Incident Response: Windows Account Logon and logon Events

A user when authenticates a Windows endpoint, then an Account Logon event will be generated and will be recorded. These account logon events will be recorded in the Security event log of the system which will be responsible for authentication of the user.

On accessing an account for a resource, a Logon event will be recorded. These logon events will be recorded in the Security event log of the system being accessed.

As an incident responder, if you spot account logon events on a machine other than the Domain Controller, it could be a sign of local user account usage.

Local user account usage is abnormal on domain environments and can indicate a compromise

Introduction
Logon Events
Account Logon Events
Event ID’s
- Event ID 4624
- Event ID 4625
- Event ID 4634
- Event ID 4647
- Event ID 4648
- Event ID 4672
Kerberos Authentication Protocol
- Event ID 4768
- Event ID 4769
- Event ID 4776
- Event ID 4778
- Event ID 4779

Introduction

A windows system has various authentication and logon methods to establish remote sessions between different systems over a network. In this article, we will be learning about different account logon events and authentication protocols like Kerberos.

The methods of Windows authentication range from a simple logon-based thing depending on the user’s knowledge like a password, tokens, public key certificates, and biometrics, etc.

An authentication protocol like Kerberos defines rules and conventions and serves the authentication of users, computers, and services. The process of authentication allows an authorized user and services and gives access to resources in a much secure way.

Logon Events

The Audit logon events are usually settings in the policy that records all attempts to log on to the local computer, whether by using a domain account or a local account. Audit Logon/Logoff events generate on the creation and destruction of logon sessions. These events occur on the machine that was accessed.

Account Logon

Account Logon policy setting generates events for any type of credential validation. These events occur on the machine that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local machine is authoritative.

So, let’s see these event IDs one by one across the Windows server.

Event ID 4624

This event usually is generated for a successful logon. This event will contain information about the host and the name of the account involved. For remote logons, an incident responder should focus on the Network Information section of the event description for remote host information.

The fields Caller Process Name and Caller Process ID in the Process Information section of this event description provides more details about the process of initiating the logon.

When a user successfully logs on to a computer, this event will be generated.

Event ID 4625

This event is created on a failed logon attempt. Usually, these logs in a network may indicate password guessing attacks. The Network Information of this event can provide valuable information if a remote host is attempting to log on to the system.

As an incident responder, you can determine more about the reason for the failure by going through the description.

When a user has a failed login attempt on to a computer, this event will be generated.

Event ID 4634

When a user logs off from his system, it is recorded by Event ID 4634. If a system doesn’t show an event showing a logoff, you as an incident responder you should not be considered overly suspicious.

Event ID 4647

This event is usually triggered when no user-initiated activities no longer occur. This is different from event 4634, that is generally generated when a session no longer exists because of termination.

This event generates when a user logon is of remote type and the logoff was with some standard method.

Event ID 4648

A logon was attempted using explicit credentials. When a user attempts to use credentials that are of other than his, or if there is a user account control bypass to open a process with administrator permissions, this event is logged.

Event ID 4672

When a set of sensitive privileges are assigned to a new logon session, this event is generated for that particular new logon. This event is usually recorded in the event viewer as and when a single local system account logon triggers this event.

Kerberos Authentication Protocol

Kerberos is an authentication protocol that works on the basis of tickets that allows the nodes to communicate over a non-secure network to prove their identity to each other in a secure manner.

So, let us understand the basics of Kerberos and then go ahead with Kerberos authentication protocol and the proceed with the event logs.

Client: A user that requests communication service request.

Resource Server: The server with the service the user wants to access.

Authentication Sever: It performs client authentication, issues TGS on successful authentication.

Key Distribution Centre: Database, Authentication Server and Ticket Granting Server collectively is called Key Distribution Centre.

Ticket Granting Server: It is an application server that provides the issuing of service tickets as a service.

Event ID 4768

On successful issuance of a TGT, it will show that a user account was authenticated by the domain controller. The Keywords field would indicate whether the authentication attempt was successful or failed.

Event ID 4769

Once the client successfully receives a ticket-granting ticket from the KDC, it will store that TGT and send it to the TGS with the Service Principal Name (SPN) of the resource that the client wants to access. TGTs are valid for a certain period of time only.

Event ID 4776

When the computer logon is to be verified, this even is created. It contains additional information about the remote host in the event of a remote logon attempt. The Keywords field indicates whether the authentication attempt succeeded or failed

Event ID 4778

This event is created when a session is reconnected to a Windows station. If a user reconnects with an existing Terminal Services session, or switches to an existing desktop using Fast User Switching, event 4778 is generated. This event is also triggered when a user reconnects to a virtual host.

Event ID 4779

If a user disconnects from an existing Terminal Services session, or switches away from an existing desktop using Fast User Switching, this event is generated. This event is also created when a user disconnects from a virtual host.

