Windows日志分析(上)
前排提示: 使用手机预览的时候, 横屏预览更佳~
在我们Blue Team,针对Windows日志分析的场景占绝大多数,Windows 事件日志记录提供了源、用户名、计算机、事件类型和级别等详细信息,并显示应用程序和系统消息的日志,包括错误、信息消息和警告。多年来,微软不断提高其审计设施的效率和有效性。现代 Windows 系统可以以最小的系统影响记录大量信息。
一般来说企业会选择一种工具来获取日志,这个工具叫做Security information and event management(SIEM)即安全,信息和事件管理。在 Windows 系统上配置足够的日志记录,并在理想情况下将这些日志聚合到 SIEM 或其他日志聚合器中,能够确保我们在SIEM中的搜索语句找到自己想要的日志。
如文章有错误欢迎指出,愿意听取意见!
1. 事件日志格式
现代 Windows 系统默认以二进制 XML Windows 事件日志格式将日志存储在 %SystemRoot%System32winevtlogs 目录中,后缀名为.evtx 。也可以使用日志订阅远程存储日志。事件可以记录在不同地方的日志当中,例如:安全、系统和应用程序事件,它们也可能出现在其他几个日志文件中。安装程序事件日志记录安装 Windows 期间发生的活动。
-
Forwarded Logs 事件日志是记录从其他系统接收到的事件的默认位置。但还有许多其他日志,列在事件查看器中的应用程序和服务日志下,记录与特定类型活动相关的详细信息。 -
Log Name(日志名称): 这是存储事件的事件日志的名称,当我们在同一个系统当中提取大量的日志的时候,会很有用(例如用作索引). -
Source(源): 生成事件的服务(Services)、Microsoft的组件或者应用程序。 -
Event ID(事件ID): 分配给每个类型的审计活动的代码。 -
Level(级别): 分配给相关事件的严重性 -
User(用户):触发发这个事件所涉及的用户或源。但是这个字段的用户通常表示的是系统而不是记录事件原因的用户。 -
OpCode: 由生成的日志的源来分配。 -
Logged: 记录事件的本地系统日期和事件 -
Task Category(任务分类): 由生成日志的源分配。 -
Keywords(关键字): 由源分配,用于对事件进行分组或者排序。 -
Computer(计算机): 记录事件的计算机。这个在我们检查多个计算机的日志的时候很有用,但是我们通常不会讲它作为导致事件的设备。一个经典的例子(当启动远程登录的时候-mstsc(Microsoft terminal services client)计算机字段扔回显示记录事件的系统的名称,不是连接的来源) -
Description(描述): 记录了事件的附加信息,这个描述一般为安全分析师或者蓝队最重要的领域。
2. Windows日志分析的类型
-
账户管理系统事件 -
账户登录和登录事件 -
常见的事件ID4768结果的代码 -
登录事件类型以及代码说明 -
常见的登录失败状态码 -
访问共享对象(例如smb) -
计划任务日志 -
对象访问审计 -
审计政策变更 -
审核Windows服务 -
无线局域网(WLAN)审计 -
过程跟踪 -
附加程序执行记录 -
PowerShell审核
1. 账户管理系统事件
| 事件ID | 描述 | Description |
|---|---|---|
| 4720 | 一个用户被创建了 | A user account was created. |
| 4722 | 一个用户被启用了 | A user account was enabled. |
| 4723 | 用户试图更改帐户的密码 | A user attempted to change an account's password. |
| 4724 | 尝试重置帐户密码 | An attempt was made to reset an account's password. |
| 4725 | 一个用户账户被禁用 | A user account was disabled. |
| 4726 | 一个账户被删除了 | A user account was deleted. |
| 4727 | 创建了一个启用安全性的全局组 | A security-enabled global group was created. |
| 4728 | 成员已添加到启用安全性的全局组 | A member was added to a security-enabled global group. |
| 4729 | 已从启用安全性的全局组中删除成员 | A member was removed from a security-enabled global group. |
| 4730 | 已删除启用安全性的全局组 | A security-enabled global group was deleted. |
| 4731 | 已创建启用安全性的本地组 | A security-enabled local group was created. |
| 4732 | 成员已添加到启用安全性的本地组 | A member was added to a security-enabled local group. |
| 4733 | 已从启用安全性的本地组中删除成员 | A member was removed from a security-enabled local group. |
| 4734 | 已删除启用安全性的本地组 | A security-enabled local group was deleted. |
| 4735 | 启用了安全性的本地组已更改 | A security-enabled local group was changed. |
| 4737 | 启用了安全性的全局组已更改 | A security-enabled global group was changed. |
| 4738 | 用户帐户已更改 | A user account was changed. |
| 4741 | 创建了一个计算机帐户 | A computer account was created. |
| 4742 | 一个计算机账户已被更改 | A computer account was changed. |
| 4743 | 一个计算机账户已被删除 | A computer account was deleted. |
| 4754 | 创建了启用安全性的通用组 | A security-enabled universal group was created. |
| 4755 | 启用了安全性的通用组已更改 | A security-enabled universal group was changed. |
| 4756 | 成员已添加到启用安全性的通用组 | A member was added to a security-enabled universal group. |
