RE: Win2k Audit Logs - What happened here?
From: george.wasgatt@insurity.com
Date: 12/16/02
From: george.wasgatt@insurity.com
To: johnny_mamak@yahoo.com, incidents@securityfocus.com
Date: Mon, 16 Dec 2002 14:19:17 -0500
Two possibilities come to mind:
1 - the user did a search on the tree for a file
2 - the user did a DIR on the tree with subdirectory (i.e. dir /s)
-----Original Message-----
From: Johnny Walker [mailto:johnny_mamak@yahoo.com]
Sent: Sunday, December 15, 2002 9:51 PM
To: incidents@securityfocus.com
Subject: Win2k Audit Logs - What happened here?
Hi all,
We turned on Windows 2000 auditing for a particular
user on our file server (SERVER1) and found some very
interesting audit events, but we don't know what
action actually triggered all the events. We noticed
that a folder (Group1) and all of its subfolders have
been accessed within 3 seconds. Yes, just within a few
seconds. We thought the user (user2) might have been
browsing through the folders and subfolders, but it
just sounds impossible to browse all the folders in
less than 3 seconds!! We also thought the user
(user2) might have copied the whole folders and pasted them
somewhere... This would sound more logical to do in 3
seconds...
So, what do you guys think?
Below is part of the logs.
Full logs can be retrieved here:
http://www.geocities.com/johnny_mamak/audit1.zip
BTW, what we did is we turned on ALL the audit
features (yes, ALL) that are available for that particular
folder, that's why there are so many log entries for one event...
Really appreciate it if you guys can help me out here.
Thank you.
--- Part of the logs
-----------------------------------
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis\KSM
New Handle ID: 1432
Operation ID: {0,98849004}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadAttributes
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis\Bintang
New Handle ID: 1432
Operation ID: {0,98848990}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadData (or ListDirectory)
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis\Bintang
New Handle ID: 1432
Operation ID: {0,98848985}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadAttributes
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis
New Handle ID: 1432
Operation ID: {0,98848972}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadData (or ListDirectory)
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis
New Handle ID: 1432
Operation ID: {0,98848967}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadAttributes
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
New Handle ID: 1432
Operation ID: {0,98848954}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadData (or ListDirectory)
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
New Handle ID: 1432
Operation ID: {0,98848949}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadAttributes
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1
New Handle ID: 1432
Operation ID: {0,98848936}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadData (or ListDirectory)
Privileges -
"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed:
" Object Server: Security"
" Handle ID: 1432"
" Process ID: 8"
12/11/2002 11:07:10 AM Security Success Audit Object
Access 560 ANGEL\User2 SERVER1 "Object Open:
Object Server: Security
Object Type: File
Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1
New Handle ID: 1432
Operation ID: {0,98848931}
Process ID: 8
Primary User Name: SERVER1$
Primary Domain: ANGEL
Primary Logon ID: (0x0,0x3E7)
Client User Name: User2
Client Domain: ANGEL
Client Logon ID: (0x0,0x5E44E8A)
Accesses ReadAttributes
Privileges -
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
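Both of George's explanations amount to a recursive directory walk, and the trace it leaves is visible in the records above: per directory, one event 560 with ReadData (or ListDirectory) and one with ReadAttributes, all under the same Client Logon ID, all in the same second, walking the tree Group1 -> User1 -> Advantis. The following is an added example, not code from the list or either poster: a small parser for the 560/562 export layout shown in the post, plus a check that flags, per Client Logon ID, a burst of ListDirectory opens on nested directories within a few seconds. The sample records, the 3-second window and the 3-directory threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the post's export layout: a 560 "Object Open" per open, a 562 "Handle Closed" per close.
OPEN = ('12/11/2002 11:07:{s:02d} AM Security Success Audit Object Access 560 ANGEL\\User2 '
        'SERVER1 "Object Open:\nObject Type: File\nObject Name:\n{p}\nNew Handle ID: 1432\n'
        'Client User Name: User2\nClient Logon ID: {l}\nAccesses {a}\nPrivileges -\n"\n')
CLOSE = ('12/11/2002 11:07:{s:02d} AM Security Success Audit Object Access 562 '
         'NT AUTHORITY\\SYSTEM SERVER1 Handle Closed:\n" Handle ID: 1432"\n')
ROOT = "\\Device\\HarddiskDmVolumes\\PhysicalDmVolumes\\BlockVolume2\\Share1\\Group1"
SAMPLE = "".join(  # User2 lists Group1, Group1\User1 and Group1\User1\Advantis in one second
    OPEN.format(s=10, p=p, l="(0x0,0x5E44E8A)", a=a) + CLOSE.format(s=10)
    for p in (ROOT + "\\User1\\Advantis", ROOT + "\\User1", ROOT)
    for a in ("ReadData (or ListDirectory)", "ReadAttributes")
) + OPEN.format(s=40, p=ROOT + "\\User3", l="(0x0,0x1234)", a="ReadData (or ListDirectory)")
REC = re.compile(r"^(\d+/\d+/\d{4} \d+:\d{2}:\d{2} [AP]M) .*Object Access (\d+) ")
def parse_events(text):
    """Split the export into records; keep time, event id, object path, logon id and access."""
    events, cur = [], None
    for line in text.splitlines():
        m = REC.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
                   "id": int(m.group(2)), "path": "", "logon": "", "access": ""}
            events.append(cur)
        elif cur and line.startswith("Object Name:"):
            cur["path"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith("\\") and not cur["access"]:  # wrapped path continues
            cur["path"] += line.strip()
        elif cur and line.startswith("Client Logon ID:"):
            cur["logon"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith("Accesses"):
            cur["access"] = line[len("Accesses"):].strip()
    return events
def find_recursive_listings(events, window=timedelta(seconds=3), min_dirs=3):
    """Per client logon: first burst of ListDirectory opens within `window` forming a parent/child chain."""
    by_logon = defaultdict(list)
    for e in events:
        if e["id"] == 560 and "ListDirectory" in e["access"] and e["path"]:
            by_logon[e["logon"]].append(e)
    hits = {}
    for logon, evs in by_logon.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # NTFS paths compare case-insensitively, so lowercase
            dirs = {e["path"].lower() for e in evs[i:] if e["time"] - first["time"] <= window}
            chained = sum(d.rsplit("\\", 1)[0] in dirs for d in dirs) >= len(dirs) - 1
            if len(dirs) >= min_dirs and chained:
                hits[logon] = sorted(dirs, key=len)
                break
    return hits
```

On the constructed sample the User2 logon is reported with the three nested directories, while the second logon, which listed a single directory, is not.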