Follow-up on Registry key containing events to be audited

From: H C (keydet89@yahoo.com)
Date: 04/24/02


Date: Wed, 24 Apr 2002 05:33:40 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: focus-ms@securityfocus.com

To all,

I wanted to follow up on my original thread regarding
this issue. Several readers went to great lengths to
attempt to answer my original question, but it seems
that many of you simply read "EventLog" and "Registry"
and drew your own conclusions about what I was looking
for.

An MS employee responded with the fact that the
_events to be audited_ on 2K are stored in the LSA
secrets. When the system is turned off, this
information is stored in the HKLM\Security key of the
Registry.

Frank Heyne responded with this KB article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120

As you can see, this is *exactly* what I was looking
for, though the KB article says it applies to NT (and
it doesn't specify 2K - however, there seems to be a
direct correspondence).

The reason I was looking for this information was for
incident response/forensic purposes. As we all know,
Registry keys have a value associated with them called
"LastWrite". This is actually a FILETIME object,
which corresponds to the last time the key was
modified. I have a Perl script at:

http://patriot.net/~carvdawg/perl.html

that retrieves/displays this information (keytime.pl).
Also, from screen captures I've seen, EnCase will
also display this value.

Therefore, by viewing this value, associated with this
key, an investigator can tie the time that the audit
policy was modified. For example, many web sites and
even "Hacking Exposed" show the use of auditpol.exe to
disable auditing (followed by the use of elsave.exe to
clear the EventLog). This could be useful/important
in tying (malicious) activity to a user.

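As an added example (not the keytime.pl script or any code from the post), the Python below decodes a key's LastWrite FILETIME into a UTC time and correlates it with Security-log timestamps the way the investigation described above would. All sample values are constructed; on a live system the FILETIME would come from RegQueryInfoKey or an offline hive parser, which this example does not implement.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME is a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC.
# RegQueryInfoKey reports a key's LastWrite in this form; the raw hive stores it
# as eight little-endian bytes (dwLowDateTime first, then dwHighDateTime).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an unsigned 64-bit FILETIME to an aware UTC datetime."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (sub-microsecond precision is lost)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the on-disk layout: two little-endian DWORDs, low word first."""
    low, high = struct.unpack("<II", raw)
    return (high << 32) | low


def filetime_to_bytes(ft: int) -> bytes:
    """Encode a FILETIME in the same two-DWORD little-endian layout."""
    return struct.pack("<II", ft & 0xFFFFFFFF, ft >> 32)


def events_after_policy_change(key_lastwrite: int, event_times: list,
                               window: timedelta = timedelta(minutes=30)) -> list:
    """Return event-log timestamps (FILETIMEs) falling within `window` after the
    audit-policy key's LastWrite, as UTC datetimes. Entries written shortly after
    the key was rewritten are the ones to examine for the disable-auditing-then-
    clear-the-log sequence; entries before the change are not returned."""
    changed = filetime_to_datetime(key_lastwrite)
    hits = []
    for ft in event_times:
        when = filetime_to_datetime(ft)
        if changed <= when <= changed + window:
            hits.append(when)
    return hits


# Constructed sample values (hypothetical, not taken from any real system).
POLICY_KEY_LASTWRITE = datetime_to_filetime(datetime(2002, 4, 24, 12, 33, 40, tzinfo=timezone.utc))
SAMPLE_EVENT_TIMES = [datetime_to_filetime(datetime(2002, 4, 24, h, m, 0, tzinfo=timezone.utc))
                      for h, m in ((12, 0), (12, 35), (14, 0))]

if __name__ == "__main__":
    print("policy key LastWrite:", filetime_to_datetime(POLICY_KEY_LASTWRITE))
    for when in events_after_policy_change(POLICY_KEY_LASTWRITE, SAMPLE_EVENT_TIMES):
        print("event within window after policy change:", when)
```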