| 4757 | 已从启用安全性的通用组中删除成员 | A member was removed from a security-enabled universal group. |
| 4758 | 已删除启用安全性的通用组 | A security-enabled universal group was deleted. |
| 4798 | 枚举了用户的本地组成员身份.大量此类事件可能表明存在攻击者帐户枚举 | A user's local group membership was enumerated. Large numbers of these events may be indicative of adversary account enumeration. |
| 4799 | 枚举了启用安全性的本地组成员身份. 大量这些事件可能表明对组枚举。 | A security-enabled local group membership was enumerated. Large numbers of these events may be indicative of adversary group enumeration. |
2. 账户登录和登录日志
帐户登录是 Microsoft 用于身份验证的术语。登录是用于指代获得对资源的访问权限的帐户的术语。帐户登录和登录事件都将记录在安全事件日志中。域帐户的身份验证(帐户登录)由 Windows 网络中的域控制器执行。
本地帐户(那些存在于本地 SAM 文件中而不是作为 Active Directory 的一部分的帐户)由它们所在的本地系统进行身份验证。执行身份验证的系统将记录帐户登录事件。通过组策略轻松设置帐户登录和登录事件的审核。
虽然随着新版本 Windows 的发布,Microsoft 在默认情况下继续启用更多日志记录,但管理员应定期查看其审核策略,以确保所有系统都生成足够的日志。
对域用户进行身份验证的域控制器上比较有趣的事件 ID 包括:
| 事件ID | 描述 | Description |
|---|---|---|
| 4768 | TGT 的成功颁发表明用户帐户已通过域控制器的身份验证。事件描述的网络信息部分包含远程登录尝试时有关远程主机的附加信息。关键字字段指示身份验证尝试是成功还是失败。如果身份验证尝试失败,事件描述中的结果代码会提供有关失败原因的附加信息,一些更常见的代码是: | The successful issuance of a TGT shows that a user account was authenticated by the domain controller. The Network Information section of the event description contains additional information about the remote host in the event of a remote logon attempt. The Keywords field indicates whether the authentication attempt was successful or failed. In the event of a failed authentication attempt, the result code in the event description provides additional information about the reason for the failure, .Some of the more commonly encountered codes are: |
3. 常见事件 ID 4768 代码
| 十进制 | 十六进制 | 含义 |
|---|---|---|
| 6 | 0x6 | 用户名无效-Username not valid. |
| 12 | 0xC | 禁止此登录的策略限制(例如工作站限制或时间限制)Policy restriction prohibiting this logon (such as a workstation restriction or time-of-day restriction). |
| 18 | 0x12 | 帐户被锁定、禁用或过期。The account is locked out, disabled, or expired. |
| 23 | 0x17 | 该帐户的密码已过期。The account's password is expired. |
| 24 | 0x18 | 密码不正确。The password is incorrect. |
| 32 | 0x20 | 票证已过期(在计算机帐户上很常见)。The ticket has expired (common on computer accounts). |
| 37 | 0x25 | 时钟偏差太大。The clock skew is too great. |
参考: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768[1]
| 事件ID | 描述 | Description |
|---|---|---|
| 4769 | 用户帐户为指定资源请求了服务票据。此事件描述显示发出请求的系统的源IP、使用的用户帐户以及要访问的服务。这些事件提供了有用的证据来源,因为它们跟踪经过身份验证的用户在网络上的访问。 | A service ticket was requested by a user account for a specified resource. This event description shows the source IP of the system that made the request, the user account used, and the service to be accessed. These events provide a useful source of evidence as they track authenticated user access across the network. |
| 4770 | 服务票据已更新。记录帐户名称、服务名称、客户端IP 地址和加密类型。 | A service ticket was renewed. The account name, service name, client IP address, and encryption type are recorded. |
