How to Analyze a User's Activity in Windows

Date post: 13-Apr-2015
Transcript
Page 1: How to Analyze a User's Activity in Windows

© 2008 Monterey Technology Group Inc.

Beyond Single Event Analysis: Analyzing Multiple Events to Reduce False Positives and Gain Deeper Insight into the Security Log

Commissioned by:

Download the slides here: www.ultimatewindowssecurity.com/latestwebinar/slides.pdf

UltimateWindowsSecurity.com

Brought to you by www.sensage.com

Speaker: Brad Kekst

Page 2

Preview of Key Points

• How long… was a user logged on? Did a program run? Was a file open?
• What permissions were really exercised?
• For any event… how was the user logged on? What computer was the user at?
• Reducing noise

How long… was a user logged on?

• Logon event (528)
• Logoff event (551)
• Link by Logon ID

[Diagram: timeline from Event 528 (logon) through various events to Event 551 (logoff); the session is the span between the two events that share the same Logon ID]

Page 3

How long… did a program run?

• Process start event (592)
• Process close event (593)
• Link by Process ID

[Diagram: timeline from Event 592 (start) through various events to Event 593 (close); the run is the span between the two events that share the same Process ID]

How long… was a file open?

• File open (560)
• File close (562)
• Link by Handle ID

[Diagram: timeline from Event 560 (open) through Event 567 (access) to Event 562 (close); all three share the same Handle ID]
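The three pairings on pages 2 and 3 (528/551 by Logon ID, 592/593 by Process ID, 560/562 by Handle ID) are one technique: walk the log in time order and match each start event to the next end event that carries the same identifier. The code below is an added example, not code from the deck or from Ultimate Windows Security. It runs over a constructed set of records whose event IDs and field names follow the slides, and it handles the two cases the timeline diagrams gloss over: a start whose key is reused before any close appears (Windows recycles Process IDs and Handle IDs), and a session or handle that never closes.

```python
from datetime import datetime

# Constructed sample of pre-Vista (Windows 2000/2003) Security log records,
# not taken from the slides: (timestamp, event ID, fields).  The field names
# mirror what the deck links on: Logon ID, Process ID, Handle ID.
SAMPLE_EVENTS = [
    ("2008-04-01 08:00:00", 528, {"logon_id": "(0x0,0x558DD)", "user": "administrator"}),
    ("2008-04-01 08:00:05", 592, {"process_id": "1688", "image": r"C:\WINDOWS\system32\notepad.exe"}),
    ("2008-04-01 08:00:10", 560, {"handle_id": "1468", "object": r"C:\ConfidentialFiles\ProjectPlan.doc.txt"}),
    ("2008-04-01 08:03:10", 562, {"handle_id": "1468"}),
    ("2008-04-01 08:04:00", 593, {"process_id": "1688"}),
    ("2008-04-01 09:30:00", 551, {"logon_id": "(0x0,0x558DD)"}),
    # Second session that never logs off (crash, lid closed, log overwritten).
    ("2008-04-01 10:00:00", 528, {"logon_id": "(0x0,0x61A2F)", "user": "jsmith"}),
    # Windows reuses PIDs: same Process ID as the earlier notepad run, so a 593
    # must always be matched to the most recent still-open 592 with that ID.
    ("2008-04-01 10:05:00", 592, {"process_id": "1688", "image": r"C:\WINDOWS\system32\cmd.exe"}),
    ("2008-04-01 10:06:00", 593, {"process_id": "1688"}),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _interval(start_ts, fields, end_ts):
    """Build one result row; seconds is None when no close event was logged."""
    seconds = None
    if end_ts is not None:
        seconds = (datetime.strptime(end_ts, TIME_FMT)
                   - datetime.strptime(start_ts, TIME_FMT)).total_seconds()
    return {"start": start_ts, "end": end_ts, "seconds": seconds, **fields}


def link_intervals(events, start_id, end_ids, key):
    """Pair each start event with the next end event that carries the same
    key (Logon ID, Process ID or Handle ID), walking the log in time order.
    A start whose key is reused before a close appears, or that never closes,
    is reported with end=None rather than silently dropped."""
    open_by_key = {}
    intervals = []
    for ts, event_id, fields in sorted(events, key=lambda e: e[0]):
        k = fields.get(key)
        if k is None:
            continue
        if event_id == start_id:
            if k in open_by_key:
                prev_ts, prev_fields = open_by_key.pop(k)
                intervals.append(_interval(prev_ts, prev_fields, None))
            open_by_key[k] = (ts, fields)
        elif event_id in end_ids and k in open_by_key:
            start_ts, start_fields = open_by_key.pop(k)
            intervals.append(_interval(start_ts, start_fields, ts))
    for start_ts, start_fields in open_by_key.values():
        intervals.append(_interval(start_ts, start_fields, None))
    return intervals


def logon_sessions(events):
    """How long was a user logged on?  528 -> 551 linked by Logon ID, as on the slide."""
    return link_intervals(events, 528, {551}, "logon_id")


def process_runs(events):
    """How long did a program run?  592 -> 593 linked by Process ID."""
    return link_intervals(events, 592, {593}, "process_id")


def file_opens(events):
    """How long was a file open?  560 -> 562 linked by Handle ID."""
    return link_intervals(events, 560, {562}, "handle_id")


if __name__ == "__main__":
    for title, rows in (("Logon sessions", logon_sessions(SAMPLE_EVENTS)),
                        ("Process runs", process_runs(SAMPLE_EVENTS)),
                        ("File opens", file_opens(SAMPLE_EVENTS))):
        print(title)
        for r in rows:
            print("  ", r)
```

Process IDs and Handle IDs are only unique while the object exists and only on one computer, so the pairing must be done strictly in time order and per host; merging logs from several machines without the hostname in the key would cross-match unrelated starts and closes.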

Page 4

What permissions were really exercised?

560 – File open: only tells you what types of access were requested when opening the file, not whether that access was actually used.

567 – Access attempt: only tells you the permission exercised, not the file name.

Solution: link 560 and 567 by Handle ID to get the file name and the permissions actually exercised.

Linking back to the logon event

For any event… how was the user logged on? What computer was the user at?

Link back to the logon event: Event 528 or 540 with the same Logon ID that precedes the event in question.

Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\ConfidentialFiles\ProjectPlan.doc.txt
  New Handle ID: 1468
  Operation ID: {0,1023441}
  Process ID: 1688
  Image File Name: C:\WINDOWS\system32\notepad.exe
  Primary User Name: administrator
  Primary Domain: ELMW2
  Primary Logon ID: (0x0,0x558DD)

Successful Logon:
  User Name: administrator
  Domain: ELMW2
  Logon ID: (0x0,0x558DD)
  Logon Type: 2
  ….

Page 5

Linking back to the logon event

How was the user logged on? Check Logon Type.

Successful Logon:
  User Name: administrator
  Domain: ELM
  Logon ID: (0x0,0x558DD)
  Logon Type: 2
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: W2MS
  Logon GUID: {d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 10.42.42.170
  Source Port: 3165

Logon Type  Description
2           Interactive (logon at the keyboard and screen of the system)
3           Network (e.g. a connection to a shared folder on this computer from elsewhere on the network, or an IIS logon; never logged by 528 on Windows 2000 and later, see event 540)
4           Batch (e.g. a scheduled task)
5           Service (service startup)
8           NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication")
10          RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11          CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop away from the network)

Page 6

Linking back to the logon event

What computer was the user at? Check the IP address and workstation name.

(The same Successful Logon record as on page 5: Workstation Name: W2MS, Source Network Address: 10.42.42.170, Source Port: 3165.)
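The questions on pages 4 to 6 (which accesses were actually exercised on the file, and how and from where the user was logged on) are both answered by joining outward from the 560: forward to the 567s on the same Handle ID while that handle was open, and back to the 528/540 with the same Logon ID that precedes it. The code below is an added example, not from the deck. Its records are constructed: the ProjectPlan.doc.txt open and the W2MS logon reuse the slides' values, while the second open and the later network logon are made up to exercise the edge cases, and the access names are simplified.

```python
# Constructed sample records (not from the slides), reduced to the fields the
# correlation needs.  Event 560 lists the accesses *requested* at open time;
# each 567 on the same handle lists an access actually *exercised*.
SAMPLE = [
    {"time": "2008-04-01 08:00:00", "id": 528, "logon_id": "(0x0,0x558DD)",
     "user": "administrator", "domain": "ELMW2", "logon_type": 2,
     "workstation": "W2MS", "source_ip": "10.42.42.170"},
    {"time": "2008-04-01 08:00:10", "id": 560, "logon_id": "(0x0,0x558DD)",
     "handle_id": "1468", "object": r"C:\ConfidentialFiles\ProjectPlan.doc.txt",
     "image": r"C:\WINDOWS\system32\notepad.exe",
     "accesses": ["READ_CONTROL", "ReadData", "WriteData", "AppendData"]},
    {"time": "2008-04-01 08:00:11", "id": 567, "handle_id": "1468", "accesses": ["ReadData"]},
    {"time": "2008-04-01 08:02:40", "id": 567, "handle_id": "1468", "accesses": ["WriteData"]},
    {"time": "2008-04-01 08:03:10", "id": 562, "handle_id": "1468"},
    # Handle IDs are recycled once closed: a later open gets 1468 again, and its
    # 567s must not be attributed to ProjectPlan.doc.txt.
    {"time": "2008-04-01 08:05:00", "id": 560, "logon_id": "(0x0,0x558DD)",
     "handle_id": "1468", "object": r"C:\Temp\notes.txt",
     "image": r"C:\WINDOWS\system32\notepad.exe", "accesses": ["ReadData", "WriteData"]},
    {"time": "2008-04-01 08:05:30", "id": 567, "handle_id": "1468", "accesses": ["WriteData"]},
    # A later network logon by the same account has a different Logon ID and
    # must not be picked as the session for the opens above.
    {"time": "2008-04-01 09:00:00", "id": 540, "logon_id": "(0x0,0x7A001)",
     "user": "administrator", "domain": "ELMW2", "logon_type": 3,
     "workstation": "LAPTOP1", "source_ip": "10.42.42.200"},
]

# Logon Type codes as listed on the slide (other codes exist but are not shown there).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               8: "NetworkCleartext", 10: "RemoteInteractive", 11: "CachedInteractive"}


def explain_file_open(events, open_event):
    """For one 560, return the file name, the accesses requested, the accesses
    actually exercised (567s on the same Handle ID between the open and its
    562), and how/where the user logged on (latest 528/540 with the same
    Logon ID that precedes the open)."""
    ordered = sorted(events, key=lambda e: e["time"])
    opened, handle = open_event["time"], open_event["handle_id"]

    # The close bounds the handle's lifetime; None if the handle is still open.
    closed = next((e["time"] for e in ordered
                   if e["id"] == 562 and e.get("handle_id") == handle and e["time"] > opened), None)

    exercised = set()
    for e in ordered:
        if (e["id"] == 567 and e.get("handle_id") == handle
                and e["time"] > opened and (closed is None or e["time"] < closed)):
            exercised.update(e["accesses"])

    logon = None
    for e in ordered:
        if (e["id"] in (528, 540) and e.get("logon_id") == open_event["logon_id"]
                and e["time"] <= opened):
            logon = e  # later matches overwrite earlier ones, so the latest wins

    return {
        "object": open_event["object"],
        "image": open_event["image"],
        "requested": list(open_event["accesses"]),
        "exercised": sorted(exercised),
        "account": f'{logon["domain"]}\\{logon["user"]}' if logon else None,
        "logon_type": LOGON_TYPES.get(logon["logon_type"], "unknown") if logon else None,
        "workstation": logon["workstation"] if logon else None,
        "source_ip": logon["source_ip"] if logon else None,
    }


def explain_all(events):
    """One enriched record per 560 in the log, in time order."""
    return [explain_file_open(events, e)
            for e in sorted(events, key=lambda x: x["time"]) if e["id"] == 560]


if __name__ == "__main__":
    for rec in explain_all(SAMPLE):
        print(rec)
```

The bound on the close time is what makes the Handle ID join safe: once the 562 is logged the same handle value can be handed out again, so a 567 after the close belongs to whatever was opened next. In a multi-host log store both joins also need the computer name in the match condition, since Logon IDs and Handle IDs are only unique per machine.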

Tying It All Together

From my security log poster: www.ultimateWindowsSecurity.com/grok

Page 7

Reducing noise

• Bogus account enabled
• Bogus password resets

Bogus account enabled: Windows always logs a bogus account enabled event (626) after a new account is created (624). Filter out 626s preceded by a 624 in the past 3 seconds where the target user name is the same.

Page 8

Reducing noise

Bogus password resets: Windows always logs a bogus password reset event (628) after a new account is created (624). Filter out 628s preceded by a 624 in the past 3 seconds where the target user name is the same.

Bottom line

Multi-event analysis at report time is tough. It requires correlated sub-query capability in the query engine…
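The two filters on pages 7 and 8 are the same rule with a different event ID, and the bottom line says why they are awkward at report time: every candidate 626/628 has to be checked against the 624s logged just before it, which is a correlated sub-query. The following is an added example, not from the deck or from Sensage; it uses SQLite as a stand-in for the log store, with a constructed table of account-management events whose column names are assumptions.

```python
import sqlite3

# Constructed sample of account-management events (not from the slides):
# (seq, time, event ID, target user, caller user).  Seq is the record number
# so results can be checked independently of timestamps.
SAMPLE_ROWS = [
    (1, "2008-04-01 09:00:00", 624, "svc_backup", "administrator"),  # account created
    (2, "2008-04-01 09:00:01", 626, "svc_backup", "administrator"),  # auto-logged enable: noise
    (3, "2008-04-01 09:00:01", 628, "svc_backup", "administrator"),  # auto-logged reset: noise
    (4, "2008-04-01 11:15:00", 626, "jdoe", "helpdesk1"),            # real enable of an existing account
    (5, "2008-04-01 13:42:10", 628, "administrator", "jdoe"),        # real password reset: worth a look
    (6, "2008-04-01 14:00:00", 624, "temp01", "helpdesk1"),
    (7, "2008-04-01 14:00:30", 626, "temp01", "helpdesk1"),          # 30 s after the 624: outside the window, keep
    (8, "2008-04-01 15:00:00", 624, "temp02", "helpdesk1"),
    (9, "2008-04-01 15:00:01", 626, "jdoe", "helpdesk1"),            # 1 s after a 624 for a *different* user: keep
]

# Correlated sub-query: drop each 626/628 for which a 624 with the same target
# user name was logged in the preceding 3 seconds (inclusive).  strftime('%s')
# yields whole Unix seconds, so the window test is integer arithmetic.
FILTER_SQL = """
SELECT e.seq, e.time, e.event_id, e.target_user, e.caller_user
FROM events AS e
WHERE e.event_id IN (626, 628)
  AND NOT EXISTS (
        SELECT 1 FROM events AS c
        WHERE c.event_id = 624
          AND c.target_user = e.target_user
          AND CAST(strftime('%s', e.time) AS INTEGER)
              - CAST(strftime('%s', c.time) AS INTEGER) BETWEEN 0 AND 3
  )
ORDER BY e.seq
"""


def load_events(rows):
    """In-memory table standing in for the SIEM or log store query engine."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (seq INTEGER PRIMARY KEY, time TEXT, "
               "event_id INTEGER, target_user TEXT, caller_user TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    return db


def interesting_account_changes(rows):
    """Return the 626/628 records that survive the noise filter."""
    db = load_events(rows)
    try:
        return db.execute(FILTER_SQL).fetchall()
    finally:
        db.close()


if __name__ == "__main__":
    for row in interesting_account_changes(SAMPLE_ROWS):
        print(row)
```

The slide keys the filter on target user name alone; in a multi-domain log the match should also compare the target domain (and the logging computer), otherwise a 624 for a same-named account elsewhere would suppress a genuine enable or reset.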


Page 9

Brought to you by www.sensage.com

Speaker: Brad Kekst

Want to Learn More?

Sensage: www.sensage.com

Windows Security Training

[email protected] [email protected]