Security Basics mailing list archives

RE: Windows Log


From: "dave kleiman" <dave () davekleiman com>
Date: Fri, 20 Jan 2006 20:23:31 -0500



There is no way to say when "employees logon/logoff of a PC physically on
the network" unless you are keeping a video log in correlation with a logon
log, that shows the user logging into the workstation.

If you would like to keep track of user accounts and when a user account
was utilized to log on to the network, you could do the following:

First of all, you will want to understand the Event IDs and what each piece of
each event stands for.
For instance, the logon type on logon failures:

2 'Interactive - Intended for users who will be interactively using the
machine, such as a user being logged on by a terminal server, remote shell,
or similar process.'
3 'Network - Intended for high performance servers to authenticate clear
text passwords. LogonUser does not cache credentials for this logon type.'
4 'Batch - Intended for batch servers, where processes may be executing on
behalf of a user without their direct intervention; or for higher
performance servers that process many clear-text authentication attempts at
a time, such as mail or web servers. LogonUser does not cache credentials
for this logon type.'
5 'Service - Indicates a service-type logon. The account provided must have
the service privilege enabled.'
6 'Proxy - Indicates a proxy-type logon.'
etc.


Two good resources for this are:
http://www.microsoft.com/technet/support/ee/ee_advanced.aspx

and

http://www.microsoft.com/downloads/details.aspx?familyid=95A85136-F08F-4B20-942F-DC9CE56BCD1A&displaylang=en

Now, if you want to find out when a workstation was utilized to log on to the
domain, you would correlate the workstation's log with the DC log.  First,
make sure auditing is on on both the workstation and the DC.

You should start by downloading Microsoft® Log Parser:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Secondly, you might benefit from buying the Microsoft Log Parser Toolkit
book, as it covers much of this:
http://www.syngress.com/catalog/?pid=3110


Now we can make a script or 2 and retrieve the information you want.


SELECT
        TimeGenerated AS TimeGenerated,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
        CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
                WHEN 2 THEN  '2=Interactive'
                WHEN 3 THEN  '3=Network'
                WHEN 4 THEN  '4=Batch'
                WHEN 5 THEN  '5=Service'
                WHEN 6 THEN  '6=Proxy'
                WHEN 7 THEN  '7=Unlock'
                WHEN 8 THEN  '8=NetworkCleartext'
                WHEN 9 THEN  '9=NewCredentials'
                WHEN 10 THEN '10=RemoteInteractive'
                WHEN 11 THEN '11=CachedInteractive'
                WHEN 13 THEN '13=CachedRemoteInteractive'
                WHEN 14 THEN '14=CachedUnlock'
        END AS Type
INTO SecEvtLogonSuccesTime.csv
FROM security
WHERE EventID IN (540) AND SourceAddress IS NOT NULL GROUP BY
User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated DESC


Save this to a file "SecEvtLogonSuccesTime.sql"  in the Log Parser
directory.
Run it from the command prompt in the Log Parser directory:
logparser file:SecEvtLogonSuccesTime.sql

It will output SecEvtLogonSuccesTime.csv. Now you have all the logons from the DC.

By the way, if you look in the event log at the successful logons from a network
workstation authenticating to the DC, you will see a 576 followed
immediately by a 540.


Now a script for pulling the logons from the workstations to correlate your
data.
Here you will see a 576 followed immediately by a 528.



SELECT
        TimeGenerated AS TimeGenerated,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,13,'|')) AS SourceAddress,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,0,'|')) AS User,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,6,'|')) AS WorkStation,
        TO_LOWERCASE(EXTRACT_TOKEN(Strings,9,'|')) AS CallerDomain,
        CASE TO_INT(EXTRACT_TOKEN(Strings,3,'|'))
                WHEN 2 THEN  '2=Interactive'
                WHEN 3 THEN  '3=Network'
                WHEN 4 THEN  '4=Batch'
                WHEN 5 THEN  '5=Service'
                WHEN 6 THEN  '6=Proxy'
                WHEN 7 THEN  '7=Unlock'
                WHEN 8 THEN  '8=NetworkCleartext'
                WHEN 9 THEN  '9=NewCredentials'
                WHEN 10 THEN '10=RemoteInteractive'
                WHEN 11 THEN '11=CachedInteractive'
                WHEN 13 THEN '13=CachedRemoteInteractive'
                WHEN 14 THEN '14=CachedUnlock'
        END AS Type
INTO SecEvtLogonSuccesTime_Remote-WS.csv
FROM \\%machine%\security
WHERE EventID IN (528) AND SourceAddress IS NOT NULL GROUP BY
User,SourceAddress,CallerDomain,WorkStation,TimeGenerated,Type
ORDER BY TimeGenerated DESC


Save this to a file "SecEvtLogonSuccesTime_Remote-WS.sql" in the Log
Parser directory.

Run it from the command prompt in the Log Parser directory:
logparser file:SecEvtLogonSuccesTime_Remote-WS.sql?machine=THEWORKSTATIONNAME

It will output SecEvtLogonSuccesTime_Remote-WS.csv


Microsoft Log Parser Toolkit:
http://www.syngress.com/catalog/?pid=3110

And

Security Log Management: Identifying Patterns in the Chaos:
http://www.syngress.com/catalog/?pid=3440


If you need to know how to make it into a pretty HTML page with pie charts
etc. the answers are in there.

Additionally, you could come to the CyberCrime Summit:
http://www.southeastcybercrimesummit.com/schedule/SCHEDULE.HTM

I am giving two 4-hour hands-on advanced Log Parser classes.


Regards,

Dave



______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com

     -----Original Message-----
     From: Ramsdell, Scott [mailto:sramsdell () stinsonmoheck com]
     Sent: Friday, January 20, 2006 13:28
     To: Nick Duda; security-basics () securityfocus com
     Subject: RE: Windows Log

     Nick,

     EventIDs and LogonTypes generated for different types of
     successful logons:

     1.  Interactive console logons (at the keyboard, or
     through KVM) generate EventID 528 and LogonType 2.  This
     is recorded on the local workstation or server.

     2.  Interactive logons resuming from a password protected
     screen saver generate EventID 528 and LogonType 7.  This
     is also recorded on the local box.

     3.  Logging off generates EventID 538 with LogonType 2 or
     7 depending on if the user logged out of Windows (2) or
     the screen saver came on (7).

     4.  Users logging into the domain generate EventID 540
     LogonType 3 on the domain controller.  This indicates a
     successful logon across the network to a shared resource
     such as the SYSVOL and netlogon shares to process GPOs and
     read scripts.

     5.  Users logging out of the domain disconnect from SYSVOL
     and netlogon, so this generates EventID 538 LogonType 3 on the DC.

     LogonType 2 = interactive (keyboard or KVM)
     LogonType 3 = across the network
     LogonType 7 = screen saver

     VBScript can query machines for those events using WMI.
     For what you want, you will have to query each of your DCs
     for EventID 540 LogonType 3 events.

     Alternatively, in an AD environment you can monitor logon
     and logoff through GPOs.  Simply write a script that dumps
     username, workstation and time to a centrally located
     repository.  Then assign that script in a GPO under "User
     Configuration\Windows Settings\Scripts\Logon" and "User
     Configuration\Windows Settings\Scripts\Logoff".

     As "List Spam" points out below, you don't want to limit
     the logging your DC collects, you might need it for
     something else.  Simply query for what you need, or dump
     what you need.

     Regards,
     Scott
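The correlation step Dave describes (pairing a workstation's 528 logons with the DC's 540 logons) carried out over the two CSV files his Log Parser queries write, as an added example that is not part of either message above. It assumes the column layout those queries emit (TimeGenerated, SourceAddress, User, WorkStation, CallerDomain, Type), Log Parser's default `yyyy-MM-dd hh:mm:ss` timestamp format, a two-minute pairing window, and that only type 2 and type 10 workstation logons are expected to produce a type 3 logon on the DC; the log rows are constructed, not real output.

```python
"""Pair workstation 528 logons with DC 540 logons from Log Parser CSV exports.

Added example: consumes the two CSV files the page's queries write
(SecEvtLogonSuccesTime_Remote-WS.csv for the workstation, SecEvtLogonSuccesTime.csv
for the DC) and reports console logons that reached the DC, console logons that did
not, and DC network logons with no console logon behind them.
"""
import csv
import io
from datetime import datetime, timedelta

# Logon type codes as listed in the page's queries (Windows 2000/2003 security log).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
    13: "CachedRemoteInteractive", 14: "CachedUnlock",
}

# Assumption: console (2) and RDP (10) logons on the workstation should be followed
# by a type-3 logon on the DC (SYSVOL/netlogon access); unlock (7) and cached logons
# are not required to, so they are skipped when pairing.
SESSION_START_TYPES = {2, 10}

# Log Parser's default TimeGenerated format in CSV output (assumed).
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows in the column layout the page's two queries emit.
# DC export (EventID 540), made-up data:
DC_CSV = """TimeGenerated,SourceAddress,User,WorkStation,CallerDomain,Type
2006-01-20 08:02:11,10.1.2.33,jsmith,ws-acct-07,corp,3=Network
2006-01-20 08:02:12,10.1.2.33,jsmith,ws-acct-07,corp,3=Network
2006-01-20 09:40:05,10.1.2.51,mjones,ws-eng-12,corp,3=Network
2006-01-20 22:15:40,10.1.9.200,jsmith,ws-unknown-1,corp,3=Network
"""
# Workstation export (EventID 528), made-up data; local logons carry no source address:
WS_CSV = """TimeGenerated,SourceAddress,User,WorkStation,CallerDomain,Type
2006-01-20 08:02:09,-,jsmith,ws-acct-07,corp,2=Interactive
2006-01-20 09:39:58,-,mjones,ws-eng-12,corp,2=Interactive
2006-01-20 12:30:00,-,mjones,ws-eng-12,corp,7=Unlock
"""


def parse_rows(csv_text):
    """Read Log Parser CSV text into dicts with a parsed timestamp and numeric logon type."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["when"] = datetime.strptime(row["TimeGenerated"], TIME_FMT)
        row["code"] = int(row["Type"].split("=", 1)[0])  # "3=Network" -> 3
        rows.append(row)
    return rows


def correlate(ws_rows, dc_rows, window=timedelta(minutes=2)):
    """Match each session-starting workstation logon with the DC network logons by the
    same user from the same workstation that follow it within `window`.

    Returns (matched, ws_only, dc_only):
      matched - list of (workstation row, [DC rows])
      ws_only - session-starting workstation logons with no DC logon in the window
      dc_only - DC type-3 logons claimed by no workstation logon
    """
    matched, ws_only, claimed = [], [], set()
    for w in sorted(ws_rows, key=lambda r: r["when"]):
        if w["code"] not in SESSION_START_TYPES:
            continue
        hits = [i for i, d in enumerate(dc_rows)
                if i not in claimed and d["code"] == 3
                and d["User"] == w["User"] and d["WorkStation"] == w["WorkStation"]
                and timedelta(0) <= d["when"] - w["when"] <= window]
        if hits:
            claimed.update(hits)
            matched.append((w, [dc_rows[i] for i in hits]))
        else:
            ws_only.append(w)
    dc_only = [d for i, d in enumerate(dc_rows) if d["code"] == 3 and i not in claimed]
    return matched, ws_only, dc_only


def report(ws_csv=WS_CSV, dc_csv=DC_CSV):
    """One line per finding. The DC-only rows are the ones worth a second look: the
    account was used from a machine whose log shows no console logon (or was not collected)."""
    matched, ws_only, dc_only = correlate(parse_rows(ws_csv), parse_rows(dc_csv))
    lines = []
    for w, hits in matched:
        lines.append(f"{w['when']} {w['User']} console logon on {w['WorkStation']} -> "
                     f"{len(hits)} DC logon(s) from {hits[0]['SourceAddress']}")
    for w in ws_only:
        lines.append(f"{w['when']} {w['User']} {LOGON_TYPES[w['code']]} logon on "
                     f"{w['WorkStation']} with no DC logon within the window")
    for d in dc_only:
        lines.append(f"{d['when']} {d['User']} network logon to DC from {d['WorkStation']} "
                     f"({d['SourceAddress']}) with no console logon behind it")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

To run it against real exports, replace the two constructed strings with the contents of the CSV files the queries produce (or read them with `open(...).read()`); the join key is the user name plus the workstation name that the DC records in the Workstation Name field of the 540 event, so a DC logon whose workstation never shows a matching 528 lands in the DC-only list.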