| 4771 | 根据Kerberos 登录失败的原因,将创建事件ID 4768 或事件ID 4771。无论哪种情况,事件描述中的结果代码都会提供有关失败原因的附加信息。 | Depending on the reason for a failed Kerberos logon, either Event ID 4768 or Event ID 4771 is created. In either case, the result code in the event description provides additional information about the reason for the failure. |
| 4776 | 此事件ID 会记录NTLM 身份验证尝试。事件描述的网络信息部分包含远程登录尝试时有关远程主机的附加信息。关键字字段表示身份验证尝试是成功还是失败。 | This event ID is recorded for NTLM authentication attempts. The Network Information section of the event description contains additional information about the remote host in the event of a remote logon attempt. The Keywords field indicates whether the authentication attempt succeeded or failed. |
4. 登录事件类型以及代码说明
常见事件 ID 4776 错误代码说明
| 错误代码 | 含义 | Meaning |
|---|---|---|
| 0xC0000064 | 用户名不正确 | The username is incorrect. |
| 0xC000006A | 密码不正确 | The password is incorrect. |
| 0xC000006D | 一般登录失败。源计算机和目标计算机之间的LAN Manager 身份验证级别可能有错误的用户名或密码或不匹配。 | Generic logon failure. Possibly bad username or password or mismatch in the LAN Manager Authentication Level between the source and target computers. |
| 0xC000006F | 授权时间以外的帐户登录。 | Account logon outside authorized hours. |
| 0xC0000070 | 从未经授权的工作站登录帐户。 | Account logon from unauthorized workstation. |
| 0xC0000071 | 使用过期密码登录帐户。 | Account logon with expired password. |
| 0xC0000072 | 帐户登录到管理员禁用的帐户。 | Account logon to account disabled by administrator. |
| 0xC0000193 | 使用过期帐户登录。 | Account logon with expired account. |
| 0xC0000224 | 标记下次登录时更改密码的帐户登录。 | Account logon with Change Password At Next Logon flagged. |
| 0xC0000234 | 账户登录了被锁定的账户。 | Account logon with account locked. |
| 0xc0000371 | 本地帐户存储不包含指定帐户的机密资料。 | The local account store does not contain secret material for the specified account. |
参考 https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776[2]
在被访问的系统上,需要注意的事件 ID 包括:
| 事件ID | 描述 | Description |
|---|---|---|
| 4624 | 已登录到系统。类型2 表示交互式(通常是本地)登录,而类型3 表示远程或网络登录。事件描述将包含有关所涉及的主机和帐户名称的信息。对于远程登录,请关注远程主机信息的事件描述的网络信息部分。 | A logon to a system has occurred. Type 2 indicates an interactive (usually local) logon, whereas a Type 3 indicates a remote or network logon. The event description will contain information about the host and account name involved. For remote logons, focus on the Network Information section of the event description for remote host information. |
登录事件在事件描述中包含一个类型代码:
| 登录类型 | 描述 | Description |
|---|---|---|
| 2 | 交互式,例如在系统的键盘和屏幕上登录,或远程使用第三方远程访问工具(如VNC)或带有-u 开关的psexec。这种类型的登录将在会话期间将用户的凭据缓存在RAM 中,并可能将用户的凭据缓存在磁盘上。 | Interactive, such as logon at keyboard and screen of the system, or remotely using third-party remote access tools like VNC, or psexec with the -u switch. Logons of this type will cache the user's credentials in RAM for the duration of the session and may cache the user's credentials on disk. |
| 3 | 网络,例如从网络上的其他地方访问此计算机上的共享文件夹。这表示非交互式登录,它不会将用户的凭据缓存在RAM 或磁盘上。 | Network, such as access to a shared folder on this computer from elsewhere on the network. This represents a noninteractive logon, which does not cache the user's credentials in RAM or on disk. |
