[DFSci] (no subject)

Mcleod S fe0742 at gmail.com
Fri Aug 2 05:35:01 PDT 2019


Thank all of you for your advice.  I’ve reviewed lots of resources online
but wanted to make sure I wasn’t overlooking anything for this type of
examination, and as I thought, I definitely was based on some of your input.

Thanks again

On Thu, Aug 1, 2019 at 9:53 PM Brunty, Josh <josh.brunty at marshall.edu>
wrote:

> Beginning in Win2K8 and on, EventID codes were merged into only a few
> different IDs (compared to XP, which had nearly two dozen EventIDs).  The
> 4625 EventID you mentioned does indeed indicate logon failures and is a
> common ID generated for brute force/password guessing attacks. That said,
> here are some other EventIDs you might want to focus on:
>
> 4624 - Successful Logon
> 4625 - Failed Logon
> 4634/4647 - Successful logoff (Note: Windows doesn't always reliably record
> 4634 events, so also look for 4647 events, which are user-initiated logoffs
> for interactive logins).
> 4648 - Logon using explicit credentials (also known as RunAs, or if the
> application is run as the administrator and those admin credentials are
> entered by the user).
> 4672 - Account Logon with superuser (Administrator) rights
> 4720 - Account was created
>
> Here's a great link with all of the EventIDs, including those above:
> https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
>
> Another item to possibly focus on is the "Logon Type." I'm assuming by
> your reference to the 4625 events that you have access to EVTX logs, so for
> each login event you should see an entry for "Logon Type." Typically it's a
> number between 2 and 13. These event codes can give you very specific
> information on "how" the login occurred.  For example, a Logon Type Code 10
> indicates a Remote Interactive Logon (i.e. Terminal Services/Remote
> Desktop).  I've found these to be extremely helpful to me in determining
> the "soup-to-nuts," per se, of how the logon process actually went down.
>
> Here's a good resource on all of these different codes:
> http://techgenix.com/Logon-Types/
>
> I hope these little tidbits help you out some.  If you need some more
> guidance please don't hesitate at all to contact me off-list and I'll be
> glad to help you out in any way I can.
>
> Regards,
> Josh
>
> Josh Brunty
> Professor- Digital Forensics & Information Assurance
> Marshall University
> Email: josh.brunty at marshall.edu
> Office: 304-691-8962
>
> On 8/1/19, 7:39 PM, "DFSci on behalf of Mcleod S" <
> dfsci-bounces at lists.dfrws.org on behalf of fe0742 at gmail.com> wrote:
>
>     Hello,
>
>     We have a Windows machine on which we've identified multiple 4625 event
>     IDs. It appears to be a brute force attack. Can anyone please recommend
>     any documentation or resource that would show which artifacts should be
>     examined next to determine if the attack was successful and if any
>     changes were made to the machine? I know this is a broad question, but
>     we're really just looking for a "next steps to take" sort of guide.
>
>     Thanks


More information about the DFSci mailing list
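As an added example (not code from the thread or from either poster), the triage Josh outlines expressed as detection logic: count 4625 failures per account, then flag any 4624/4648/4672/4720 that follows a burst for the same account and report its logon type. The pipe-separated record layout, the sample events and the burst threshold are all assumptions constructed for this example.

```python
"""Triage Windows Security events after a suspected brute-force attack.
Records are constructed samples (not real telemetry) carrying the EVTX
fields the thread refers to: EventID, TimeCreated, account, IpAddress, LogonType."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
# Events that, shortly after a burst of 4625s for the same account, suggest
# the password guessing worked and show what happened next.
FOLLOW_UP_IDS = {4624: "successful logon", 4648: "logon with explicit credentials",
                 4672: "logon with admin privileges", 4720: "account created"}

def parse(line):
    # Layout: ts|EventID|account|IpAddress|LogonType (empty when not present).
    # For 4720 the account column is the creating account (SubjectUserName).
    ts, eid, user, ip, lt = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "id": int(eid), "user": user,
            "ip": ip or None, "logon_type": int(lt) if lt else None}

def triage(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag follow-up events for an account that had >= threshold failed
    logons (4625) within `window` before them. Returns a list of findings."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    fails = defaultdict(list)            # account -> [(ts, source ip)] of 4625s
    findings = []
    for e in events:
        if e["id"] == 4625:
            fails[e["user"]].append((e["ts"], e["ip"]))
        elif e["id"] in FOLLOW_UP_IDS:
            burst = [ip for t, ip in fails[e["user"]] if e["ts"] - t <= window]
            if len(burst) >= threshold:
                findings.append({
                    "user": e["user"], "event_id": e["id"], "what": FOLLOW_UP_IDS[e["id"]],
                    "logon_type": LOGON_TYPES.get(e["logon_type"], e["logon_type"]),
                    "failures_before": len(burst),
                    "sources": sorted(set(filter(None, burst))),
                    "at": e["ts"].isoformat()})
    return findings

SAMPLE = [   # constructed sample lines, not real log data
    *[f"2019-08-01T19:00:{s:02d}|4625|jdoe|203.0.113.7|10" for s in range(0, 30, 5)],
    "2019-08-01T19:00:40|4624|jdoe|203.0.113.7|10",   # guess succeeded over RDP
    "2019-08-01T19:00:41|4672|jdoe||",                # privileged token assigned
    "2019-08-01T19:03:00|4720|jdoe||",                # jdoe created a new account
    "2019-08-01T19:01:00|4625|asmith|203.0.113.9|3",  # two stray failures only
    "2019-08-01T19:01:30|4625|asmith|203.0.113.9|3",
    "2019-08-01T19:02:00|4624|asmith|203.0.113.9|3",  # ordinary mistyped password
]
```

Running `triage(SAMPLE)` reports the three jdoe follow-ups (4624 as RemoteInteractive, then 4672 and 4720) and stays silent on asmith, whose two failures are below the threshold.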