
Event Filtering and Searching with XPath and PowerShell

Event Filtering and Searching with XPath and PowerShell. Unfortunately there will be no SCOM ACS, but there will be more of everything else. Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint ondrej@sevecek.com | www.sevecek.com. Auditing (2000+).


Presentation Transcript


  1. Event Filtering and Searching with XPath and PowerShell. Unfortunately there will be no SCOM ACS, but there will be more of everything else. Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint ondrej@sevecek.com | www.sevecek.com

  2. Auditing (2000+)

  3. Granular auditing (2008/Vista+)

  4. Eventviewer

  5. Eventviewer

  6. Eventviewer

  7. Eventviewer and XML

  8. XPath • XML "searching" language • Quick examples //State[@code='CZ'] //State[population>20] /States/State[starts-with(display, 'C') and @continent='NAM'] //State[position()=3] /States/*[starts-with(display, 'C')] //display[starts-with(., 'C')] //display[starts-with(text(), 'C')]

  9. XPath • Event viewer must replace < with &lt; or > with &gt; must replace <= with &lt;= can use only position(), band() and timediff() today: *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]] • WEVTUTIL normal operators >, >=, <=, != …
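The same XPath filters run from PowerShell, as an added example that is not part of the deck. Get-WinEvent hands the filter straight to the event log API, so the raw operators from the WEVTUTIL bullet work; only a filter pasted into the Event Viewer XML tab needs the &lt;/&gt; escaping from the first bullet. The Keywords value for Audit Failure and the Security log name are assumptions taken from the Windows event schema, not from the slides.

```powershell
# Added example (not from the deck): Security log filtering with the XPath
# functions the Event Viewer allows: timediff() and band().

$lastDayMs = 24 * 60 * 60 * 1000   # 86400000, as on the slide

# Failed logons (4625) in the last 24 hours; raw "<=" is fine for Get-WinEvent
$xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= $lastDayMs]]]"

# The same filter written the way the Event Viewer XML tab requires it
$xpathForEventViewer = $xpath -replace '<', '&lt;' -replace '>', '&gt;'

# band() tests the Keywords bitmask: 0x10000000000000 (2^52) is "Audit Failure",
# so this selects every failed audit in the last day regardless of event ID
$auditFailureXPath = "*[System[band(Keywords,4503599627370496) and " +
                     "TimeCreated[timediff(@SystemTime) <= $lastDayMs]]]"

function Get-FailedLogon {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                           -FilterXPath $xpath -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Named fields live under /Event/EventData/Data[@Name='...'];
        # pull them out of the event XML instead of parsing the message text
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']          # see the "Logon types" slide
            Status    = $data['Status']             # decode with err.exe (slide 16)
            SubStatus = $data['SubStatus']
        }
    }
}

Get-FailedLogon | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name

# Count of all failed audits, not only 4625
(Get-WinEvent -LogName Security -FilterXPath $auditFailureXPath -ErrorAction SilentlyContinue).Count
```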

  10. Logon auditing • Account Logon Event • "authentication event" • when an account database validates credentials • Logon Event • "session event" • every time an Access Token is created or closed

  11. NTLM and Schannel network logon (diagram: Client 2000+, Server 2000+, DC 2000+; labels: App Traffic, In-band NTLM hash over SMB / D/COM, Pass-through NTLM hash over D/COM Dynamic TCP to the DC)

  12. Kerberos network logon (basic principle) (diagram: Client 2000+, Server 2000+, DC 2000+; labels: App Traffic, In-band TGS: Server, Kerberos TGT: User, TGS: Server)

  13. Auditing (Interactive Logon) (diagram: Client, servers SQL / FS / WFE, DC; 1 Account Logon on the DC, 2 Logon on the Client)

  14. Logon types

  15. Status codes

  16. Download err.exe • version 2008 • http://www.microsoft.com/en-us/download/details.aspx?id=985 • most up-to-date version • SDK for Windows 8.1 • http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx

  17. Auditing (Network session) (diagram: Client, servers SQL / FS / WFE, DC; 1 Account Logon on the DC, 2 Logon on the server SQL / FS / WFE)

  18. Auditing (Interactive logoff) (diagram: Client, servers SQL / FS / WFE, DC; 1 Logoff on the Client, immediately at logoff)

  19. Auditing (Network session) (diagram: Client, servers SQL / FS / WFE, DC; 1 Logoff on the server SQL / FS / WFE, when the TCP connection is closed)

  20. PowerShell notes • Get-WmiObject -Computer -Query • EventCode, InsertionStrings

  21. Timestamps in LDAP • pwdLastSet • lastLogon • non-replicated • lastLogonTimestamp • lockoutTime • badPasswordTime • non-replicated • accountExpires

  22. Logon timestamps (diagram: Client and three DCs, each holding its own lastLogon for the account: 9:00, 11:38 and "-")

  23. Logon timestamps (2003 DFL) (diagram: Client and three DCs with lastLogon 9:00, 11:38 and "-", each holding the same lastLogonTimestamp 11:00)

  24. lastLogonTimestamp • Requires 2003 domain functional level • Updated only once per 14-random(5) days • DC=idtt,DC=local • msDS-LogonTimeSyncInterval • 1+ – minimum without randomization • 5+ – randomization starts • 14 – the default • ...

  25. Authentication failures (diagram: Client, a DC with pwd1 and pwd2, the PDC with pwd2, another DC with pwd2)

  26. Authentication failures (diagram: Client; PDC with badPasswordCount 7 and lockoutTime; DCs with badPasswordCount 2, 3 and 2)

  27. Searching in LDAP • (name=m*) • (&(name=m*)(c=cz)) • (|(c=cz)(c=de)) • (!(c=cz)) • (whenCreated>=20080323205258.0+1200) • (whenCreated>=20080323205258.0Z) • (pwdLastSet>=128962296000000000) • (userAccountControl:1.2.840.113556.1.4.803:=2)

  28. PowerShell and DateTime • get-date • [DateTime]::Parse("2011-05-28") • (get-date).AddDays(-50) • ((get-date) - [DateTime]::Parse("1601-01-01")).Ticks • ([DateTime]::Parse("2010-11-28") - [DateTime]::Parse("1601-01-01")).Ticks • ((get-date).AddDays(-50) - [DateTime]::Parse("1601-01-01")).Ticks
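The LDAP filter syntax from slide 27 and the ticks arithmetic from slide 28 combined into one query, as an added example that is not from the deck. It assumes a domain-joined machine so that DirectorySearcher binds to the default naming context; the 50-day cutoff matches the slide, and the function names are this example's own.

```powershell
# Added example (not from the deck): find enabled users whose password was
# last set more than 50 days ago, using the FILETIME (100 ns ticks since
# 1601-01-01 UTC) representation that pwdLastSet and lastLogonTimestamp store.

function ConvertTo-FileTime {
    param([Parameter(Mandatory)][DateTime]$Date)
    # Same arithmetic as the slide, but anchored to UTC so it matches what
    # AD stores; identical to $Date.ToFileTimeUtc()
    $epoch = New-Object DateTime -ArgumentList 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return ($Date.ToUniversalTime() - $epoch).Ticks
}

function ConvertFrom-FileTime {
    param([Parameter(Mandatory)][Int64]$FileTime)
    if ($FileTime -eq 0) { return $null }     # 0 = never set / never logged on
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-StalePasswordUser {
    param([int]$Days = 50)
    $cutoff = ConvertTo-FileTime -Date (Get-Date).AddDays(-$Days)
    # pwdLastSet>=1 drops accounts flagged "must change password at next logon";
    # the bitwise matching rule (slide 27) excludes disabled accounts (UAC bit 2)
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(pwdLastSet<=$cutoff)(pwdLastSet>=1)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000                 # paged search for large domains
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet', 'lastLogonTimestamp'))

    foreach ($r in $searcher.FindAll()) {
        $llts = $null
        # lastLogonTimestamp is replicated but may be up to 14 days stale (slide 24)
        if ($r.Properties['lastlogontimestamp'].Count -gt 0) {
            $llts = ConvertFrom-FileTime ([Int64]$r.Properties['lastlogontimestamp'][0])
        }
        [pscustomobject]@{
            Account         = $r.Properties['samaccountname'][0]
            PwdLastSet      = ConvertFrom-FileTime ([Int64]$r.Properties['pwdlastset'][0])
            LastLogonApprox = $llts
        }
    }
}

Get-StalePasswordUser | Sort-Object PwdLastSet | Format-Table -AutoSize
```

For the per-DC, non-replicated lastLogon value (slides 21 to 23) the same query has to be run against every DC and the newest result kept.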

  29. Courses of the Gopas Computer School at www.gopas.cz GOC170 - AD Monitoring with SCOM and ACS GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI GOC174 - SharePoint Architecture and Troubleshooting GOC175 - Advanced Security GOC169 - Auditing ISO/IEC 2700x Get a TechEd 2014 T-shirt for a completed evaluation questionnaire. Gopas Computer School - your IT school for life
