Mastering Windows Network Forensics and Investigation
Chapter 14: Other Audit Events
Chapter Topics:
• Logging of Modifications to Groups, Accounts, Policies
• Object Access Logs
Changes to Accounts (Win XP)
• Event ID 624 records account creation
• Event ID 642 records changes to existing accounts
• Event ID 626 shows accounts being activated
Changes to Accounts (Win Vista +)
• Event ID 4720 records account creation
• Event ID 4738 records changes to existing accounts
• Event ID 4722 shows accounts being activated
Changes to Accounts (Win XP)
• New Account Name is the account being modified
• Caller User Name is the account causing the action
Changes to Accounts (Win Vista +)
• New Account: Account Name is the account being modified
• Subject: Security ID is the account causing the action
Changes to Accounts (slides 7 and 8: screenshots only; not captured in the transcript)
Changes to Groups
• Changes to group membership are a common way for an attacker to raise their privilege level
• These changes are logged with an Event ID that depends on the type of group
Changes to Groups
| Vista+ Event ID | Win XP/2003 Event ID | Action Indicated |
|---|---|---|
| 4728 | 632 | Member added to global security group |
| 4729 | 633 | Member removed from global security group |
| 4732 | 636 | Member added to local security group |
| 4733 | 637 | Member removed from local security group |
| 4746 | 650 | Member added to local distribution group |
| 4747 | 651 | Member removed from local distribution group |
| 4751/4761 | 655 | Member added to global distribution group |
| 4752 | 656 | Member removed from global distribution group |
| 4756 | 660 | Member added to universal security group |
| 4757 | 661 | Member removed from universal security group |
| N/A | 665 | Member added to universal distribution group |
| 4762 | 666 | Member removed from universal distribution group |
Changes to Groups (Win XP)
• The account that is impacted (added to or removed from a group) is called the Member ID
• The group that is changed is called the Target Account Name
• The account that initiated the change is called the Caller User Name
Changes to Groups (Win Vista +)
• The account that is impacted (added to or removed from a group) is called the Member: Security ID
• The group that is changed is listed under Group
• The account that initiated the change is called the Account Name
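The account-change and group-change slides above name the fields an investigator reads: the Subject is the actor, the target account or group is what was changed, and the Member is the account whose membership changed. The following is an added example (not code from the book) that turns those field roles and the chapter's Vista+ Event IDs into a small triage routine. It assumes records in the Windows Event XML shape; the sample records, the account names, SIDs and the watched-group list are all constructed for this example.

```python
"""Triage of account- and group-change events from a Windows Security log.

Added example, not from the book. Uses the Vista+ Event IDs and field roles
the chapter lists: SubjectUserName/SubjectUserSid is the actor,
TargetUserName is the account (or group) being changed, MemberSid is the
account whose group membership changed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event ID -> action, taken from the chapter's Vista+ lists and table.
ACTIONS = {
    4720: "account created",
    4722: "account enabled",
    4738: "account changed",
    4728: "member added to global security group",
    4729: "member removed from global security group",
    4732: "member added to local security group",
    4733: "member removed from local security group",
    4746: "member added to local distribution group",
    4747: "member removed from local distribution group",
    4751: "member added to global distribution group",
    4752: "member removed from global distribution group",
    4756: "member added to universal security group",
    4757: "member removed from universal security group",
    4762: "member removed from universal distribution group",
}
ACCOUNT_EVENTS = {4720, 4722, 4738}

# Groups whose membership changes deserve immediate review (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def parse_event(xml_text):
    """Return (event_id, time, {Data Name: value}) for one <Event> record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    time = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, time, data


def summarize(xml_text):
    """Name the actor, the target and the action for one record."""
    event_id, time, d = parse_event(xml_text)
    summary = {
        "time": time,
        "id": event_id,
        "action": ACTIONS.get(event_id, "event %d (not in chapter table)" % event_id),
        "actor": d.get("SubjectDomainName", "") + "\\" + d.get("SubjectUserName", ""),
        "actor_sid": d.get("SubjectUserSid", ""),
    }
    if event_id in ACCOUNT_EVENTS:
        summary["target"] = d.get("TargetUserName", "")   # the account changed
    else:
        summary["member"] = d.get("MemberSid", "")        # the account moved
        summary["group"] = d.get("TargetUserName", "")    # the group changed
    return summary


def is_privileged_addition(summary):
    """True when a member was added to one of the watched groups."""
    return (summary["action"].startswith("member added")
            and summary.get("group") in PRIVILEGED_GROUPS)


def triage(records):
    """Summaries in the order given, so a reviewer can read them as a timeline."""
    return [summarize(r) for r in records]


# Constructed sample records (not real log output): a creation, a group
# addition and an account change, all performed by the same actor.
SAMPLE_RECORDS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4720</EventID><TimeCreated SystemTime="2022-06-22T14:01:07Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup2</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><TimeCreated SystemTime="2022-06-22T14:01:30Z"/></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><TimeCreated SystemTime="2022-06-22T14:02:10Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup2</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        flag = "  <-- privileged group" if is_privileged_addition(row) else ""
        print(row["time"], row["id"], row["action"], "by", row["actor"], flag)
```

The Vista+ IDs that the chapter's table marks N/A or lists with a slash are left as the table gives them; an ID missing from the map is reported as "not in chapter table" rather than guessed.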
Changes to Groups (slide 13: screenshot only; not captured in the transcript)
Changes to Audit Policy (Win XP)
• Event ID 612 shows the end result of a change in audit policy
Changes to Audit Policy (Win Vista +)
• Event ID 4719 shows the end result of a change in audit policy
Object Access
• Objects include files, folders, printers, etc.
• Auditing must be configured for each object
• The object handle can be used to correlate related events in the event log
Object Access (Win XP)
• Event ID 560 records opening of handles
• Event ID 562 records closing of handles
• Event ID 567 shows which access permissions were actually used
Object Access (Win Vista+)
• Event ID 4656 records opening of handles
• Event ID 4658 records closing of handles
• Event ID 4657 shows which access permissions were actually used
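The Object Access slides make two points worth carrying into code: the handle value ties the open, the intermediate access records and the close together, and that correlation is what lets an investigator say which object a subject touched and for how long. The following is an added example (not code from the book) that does that pairing over constructed records. The input is a list of plain dicts with field names chosen for this example (time, id, pid, handle, subject, object, accesses), not real log output; it uses the Vista+ IDs the chapter lists for handle open (4656) and close (4658), and attaches any other record that carries the same handle while it is open. It also handles the case the slides imply but do not spell out: a handle value is reused by a process once closed, so the match must be stateful and keyed on process plus handle, not a flat grouping by handle alone.

```python
"""Correlate object-access records by handle, as the chapter suggests.

Added example, not from the book. Records are constructed dicts; the field
names are this example's own. OPEN and CLOSE are the Vista+ IDs from the
chapter's slide; any other record sharing the handle while it is open (such
as the accesses-actually-used record the slide describes) is attached.
"""
from datetime import datetime

OPEN, CLOSE = 4656, 4658


def _new_session(rec):
    return {"object": rec.get("object"), "subject": rec["subject"],
            "opened": rec["time"], "closed": None,
            "requested": rec.get("accesses", ""), "used": [],
            "status": "open"}


def correlate(records):
    """Pair each handle open with its close.

    Keyed on (pid, handle): a handle value is reused by the same process once
    it has been closed, so grouping by handle alone would merge unrelated
    opens of different objects.
    """
    open_handles = {}   # (pid, handle) -> session in progress
    sessions = []
    for rec in sorted(records, key=lambda r: r["time"]):  # ISO times sort as text
        key = (rec["pid"], rec["handle"])
        if rec["id"] == OPEN:
            if key in open_handles:            # reopened with no close logged
                stale = open_handles.pop(key)
                stale["status"] = "no close seen"
                sessions.append(stale)
            open_handles[key] = _new_session(rec)
        elif rec["id"] == CLOSE:
            session = open_handles.pop(key, None)
            if session is None:                # close for a handle we never saw opened
                orphan = _new_session(rec)
                orphan.update(opened=None, closed=rec["time"],
                              status="close without open")
                sessions.append(orphan)
                continue
            session["closed"] = rec["time"]
            session["status"] = "closed"
            session["seconds"] = (datetime.fromisoformat(rec["time"])
                                  - datetime.fromisoformat(session["opened"])
                                  ).total_seconds()
            sessions.append(session)
        elif key in open_handles:              # intermediate record on an open handle
            open_handles[key]["used"].append(rec.get("accesses", ""))
    for session in open_handles.values():      # still open at the end of the log
        session["status"] = "never closed"
        sessions.append(session)
    return sessions


# Constructed sample (not real log output). The same handle value 0x1a4 is
# reused by process 0x8f0 for a second object, and a third open never closes.
SAMPLE = [
    {"time": "2022-06-22T14:02:00", "id": 4656, "pid": "0x8f0", "handle": "0x1a4",
     "subject": "CORP\\jdoe", "object": "C:\\Finance\\payroll.xlsx",
     "accesses": "ReadData WriteData"},
    # accesses actually used, the ID as the chapter's slide lists it
    {"time": "2022-06-22T14:02:01", "id": 4657, "pid": "0x8f0", "handle": "0x1a4",
     "subject": "CORP\\jdoe", "object": "C:\\Finance\\payroll.xlsx",
     "accesses": "ReadData"},
    {"time": "2022-06-22T14:02:05", "id": 4658, "pid": "0x8f0", "handle": "0x1a4",
     "subject": "CORP\\jdoe"},
    {"time": "2022-06-22T14:03:00", "id": 4656, "pid": "0x8f0", "handle": "0x1a4",
     "subject": "CORP\\jdoe", "object": "C:\\Finance\\bonus_plan.docx",
     "accesses": "ReadData"},
    {"time": "2022-06-22T14:03:02", "id": 4658, "pid": "0x8f0", "handle": "0x1a4",
     "subject": "CORP\\jdoe"},
    {"time": "2022-06-22T14:04:00", "id": 4656, "pid": "0x9a0", "handle": "0x1a4",
     "subject": "CORP\\svc_backup", "object": "C:\\Finance\\payroll.xlsx",
     "accesses": "ReadData"},
]

if __name__ == "__main__":
    for s in correlate(SAMPLE):
        print(s["status"], s["subject"], s["object"], s["opened"], s["closed"],
              "requested:", s["requested"], "used:", s["used"])
```

Sessions are reported in the order they finished, with unmatched opens last; an "open" that is never closed or a close with no open is kept as its own row rather than dropped, because a gap like that is itself a finding (log truncation, audit setting changed mid-session, or a process that was killed).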
Object Access (slides 19 to 26: screenshots only; not captured in the transcript)