Monday, April 20, 2009

Event Log Analysis

I caught a very interesting blog post on the ISC (SANS Internet Storm Center) the other day that had to do with Windows Event Logs. In short, the post illustrates a failed logon attempt by "a worm that spread via MS08-067 (not conficker)". The event ID is 529 (logon failure, unknown user name or bad password, on XP/2003) with logon type 3, indicating that the attempt came over the network rather than from the console.

I'd had an opportunity recently to do some timeline analysis, and I was seeing event ID 540, type 3 records immediately prior to the suspicious activity in question. These events are network-based logons, but the Logon Process and Authentication Package identified within the event record were both "Kerberos". I did some additional research in conjunction with the timeline analysis, as well as some testing, and found that successful network logons (event ID 540, type 3) with a Logon Process and Authentication Package of "Kerberos" indicate that the account authenticated against the domain (Active Directory) in order to access resources on the system. In my case, the logon events were immediately followed by the use of PsExec, which then accessed the Service Control Manager to install and start its service.

On the other hand, testing showed logon events with a Logon Process of NtLmSsp and an Authentication Package of NTLM when accessing shares such as C$. I didn't see any of these in my timeline. Worth keeping in mind when you read these records: NTLM is what the target system logs when the client cannot obtain a Kerberos service ticket for it, which is the case when the share is addressed by IP address rather than hostname, when the account is local to the target rather than a domain account, or when no domain controller is reachable. A domain account reaching a hostname-addressed share will show up as the Kerberos/Kerberos variant instead, so the package tells you something about how the attacker addressed the box, not just whether the logon succeeded.
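To make the distinctions above concrete, here is an added example (mine, not code from the original post) that classifies pre-Vista Security log logon records the way the post describes, flags bursts of 529/type 3 failures from one source, and pairs each successful type 3 logon with a service-install record (event 601, "Attempt to install service", which XP/2003 log when process tracking auditing is on) for the same account, the PsExec pattern seen in the timeline. The flat "timestamp|EventID|key=value;..." records are constructed sample data in a format I assume a timeline tool could export; the field names (LogonType, LogonProcess, AuthPackage, SrcIP, Service) are my own labels for the event's description strings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real log data).  PSEXESVC is PsExec's
# default service name; the rest of the values are made up for illustration.
SAMPLE_LOG = """\
2009-04-13 02:11:04|529|LogonType=3;User=administrator;Domain=CORP;Workstation=WS7;SrcIP=10.0.0.7
2009-04-13 02:11:05|529|LogonType=3;User=administrator;Domain=CORP;Workstation=WS7;SrcIP=10.0.0.7
2009-04-13 02:11:06|529|LogonType=3;User=administrator;Domain=CORP;Workstation=WS7;SrcIP=10.0.0.7
2009-04-13 03:40:12|540|LogonType=3;User=jsmith;Domain=CORP;LogonProcess=Kerberos;AuthPackage=Kerberos;SrcIP=10.0.0.23
2009-04-13 03:40:14|601|Service=PSEXESVC;User=jsmith;Domain=CORP
2009-04-13 09:15:30|540|LogonType=3;User=backup;Domain=FILESRV;LogonProcess=NtLmSsp;AuthPackage=NTLM;Workstation=WS2
2009-04-13 09:16:02|540|LogonType=2;User=jdoe;Domain=CORP;LogonProcess=User32;AuthPackage=Negotiate
"""

# Logon types as documented for the 5xx-series events.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote interactive"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict  # parsed description strings, key -> value


def parse_log(text):
    """Parse the constructed export format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, rest = line.split("|", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), fields))
    return sorted(events, key=lambda e: e.ts)


def classify(ev):
    """Label 529/540 records as discussed in the post; None for anything else."""
    if ev.event_id not in (529, 540):
        return None
    lt = int(ev.fields.get("LogonType", 0))
    kind = LOGON_TYPES.get(lt, "type %d" % lt)
    if ev.event_id == 529:
        return "failed %s logon" % kind
    proc = ev.fields.get("LogonProcess", "")
    pkg = ev.fields.get("AuthPackage", "")
    if lt == 3 and proc == "Kerberos" and pkg == "Kerberos":
        # Domain account authenticated against AD to reach this host.
        return "network logon, Kerberos (domain-authenticated)"
    if lt == 3 and proc == "NtLmSsp" and pkg == "NTLM":
        # Host addressed by IP, local account, or no DC reachable.
        return "network logon, NTLM"
    return "successful %s logon (%s/%s)" % (kind, proc, pkg)


def failed_logon_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """(user, source, total) for sources with >= threshold failed network
    logons inside one window: password guessing or a worm retrying."""
    by_src = {}
    for ev in events:
        if ev.event_id == 529 and ev.fields.get("LogonType") == "3":
            src = ev.fields.get("SrcIP") or ev.fields.get("Workstation")
            by_src.setdefault((ev.fields.get("User"), src), []).append(ev.ts)
    hits = []
    for key, stamps in by_src.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append(key + (len(stamps),))
                break
    return hits


def logons_followed_by_service_install(events, window=timedelta(seconds=120)):
    """Pair each successful network logon with a 601 service-install record
    for the same account within `window` (events must be time-sorted)."""
    pairs = []
    for i, ev in enumerate(events):
        if ev.event_id != 540 or ev.fields.get("LogonType") != "3":
            continue
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.event_id == 601 and later.fields.get("User") == ev.fields.get("User"):
                pairs.append((ev.fields["User"], classify(ev), later.fields.get("Service")))
    return pairs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e.ts, e.event_id, classify(e))
    print("bursts:", failed_logon_bursts(evs))
    print("logon -> service install:", logons_followed_by_service_install(evs))
```

Run against a real export you would feed it whatever field names your parser produces for the description strings (the KB article below maps them by position), and widen the correlation window if the service install is logged in the System log with its own clock skew.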

Tracking Logon and Logoff Activity
MS KB 326985 (explains the event record's string fields)
Fitz - Tracking User Logon Activity Using Logon Events
MS - Vista/2008 Security Events
MS - Events and Errors Message Center (Event Lookup)
MS - 2003 Security Events
