2017-07-10 10:09 AM
Hi,
I was asked to find some activities out of working hours on the company workstations.
While searching for events, I didn't really manage to find the actual interactive login attempt. I was looking for logon types like '2', '7' and '10', but all of those look like 'krbtgt' processes.
Can anyone please direct me to the actual log that points to the interactive login? Or even show me from the logs that you have what it looks like. I want to be sure that I'll show the correct log to the managers.
Thanks in advance,
Yossi.
2017-07-10 10:42 AM
Yossi,
The events associated with a logon to a system will be Event ID 4624 and 4634. There are other events related to Kerberos ticketing, but 4624 is the one you are looking for that involves the user interactively logging in to a system. The event 4634 "logoff" is the teardown of the 4624 "logon" session. The user did not actually "log off". You will usually see these together: the 4624 "logon", then the 4634 "logoff". Also don't forget about type "9" logons (Run as different user), and keep in mind that the 4624 will only appear on the workstation/server on which the logon is occurring. If you are only looking at the DC logs, you will only see the Kerberos ticket exchange events for that workstation and a very noisy Type "3" logon event, if I remember correctly.
Microsoft Websites:
Leonard
2017-07-10 10:57 AM
Here are two logon samples. One is interactive and one is RDP.
RDP-->
Jul 10 10:33:30 DoorsNet-PC.dsnetworking.com MSWinEventLog,1,Security,42,Mon Jul 10 10:33:28 2017,4624,Microsoft-Windows-Security-Auditing,DSNETWORKING\bob,N/A,Success Audit,DoorsNet-PC.dsnetworking.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DOORSNET-PC$ Account Domain: DSNETWORKING Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-3503856368-219885682-1402935654-1112 Account Name: bob Account Domain: DSNETWORKING Logon ID: 0x249701c8 Logon GUID: {996695CF-66EA-4413-E4D2-D7618C90572D} Process Information: Process ID: 0x16d8 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: DOORSNET-PC Source Network Address: 192.168.31.251 Source Port: 58108 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
Interactive -->
%NICWIN-4-Security_4624_Microsoft-Windows-Security-Auditing: Security,rn=20658589 cid=0x00003100 eid=0x00001210,Mon Jul 10 10:25:08 2017,4624,Microsoft-Windows-Security-Auditing,None,Success Audit,nas.dsnetworking.com,Logon,,An account was successfully logged on. Subject: Security ID: NT AUTHORITY/SYSTEM Account Name: NAS$ Account Domain: DSNETWORKING Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: DSNETWORKING/bob Account Name: bob Account Domain: DSNETWORKING Logon ID: 0x2ccd9be1 Logon GUID: {2D2ED18A-6BAE-4956-0FD6-374D3F98826F} Process Information: Process ID: 0x1b8 Process Name: C:\Windows\System32\winlogon.exe
One was generated using winrm and one using snare.
2017-07-11 02:53 AM
Thanks guys for the replies.
@Leonard, when I look for the '4624' Reference ID, I got just logins related to Service Accounts. As I remember, there is a difference between service login and user login.
Also, as you mention, I have tons of Type '3' logins since I'm querying the DC servers. How can I be sure I'm separating between the Kerberos and the user activity?
@Dave, thanks for the samples. It helped me to compare with my logs.
Anyway, I think that if I see any Type '2' or '10' out of working hours, it'll be a good indicator for user activity.. am I right?
2017-07-11 12:20 PM
Yossi,
On the DC you will see Type "3" logons with 4624 and 4634 when a user logs onto a workstation/server that is not the DC you are examining. When the Windows Service Manager initiates the logon it will be a type "5"; typically these are the accounts that are set up to log on as a service on the system. The Kerberos ticket requests and preauthentication are different Event IDs; typically "4768" and "4776" are what I see associated with a successful logon.
Here is a simple example of 4624 events recorded on a successful interactive logon:
User Logs on to WS1 using keyboard.
Event recorded on WS1 is 4624 type 2 ---> Windows DC--> Event recorded on DC is 4624 Type 3
If you want to see if the user has done an "interactive logon" (user typing on the keyboard) you will look for the logon types of 2, 7, 10 and 11. The user has to be present on the keyboard to generate this type of logon. However, the type 2, 7, 10 and 11 will only be generated on the system that the user is interacting with, not the DC, unless the user is logging directly onto the DC to perform some administrative task.
The table defining the logon types can be referenced in the 4624 Event ID page below.
Also here is a list of All Microsoft Audit Events with sample events.
Window Audit Events List Download
Leonard
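The filtering Leonard describes (keep 4624 with logon types 2, 7, 10 and 11, drop the type 3 and type 5 noise, then restrict to out-of-hours timestamps) can be checked against Snare-style log lines like the ones Dave posted. The script below is an added example, not code from any poster in this thread; it assumes a working week of Monday to Friday 08:00-18:00 and runs over constructed sample lines (hostnames, accounts, SIDs and addresses are all made up) modelled on Dave's Snare format.

```python
import re
from datetime import datetime, time

# Logon types mentioned in the thread, with the meanings from Microsoft's 4624 documentation.
LOGON_TYPES = {
    2: "Interactive (keyboard)",
    3: "Network",
    5: "Service",
    7: "Unlock",
    9: "NewCredentials (RunAs)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}
# Types that need a person at the console or an RDP client; everything else is dropped.
INTERACTIVE_TYPES = {2, 7, 10, 11}

# Snare fields: ...,<Day Mon dd HH:MM:SS yyyy>,<event id>,...,Success Audit,<host>,...
_TS_EID = re.compile(r",([A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}),(\d+),")
_HOST = re.compile(r"Success Audit,([^,]+),")
_LOGON_TYPE = re.compile(r"Logon Type:\s*(\d+)")
# The "New Logon" block names the account that logged on; the "Subject" block before it is the caller.
_NEW_LOGON = re.compile(r"New Logon:.*?Account Name:\s*(.+?)\s+Account Domain:\s*(.+?)\s+Logon ID:")
_SRC = re.compile(r"Source Network Address:\s*(\S+)")

# Constructed sample lines (assumption: same layout as the Snare lines posted above).
SAMPLE_LINES = [
    # In-hours RDP logon (type 10) on a workstation: not a finding
    "Jul 10 10:33:30 ws1.example.com MSWinEventLog,1,Security,42,Mon Jul 10 10:33:28 2017,4624,Microsoft-Windows-Security-Auditing,EXAMPLE\\bob,N/A,Success Audit,ws1.example.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WS1$ Account Domain: EXAMPLE Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1112 Account Name: bob Account Domain: EXAMPLE Logon ID: 0x249701c8 Process Name: C:\\Windows\\System32\\winlogon.exe Workstation Name: WS1 Source Network Address: 192.168.31.251 Source Port: 58108",
    # After-hours console logon (type 2) on a workstation: a finding
    "Jul 10 22:15:43 ws2.example.com MSWinEventLog,1,Security,43,Mon Jul 10 22:15:41 2017,4624,Microsoft-Windows-Security-Auditing,EXAMPLE\\alice,N/A,Success Audit,ws2.example.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WS2$ Account Domain: EXAMPLE Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-1-2-3-1201 Account Name: alice Account Domain: EXAMPLE Logon ID: 0x31a0c2 Process Name: C:\\Windows\\System32\\winlogon.exe Workstation Name: WS2 Source Network Address: 127.0.0.1 Source Port: 0",
    # The DC's view of that same session is a type 3 network logon: noise, not a finding
    "Jul 10 22:16:04 dc1.example.com MSWinEventLog,1,Security,44,Mon Jul 10 22:16:02 2017,4624,Microsoft-Windows-Security-Auditing,EXAMPLE\\alice,N/A,Success Audit,dc1.example.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1-2-3-1201 Account Name: alice Account Domain: EXAMPLE Logon ID: 0x5f0a11 Process Name: - Workstation Name: WS2 Source Network Address: 192.168.31.52 Source Port: 49712",
    # Night-time service logon (type 5): not a finding
    "Jul 10 23:00:02 srv1.example.com MSWinEventLog,1,Security,45,Mon Jul 10 23:00:00 2017,4624,Microsoft-Windows-Security-Auditing,EXAMPLE\\svc_backup,N/A,Success Audit,srv1.example.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SRV1$ Account Domain: EXAMPLE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-21-1-2-3-1300 Account Name: svc_backup Account Domain: EXAMPLE Logon ID: 0x4c1d Process Name: C:\\Windows\\System32\\services.exe Workstation Name: - Source Network Address: - Source Port: -",
    # Weekend workstation unlock (type 7): a finding
    "Jul  8 09:12:02 ws1.example.com MSWinEventLog,1,Security,46,Sat Jul  8 09:12:00 2017,4624,Microsoft-Windows-Security-Auditing,EXAMPLE\\bob,N/A,Success Audit,ws1.example.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WS1$ Account Domain: EXAMPLE Logon ID: 0x3e7 Logon Type: 7 New Logon: Security ID: S-1-5-21-1-2-3-1112 Account Name: bob Account Domain: EXAMPLE Logon ID: 0x2ccd9be1 Process Name: C:\\Windows\\System32\\winlogon.exe Workstation Name: WS1 Source Network Address: 127.0.0.1 Source Port: 0",
    # A 4634 logoff: the parser ignores anything that is not a 4624
    "Jul 10 22:40:11 ws2.example.com MSWinEventLog,1,Security,47,Mon Jul 10 22:40:09 2017,4634,Microsoft-Windows-Security-Auditing,EXAMPLE\\alice,N/A,Success Audit,ws2.example.com,Logoff,,An account was logged off. Subject: Security ID: S-1-5-21-1-2-3-1201 Account Name: alice Account Domain: EXAMPLE Logon ID: 0x31a0c2 Logon Type: 2",
]


def parse_4624(line):
    """Return a dict for a Snare-style 4624 line, or None for any other line."""
    m = _TS_EID.search(line)
    if not m or m.group(2) != "4624":
        return None
    lt = _LOGON_TYPE.search(line)
    acct = _NEW_LOGON.search(line)
    if not lt or not acct:
        return None
    # Snare pads single-digit days with two spaces; collapse them before parsing.
    ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
    host = _HOST.search(line)
    src = _SRC.search(line)
    return {
        "time": ts,
        "host": host.group(1) if host else "?",
        "logon_type": int(lt.group(1)),
        "user": f"{acct.group(2)}\\{acct.group(1)}",
        "source": src.group(1) if src else "-",
    }


def outside_working_hours(ts, start=time(8, 0), end=time(18, 0)):
    """Assumed working week: Monday to Friday, start <= time < end."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_after_hours_interactive(lines):
    """Keep only interactive-type 4624 events whose timestamp falls outside working hours."""
    findings = []
    for line in lines:
        ev = parse_4624(line)
        if ev is None or ev["logon_type"] not in INTERACTIVE_TYPES:
            continue  # drops the DC's type 3 copies and type 5 service logons
        if outside_working_hours(ev["time"]):
            ev["label"] = LOGON_TYPES.get(ev["logon_type"], "Other")
            findings.append(ev)
    return findings


def summarise(findings):
    """One line per finding, ready to hand to whoever asked for the report."""
    return [
        f"{f['time']:%Y-%m-%d %H:%M:%S} {f['host']} {f['user']} "
        f"logon type {f['logon_type']} ({f['label']}) from {f['source']}"
        for f in findings
    ]


if __name__ == "__main__":
    for row in summarise(find_after_hours_interactive(SAMPLE_LINES)):
        print(row)
```

Run over the samples it reports only alice's type 2 console logon on Monday night and bob's type 7 unlock on Saturday; the type 3 copy of alice's session that the DC recorded a few seconds later and the type 5 service logon are dropped. As Leonard points out, that means the lines worth feeding in are the workstation logs rather than the DC logs, since the DC never records the type 2/7/10/11 event at all.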
2017-07-12 04:59 AM
The best explanation I got so far!
Thank you very much Leonard
I'll use the links for future investigations, thanks for that.
Much appreciated,
Yossi.