Accounts usage

Automated accounts usage extraction and parsing

A LogParser.exe query, implemented in KAPE as the Logon-Logoff-events module, extracts and parses multiple Security events related to Windows logons into an output CSV file. The following event IDs are processed: 4624, 4625, 4634, 4647, 4648, 4772, 4778, 4779, 4800, 4801, 4802, and 4803.

The query can prove useful for the analysis of events from Domain Controllers as well as from Windows servers or workstations.
Active Directory

Summary

Note that the events presented below are only the ones related to account usage centralized on the Domain Controllers, generated by activity on the remote systems joined to the Active Directory domain. The events logged for account usage on the Domain Controllers themselves are the same as on standard Windows systems (and are thus detailed in the sections Destination machine and Source machine below).

All of the following events are logged in Security.evtx (EVTX) under the default audit configuration:

Event 4625: An account failed to log on.
Event 4768: A Kerberos authentication ticket (TGT) was requested.
Event 4769: A Kerberos service ticket was requested.
Event 4771: Kerberos pre-authentication failed.
Event 4776: The domain controller attempted to validate the credentials for an account (NTLM credential validation performed by the Domain Controller).
LogonTracer

LogonTracer is a tool to display Active Directory logon-related events as a graph. Each logon event is represented as two nodes, the host (hostname or IP address) and the account name, linked by the event information (event ID, number of occurrences, etc.).

The following event IDs are processed: 4624, 4625, 4768, 4769, 4776, and 4672.

Events can be filtered on a number of criteria:
- the host(s) (hostname or IP) or user(s) concerned by the logon;
- whether the authentication provider is NTLM (AuthName: NTLM);
- the logon type: RDP (logon type 10), Network (logon type 3), Batch (logon type 4), and Service (logon type 5);
- whether the logon was associated with special privileges (event ID 4672);
- etc.
Destination machine

Summary

Security.evtx (EVTX), default configuration.
Event 4624: An account was successfully logged on.

Security.evtx (EVTX), default configuration.
Event 4625: An account failed to log on.
Legacy: events 529, 530, 531, 532, 533, 534, 535, 536, 537, and 539.

Security.evtx (EVTX), default configuration. Only logged for logons with elevated privileges.
Event 4672: Special privileges assigned to new logon.

Security.evtx (EVTX), default configuration.
Event 4634: An account was logged off.
Legacy: event 538: User Logoff.

Security.evtx (EVTX), default configuration. Only logged for Interactive and RemoteInteractive logons.
Event 4647: User initiated logoff.
Legacy: event 551: User initiated logoff.

Security.evtx (EVTX), requires the Audit Other Logon/Logoff Events audit policy.
Event 4649: A replay attack was detected.
Event 4778: A session was reconnected to a Window Station.
Event 4779: A session was disconnected from a Window Station.
Event 4800: The workstation was locked.
Event 4801: The workstation was unlocked.
Event 4802: The screen saver was invoked.
Event 4803: The screen saver was dismissed.
Event 5378: The requested credentials delegation was disallowed by policy.
Event 5632: A request was made to authenticate to a wireless network.
Event 5633: A request was made to authenticate to a wired network.
Source machine

Summary

Security.evtx (EVTX), default configuration. Only logged when alternate (explicit) credentials are used.
Event 4648: A logon was attempted using explicit credentials.
Legacy: event 552: Logon attempt using explicit credentials.
Events details

Security Event ID 4624

Location: destination machine Security.evtx.

Event ID 4624: An account was successfully logged on.

A privileged logon will generate an additional Security event, 4672: Special privileges assigned to new logon.

The 4624 event yields information such as:
- the SID (TargetUserSid), account name (TargetUserName), and domain (TargetDomainName) of the account that logged on. The SubjectUserSid, SubjectUserName and SubjectDomainName fields identify the account that requested the logon (often the local SYSTEM account or the computer account), not the account that logged on;
- the source machine hostname (WorkstationName), IP address (IpAddress) and port (IpPort) if the event corresponds to a remote logon (otherwise the three aforementioned fields are set to -, or the IP address to a loopback address);
- the authentication protocol used for the logon, in the AuthenticationPackageName field (NTLM, Kerberos or Negotiate). If the logon was made through the NTLM protocol, the LmPackageName field precisely identifies the NTLM version in use (LM, NTLM V1, NTLM V2); otherwise the field is set to -;
- the logon type in the LogonType field (detailed below);
- the privilege level in the ElevatedToken field. If set to %%1842 (Yes), the session the event represents runs in an elevated context (%%1843 means No). The event can be correlated with the Security event 4672 to precisely identify the privileges of the session;
- the impersonation level of the logon in the ImpersonationLevel field (detailed below);
- the TargetLogonId field (the logon ID) identifying the logon session, which can be correlated with various other Security events (SubjectLogonId of 4672, TargetLogonId of 4634 and 4647, etc.).

The LogonType field provides information on how the logon was established:

2: Interactive logon. Generated for on-screen logon at the keyboard, as well as for some remote access with specific tools. Note that access made using PsExec with a user specified through the -u option results in an interactive logon on the target.
3: Network logon (share access, etc.). Generated for access over the network (access to an SMB share, PsExec, WMI / WinRM, etc.).
4: Batch logon (scheduled task).
5: Service logon (service startup).
7: Unlock (on-screen unlocking).
8: NetworkCleartext authentication (credentials sent in cleartext over the network, usually HTTP basic authentication to IIS).
9: NewCredentials authentication. The caller cloned its current token and specified new credentials for outbound network connections, as done by runas /netonly. This logon type is also produced by pass-the-hash tooling that injects stolen credentials into a new logon session, so it is worth reviewing rather than ignoring.
10: RemoteInteractive authentication (Terminal Services, Remote Desktop or Remote Assistance).
11: CachedInteractive authentication (logon using cached domain credentials when a domain controller cannot be reached).

Interactive logons (logon types 2 and 10, as well as 7 and 11) result in the user's secrets (NTLM hash or Kerberos tickets) being stored in LSASS memory (except for RDP logons made with Restricted Admin mode or Remote Credential Guard). Knowing which users logged on interactively on a system helps determine which accounts could be compromised following the takeover of that system by an attacker. Network logons (type 3) do not leave reusable secrets on the destination system, unless Kerberos unconstrained delegation is configured on it.

The ImpersonationLevel field may take the following values:

-: SecurityAnonymous. The server process cannot obtain security information about the client.
%%1832: Identification. The server process can obtain information about the client but cannot impersonate the client, and thus the client has no privileges.
%%1833: Impersonation. The server process can obtain information about and impersonate the client's security context on the local system.
%%1840: Delegation. The server process can impersonate the client's security context on remote systems.
Security Event ID 4672

Location: destination machine Security.evtx.

Event ID 4672: Special privileges assigned to new logon.

This event occurs whenever a new logon session is assigned one or more of the following privileges:
SeTcbPrivilege
SeBackupPrivilege
SeCreateTokenPrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
SeLoadDriverPrivilege
SeSecurityPrivilege
SeSystemEnvironmentPrivilege
SeAssignPrimaryTokenPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege

The assigned privileges are listed in the PrivilegeList field. The SubjectLogonId field matches the TargetLogonId field of the Security event 4624 of the same session, which can be used to retrieve more information on the logon (logon type, source host, authentication package). The event is very frequent for the local SYSTEM account (S-1-5-18) and is mostly useful to flag privileged logons of user accounts.
Security Event ID 4634 / 4647

Location: destination machine Security.evtx.

Event ID 4634: An account was logged off.
Event ID 4647: User initiated logoff.

Both events carry a TargetLogonId field that matches the TargetLogonId of the Security event 4624 that opened the session, which allows the duration of a logon session to be computed. Event 4634 additionally includes the LogonType of the session; network logons (type 3) usually produce a 4634 shortly after the 4624.
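To show how the 4624, 4672 and 4634 / 4647 fields described above fit together, here is an added example (not code from this page, from KAPE or from LogParser) that parses Security records in Windows Event XML (the format produced by wevtutil qe Security /f:xml and by most EVTX parsers), decodes the 4624 fields (Target* account, source host, authentication package, logon type, ElevatedToken, ImpersonationLevel) and correlates the events on the logon ID to rebuild logon sessions. The records are constructed for the example: the EventData field names are the real ones, but the hostnames, SIDs, logon IDs and timestamps are made up.

```python
"""Rebuild logon sessions from Security event XML (added example, constructed samples).
Correlates 4624 with 4672 (privileges) and 4634 / 4647 (logoff) on the LogonId and
decodes the 4624 fields described above."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
IMPERSONATION = {"-": "SecurityAnonymous", "%%1832": "Identification",
                 "%%1833": "Impersonation", "%%1840": "Delegation"}
ELEVATED = {"%%1842": "Yes", "%%1843": "No"}
CREDS_IN_LSASS = {2, 7, 10, 11}  # logon types leaving reusable secrets in LSASS

def _xml(event_id, time, data):
    """Minimal Security record in Windows Event XML (constructed, not real telemetry)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>SRV01.corp.local</Computer>'
            f'</System><EventData>{items}</EventData></Event>')

# Constructed sample: a privileged RDP session closed by the user, and an NTLMv2 network
# logon with no matching logoff. Subject* is the requesting account, Target* the one logging on.
SAMPLE_EVENTS = [
    _xml(4624, "2024-03-01T08:00:00Z", {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SRV01$", "LogonType": "10",
        "TargetUserName": "jdoe", "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1",
        "WorkstationName": "WS042", "IpAddress": "10.0.0.42", "IpPort": "51234",
        "AuthenticationPackageName": "Negotiate", "LmPackageName": "-",
        "ElevatedToken": "%%1842", "ImpersonationLevel": "%%1833"}),
    _xml(4672, "2024-03-01T08:00:00Z", {
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1",
        "PrivilegeList": "SeDebugPrivilege\n\t\t\tSeBackupPrivilege"}),
    _xml(4624, "2024-03-01T08:05:00Z", {
        "SubjectUserSid": "S-1-0-0", "SubjectUserName": "-", "LogonType": "3",
        "TargetUserName": "svc_backup", "TargetDomainName": "CORP", "TargetLogonId": "0x4f210",
        "WorkstationName": "WS077", "IpAddress": "10.0.0.77", "IpPort": "49800",
        "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
        "ElevatedToken": "%%1843", "ImpersonationLevel": "%%1833"}),
    _xml(4647, "2024-03-01T09:30:00Z", {
        "TargetUserName": "jdoe", "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1"}),
]

def parse_event(xml_text):
    """Flatten one Event XML record into a dict: System fields plus EventData names."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {"EventID": int(system.find("e:EventID", NS).text),
          "Time": system.find("e:TimeCreated", NS).get("SystemTime"),
          "Computer": system.find("e:Computer", NS).text}
    for d in root.find("e:EventData", NS):
        ev[d.get("Name")] = d.text if d.text is not None else "-"
    return ev

def decode_4624(ev):
    """Resolve who logged on, from where and how, from the raw 4624 EventData."""
    ltype = int(ev["LogonType"])
    remote = ev.get("IpAddress", "-") not in ("-", "127.0.0.1", "::1")
    lm = ev.get("LmPackageName", "-")  # only meaningful when the package is NTLM
    return {
        "LogonId": ev["TargetLogonId"],
        "Account": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
        "LogonType": f'{ltype} ({LOGON_TYPES.get(ltype, "Unknown")})',
        "Source": (f'{ev["WorkstationName"]} {ev["IpAddress"]}:{ev["IpPort"]}'
                   if remote else "local"),
        "AuthPackage": ev["AuthenticationPackageName"] + (f" ({lm})" if lm != "-" else ""),
        "Elevated": ELEVATED.get(ev.get("ElevatedToken", "-"), "-"),
        "Impersonation": IMPERSONATION.get(ev.get("ImpersonationLevel", "-"), "-"),
        "CredsInLsass": ltype in CREDS_IN_LSASS,
    }

def build_sessions(xml_records):
    """Key sessions on the 4624 TargetLogonId, then attach 4672 and 4634 / 4647."""
    events = [parse_event(x) for x in xml_records]
    sessions = {}
    for ev in events:  # first pass: logons only, so record order does not matter
        if ev["EventID"] == 4624:
            s = decode_4624(ev)
            s.update(Computer=ev["Computer"], Start=ev["Time"], End=None,
                     Logoff=None, Privileges=[])
            sessions[s["LogonId"]] = s
    for ev in events:  # second pass: correlation on the logon ID
        eid = ev["EventID"]
        if eid == 4672 and ev["SubjectLogonId"] in sessions:
            # 4672 SubjectLogonId equals the 4624 TargetLogonId of the same session
            sessions[ev["SubjectLogonId"]]["Privileges"] = ev["PrivilegeList"].split()
        elif eid in (4634, 4647) and ev["TargetLogonId"] in sessions:
            s = sessions[ev["TargetLogonId"]]
            s["End"] = ev["Time"]
            s["Logoff"] = "user initiated (4647)" if eid == 4647 else "4634"
    return sessions

if __name__ == "__main__":
    for session in build_sessions(SAMPLE_EVENTS).values():
        print(session)
```

On the sample, the jdoe session comes out as a RemoteInteractive logon from WS042 with an elevated token, SeDebugPrivilege and SeBackupPrivilege, and a user-initiated logoff at 09:30, while the svc_backup network logon is flagged as NTLM V2 with no secrets left in LSASS and no logoff seen. The two-pass correlation matters on real logs, where 4672 is frequently written before the 4624 it belongs to.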
Security Event ID 4648

Location: source machine Security.evtx.

Event ID 4648: A logon was attempted using explicit credentials.

Logged on the client (source) machine. Includes information about the target server: Target Server Name (TargetServerName, hostname or IP) and Additional Information (TargetInfo) about the requested service, as well as the account whose credentials were used (TargetUserName / TargetDomainName) and the account that supplied them (SubjectUserName / SubjectDomainName).
References

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=*
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
https://docs.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4624
https://docs.microsoft.com/fr-fr/windows/security/threat-protection/auditing/event-4688