| 4 | 批处理(表示计划任务)。批处理登录类型由批处理服务器使用,其中进程可以代表用户执行而无需他们的直接干预。 | Batch (indicating a scheduled task). Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service 表示服务已由服务控制管理器启动。 | Service indicates that a service was started by the Service Control Manager. |
| 7 | Unlock 表示带有密码保护屏幕的工作站已解锁 | Unlock indicates that an unattended workstation with a password protected screen is unlocked |
| 8 | NetworkCleartext 表示用户从网络登录到这台计算机,并且用户的密码以其未散列的形式传递给身份验证包。内置身份验证会在通过网络发送所有哈希凭据之前对其进行打包。凭证不会以明文(也称为明文)形式遍历网络。 | NetworkCleartext indicates that a user logged on to this computer from the network and the user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). Most often indicates a logon to Internet Information Services (IIS) with basic authentication. |
| 9 | NewCredentials 表示用户使用备用凭据登录以执行操作,例如使用RunAs 或映射网络驱动器。如果想跟踪尝试使用备用凭据登录的用户,需要查找查找事件ID 4648。 | NewCredentials indicates that a user logged on with alternate credentials to perform actions such as with RunAs or mapping a network drive. If you want to track users attempting to log on with alternate credentials, also look for Event ID 4648. |
| 10 | RemoteInteractive 指示交互式登录的终端服务、远程桌面或远程协助。 | RemoteInteractive indicates that Terminal Services, Remote Desktop, or Remote Assistance for an interactive logon. |
| 11 | CachedInteractive(使用缓存的域凭据登录,例如在远离网络时登录笔记本电脑时)。没有联系域控制器来验证凭据,因此不会生成帐户登录条目。 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network). The domain controller was not contacted to verify the credential, so no account logon entry is generated. |
| 事件 | 描述 | Description |
|---|---|---|
| 4625 | 登录尝试失败。整个网络中的大量此类可能表明密码猜测或密码喷洒攻击。同样,事件描述的网络信息部分可以提供有关尝试登录系统的远程主机的有价值信息。请注意,通过RDP 失败的登录可能会记录为类型3 而不是类型10,具体取决于所涉及的系统。您可以通过查阅事件描述的"失败信息"部分来确定有关失败原因的更多信息。 | A failed logon attempt. Large numbers of these throughout a network may be indicative of password guessing or password spraying attacks. Again, the Network Information section of the event description can provide valuable information about a remote host attempting to log on to the system. Note that failed logons over RDP may log as Type 3 rather than Type 10, depending on the systems involved. You can determine more about the reason for the failure by consulting the Failure Information section of the event description. |
事件 ID 4625 中的状态代码提供了有关该事件的其他详细信息:
4. 常见登录失败状态码
| 状态码 | 描述 | Description |
|---|---|---|
| 0XC000005E | 当前没有可用于服务登录请求的登录服务器。 | Currently no logon servers are available to service the logon request. |
| 0xC0000064 | 用户使用拼写错误或错误的用户帐户登录。 | User logon with misspelled or bad user account. |
| 0xC000006A | 用户使用拼写错误或错误的密码登录。 | User logon with misspelled or bad password. |
| 0XC000006D | 这可能是由于用户名错误或身份验证信息不正确造成的。 | This is either due to a bad username or incorrect authentication information. |
| 0XC000006E | 未知用户名或错误密码。 | Unknown username or bad password. |
| 0xC000006F | 用户在授权时间之外登录。 | User logon outside authorized hours. |
| 0xC0000070 | 用户从未经授权的工作站登录。 | User logon from unauthorized workstation. |
| 0xC0000071 | 用户使用过期密码登录。 | User logon with expired password. |
| 0xC0000072 | 用户登录帐户被管理员禁用。 | User logon to account disabled by administrator. |