You can also try out some other event ID’s from below.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here

Threat Hunting: Velociraptor for Endpoint Monitoring

A velociraptor is a tool for collecting host-based state information using Velocidex Query Language (VQL) queries.

To learn more about Velociraptor, read the documentation on https://www.velocidex.com/docs

Table of Content

Introduction to Velociraptor
Architecture
What is VQL
Prerequisites
Velociraptor Environment
Velociraptor installation
Addition of host
forensics investigation / Threat Hunting

Introduction to Velociraptor

Velociraptor is a free and open-source software project developed by the Velocidex Company. Velociraptor is generally based on GRR, OSQuery, and Google’s Rekall tools. Velociraptor allows users to collect Forensics Evidence, Threat Hunting, Monitoring artifacts, Executing remote triage process. As an open-source platform, Velociraptor continues to improve and evolve through inputs and feedback of digital forensics investigation and cybersecurity practitioner

Velociraptor natively works on Linux, Windows, and macOS. You can create or deploy a server within few minutes using SCCM or Group policy.

Architecture

Main components- all in one binary

Frontend

Receive connections from clients
Queue message to clients
Process Responses from clients (Flows)

GUI

Allow Scheduling Flows/Hunts
Inspect results from Flows/Hunts
View the client’s virtual file system

What is VQL

Velociraptor Query Language (VQL) is an expressive query language designed to adapt your requirements easily without doing any modifications in codes, Query, or artifacts nor deploying any additional software.

VQL encapsulates digital forensics expertise into human-readable files called ‘artifacts’ which can be shared and exchanged freely within the community.

Let’s begin

As shown in the above image there are a few agents like windows or Linux or cloud distros… these agents will point to TCP port 8000 while Digital forensics or cybersecurity experts will consult the web interface to TCP port 8889. The best part of this Architecture is if one of the computers leaves the office or another environment and operates from home or by any other place, it will be able to continue reporting to the server.

Prerequisites

To configure Velociraptor in your Windows Platform, there are some prerequisites required for installation.

Windows 10 with minimum 4gb Ram and 4 CPU cores
Admin privileges
CMD with admin Privilege

Velociraptor Environment

In this blog we will target to install Velociraptor on windows 10, to make it as real as possible, the installation can be carried out to a server in the cloud as shown in the image above. In this blog, I’m going to use windows 10 as a server. You can Download Velociraptor by following the below Link.

https://github.com/Velocidex/velociraptor/releases

Windows Version

To download the latest version of Velociraptor in a windows server, go to the official GitHub page by following the above link then locate and select the option velociraptor-v0.4.8-windows-amd64.msi or you can directly download by accessing the above .msi extension hyperlink.

Velociraptor installation

Let’s start deploying master server in windows And after the download complete what we can do now is to go to the download folder and just simply install it.

Here, windows will try to prevent this happening but once the installer is complete what we saw here is that under the program files have the Velociraptor folder.

now let’s open the command prompt with administrator privilege and navigate to

cd C:\Program Files\Velociraptor

1	cd C:\Program Files\Velociraptor

so now what we need to do is to generate the configuration to do this enter the below arguments into the CMD prompt

velociraptor.exe config generate -i

1	velociraptor.exe config generate -i

And we would like to generate the configuration for the Windows machine so select windows and then hit enter then next select FilebaseDatastore you can also go with the MySQL option but the MySQL option is suitable for the production environment and then next select the path of Velociraptor configuration is c:\window\Temp and then use Self-signed SSL we would like to leave everything on default but if you have different requirements you can make changes as per your own and at last we are not using any google domains so on that place type N and hit enter and enter till last to set options as default as shown In the image below.

Now you can check the configuration of your server by entering below argument

type server.config.yaml

1	type server.config.yaml

And as we can see what the configuration for our server is and it sets our frontend is listening to localhost port 8000 and the certificate directory and so on… basically it’s just a description what the configuration for our server.

Now, since we have this part done what we need to is to add user and we can do it with entering the below command

velociraptor.exe --config server.config.yaml user add vijay --role administrator

1	velociraptor.exe --config server.config.yaml user add vijay --role administrator

And we need to create the password to access the GUI interface

and what we can do now is to run our server so how we can run it…. To do this issue the following command

velociraptor.exe --config server.config.yaml frontend -v

1	velociraptor.exe --config server.config.yaml frontend -v

Here -v stands for verbose

By running the above argument a prompt screen opens on your screen that needs admin access to setting up the environment and then the setup continues.

Congratulations! Finally, you have setup Velociraptor in your windows machine. You can now access the Velociraptor GUI interface at your favourite browser by ping following URL

https://localhost:8889

And use your credentials to log in that you created at the time of installation.

After login into the interface, you’ll have your Velociraptor GUI dashboard

Here we can see the home page, which is about basically the load of the server, connected client’s users, and so on….and this is not all we can end to do….

