Logging for IR - Syntricate · PDF file · 2016-04-07 · 34 pages

Logging for IR: Introduction (slide footer date 4/7/16)

Uploaded by doandan, posted 28-Mar-2018



Logging for IR

Introduction


Class Objectives

• Introduction
• Overview of using logs for IR
• Planning logs
• Detection with logs
• Investigation of logs
• Reporting using logs
• OSSEC log consolidation example

Introduction

Robert Comella
IT Consultant and Educator
GSE, GCFW, GSEC, GLDR, GSPA, GCIH, GCIA, GCPM, CISSP


Introduction

Getting to know you

What do you do? How do you rate your cybersecurity knowledge?

Introduction

Current setup
• Logged into Windows 7 guest via LogMeIn
• The guest is running on an Ubuntu LTS system
• To view the Ubuntu system, double-click on the View_Server_## icon
• Do not view the lower right workspace (it will show infinite frames within frames)


Role of Logs in Incident Response

Logs in IR


Logs: Preparation

• Create log policy
  – What to log
  – How much data to log
  – Where to keep logs
  – How often to rotate logs
  – How long to keep logs
• Define known good states
• Implement and audit log policy

Logs: Detection

• Logs are a major source of incident detection
• IR teams should be on the lookout for important or unexpected changes
  – New users or groups
  – System crashes
  – Access attempts
  – Lack of logs
  – Network scans


Logs: Detection

• It is best to review logs every day
  – This is boring and repetitive
  – Humans are generally bad at boring and repetitive
• Software based on rules can improve detection
• Rules will need to be customized for the environment
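As an added example (not part of the course material), the rule-based review described above written as a small PowerShell function over Security log events, using the event IDs this deck lists elsewhere (4720, 4741, 4729, 4625, 4777, 1102, 4715, 4902). The function accepts any objects carrying Id, TimeCreated, MachineName, Account and Message; the sample set below is constructed, and on a real host the same objects come from Get-WinEvent, with Account taken from each event's Properties.

```powershell
# Added example, not part of the course deck. Rule-based review of Security events.
# Input objects need Id, TimeCreated, MachineName, Account and Message (Account is a
# constructed field here; with Get-WinEvent output take it from the event's Properties).
function Invoke-IRLogRules {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold = 5,   # failed logons per account before we report (assumed value)
        [int] $QuietHours = 24,        # a host silent this long is a "lack of logs" finding (assumed)
        [datetime] $Now = (Get-Date)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Rule 1: new users, new computers, group membership changes (Account Management category)
    $accountEvents = @{ 4720 = 'user account created'; 4741 = 'computer account created'
                        4728 = 'member added to global group'; 4729 = 'member removed from global group'
                        4732 = 'member added to local group' }
    foreach ($e in $Events) {
        if ($accountEvents.ContainsKey([int]$e.Id)) {
            $findings.Add(('{0}: {1} (event {2}): {3}' -f $e.MachineName, $accountEvents[[int]$e.Id], $e.Id, $e.Message))
        }
    }

    # Rule 2: the audit trail itself was touched: log cleared (1102) or audit policy changed (4715, 4902)
    foreach ($e in $Events) {
        if ([int]$e.Id -in 1102, 4715, 4902) {
            $findings.Add(('{0}: audit trail changed (event {1}): {2}' -f $e.MachineName, $e.Id, $e.Message))
        }
    }

    # Rule 3: repeated failed logons or failed credential validation for one account (4625, 4777)
    $Events | Where-Object { [int]$_.Id -in 4625, 4777 } |
        Group-Object -Property Account |
        Where-Object { $_.Count -ge $FailureThreshold } |
        ForEach-Object { $findings.Add(('{0} failed logons for account {1}' -f $_.Count, $_.Name)) }

    # Rule 4: lack of logs: every host we know about must have logged something recently
    $Events | Group-Object -Property MachineName | ForEach-Object {
        $last = ($_.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1).TimeCreated
        $quiet = ($Now - $last).TotalHours
        if ($quiet -gt $QuietHours) {
            $findings.Add(('{0}: no events for {1:N0} hours (last seen {2})' -f $_.Name, $quiet, $last))
        }
    }
    return $findings
}

# Constructed sample events (not real log data) reviewed at a fixed point in time
$reviewTime = Get-Date '2016-04-07 09:00'
$sample = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = $reviewTime.AddHours(-2);  MachineName = 'DC01';  Account = 'admin';  Message = 'A user account was created.' }
    [pscustomobject]@{ Id = 4729; TimeCreated = $reviewTime.AddHours(-2);  MachineName = 'DC01';  Account = 'admin';  Message = 'A member was removed from a security enabled global group.' }
    [pscustomobject]@{ Id = 1102; TimeCreated = $reviewTime.AddHours(-1);  MachineName = 'WEB01'; Account = 'admin';  Message = 'The audit log was cleared.' }
    [pscustomobject]@{ Id = 4624; TimeCreated = $reviewTime.AddHours(-30); MachineName = 'WS02';  Account = 'jsmith'; Message = 'An account was successfully logged on.' }
)
# Six failed logons for one account within a few minutes
foreach ($i in 1..6) {
    $sample += [pscustomobject]@{ Id = 4625; TimeCreated = $reviewTime.AddMinutes(-$i); MachineName = 'WEB01'; Account = 'svc_sql'; Message = 'An account failed to log on.' }
}

# Expected: two DC01 account findings, the WEB01 log clear, 6 failures for svc_sql, WS02 quiet for 30 hours
Invoke-IRLogRules -Events $sample -Now $reviewTime
```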

Logs: Containment

• Logs from multiple sources will indicate the spread of an incident
• Specific events on different systems will be signs of infection
• IR team can use that to see the boundaries of a problem


Logs: Eradication

• Logs help investigators to see what changes were made
  – Files that were added
  – Users that are new
  – Open ports
  – New software
• It is then possible to remove it

Logs: Recovery

• Newly recovered systems have logs turned up
• The idea is to see if infection re-occurs
• If eradication is successful then it should be OK
• If not, logs will indicate undesired changes


Logs: Lessons Learned

• Log reports will show events as they happened
• Use them to inform management of things that went well and poorly

Planning Windows Logs


Objectives

• What Microsoft OSs log normally
• What Microsoft OSs can log
• Suggestions for both

Pre Version 7 Event Viewer


Post Version 7 Event Viewer

Modern Windows: Three Main Logs

• Default with every Windows installation
  – Although it's not the only Windows log file
  – It can audit successes and failures
• Application
  – Errors, warnings, and information
• Security
  – Dropped packets, successful connections
  – Logon/logoffs
• System
  – System-specific events


Modern Windows: Application

• Events logged by software installed on a Microsoft operating system
• Log levels set by program developers
  – Sometimes they can be set by users
  – Not all messages are useful for admins (meant for program developers)
• Events have three levels of severity

Modern Windows: Log Severity

• Error: A significant problem that has or could cause data loss
  – Application failures/crashes
  – Buffer overflows
  – Unexpected shutdowns
• Warning: A problem that is not serious now but could become so if ignored
  – Missing DLLs
  – Incomplete installations
  – Troublesome firewall settings
• Information: Describes an action of a program. Can be almost anything a developer wants to place into the logs


Modern Windows: System Events

• Similar to Application logs
• Deals specifically with operating system events
  – Installation and removal of software
  – Patch status (installation success or failure)
  – Startup and shutdown messages
  – Driver information
• Same three states as program events (Error, Warning, and Information)

Modern Windows: Setup Events

• Deals specifically with installation of patches and other software
• Domain controllers will place additional information here regarding Active Directory events as well
• Uses the same three states as system and application logs


Modern Windows: Forwarded Events

• More on this later
• These are events forwarded from other servers
• This is part of Microsoft's central log solution

Modern Windows: Security Events

• Tracks resource use on a computer
• Entries are called audits
• Entries have two states
  – Success: Whatever was attempted was permitted
  – Failure: Whatever was attempted failed. Usually a reason code is included
• These events are MASSIVELY configurable
• Very few are enabled in a standard install


Windows Logs Lab 1

Configuring Windows Logs: Local Policy

• Security logging is modified in the Local Security Policy applet
• To get there:
  1. Click the Start orb icon
  2. Type "local security policy"
  3. Click on one of the results



Configuring Windows Logs: Local Policy

• Once Local Security Policy is open you must navigate to the Audit Policy folder


  1. Click on the small triangle next to Local Policies
  2. Choose Audit Policy

Audit Policy: Account Logon Events

• Tracks success and failure of authentication events
• Domain controllers
  – Tracks requests for domain resources
  – Even items not directly controlled by the DC
• Non-domain controllers
  – Tracks accounts for local users
  – This is useful even in a domain
• Examples include
  – 4776 Domain controller attempted to validate credentials for an account
  – 4777 Domain controller failed to validate credentials for an account
• Recommendation: Track success and failure on all machines


Audit Policy: Account Management

• Tracks account and group management
  – Computer accounts
  – User accounts
  – Groups
• Tracks different aspects
  – Creation
  – Destruction
  – Modification
• Event examples
  – 4741 A computer account was created
  – 4729 A member was removed from a security-enabled global group
  – 4720 A user account was created
• Recommendation: Track success and failure on all machines

Audit Policy: Logon Events

• Tracks interactive and over-the-network logons to a computer
  – Tracks user log-ons
  – Replay attacks
  – Screen lock and unlock events
  – Authentication to a wireless network
• Event examples
  – 4634 An account was logged off
  – 4624 An account was successfully logged on
• Recommendation: Log success and failure for all machines


Audit Policy: Logon Event Types

• The logon event tracks the logon itself
• There are several different types of possible logins
• Each event will contain a type code
• Examples
  – 2, Interactive: A user logged on from console to this computer.
  – 3, Network: A user or computer logged on to this computer from the network.

Audit Policy: Policy Change Events

• Tracks changes to the audit policies themselves
  – Changes
  – Additions
  – Removals
• Event examples
  – 4715 The audit policy (SACL) on an object was changed
  – 4902 The per-user audit policy table was created
• Recommendations: Audit success and failure. Changes should only be done by known individuals and should be fully documented


Audit Policy: Process Tracking Events

• This will audit low-level process execution
  – Code execution
  – File system handle creation and release
  – Indirect object access
  – Other low-level OS behaviors
• Usually reserved for system debugging
• Can cause significant computer lag
• Recommendation: Should remain off unless user specifically needs it

Audit Policy: Privilege Use Events

• Will track each success or failure of a user right as well as the assignment of the right
• Most privileges are covered; some are not
  – Bypass traverse checking
  – Debug programs
  – Create a token object
  – Replace process-level token
  – Generate security audits
  – Back up/restore files and directories
• Example events
  – 4672 Special privileges assigned to new logon
  – 4673 A privileged service was called
• Recommendations: Log only failures; logging successes will fill the logs with thousands of events during normal computer use.


Audit Policy: System Events

• Tracks major system events
  – Computer start
  – Computer shutdown
  – Clearing system logs
• Event examples
  – 4608 Windows is starting up
  – 4609 Windows is shutting down
  – 1102 Log clear
• Recommendations: Audit success and failure
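An added PowerShell example, not from the course, that applies the per-category recommendations from the Audit Policy slides above (success and failure everywhere, except Process Tracking off and Privilege Use failures only, plus the two categories that merely arm SACLs) with auditpol.exe and then prints the effective policy. It assumes an elevated prompt; auditpol writes the per-subcategory policy, so compare its output with anything also set through the Local Security Policy applet.

```powershell
# Added example, not part of the course deck. Category names are the nine that
# auditpol.exe uses; the settings mirror the deck's per-category recommendations.
$baseline = [ordered]@{
    'Account Logon'      = @{ Success = $true;  Failure = $true  }  # 4776 / 4777
    'Account Management' = @{ Success = $true;  Failure = $true  }  # 4720 / 4741 / 4729
    'Logon/Logoff'       = @{ Success = $true;  Failure = $true  }  # 4624 / 4634
    'Policy Change'      = @{ Success = $true;  Failure = $true  }  # 4715 / 4902
    'Detailed Tracking'  = @{ Success = $false; Failure = $false }  # process tracking: off unless needed
    'Privilege Use'      = @{ Success = $false; Failure = $true  }  # successes flood the log (4672 / 4673)
    'System'             = @{ Success = $true;  Failure = $true  }  # 4608 / 4609 / 1102
    'DS Access'          = @{ Success = $true;  Failure = $true  }  # only arms SACLs on AD objects
    'Object Access'      = @{ Success = $true;  Failure = $true  }  # only arms SACLs on files, keys, printers
}

function Set-AuditBaseline {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Policy,
        [switch] $DryRun   # print the commands instead of running them
    )
    foreach ($category in $Policy.Keys) {
        $success = if ($Policy[$category].Success) { 'enable' } else { 'disable' }
        $failure = if ($Policy[$category].Failure) { 'enable' } else { 'disable' }
        if ($DryRun) {
            Write-Output ('auditpol.exe /set /category:"{0}" /success:{1} /failure:{2}' -f $category, $success, $failure)
            continue
        }
        # PowerShell quotes the category argument for the native command because it contains a space
        & auditpol.exe /set "/category:$category" "/success:$success" "/failure:$failure" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed for category '$category'" }
    }
}

Set-AuditBaseline -Policy $baseline -DryRun   # review the commands first
Set-AuditBaseline -Policy $baseline           # apply (elevated prompt required)
auditpol.exe /get /category:*                 # verify the effective policy
```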

Windows Logs Lab 2


Audit Directory Service Access and Objects

• You may have noticed we skipped two
  – Audit Directory Service Access
  – Audit Object Access
• Turning them on is only the first step
• Once on, it is necessary to modify the Security Access Control Lists (SACLs) of individual items

Audit Policy: Directory Service Access

• Tracks access to Active Directory objects
• Tracks objects only when their SACL is set to be tracked
• Gets pretty deep on what to audit and what not to
• Recommendation
  – The overall policy should be set to track success and failure
  – This only enables the SACLs on AD objects
  – If the SACLs are not set then this will do nothing


AD SACLs: Setting up an SACL for an AD object

1. Turn on Advanced Features in the View menu
2. Right-click on an AD object, choose Properties and then the Security tab
3. Click the Advanced button
4. Choose the Auditing tab
5. Finally choose Add


Audit Policy: Audit Object Access

• Similar to AD object access, only it deals with all things not in the AD containers
  – Files
  – Folders
  – Printers
  – Registry keys
  – Basically EVERYTHING else
• Again this only turns on the SACLs
• Each object must have its individual SACL set to create events
• Recommendation
  – Set this to success and failure
  – Otherwise SACLs are not active


SACLs: What to track?

• It is possible to track everything
  – Don't!
  – Will cause computer slowdowns (as much as 50%)
  – Too much useless data
• Things to consider (general practice)
  – Files and folders that contain proprietary or sensitive data, for the Everyone group (or any other group that should not have access)
  – Avoid auditing Read/List events (produces tremendous data)
  – Do not audit execute actions on executable files
    • Possible exception: Sensitive or dangerous tools such as those in the Administrative Tools folder

SACLs: What to track?

• Type of server is usually a baseline
  – IIS servers are commonly attacked; tracking heavily may be justified
  – Domain controllers are busy but usually in a more secure location; tracking less here is likely OK
  – Database servers may wish to track access to the data


SACLs: What to track?

• %SystemRoot% and %ProgramFiles% -- user Everyone
  – Delete
  – Create Files / Write Data
  – Create Folders / Append Data
  – Write Attributes
  – Change Permissions
• Why
  – Applications should write all their temp files to %TEMP%, not to %SystemRoot% and %ProgramFiles%; if that is not happening then it is interesting
  – Not all programs are well behaved -- individually mark out-of-ordinary behavior

SACLs: What to track?

• %TEMP% -- user Everyone
  – Careful here: can cause massive data
  – If you are paranoid then you can
  – Keep it small
    • Change Permissions
    • Write Attributes
    • Write Extended Attributes
• A better approach may be to simply use antivirus


SACLs: What to track?

• All files and folders, all users
• Track
  – Take Ownership
  – Change Permissions
• Printers
  – Most of their functions can be tracked for Everyone
  – Does not produce much data even on a busy printer
  – Not a major source of badness but can find misuse
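One way to put the entries from the last three slides on disk, as an added PowerShell example that is not from the course: Everyone gets success-and-failure audit entries for the write-type rights on %SystemRoot% and %ProgramFiles%, and a data root (D:\Data is a placeholder) gets Take Ownership and Change Permissions only, with Read/List and Execute deliberately left out. It assumes an elevated prompt and that the Object Access audit category is already enabled, since a SACL entry does nothing otherwise.

```powershell
# Added example, not part of the course deck.
function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    # -Audit reads the SACL as well as the DACL (needs SeSecurityPrivilege, i.e. an elevated prompt)
    $acl = Get-Acl -Path $Path -Audit
    # Inherit to subfolders and files so every object under the root carries the entry
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# The deck's list for the OS and program directories. In the .NET enum CreateFiles is the
# same bit as WriteData and CreateDirectories the same bit as AppendData.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Delete, CreateFiles, CreateDirectories, WriteAttributes, ChangePermissions'
foreach ($root in @($env:SystemRoot, $env:ProgramFiles)) {
    Add-FolderAuditRule -Path $root -Identity 'Everyone' -Rights $writeRights
}

# Everything else: only ownership and permission changes, for all users (placeholder path)
Add-FolderAuditRule -Path 'D:\Data' -Identity 'Everyone' -Rights 'TakeOwnership, ChangePermissions'

# Show the audit entries now present on one root
(Get-Acl -Path $env:SystemRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```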

SACLs: What to track?

• What about AD and registry?
• If you have weeks to play with them, do so!
• If you want an easier solution, do not start from scratch.
• Security templates are available
  – Microsoft
  – NSA
  – NIST
  – CIS
• The templates contain good settings for different servers


Windows Logs Lab 3

Windows Log Planning Continued


Windows Special Logs: DNS

• If the Windows server is running DNS, a DNS log will exist
• It can be viewed from within the DNS service
  – Choose DNS Events from the console tree
  – DNS → [DNS Server name] → Event Viewer → DNS Events
• It contains events which refer to DNS server operations

Windows Special Logs: IIS

• Log files changed location
  – IIS 5.0/6.0: %SYSTEMROOT%\System32\Logfiles
  – IIS 7 and up: %SYSTEMDRIVE%
  – It is also possible to log directly to an ODBC-compliant database
    • SQL
    • MySQL
    • Access
• Logs are controlled from within IIS
  – By default all logs are on
  – Logs can be controlled file by file
    • Select Properties on a file
    • Select the File tab and uncheck the "Log Visits" box (before 7)
    • There is an icon now after 7
• Logs stored in an extended text format


Windows Special Logs: IIS

• IIS log helpful hints
  – Get them off the server ASAP
  – Main target for hackers
  – WGET or SSL can work if not using ODBC already

Log Format and Location

• Prior to Windows 7, event logs are stored in a proprietary format (.evt)
• They were located in the directory %SYSTEMROOT%\system32\config
• From 7 on, the logs are stored in a compressed XML format
• They are now located in %SYSTEMROOT%\System32\Winevt\LOGS
• It is possible to move the files to a different location


Log Format and Location

• Log files cannot grow forever
• They are assigned a finite size
  – Prior to Win7 the total size had to be kept below 300MB
    • A well-known bug still occurs
    • It prevents all events from being written to the logs
  – From Win7 on, the size can grow up to the size of the volume that contains the file
• Log file sizes can be manually set or set by security templates
• 1MB contains about 7500 log entries

Options for full log files

• Overwrite events as needed: It will start with the oldest events and simply begin to overwrite
• Overwrite events older than x days: The number of days can be set by the admin and the logs will begin overwriting the oldest event greater than x days old
• Do not overwrite events (clear logs manually): Just like it says. Logs must be cleared manually
  – Messages are lost at a minimum
  – Some applications will not run without logging, so therefore the server usually hangs


Options for dealing with log rotation

• Paranoid environments
  – Never overwrite
  – Can use a program or a script to back up logs, then clear them
• wevtutil sl <logname> /ca:<securityDescriptor>
• One example
  – If attackers fill logs to cover their tracks
    • Server will hang
    • But you do not lose the logs
    • The attacker can simply clear logs themselves if they have the access

Options for dealing with log rotation

• Critical servers
  – Overwrite after x days
  – A good plan is to set x to two times your backup rate
  – That way you have two complete sets of logs on your backup tapes at all times
• Other servers/workstations
  – Overwrite as necessary
  – Uptime and lack of interruptions for convenience
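An added PowerShell example, not from the course, that turns the deck's figures (about 7500 entries per MB; keep two backup cycles on the box) into a Security log size and applies the two rotation profiles above with wevtutil.exe. The event rate and backup interval are assumed values and the commands need an elevated prompt; on Vista and later the "older than x days" option no longer exists, so the critical-server profile archives a full log instead of overwriting.

```powershell
# Added example, not part of the course deck.
function Get-SecurityLogSizeMB {
    param(
        [Parameter(Mandatory)] [int] $EventsPerDay,
        [Parameter(Mandatory)] [int] $BackupIntervalDays,
        [int] $EntriesPerMB = 7500     # the deck's rule of thumb
    )
    # Two complete backup cycles must fit before the oldest events age out
    $daysToKeep = 2 * $BackupIntervalDays
    return [int][math]::Ceiling(($EventsPerDay * $daysToKeep) / $EntriesPerMB)
}

function Set-SecurityLogProfile {
    param(
        [Parameter(Mandatory)] [ValidateSet('Critical', 'Workstation')] [string] $Profile,
        [Parameter(Mandatory)] [long] $MaxBytes
    )
    switch ($Profile) {
        # Critical server: retention on (never overwrite) and archive the log when full, so an
        # attacker filling the log stalls the server rather than erasing evidence
        'Critical'    { wevtutil.exe sl Security /ms:$MaxBytes /rt:true /ab:true }
        # Workstation: overwrite the oldest events as needed, no archiving
        'Workstation' { wevtutil.exe sl Security /ms:$MaxBytes /rt:false /ab:false }
    }
    if ($LASTEXITCODE -ne 0) { throw "wevtutil.exe failed for profile $Profile" }
}

# Assumed figures: a domain controller writing 400,000 Security events a day, backed up weekly
$mb = Get-SecurityLogSizeMB -EventsPerDay 400000 -BackupIntervalDays 7   # 747 MB
Set-SecurityLogProfile -Profile Critical -MaxBytes ($mb * 1MB)

# On a workstation the same call would be:
# Set-SecurityLogProfile -Profile Workstation -MaxBytes 64MB

# Read back the channel configuration (maxSize, retention, autoBackup)
wevtutil.exe gl Security
```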


Central logging

• More on this later
• Makes the attacker's job much more difficult
  – Logs are not on the server to manipulate
  – Can't fill up the server (unless in extreme)
• Other advantages exist
• There are some challenges that must be overcome

Appendix: Logging options (1 of 2)

• Traverse Folder / Execute File
  – Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy Management Console. By default, the Everyone group is granted the Bypass traverse checking user right. (Applies to folders only.)
  – Execute File allows or denies running program files. (Applies to files only.)
  – Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
• List Folder / Read Data
  – List Folder allows or denies viewing file names and subfolder names within the folder. List Folder affects the contents of that folder only and does not affect whether the folder you are setting the permission on will be listed. (Applies to folders only.)
  – Read Data allows or denies viewing data in files. (Applies to files only.)
• Read Attributes
  – Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
• Read Extended Attributes
  – Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
• Create Files / Write Data
  – Create Files allows or denies creating files within the folder. (Applies to folders only.)
  – Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.)
• Create Folders / Append Data
  – Create Folders allows or denies creating folders within the folder. (Applies to folders only.)
  – Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data. (Applies to files only.)
• Write Attributes
  – Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
  – The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. To allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
• Write Extended Attributes
  – Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
  – The Write Extended Attributes permission does not imply creating or deleting files or folders; it only includes the permission to make changes to the attributes of a file or folder. To allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
• Delete Subfolders and Files
  – Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.


Appendix: Logging options (2 of 2)

• Delete
  – Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
• Read Permissions
  – Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
• Change Permissions
  – Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
• Take Ownership
  – Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions on the file or folder.
• Synchronize
  – Allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

Appendix: Logon Types

Logon Type  Logon Title  Description

2 Interactive A user logged on from console to this computer.

3 Network A user or computer logged on to this computer from the network.

4 Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

5 Service A service was started by the Service Control Manager.

7 Unlock This workstation was unlocked.

8 NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.

11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.


Appendix: Pre-Vista Account (1 of 3)

W2k  W2k3/XP  Description

672 672 An authentication service (AS) ticket was successfully issued and validated (2000). An authentication service (AS) ticket was requested (2008). It is logged on DC only.

673 673 A ticket granting service (TGS) ticket was granted. Win2003 and Win2008 use this for both successful and failed service ticket requests with the proper Kerberos result/failure code.

674 674 A security principal renewed an AS ticket or TGS ticket.

675 675 Preauthentication failed. This event is generated on a Key Distribution Center (KDC) for the Kerberos errors during authentication.

676 672 Authentication ticket request failed. See the Kerberos error code.

677 673 A TGS ticket was not granted (failed). This event (677 in Windows 2000) is replaced with 673 in the Windows XP/2003 family and 4769 with later versions, with audit type/codes for failures.

678 678 An account was successfully mapped for logon to a domain account. Not common.

680 680 Account used for logon by. Logged for local user (local SAM) authentication. DC logs this event for NTLM authentication.

681 680 Logon failure on Windows 2000 for NTLM authentication. A domain account logon was attempted. This event is replaced with 680 in the Windows XP/2003 family and 4776 with Windows 2008/Vista onwards, with the audit type/codes for failures.

682 682 A user has reconnected to a disconnected terminal session.

683 683 A user disconnected a terminal session without logging off.

Appendix: Pre-Vista Account (1 of 3)

W2k  W2k3/XP  Description

528 528 Successful logon: A user successfully logged on to a computer. For information about the type of logon, see the next section.

529 529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. For Windows 2008 and above, event ID 4625 logs every failed logon attempt with failure status code regardless of logon type or type of account.

530 530 Logon failure for a logon attempt to log on outside of the allowed time.

531 531 Logon failure for a logon attempt using a disabled account.

532 532 Logon failure for a logon attempt using an expired account.

533 533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.

534 534 Logon failure. The user attempted to log on with a type that is not allowed.

535 535 Logon failure. The password for the specified account has expired.

536 536 Logon failure. The Net Logon service is not active.

537 537 Logon failure. The logon attempt failed for other reasons. In some cases, the reason for the logon failure may not be known.


Appendix: Events (3 of 3)

W2k  W2k3/XP  Description

538 538 The logoff process was completed for a user.

539 539 Logon failure. The account was locked out at the logon.

540 540 Successful network logon: A user successfully logged on over a network.

538 551 A user initiated the logoff process. It is logged for Interactive and RemoteInteractive logons in place of logoff event 538/4634.

552 552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.

682 682 A user has reconnected to a disconnected terminal session.

683 683 A user disconnected a terminal session without logging off.

Appendix: Account Mgmt. (1 of 3)

Vista, 7, 8 / 2008, 2012  Description

4741 A computer account was created.

4742 A computer account was changed.

4743 A computer account was deleted.

4739 Domain Policy was changed.

4782 The password hash of an account was accessed.

4727 A security enabled global group was created.

4728 A member was added to a security enabled global group.

4729 A member was removed from a security enabled global group.

4730 A security enabled global group was deleted.

4731 A security enabled local group was created.

4732 A member was added to a security enabled local group.


Appendix: Account Mgmt. (2 of 3)

Vista, 7, 8 / 2008, 2012  Description

4733 A member was removed from a security enabled local group.

4734 A security enabled local group was deleted.

4735 A security enabled local group was changed.

4737 A security enabled global group was changed.

4754 A security enabled universal group was created.

4755 A security enabled universal group was changed.

4756 A member was added to a security enabled universal group.

4757 A member was removed from a security enabled universal group.

4758 A security enabled universal group was deleted.

4720 A user account was created.

4722 A user account was enabled.

Appendix: Account Mgmt. (3 of 3)

Vista, 7, 8 / 2008, 2012  Description

4723 An attempt was made to change an account's password.

4724 An attempt was made to reset an account's password.

4725 A user account was disabled.

4726 A user account was deleted.

4738 A user account was changed.

4740 A user account was locked out.

4765 SID History was added to an account.

4766 An attempt to add SID History to an account failed.

4767 A user account was unlocked.

4780 The ACL was set on accounts which are members of administrators groups.

4781 The name of an account was changed.