RE: Windows Log Joe Quigley (Jan 22)
- RE: Windows Log Ramsdell, Scott (Jan 24)
- RE: Windows Log Meredith, Charles (HRD) (Jan 24)
- RE: Windows Log dave kleiman (Jan 26)
- RE: Windows Log Meredith, Charles (HRD) (Jan 26)