
Chapter 14: Other Audit Events


Presentation Transcript


  1. Chapter 14: Other Audit Events
  Mastering Windows Network Forensics and Investigation

  2. Chapter Topics:
  • Logging of Modifications to Groups, Accounts, Policies
  • Object Access Logs

  3. Changes to Accounts (Win XP)
  • Event ID 624 records account creation
  • Event ID 642 records changes to existing accounts
  • Event ID 626 shows accounts being activated

  4. Changes to Accounts (Win Vista +)
  • Event ID 4720 records account creation
  • Event ID 4738 records changes to existing accounts
  • Event ID 4722 shows accounts being activated

  5. Changes to Accounts (Win XP)
  • New Account Name is the account being modified
  • Caller User Name is the account causing the action

  6. Changes to Accounts (Win Vista +)
  • New Account: Account Name is the account being modified
  • Subject: Security ID is the account causing the action

  7-8. Changes to Accounts (screenshot slides; no transcribed text)

  9. Changes to Groups
  • Changes to group membership are a common way to increase an attacker's privilege level
  • These events generate logs whose Event ID depends on the type of group

  10. Changes to Groups (screenshot slide; no transcribed text)

  11. Changes to Groups (Win XP)
  • The account that is impacted (added to or removed from a group) is called the Member ID
  • The group that is changed is called the Target Account Name
  • The account that initiated the change is called the Caller User Name

  12. Changes to Groups (Win Vista +)
  • The account that is impacted (added to or removed from a group) is called the Member: Security ID
  • Group is the group that is changed
  • The account that initiated the change is called the Account Name

  13. Changes to Groups (screenshot slide; no transcribed text)

  14. Changes to Audit Policy (Win XP)
  • Event ID 612 shows the end result of a change in audit policy

  15. Changes to Audit Policy (Win Vista +)
  • Event ID 4719 shows the end result of a change in audit policy

  16. Object Access
  • Objects include files, folders, printers, etc.
  • Auditing must be configured for each object
  • The object handle can be used to correlate related events in the event log

  17. Object Access (Win XP)
  • Event ID 560 records opening of handles
  • Event ID 562 records closing of handles
  • Event ID 567 shows which access permissions were actually used

  18. Object Access (Win Vista +)
  • Event ID 4656 records opening of handles
  • Event ID 4658 records closing of handles
  • Event ID 4657 shows which access permissions were actually used

  19-26. Object Access (screenshot slides; no transcribed text)
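As an added example (not from the book or the slide deck), the handle correlation described on slides 16 to 18, done on Security events exported as XML in the shape `wevtutil qe Security /f:xml` produces: each 4656 (handle opened) is paired with its 4658 (handle closed), keyed on ProcessId plus HandleId because handle values are reused once closed. The three sample events are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real log data), trimmed to the fields used below.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4656</EventID><TimeCreated SystemTime="2024-03-01T09:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">alice</Data><Data Name="ProcessId">0x1234</Data>
<Data Name="ObjectName">C:\\HR\\payroll.xlsx</Data><Data Name="HandleId">0x1a4</Data></EventData></Event>
<Event><System><EventID>4656</EventID><TimeCreated SystemTime="2024-03-01T09:00:05Z"/></System>
<EventData><Data Name="SubjectUserName">bob</Data><Data Name="ProcessId">0x5678</Data>
<Data Name="ObjectName">C:\\HR\\salaries.docx</Data><Data Name="HandleId">0x2b0</Data></EventData></Event>
<Event><System><EventID>4658</EventID><TimeCreated SystemTime="2024-03-01T09:00:42Z"/></System>
<EventData><Data Name="ProcessId">0x1234</Data><Data Name="HandleId">0x1a4</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Yield (event_id, time_created, {Data Name: value}) for each <Event>."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, when, data


def correlate_handles(xml_text):
    """Pair each 4656 (handle opened) with its 4658 (handle closed).

    Key on (ProcessId, HandleId): handle values are per process and are reused
    after close, so HandleId alone would merge unrelated accesses.
    """
    sessions = {}
    for eid, when, data in parse_events(xml_text):
        key = (data.get("ProcessId"), data.get("HandleId"))
        if eid == 4656:  # a new open always starts a fresh session for this key
            sessions[key] = {"user": data.get("SubjectUserName"), "object": data.get("ObjectName"),
                             "opened": when, "closed": None, "seconds_open": None}
        elif eid == 4658 and key in sessions and sessions[key]["closed"] is None:
            sessions[key]["closed"] = when
            sessions[key]["seconds_open"] = (when - sessions[key]["opened"]).total_seconds()
    return sessions  # entries with closed=None had no matching 4658 in the log


if __name__ == "__main__":
    for (pid, hid), s in correlate_handles(SAMPLE_XML).items():
        state = f"closed after {s['seconds_open']:.0f}s" if s["closed"] else "no 4658 seen"
        print(f"pid {pid} handle {hid}: {s['user']} -> {s['object']} ({state})")
```

A handle that is never closed in the exported range is reported as still open rather than dropped, which is what an investigator needs to see when a log was cleared or rotated mid-session.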
