RE: Windows2000 Security event logs

From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 09/16/04

    Date: Thu, 16 Sep 2004 13:43:16 -0400
    To: "Dave Gonsalves" <davegon@gmail.com>, <security-basics@securityfocus.com>
    
    

    Was the User Name: field really populated with the datum username, or
    was it really a user account name?

    -----Original Message-----
    From: Dave Gonsalves [mailto:davegon@gmail.com]
    Sent: Monday, September 13, 2004 1:29 PM
    To: security-basics@securityfocus.com
    Subject: Windows2000 Security event logs

    Hi All,

    Has anyone seen this type of Windows Security Event Log activity before?
    This was found on multiple computers.... All within a 2 minute time
    frame...same username and domain.

    EVENT ID: 576
    Special privileges assigned to new logon:
    User Name: username
    Domain:
    Logon ID: (0x0,0x5F893A8)
    Assigned: SeChangeNotifyPrivilege

    EVENT ID: 540
    Successful Network Logon:
    User Name: username
    Domain: DOMAIN
    Logon ID: (0x0,0x5F893A8)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:

    EVENT ID: 538
    User Logoff:
    User Name: username
    Domain: DOMAIN
    Logon ID: (0x0,0x5F893A8)
    Logon Type: 3

    One of the computers provided a source IP address so I have checked the
    computer of the user in question for root kits, trojans, etc. It is
    fully patched and has AV up to date.

    thanks,
    Dave
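
Added example, not part of the original thread: Python code that parses events in the text layout quoted above, groups them by host and Logon ID to rebuild each session, and reports accounts with Logon Type 3 logons on several hosts inside a two-minute window. Host names, timestamps, the second account and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_event(text):
    """Parse the 'Field: value' lines of one event description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def build_sessions(records):
    """Group 576/540/538 events by (host, Logon ID) to rebuild each logon session."""
    sessions = defaultdict(lambda: {"events": set()})
    for host, when, text in records:
        ev = parse_event(text)
        s = sessions[(host, ev["Logon ID"])]
        s["events"].add(ev["EVENT ID"])
        if ev["EVENT ID"] == "540":  # the logon event carries domain and logon type
            s.update(user=ev["User Name"], domain=ev["Domain"], type=ev["Logon Type"],
                     start=datetime.strptime(when, "%Y-%m-%d %H:%M:%S"))
    return dict(sessions)

def fan_out(sessions, window=timedelta(minutes=2), min_hosts=2):
    """Accounts whose type 3 logons hit min_hosts or more hosts inside the window."""
    by_account = defaultdict(list)
    for (host, _), s in sessions.items():
        if s.get("type") == "3":
            by_account[(s["domain"], s["user"])].append((s["start"], host))
    hits = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits

def sample_event(eid, user, logon_id, tail):
    return f"EVENT ID: {eid}\nUser Name: {user}\nDomain: DOMAIN\nLogon ID: {logon_id}\n{tail}"

# Constructed sample: host names, times and the second account are made up;
# the field layout and the Logon ID follow the events quoted in the post.
NET = "Logon Type: 3\nLogon Process: Kerberos\nAuthentication Package: Kerberos"
SAMPLE = [(h, t, sample_event(e, u, "(0x0,0x5F893A8)", x)) for h, t, e, u, x in [
    ("PC-A", "2004-09-13 10:00:05", "576", "username", "Assigned: SeChangeNotifyPrivilege"),
    ("PC-A", "2004-09-13 10:00:05", "540", "username", NET),
    ("PC-A", "2004-09-13 10:00:06", "538", "username", "Logon Type: 3"),
    ("PC-B", "2004-09-13 10:01:10", "540", "username", NET),
    ("PC-C", "2004-09-13 10:30:00", "540", "other", NET)]]
```

Sessions are keyed by host as well as Logon ID because the sample deliberately reuses one Logon ID value on different machines; `fan_out(build_sessions(SAMPLE))` reports the account seen on PC-A and PC-B.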

    
