# Network Security project 1
> [name=呂柏勳 0856130]
Written in HackMD; the HackMD version can be viewed at the URL below:
https://hackmd.io/@OeniLu/S1PBGUOO8
[TOC]
## environment
OS:
Windows_10_1909_Education_64bit
Software:
* Event Viewer ^[1]^ ^[2]^
    * the Event Viewer built into Windows
* Sysmon
* USBLogView
## b : Logon Fail
>Sign in to your computer with wrong password
### Log information
event id: 4625

Subject:^[4]^
* `Security ID` : SYSTEM
    * SID of the account that reported information about the logon failure.
    * Each account has a unique SID that is issued by an authority.
    * Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user.
* `Account Name` : DESKTOP-IG1J4FR$
    * the name of the account that reported information about the logon failure.
* `Account Domain` : WORKGROUP
    * subject's domain or computer name. Formats vary, and include the following:
        * Domain NETBIOS name example: CONTOSO
        * Lowercase full domain name: contoso.local
        * Uppercase full domain name: CONTOSO.LOCAL
    * For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
    * ==For local user accounts==, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
* `Logon ID` : 0x3E7
* `Logon type`: 2
    * Logon type; there are 9 types in total.
    * The common ones are logon type 2 (interactive) and logon type 3 (network).
    * Any logon type above 5 is dangerous^[1]^

Account For Which Logon Failed:
* `Security ID` : NULL SID
    * A valid account was not identified^[2]^
* `Account Name` : Lupohsun
* `Account Domain` : DESKTOP-IG1J4FR

Failure Information:
* `Failure Reason` : Unknown user name or bad password.
* `Status` : 0xC000006D ^[4]^
    * This is either due to a bad username or bad authentication information
* `Sub Status` : 0xC000006A
    * the user name is correct but the password is wrong

Process Information:
* `Caller Process ID` : 0x108
    * hexadecimal Process ID of the process that attempted the logon.
* `Caller Process Name` : C:\Windows\System32\svchost.exe
    * Svchost.exe is the host process that Microsoft Windows uses to run services implemented as DLLs.^[3]^
    * Its correct location is the \Windows\System32 directory on the system drive (on 64-bit systems there is also a copy in \Windows\SysWOW64 on the system drive).
    * ==If it is seen anywhere else, it is very likely malware==.

Network Information:
* `Workstation Name` : DESKTOP-IG1J4FR
    * The authentication request is being submitted by or via the domain controller itself.
* `Source Network Address` : 127.0.0.1
    * IP address of the machine from which the logon attempt was performed.
    * 127.0.0.1 is the local machine itself (loopback)
* `Source Port` : 0

Detailed Authentication Information:
* `Logon Process` : User32
* `Authentication Package` : Negotiate
* `Transited Services`: -
* `Package Name (NTLM only)` : -
* `Key Length` : 0
---
Event description:
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
---
* `Log Name` : Security
    * The name of this log is Security
* `Source` : Microsoft Windows security
    * The source of this log
* `Event ID` : 4625
    * The Event ID is the predefined ID for each kind of event
* `Level` : Information
    * The level is Information; the higher levels are Warning and Error
* `User` : N/A
* `OpCode` : info
    * The rendered message string of the opcode specified in the event.
* `Logged` : 4/20/2020 2:32:27 PM
    * The time this log was generated (the time of the logon failure)
* `Task Category` : Logon
    * This log is categorized under Logon
* `Keywords` : Audit Failure
* `Computer` : DESKTOP-IG1J4FR
    * The name of this computer
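
Decoding the codes listed above in code, as an added example that is not part of the original report: it parses the XML view of a 4625 event (a constructed sample built from the values shown above; Event Viewer > Details > XML View gives this form) and maps `Sub Status` and `Logon type` to their meanings. The namespace and the `Data Name` fields (TargetUserName, SubStatus, LogonType, IpAddress) are the ones Windows writes into the event XML.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# SubStatus (NTSTATUS) values documented for event 4625; the report's event
# carries 0xC000006A. Status 0xC000006D alone only says "bad name or password".
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
    0xC0000224: "user must change password at next logon",
    0xC000015B: "logon type not granted to this account",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
              7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
              10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed XML view of the 4625 event described above (only the fields used).
SAMPLE_4625 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>DESKTOP-IG1J4FR</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Lupohsun</Data>
    <Data Name="TargetDomainName">DESKTOP-IG1J4FR</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>"""

def event_data(xml_text):
    """Return the <Data Name=...> fields of one event's EventData as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}

def decode_4625(xml_text):
    """Turn the raw codes of a 4625 event into a human-readable summary."""
    d = event_data(xml_text)
    sub, ltype = int(d["SubStatus"], 16), int(d["LogonType"])
    return {
        "user": f'{d["TargetDomainName"]}\\{d["TargetUserName"]}',
        "logon_type": LOGON_TYPE.get(ltype, f"unknown({ltype})"),
        "reason": SUBSTATUS.get(sub, f"unknown SubStatus 0x{sub:08X}"),
        "local": d["IpAddress"] in ("127.0.0.1", "::1", "-"),
    }
```

For the sample above `decode_4625` reports an Interactive logon from the local machine that failed because the password was wrong, which is exactly what the Sub Status field encodes.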

### Method
1. Set a password for the account

2. Change Audit Logon Properties
    a. Find Edit group policy from the Start menu

    b. In Audit Logon Properties, under Configure the following audit events, check both Success and Failure

3. Sign out and sign in
    a. Sign out

    b. Sign in, entering a wrong password and then the correct password

4. Check Event Viewer
    a. Find the logon failed log, event id: 4625

### Anything interesting
At first I thought every computer or every event would generate a different ID, so I used the timestamp to guess which log corresponded to the event; later I found that each kind of event has its own fixed event ID, which makes finding the log much more convenient and precise.
Caller Process Name : C:\Windows\System32\svchost.exe is a rather interesting piece of information: from its location you can tell whether it is malware. I had never thought so much could be seen here.
## g : Insert I/O Device
> I/O Devices like USB driver or SD Card
### Log information
USB insertion is not a logged event in the Windows Event Viewer by default,
so we use USBLogView and Sysmon to trace the log.
From USBLogView ^[8]^

* `Event type` : Plug
    * Either Plug or Unplug
* `Event Time` : 4/20/2020 8:52:05 PM
    * The time of the plug event
* `Description` : TOSHIBA External USB 3.0 USB Device
    * Drive information; it shows the drive is made by TOSHIBA
* `USB Class` : 08
    * USB device class code (08 is the Mass Storage class)

From Sysmon

* `Logged` : 4/20/2020 5:52:05 PM
    * The time the USB device was plugged in
* `Task Category` : Driver loaded (rule: DriverLoad)
    * This identifies it as the log event for the USB insertion
### Method
1. Plug in the USB device

2. Check USBLogView

3. Check Sysmon

### Anything interesting
I found that Event Viewer does not record USB plug events, so another tool is needed; here I used USBLogView and Sysmon.
By recording USB insertions, you can know when the system was used maliciously by someone else and understand the state of your own devices.
## h : Delete File
> Delete a file. (Tip: more than one log.)
### Log information
Event id : 4656 ^[13]^
Its Object Name is the file being deleted.
The purpose of this event is "A handle to an object was requested."
Event 4663 then accesses this object.
* Handle ID : 0x285c
    * This field can help you correlate this event with other events that might contain the same Handle ID, for example, 4663(S)
    * Use this Handle ID to find the related event 4663
* Accesses :
    * the list of access rights which were requested by Subject\Security ID.
    * These access rights depend on the Object Type

Event id : 4663^[14]^
The purpose of this event is "An attempt was made to access an object."
This event performs the DELETE.

Event id : 4658^[15]^
Records closing the object after the DELETE has finished.
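The Handle ID correlation described above, as an added example that is not part of the original report: constructed 4656/4663/4658 events in Windows' XML view are replayed in order, and a file counts as deleted only when its handle was requested with DELETE, accessed with DELETE (AccessMask bit 0x10000) and then closed. The file path, handle values and the interleaved read-only handle are constructed sample data; `make_event`, `parse` and `deleted_files` are helper names chosen here.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # the standard DELETE access right as it appears in AccessMask

def make_event(event_id, **fields):
    """Build the XML view of one Security event from constructed field values."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    ns = NS["e"]
    return (f'<Event xmlns="{ns}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

def parse(xml_text):
    """Return EventID plus the EventData fields of one event as a dict."""
    root = ET.fromstring(xml_text)
    d = {x.get("Name"): x.text for x in root.findall("e:EventData/e:Data", NS)}
    d["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return d

# Constructed sequence: the report's file is opened with DELETE, accessed and
# closed; an unrelated read-only handle (AccessMask 0x1 = ReadData) is interleaved.
FILE = r"C:\Users\Lupohsun\Desktop\NetworkSecurity.txt"
SAMPLE_EVENTS = [
    make_event(4656, SubjectUserName="Lupohsun", ObjectType="File",
               ObjectName=FILE, HandleId="0x285c", AccessMask="0x10000"),
    make_event(4656, SubjectUserName="Lupohsun", ObjectType="File",
               ObjectName=r"C:\Users\Lupohsun\Desktop\notes.txt",
               HandleId="0x2a00", AccessMask="0x1"),
    make_event(4663, ObjectName=FILE, HandleId="0x285c", AccessMask="0x10000"),
    make_event(4658, HandleId="0x285c"),
    make_event(4658, HandleId="0x2a00"),
]

def deleted_files(events):
    """Return files whose chain 4656 -> 4663 (with DELETE) -> 4658 completed.
    Handle values are reused once a handle is closed, so open handles are
    tracked per HandleId and dropped at 4658 rather than matched globally
    (a production correlation would also key on ProcessId)."""
    open_handles, deleted = {}, []
    for e in map(parse, events):
        hid = e.get("HandleId")
        if e["EventID"] == 4656:
            open_handles[hid] = {"name": e["ObjectName"], "deleted": False}
        elif e["EventID"] == 4663 and hid in open_handles:
            if int(e["AccessMask"], 16) & DELETE:
                open_handles[hid]["deleted"] = True
        elif e["EventID"] == 4658 and hid in open_handles:
            h = open_handles.pop(hid)
            if h["deleted"]:
                deleted.append(h["name"])
    return deleted
```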
### Method
1. Create a file (NetworkSecurity)


2. Enable 'Audit Object Access' through GPO

3. Configure auditing on every file and folder on the file servers that you want to audit.
    a. Right-click Desktop, choose Properties

    b. Security -> Advanced

    c. Click Add

    d. Click Select a principal, type Everyone as the object name, click OK

    e. Choose the Delete option and the Delete subfolders and files option

    f. Delete the file

4. Event Viewer: many logs with the same timestamp as the deletion can be found in it

### Anything interesting
After deleting the file, when I checked the logs I found that a large number of logs had been generated at once (145 logs in total); I guess this is because the deleted file was moved to the Recycle Bin, which is why so many logs were produced.
I used to think deleting a file was just a simple event; I never imagined that deleting a single file would produce so many logs.
I also observed that most of these logs are about control and transfer of objects.
## i : Process terminated
> You may kill your process from Task Manager
### Log information

* Log Name: Microsoft-Windows-Sysmon/Operational
* Source: Microsoft-Windows-Sysmon
* Date: 4/21/2020 1:56:06 PM
* Event ID: 5 ^[10]^
* Task Category: Process terminated (rule: ProcessTerminate)
* Level: Information
* Keywords:
* User: SYSTEM
* Computer: DESKTOP-IG1J4FR
* UtcTime: 2020-04-21 05:56:06.297
    * The time the event occurred, in Coordinated Universal Time (UTC)
* ProcessGuid: {9be8979a-8ab3-5e9e-0000-001026ede902}
* ProcessId: 1812
    * Before the program terminates, this Process ID can be seen in Task Manager
* Image: C:\Users\Lupohsun\ ==HI.exe==
### Method
1. Run a simple program

2. Terminate the process

3. Look for the log in Sysmon

### Anything interesting
I found that when running the program, a process conhost.exe is created as well as HI.exe.
I guess it is a background process used for display.
The log records UtcTime; I am not sure why UtcTime is recorded in addition to the Logged time.
## j : Modify Microsoft Windows Registry
>- i. Press and hold or right-click the Start button, then select Run. Enter regedit in the Open: box and select OK.
>- ii. Modify a registry.
### Log information
Event ID: 4657

* Log Name: Security
* Source: Microsoft-Windows-Security-Auditing
* Date: 4/21/2020 5:15:06 PM
    * The time of the modification
* Event ID: 4657
* Task Category: Registry
* Level: Information
* Keywords: Audit Success
* User: N/A
* Computer: DESKTOP-IG1J4FR
* Description:
A registry value was modified.
Subject:
* Security ID: DESKTOP-IG1J4FR\Lupohsun
* Account Name: Lupohsun
* Account Domain: DESKTOP-IG1J4FR
* Logon ID: 0x14983EB
Object:
* Object Name: \REGISTRY\USER\S-1-5-21-696807515-2513110078-2004448820-1000\Software\Microsoft\Internet Explorer\Main
* Object Value Name: Start Page
* Handle ID: 0x308
* Operation Type: Existing registry value modified
    * The operation type is modification of a registry value
Process Information:
* Process ID: 0x328
* Process Name: C:\Windows\regedit.exe
    * Modified by running regedit
Change Information:
* Old Value Type: REG_SZ
* Old Value: http://www.google.com
* New Value Type: REG_SZ
* New Value: http://go.microsoft.com/fwlink/p/?LinkId=255141
    * Changed from www.google.com to go.microsoft.com
### Method
1. Turn On Auditing in Group Policy

2. Turn On Auditing on a Domain Controller
    a. Right-click Main, click Permissions

    b. Click Advanced, click Add on the Auditing tab

    c. Select a principal, type Everyone, choose the Full control option

3. Modify the Registry (change the IE home page; old: google.com, new: microsoft.com)
    Double-click Start Page and type http://go.microsoft.com/fwlink/p/?LinkId=255141

4. Check Event Viewer

### Anything interesting
Registry modifications are not recorded in Event Viewer by default; some options have to be enabled before they are logged.
I was worried about breaking the system when changing the registry, so I looked for a simple way and tested by modifying the home page.
Later I learned that the original key can be exported first so it can be restored, which put me much more at ease.
## Reference
[1] [Windows Event ID 4624 – Successful logon]
https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4624.html
[2] [Event 4625 Audit Failure NULL SID failed network logons]
https://serverfault.com/questions/686393/event-4625-audit-failure-null-sid-failed-network-logons
[3] [Svchost.exe]
https://zh.wikipedia.org/wiki/Svchost.exe
[4] [4625(F): An account failed to log on.]
https://docs.microsoft.com/zh-tw/windows/security/threat-protection/auditing/event-4625
[5] [What is the difference between special logon and logon]
https://superuser.com/questions/968108/what-is-the-difference-between-special-logon-logon
[6] [How to see who logged into a computer]
https://www.howtogeek.com/124313/how-to-see-who-logged-into-a-computer-and-when/
[7] [Where can I find logs on recent USB insertion in the Event Viewer]
https://superuser.com/questions/1096887/where-can-i-find-logs-on-recent-usb-insertion-in-the-event-viewer
[8] [USBLogView]
https://www.nirsoft.net/utils/usb_log_view.html
[9] [Track File Deletions and Permission Changes on Windows File Servers]
https://www.lepide.com/how-to/track-file-deletions-and-permission-changes-on-file-servers.html
[10] [Sysmon event ID]
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
[11] [How to use Sysmon]
https://cqureacademy.com/blog/server-monitoring/sysmon
[12] [How to use Sysmon]
https://www.netadmin.com.tw/netadmin/zh-tw/technology/111D82A739524049A739DE9B518574AD
[13] [4656]
https://docs.microsoft.com/zh-tw/windows/security/threat-protection/auditing/event-4656
[14] [4663]
https://docs.microsoft.com/zh-tw/windows/security/threat-protection/auditing/event-4663
[15] [4658]
https://docs.microsoft.com/zh-tw/windows/security/threat-protection/auditing/event-4658