
Event Viewer – Filtering user events for forensics and audits

This article was originally published for www.prowareness.com under the title Event Viewer – Filtering user events for forensics and audits.

Let’s say you are tracking down a particular user, or trying to find the users that logged in to a shared Windows workstation within a given time window. Sounds downright easy with Event Viewer, right? Create a custom view or filter the current view of the Windows Logs\Security log, type the user account into the User: textbox, and you should be done. But it does not work, and by design it is not supposed to.

Fig: 1

When Event Viewer generates a query for the filter we created for a particular user’s activity, it resolves the user name to that user’s SID, compares it against the UserID attribute of the event’s System\Security element, and returns 0 events.

Fig: 2

Why did it return 0 events? It is fine that the user name typed into the User: textbox was converted to a SID, but shouldn’t it then have listed that user’s activity? Yet if you open Windows Logs\Security without any filter, you find that there are actually many events logged for the account name (Account Name: ) you wanted to filter on (ma is the user name in the sample).

Fig: 3

Picking a particular event and clicking Details to view it in XML or friendly view, ma (the user we want to query) actually appears as the TargetUserName in the event’s data, and TargetUserSid is the SID associated with the user ma. Neither value lives in the System section’s UserID attribute that the generated filter compares against.

Fig: 4

Fig: 5

Let’s pause for a moment and think back: if the SID for the user is called TargetUserSid in the Details view, shouldn’t the query that Event Viewer generated in Fig 2 use TargetUserSid instead of UserID?

That is,

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Security[@TargetUserSid='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select>
  </Query>
</QueryList>

instead of

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Security[@UserID='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select>
  </Query>
</QueryList>

Maybe I am misunderstanding, maybe I do not understand the Event Viewer terminology. I don’t know. All we expect is that when we type the user we want to filter the logs for into the User: box, Event Viewer does its own queries and its conversions, and I get to see the logs for that particular user. Since that does not work as expected, how do we actually see the Security logs for a user?

Use the XML below when you create the custom view or when you filter an existing log path. Remember that it is subjectUsername in the XML query.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='subjectUsername']='ma']]</Select>
  </Query>
</QueryList>

 

If there is an easy way, let me know.
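As an added illustration (not part of the original post), the following Python script runs both kinds of filter over a constructed three-event sample of the Security log: the System\Security UserID match that the User: box generates, and the EventData match that works. The XML namespace is the one real events carry; the account names, the second SID and the UserID value placed in the System section are constructed for the sample, and the field names use the casing shown in the event’s XML view (SubjectUserName, TargetUserName, TargetUserSid).

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MA_SID = "S-1-5-21-458116588-1234567890-1874793278-1000"  # SID from the article's generated query
BOB_SID = "S-1-5-21-458116588-1234567890-1874793278-1001"  # constructed second account
LOGGING_SID = "S-1-5-18"  # constructed: what ends up in System/Security/@UserID is not the target user


def make_event(event_id, data):
    """Build one event in the layout Event Viewer's XML view shows (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ET.fromstring(
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<Security UserID="{LOGGING_SID}"/></System><EventData>{fields}</EventData></Event>'
    )


# Constructed sample log: console logon of 'ma', special privileges assigned to 'ma', RDP logon of 'bob'.
SAMPLE_EVENTS = [
    make_event(4624, {"SubjectUserName": "WS01$", "TargetUserName": "ma", "TargetUserSid": MA_SID, "LogonType": "2"}),
    make_event(4672, {"SubjectUserName": "ma", "SubjectUserSid": MA_SID}),
    make_event(4624, {"SubjectUserName": "WS01$", "TargetUserName": "bob", "TargetUserSid": BOB_SID, "LogonType": "10"}),
]


def event_id(ev):
    return int(ev.find("e:System/e:EventID", NS).text)


def by_system_userid(events, sid):
    """What the User: textbox generates: *[System[Security[@UserID='<sid>']]]"""
    return [event_id(e) for e in events if e.find("e:System/e:Security", NS).get("UserID") == sid]


def by_event_data(events, name, value):
    """The working form: *[EventData[Data[@Name='<name>']='<value>']]"""
    hits = []
    for e in events:
        for d in e.findall("e:EventData/e:Data", NS):
            if d.get("Name") == name and d.text == value:
                hits.append(event_id(e))
                break
    return hits


def query_list(name, value):
    """QueryList XML to paste into the custom view's XML tab (or pass to Get-WinEvent -FilterXml)."""
    return ('<QueryList><Query Id="0" Path="Security"><Select Path="Security">'
            f"*[EventData[Data[@Name='{name}']='{value}']]</Select></Query></QueryList>")


if __name__ == "__main__":
    print("UserID filter:   ", by_system_userid(SAMPLE_EVENTS, MA_SID))              # []
    print("TargetUserSid:   ", by_event_data(SAMPLE_EVENTS, "TargetUserSid", MA_SID))  # [4624]
    print("SubjectUserName: ", by_event_data(SAMPLE_EVENTS, "SubjectUserName", "ma"))  # [4672]
    print(query_list("TargetUserName", "ma"))
```

Note that SubjectUserName and TargetUserName select different events: the subject is the account that performed the action, the target is the account the action was about, so a logon audit names ma as the target while a privilege-assignment event names ma as the subject.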

Also, below is a table of logon events and logon types explained by their code. The list below is derived from a SANS poster named SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. I lost the hyperlink of that poster, but a more descriptive list could be found at –

http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

Logon Type   Explanation
2            Logon via console
3            Network Logon
4            Batch Logon
5            Windows Service Logon
7            Credentials used to unlock screen
8            Network logon sending credentials (cleartext)
9            Different credentials used than logged on user
10           Remote interactive logon (RDP)
11           Cached credentials used to logon

Event ID (XP / Win 7)   Explanation
528 / 4624              Successful Logon
529 / 4625              Failed Logon
538 / 4634              Successful Logoff
540 / 4624              Successful Network Logon


Written by gmaran23

July 4, 2014 at 8:41 pm