Addition of Host

Currently, we have no clients connected to the server so let’s rectify that by opening a new terminal with admin privilege

And then follow the below arguments

cd C:\Program Files\Velociraptor
velociraptor.exe --config client.config.yaml client -v

1 2	cd C:\Program Files\Velociraptor velociraptor.exe --config client.config.yaml client -v

And the client Is connected and is going to enrol in the specific server based on the client config file so you could use the client config file with very little modifications to enrol your client to your existing master server if needed in the future.

And now what you see is that your client has successfully connected to the localhost and we have one client added into the master server.

Forensics Investigation / Threat Hunting

Now if you go back to the homepage you could be able to see your host by searching in the filter box.

And then you can see the host have a client id, hostname OS version, and so on….

And we could interrogate the host and we could check collected information and by default, some basic information is collected about clients.

So now what we can and should do is to try to figure out what’s inside this information by downloading it. As we can see a zip folder downloaded inside downloads after opening it you can see these files there that contain the host details.

Let’s check what’s inside these folders open it one by one and this part is gonna a little bit special but it’s not enough

Hold tight! 😊

Wow! It contains quite useful information

Let’s dig it deeper

So now we have the Hunt manager you can easily find it on your Dashboard

Hunt manager allows you to hunt for the specific events that happened to your client and also you can view specific artifacts and you could see the server events as well and you could check server artifacts on the dashboard console of Velociraptor

Let’s begin the Hunt

we need to create a hunt with specific artifacts To do this move your cursor to the “+” button and select it as shown below.

Chrome Hunting

Now the time has come for us to like spy on our user HaHaHa 😊 with the help of our clients if they are using chrome so we are going to check on which website or page they have visited recently unless they are not using incognito mode

To create new hunt in the search window start typing windows then select the artifacts that you want to hunt and add then select “Next”,

In my case, I’m selecting Chrome Cookies, Chrome Extensions, Chrome History you can select as much you want.

After selecting next it redirects you to next prompt when you need to Hunt Description and then select “Next”

Hunt conditions should be in “operating system” select it in the drop-down menu of Include Condition then select Target OS “Windows” and then hit “Next”

At next screen, you have your hunt Description or Artefact review if you do some modifications with the artifacts if needed otherwise leave it as default and then select option “Create Hunt”

Now we have created a new Hunt Named Chrome Hunting it reflects to your Hunts panel

And We would like to run this hunt by pressing the play button to see what’s next in the result…

And then a pop flash on your screen that wants your permission to proceed…

After proceeding it will take you to next screen where you have your hunt results you can select which results you want to see by drop down the Results tab

As we can see we have a history of chrome that the client used to visit on the chrome

Also, we can see chrome cookies by select It form Results dropdown

Let’s Begin some Forensics investigation

Will do it by adding some predefined windows artifacts here, I’m using

Attack.Prefetch
Collectors.File
Detection.ProcessMemory
EventLogs.AlternateLogon
Forensics.FilenameSearch

Enter the Hunt Parameters or Hunt Description

And at the next screen, we have our Hunt results…. For example, if you want to see “Windows.Attack.Prefetch” select It form Results dropdown

Same if you want to see “Windows.EvemtLogs.AlternateLogon” select it from result dropdown and hit enter….

Similarly, you can Dig it much Deeper by adding as many artifacts as you need

Hang tight this is not enough!

More will be discussed in part 2^nd.

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

Incident Response: Windows Account Management Event (Part 2)

For a system to perform well and ensure its maintenance, it is extremely important to monitor and manage events on a system. Event Logs are part of the Windows system, that are created by on a system and can be checked locally or remotely on regular intervals by an administrator or any user. These logs can then be imported and viewed in a SIEM tool to ensure efficient Incident Response.

Incident Response: Windows Account Management Event (Part 1)

Security Policy Settings
Advantage of security settings
Event Log
Account Management Events
Events in Windows Server 2016

Security Policy Settings

They are set of rules that an administrator uses to configure a computer or multiple devices for securing resources on a device or network. The Security Settings extension of the Local Group Policy Editor allows you to define a security configuration as part of a Group Policy Object (GPO).

The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization.

Advantage of Security Setting

User is authenticated in a network or device.
The defined resources that any user is permitted to access.
Whether to record a user’s or group’s actions in the event log.
Membership of a user in a group.

Event Log

The event logs usually keep a record of services from various sources and then stores them in a single place. Events logs can be of Security, System and Application event. As an incident responder, you should look for multiple sources of log information and should not forget to look at the older log files which may be present in backup systems or volume shadow copies.

When the Event logs are assessed, the Event ID have various field details with them;

Account Management Events

The Account Management is extremely important and these events can be used to track the maintenance of users, group, and computer objects in Local users and groups, Active Directory.

Account Management events can be used to track a new user account, any password resets, or any new members being added to groups or being deleted from the group.

The account management events can be categorised into different types: