
| Subject: | RE: Windows Log |
|---|---|
| Date: | Thu, 19 Jan 2006 21:25:01 -0500 |
""" Now a script for pulling the logons from the workstations to correlate
your data.
Here you will see a 528 followed immediately by a 576."""
Should have been 576 followed by 528
Dave
-----Original Message-----
From: dave kleiman [mailto:dave@davekleiman.com]
Sent: Thursday, January 19, 2006 21:09
To: 'security-basics@securityfocus.com'
Cc: 'Nick Duda'
Subject: RE: Windows Log
Nick,
There is no way to say when "employees logon/logoff of a
PC physically on the network" unless you are keeping a
video log in correlation with a logon log, that shows the
user logging into the workstation.
If you would like to keep track of user-accounts and when
that user-account was utilized to logon the network you
could do the following:
First of all you will want to understand the Event IDs, and
what each piece of each event stands for.
For instance the Logon type on Logon failures:
2 'Interactive - Intended for users who will be
interactively using the machine, such as a user being
logged on by a terminal server, remote shell, or similar process.'
3 'Network - Intended for high performance servers to
authenticate clear text passwords. LogonUser does not
cache credentials for this logon type.'
4 'Batch - Intended for batch servers, where processes may
be executing on behalf of a user without their direct
intervention; or for higher performance servers that
process many clear-text authentication attempts at a time,
such as mail or web servers. LogonUser does not cache
credentials for this logon type.'
5 'Service - Indicates a service-type logon. The account
provided must have the service privilege enabled.'
6 'Proxy - Indicates a proxy-type logon.'
ETC. ETC.
Two good resources for this are:
http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
and
http://www.microsoft.com/downloads/details.aspx?familyid=95A85136-F08F-4B20-942F-DC9CE56BCD1A&displaylang=en
Now if you want to find out when a workstation was
utilized to logon the domain, you would correlate the
workstations log with the DC log. First make sure the
auditing is on both the workstation and the DC.
You should start by downloading Microsoft® Log Parser:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
Secondly, you might benefit from buying the Microsoft Log
Parser Toolkit book as it covers much of this:
http://www.syngress.com/catalog/?pid=3110
Now we can make a script or 2 and retrieve the information
you want.
```sql
SELECT
TimeGenerated AS TimeGenerated,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
WHEN 2 THEN '2=Interactive'
WHEN 3 THEN '3=Network'
WHEN 4 THEN '4=Batch'
WHEN 5 THEN '5=Service'
WHEN 6 THEN '6=Proxy'
WHEN 7 THEN '7=Unlock'
WHEN 8 THEN '8=NetworkCleartext'
WHEN 9 THEN '9=NewCredentials'
WHEN 10 THEN '10=RemoteInteractive'
WHEN 11 THEN '11=CachedInteractive'
WHEN 13 THEN '13=CachedRemoteInteractive'
WHEN 14 THEN '14=CachedUnlock'
END AS Type
INTO SecEvtLogonSuccesTime.csv
FROM security
WHERE EventID IN (540) AND SourceAddress IS NOT NULL
GROUP BY User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated DESC
```
Save this to a file "SecEvtLogonSuccesTime.sql" in the
Log Parser directory.
Run it from the command prompt in the Log Parser directory:
```
logparser file:SecEvtLogonSuccesTime.sql
```
It will output SecEvtLogonSuccesTime.csv. Now you have all the
logons from the DC.
By the way if you look in the event log, the successful
logons from network workstation authenticating to the DC,
you will see a 576 followed immediately by a 540.
Now a script for pulling the logons from the workstations
to correlate your data.
Here you will see a 528 followed immediately by a 576.
```sql
SELECT
TimeGenerated AS TimeGenerated,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
WHEN 2 THEN '2=Interactive'
WHEN 3 THEN '3=Network'
WHEN 4 THEN '4=Batch'
WHEN 5 THEN '5=Service'
WHEN 6 THEN '6=Proxy'
WHEN 7 THEN '7=Unlock'
WHEN 8 THEN '8=NetworkCleartext'
WHEN 9 THEN '9=NewCredentials'
WHEN 10 THEN '10=RemoteInteractive'
WHEN 11 THEN '11=CachedInteractive'
WHEN 13 THEN '13=CachedRemoteInteractive'
WHEN 14 THEN '14=CachedUnlock'
END AS Type
INTO SecEvtLogonSuccesTime_Remote-WS.csv
FROM \\%machine%\security
WHERE EventID IN (528) AND SourceAddress IS NOT NULL
GROUP BY User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated DESC
```
Save this to a file
"SaveSecEvtLogonSuccesTime_Remote-WS.sql" in the Log
Parser directory.
Run it from the command prompt in the Log Parser directory:
```
logparser file:SecEvtLogonSuccesTime_Remote-WS.sql?machine=THEWORKSTATIONNAME
```
It will output SecEvtLogonSuccesTime_Remote-WS.csv
Microsoft Log Parser Toolkit:
http://www.syngress.com/catalog/?pid=3110
And
Security Log Management: Identifying Patterns in the Chaos:
http://www.syngress.com/catalog/?pid=3440
If you need to know how to make it into a pretty HTML page
with pie charts etc. the answers are in there.
Additionally, you could come to the CyberCrime Summit:
http://www.southeastcybercrimesummit.com/schedule/SCHEDULE.HTM
I am giving 2 4-hour hands-on advanced Log Parser classes.
Regards,
Dave
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
www.SecurityBreachResponse.com
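Added example, not from Dave's post and not Log Parser code: a Python script that applies the same token extraction and logon-type mapping as the two queries above to constructed sample records, then correlates the workstation 528 logons with the DC 540 logons by user, workstation name and a time window, which is the correlation step the post describes but leaves to the reader. Every record, user name, host name and address is constructed; the pipe-separated Strings values follow the EXTRACT_TOKEN positions used in the queries (0 user, 3 logon type, 6 workstation, 9 caller domain, 13 source address), and the 60-second match window is an assumption.

```python
"""Correlate workstation logons (event 528) with DC logons (event 540).

Added example, not part of the original post. All records below are
constructed; the Strings field mirrors the token positions the Log Parser
queries extract (0 user, 3 logon type, 6 workstation, 9 caller domain,
13 source network address).
"""
from datetime import datetime

# Logon type codes as listed in the Log Parser CASE expression.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
    13: "CachedRemoteInteractive", 14: "CachedUnlock",
}

# Constructed DC security log: (TimeGenerated, EventID, Strings)
DC_LOG = [
    ("2006-01-19 08:55:14", 576, "jsmith|CORP|(0x0,0x3a5f1)|SeChangeNotifyPrivilege"),
    ("2006-01-19 08:55:15", 540, "jsmith|CORP|(0x0,0x3a5f2)|3|Kerberos|Kerberos|WS01|||CORP||||10.0.0.21"),
    ("2006-01-19 09:10:02", 540, "backupsvc|CORP|(0x0,0x3b000)|3|NTLM|NTLM|FILESRV|||CORP||||10.0.0.50"),
]

# Constructed security log pulled from workstation WS01
WS01_LOG = [
    ("2006-01-19 08:55:12", 528, "jsmith|CORP|(0x0,0x3e7a1)|2|User32|Negotiate|WS01|||CORP||||10.0.0.21"),
    ("2006-01-19 08:55:13", 576, "jsmith|CORP|(0x0,0x3e7a1)|SeChangeNotifyPrivilege"),
    ("2006-01-19 12:30:40", 528, "jsmith|CORP|(0x0,0x4f001)|7|User32|Negotiate|WS01|||CORP||||10.0.0.21"),
]


def parse_event(time_generated, event_id, strings):
    """Split the Strings field the way EXTRACT_TOKEN(Strings, n, '|') does."""
    tokens = strings.split("|")

    def token(i):
        # Log Parser yields NULL for a missing token; treat empty as NULL too.
        return tokens[i].lower() if i < len(tokens) and tokens[i] else None

    raw_type = token(3)
    logon_type = int(raw_type) if raw_type and raw_type.isdigit() else None
    return {
        "time": datetime.strptime(time_generated, "%Y-%m-%d %H:%M:%S"),
        "event_id": event_id,
        "user": token(0),
        "workstation": token(6),
        "caller_domain": token(9),
        "source_address": token(13),
        "logon_type": logon_type,
        "type_label": (f"{logon_type}={LOGON_TYPES.get(logon_type, 'Unknown')}"
                       if logon_type is not None else None),
    }


def select_logons(log, event_ids):
    """WHERE EventID IN (...) AND SourceAddress IS NOT NULL, ORDER BY TimeGenerated DESC."""
    rows = [parse_event(*rec) for rec in log]
    rows = [r for r in rows if r["event_id"] in event_ids and r["source_address"] is not None]
    return sorted(rows, key=lambda r: r["time"], reverse=True)


def correlate(ws_logons, dc_logons, window_seconds=60):
    """Pair each workstation logon with the nearest DC logon for the same
    user and workstation inside the window (60 s is an assumed value)."""
    results = []
    for ws in ws_logons:
        best = None
        for dc in dc_logons:
            if dc["user"] != ws["user"] or dc["workstation"] != ws["workstation"]:
                continue
            lag = abs((dc["time"] - ws["time"]).total_seconds())
            if lag <= window_seconds and (best is None or lag < best[1]):
                best = (dc, lag)
        results.append({
            "time": ws["time"], "user": ws["user"], "workstation": ws["workstation"],
            "ws_type": ws["type_label"],
            "matched": best is not None,
            "dc_type": best[0]["type_label"] if best else None,
            "lag_seconds": best[1] if best else None,
        })
    return results


if __name__ == "__main__":
    for row in correlate(select_logons(WS01_LOG, {528}), select_logons(DC_LOG, {540})):
        status = (f"DC {row['dc_type']} +{row['lag_seconds']:.0f}s"
                  if row["matched"] else "no DC logon in window")
        print(f"{row['time']} {row['user']}@{row['workstation']} {row['ws_type']}: {status}")
```

An unmatched workstation logon (here the 12:30 unlock with no DC 540 nearby) is the kind of row worth a second look: it may be a cached logon while the DC was unreachable, a clock skew between the two logs larger than the window, or a gap in auditing on one side, so check clock sync on both machines before reading anything more into it.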
-----Original Message-----
From: Nick Duda [mailto:nduda@VistaPrint.com]
Sent: Thursday, January 19, 2006 09:56
To: security-basics@securityfocus.com
Subject: RE: Windows Log
To continue this topic, I'm faced with the same thing....
The problem is that with all these event IDs 672, 673,
540...etc there is still no positive way to say when a
user logged on (via Ctrl-Alt-Delete) and logged off, as
in shutdown or log off.
My goal is to use syslog or some other form of monitoring
to keep records of each employee's logon/logoff of a PC
physically on the network. I've been knee deep into all
these event IDs and nothing is accurate.
Please help.