Re: Windows2000 Security event logs
From: Charles Otstot (charles.otstot_at_ncmail.net)
Date: 09/17/04
- Previous message: Kelly Martin: "Lost mail on security-basics today"
- In reply to: Roger A. Grimes: "RE: Windows2000 Security event logs"
- Next in thread: Robert McIntyre: "Re: Windows2000 Security event logs"
Date: Fri, 17 Sep 2004 08:27:50 -0400
To: Dave Gonsalves <davegon@gmail.com>, security-basics@securityfocus.com
Expanding on Roger's question....
Assuming the User Name: field is populated with a user account name, is
it a valid, proper account (i.e. an account that should exist and should
be accessible)? Would that user have any reason to perform any tasks
against remote systems (e.g. MBSA)?
Could your organization have an application that has embedded
credentials somewhere?
Was the access a one-time occurrence or recurring?
If recurring, have you asked the account owner to change his/her
password? Assuming "Yes", what were the results?
If changing the password did not result in failures, have you looked to
the account owner to provide an explanation of the activity (and the
activity could well be legitimate on his/her part)?
Do you have any sort of services (e.g. monitoring services) running
under an account name which run against remote systems on a timed basis?
Assuming that the number of systems involved is sufficiently large, I
would expect some sort of automated access mechanism, such as monitors,
to be the source mechanism.
Have you ruled out non-nefarious activity as the source? Oftentimes
Windows Security Log logon events get mislabeled as malicious activity,
when in fact, the noted behavior is the result of normal activity. If
not, what normal activities have you investigated that might result in
this behavior?
While I wouldn't rule out something malicious, unless you've eliminated
non-malicious sources, the only thing really suspicious about the log
entries as cited and described is the notation that they were observed
on multiple computers in a short timespan. Even that is easily
explainable, depending upon your organization's circumstances. In this
case, it might be useful to consider (and eliminate) legitimate sources
before looking too deeply for malicious sources.
Charlie
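One way to run Charlie's checklist over the log data, as an added example that is not part of the thread: it parses events in the field layout Dave pasted (with constructed "Host:" and "Time:" fields, which his paste lacks), counts how many distinct hosts each account reached with an Event 540 network logon inside a two-minute window, and checks whether the account's logons recur at the same time of day across dates, the signature of a scheduled monitor or service rather than a person.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the field layout quoted in the thread; the "Host:" and
# "Time:" lines are added for this example (the original paste carries neither).
TEMPLATE = """Host: {host}
Time: {time}
EVENT ID: {eid}
User Name: {user}
Logon ID: (0x0,{lid})
Logon Type: 3
"""
SESSIONS = [  # (host, time, user, logon id), all constructed
    ("WS01", "2004-09-13 13:01:05", "monitorsvc", "0x5F893A8"),
    ("WS02", "2004-09-13 13:01:40", "monitorsvc", "0x5F893A9"),
    ("WS03", "2004-09-13 13:02:20", "monitorsvc", "0x5F893AA"),
    ("WS01", "2004-09-14 13:01:07", "monitorsvc", "0x5F8A100"),
    ("WS07", "2004-09-13 09:15:00", "jdoe", "0x5F80001"),
]
# Each session yields a 540 (network logon) and a matching 538 (logoff) record.
LOG = "\n".join(TEMPLATE.format(host=h, time=t, eid=eid, user=u, lid=l)
                for h, t, u, l in SESSIONS for eid in (540, 538))

def parse_events(text):
    """Split the text into records and map each 'Field: value' line to a dict."""
    return [dict(re.findall(r"^([^:\n]+): ?(.*)$", block, re.M))
            for block in re.split(r"\n(?=Host: )", text.strip())]

def burst_hosts(events, window=timedelta(minutes=2)):
    """Per user, the most distinct hosts with an Event 540 logon inside `window`
    (the 'multiple computers within 2 minutes' pattern reported in the thread)."""
    per_user = defaultdict(list)
    for e in events:
        if e["EVENT ID"] == "540":
            per_user[e["User Name"]].append((datetime.fromisoformat(e["Time"]), e["Host"]))
    return {user: max(len({h for t, h in logons if timedelta(0) <= t - t0 <= window})
                      for t0, _ in logons)
            for user, logons in per_user.items()}

def recurs_daily(events, user, tolerance=timedelta(minutes=5)):
    """True when the user's first Event 540 logon of each day lands at about the
    same time of day on more than one date, as a scheduled monitor or job would."""
    first = {}  # date -> time of day of that day's earliest logon
    for e in events:
        if e["EVENT ID"] == "540" and e["User Name"] == user:
            t = datetime.fromisoformat(e["Time"])
            tod = t - datetime.combine(t.date(), datetime.min.time())
            first[t.date()] = min(first.get(t.date(), tod), tod)
    return len(first) > 1 and max(first.values()) - min(first.values()) <= tolerance
```

An account that scores high on burst_hosts but also recurs daily at the same minute is the "timed basis" case Charlie describes; a high burst with no recurrence is the one worth asking the account owner about.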
Roger A. Grimes wrote:
>Was the User Name: field really populated with the datum username or
>was it really a user account name?
>
>-----Original Message-----
>From: Dave Gonsalves [mailto:davegon@gmail.com]
>Sent: Monday, September 13, 2004 1:29 PM
>To: security-basics@securityfocus.com
>Subject: Windows2000 Security event logs
>
>Hi All,
>
>Has anyone seen this type of Windows Security Event Log activity before?
>This was found on multiple computers.... All within a 2 minute time
>frame...same username and domain.
>
>EVENT ID: 576
>Special privileges assigned to new logon:
>User Name: username
>Domain:
>Logon ID: (0x0,0x5F893A8)
>Assigned: SeChangeNotifyPrivilege
>
>EVENT ID: 540
>Successful Network Logon:
>User Name: username
>Domain: DOMAIN
>Logon ID: (0x0,0x5F893A8)
>Logon Type: 3
>Logon Process: Kerberos
>Authentication Package: Kerberos
>Workstation Name:
>
>EVENT ID: 538
>User Logoff:
>User Name: username
>Domain: DOMAIN
>Logon ID: (0x0,0x5F893A8)
>Logon Type: 3
>
>One of the computers provided a source IP address so I have checked the
>computer of the user in question for root kits, trojans, etc. It is
>fully patched and has AV up to date.
>
>thanks,
>Dave
>
---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------