Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.


1 Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events

2 Chapter Topics:
- Logging of modifications to groups, accounts and policies
- Object access logs

3 Changes to Accounts (Win XP)
- Event ID 624 records account creation
- Event ID 642 records changes to existing accounts
- Event ID 626 shows accounts being activated

4 Changes to Accounts (Win Vista +)
- Event ID 4720 records account creation
- Event ID 4738 records changes to existing accounts
- Event ID 4722 shows accounts being activated

5 Changes to Accounts (Win XP)
- "New Account Name" is the account being modified
- "Caller User Name" is the account causing the action

6 Changes to Accounts (Win Vista +)
- "New Account: Account Name" is the account being modified
- "Subject: Security ID" is the account causing the action

7 Changes to Accounts


9 Changes to Groups
- Changes to group membership are a common way to increase an attacker's privilege level
- These events generate logs whose Event ID depends on the type of group

10 Changes to Groups

Vista+ Event ID   Win XP/2003 Event ID   Action Indicated
4728              632                    Member added to global security group
4729              633                    Member removed from global security group
4732              636                    Member added to local security group
4733              637                    Member removed from local security group
4746              650                    Member added to local distribution group
4747              651                    Member removed from local distribution group
4751/4761         655                    Member added to global distribution group
4752              656                    Member removed from global distribution group
4756              660                    Member added to universal security group
4757              661                    Member removed from universal security group
N/A               665                    Member added to universal distribution group
4762              666                    Member removed from universal distribution group

11 Changes to Groups (Win XP)
- The account that is impacted (added to or removed from a group) is called the "Member ID"
- The group that is changed is called the "Target Account Name"
- The account that initiated the change is called the "Caller User Name"

12 Changes to Groups (Win Vista +)
- The account that is impacted (added to or removed from a group) is called the "Member: Security ID"
- "Group" is the group that is changed
- The account that initiated the change is called the "Account Name"

13 Changes to Groups

14 Changes to Audit Policy Event ID 612 shows the end result of a change in audit policy

15 Changes to Audit Policy Event ID 4719 shows the end result of a change in audit policy

16 Object Access
- Objects include files, folders, printers, etc.
- Auditing must be configured for each object
- The object handle can be used to correlate related events in the event log

17 Object Access (Win XP)
- Event ID 560 records opening of handles
- Event ID 562 records closing of handles
- Event ID 567 shows which access permissions were actually used

18 Object Access (Win Vista+)
- Event ID 4656 records opening of handles
- Event ID 4658 records closing of handles
- Event ID 4657 shows which access permissions were actually used
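As an added example (not part of the presentation), the following Python script applies the Vista+ Event IDs from slides 10 and 18 to constructed log records: it labels group-membership changes by the subject who made them and ties object-access events together by handle, flagging a handle whose close was never logged. The record field names and sample values are assumptions for illustration, not the real Security log schema.

```python
from collections import defaultdict

# Vista+ Event IDs from the slides above (security groups only, for brevity).
GROUP_CHANGE = {
    4728: "Member added to global security group",
    4729: "Member removed from global security group",
    4732: "Member added to local security group",
    4733: "Member removed from local security group",
    4756: "Member added to universal security group",
    4757: "Member removed from universal security group",
}
HANDLE_OPEN, ACCESS_USED, HANDLE_CLOSE = 4656, 4657, 4658

# Constructed sample records; the field names are an assumption, not the
# real Security log schema. Handle 0x3b0 is opened but never closed.
SAMPLE_EVENTS = [
    {"id": 4732, "subject": "jdoe", "member": "S-1-5-21-EXAMPLE-1105", "group": "Administrators"},
    {"id": 4656, "subject": "jdoe", "handle": "0x3a4", "object": r"C:\payroll\q3.xlsx"},
    {"id": 4657, "subject": "jdoe", "handle": "0x3a4", "access": "WriteData"},
    {"id": 4658, "subject": "jdoe", "handle": "0x3a4"},
    {"id": 4656, "subject": "svc-backup", "handle": "0x3b0", "object": r"C:\payroll\q3.xlsx"},
    {"id": 4624, "subject": "jdoe"},  # unrelated logon event, ignored here
]

def group_changes(events):
    """Return (subject, action, group) for each group-membership change."""
    return [(e["subject"], GROUP_CHANGE[e["id"]], e["group"])
            for e in events if e["id"] in GROUP_CHANGE]

def correlate_handles(events):
    """Tie open / access-used / close events together by object handle."""
    sessions = defaultdict(lambda: {"object": None, "subject": None, "used": [], "closed": False})
    for e in events:
        if e["id"] == HANDLE_OPEN:
            s = sessions[e["handle"]]
            s["object"], s["subject"] = e["object"], e["subject"]
        elif e["id"] == ACCESS_USED:
            sessions[e["handle"]]["used"].append(e["access"])
        elif e["id"] == HANDLE_CLOSE:
            sessions[e["handle"]]["closed"] = True
    return dict(sessions)

if __name__ == "__main__":
    for subj, action, grp in group_changes(SAMPLE_EVENTS):
        print(f"{subj}: {action} ({grp})")
    for handle, s in correlate_handles(SAMPLE_EVENTS).items():
        state = "closed" if s["closed"] else "still open / close not logged"
        print(f"{handle} {s['object']} by {s['subject']}: used={s['used']} {state}")
```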

19 Object Access