| 0XC00000DC | 指示服务器处于错误状态以执行所需的操作。 | Indicates the Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | 域控制器和其他计算机之间的时钟不同步了。 | Clocks between domain controller and other computer too far out of sync. |
| 0XC000015B | 用户在这台机器上没有被授予请求的登录类型(也称为登录权限)。 | The user has not been granted the requested logon type (also known as logon right) at this machine. |
| 0XC000018C | 登录请求失败,因为主域和信任域之间的信任关系失败。 | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | 尝试登录,但未启动Netlogon 服务。 | An attempt was made to log on, but the Netlogon service was not started. |
| 0xC0000193 | 用户使用过期帐户登录。 | User logon with expired account. |
| 0XC0000224 | 用户需要在下次登录时更改密码。 | User is required to change password at next logon. |
| 0XC0000225 | 显然是Windows 中的错误而不是风险。 | Evidently a bug in Windows and not a risk. |
| 0xC0000234 | 用户登录锁定的账户。 | User logon with account locked. |
| 0XC00002EE | 失败原因:登录时出错。 | Failure Reason: An error occurred during logon. |
| 0XC0000413 | 登录失败:登录的机器受到身份验证防火墙的保护。不允许指定的帐户对机器进行身份验证。 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 事件ID | 描述 | Description |
|---|---|---|
| 4634/4647 | 用户注销由事件ID 4634 或事件ID 4647 记录。没有显示注销的事件不应被视为过度可疑,因为在许多情况下Windows 在记录事件ID 4634 时不一致。登录ID 字段可用于将事件ID 4624 登录事件与关联的注销事件联系起来(登录ID 在同一台计算机上的重新启动之间是唯一的)。 | User logoff is recorded by Event ID 4634 or Event ID 4647. The lack of an event showing a logoff should not be considered overly suspicious, as Windows is inconsistent in logging Event ID 4634 in many cases. The Logon ID field can be used to tie the Event ID 4624 logon event with the associated logoff event (the Logon ID is unique between reboots on the same computer). |
| 4648 | 尝试使用显式凭据登录。当用户尝试使用与当前登录会话不同的凭据时(包括绕过用户帐户控制[UAC] 以打开具有管理员权限的进程),将记录此事件。 | A logon was attempted using explicit credentials. When a user attempts to use credentials other than the ones used for the current logon session (including bypassing User Account Control [UAC] to open a process with administrator permissions), this event is logged. |
| 4672 | 当与提升或管理员访问权限关联的某些特权被授予登录时,会记录此事件ID。与所有登录事件一样,事件日志将由正在访问的系统生成。 | This event ID is recorded when certain privileges associated with elevated or administrator access are granted to a logon. As with all logon events, the event log will be generated by the system being accessed. |
| 4778 | 当会话重新连接到Windows 工作站时,会记录此事件。当通过快速用户切换切换用户上下文时,这可能在本地发生。 | This event is logged when a session is reconnected to a Windows station. This can occur locally when the user context is switched via fast user switching. |
| 4779 | 会话断开时记录此事件。当通过快速用户切换切换用户上下文时,这可能在本地发生。当会话通过RDP 重新连接时,也会发生这种情况。如前所述,使用事件ID 4637 或4647 记录RDP 会话的完全注销。 | This event is logged when a session is disconnected. This can occur locally when the user context is switched via fast user switching. It can also occur when a session is reconnected over RDP. A full logoff from an RDP session is logged with Event ID 4637 or 4647 as mentioned earlier. |
尚未完结
-
感谢各位师傅看到这里, 创作不易, 排版不易, 建议收藏(吃灰)
-
如果您想联系我, 可以直接添加我的微信号ID: wengchensmile, 来技术交流.
-
我们下期再见!
尚未完结
-
感谢各位师傅看到这里, 创作不易, 排版不易, 建议收藏(吃灰) -
如果您想联系我, 可以直接添加我的微信号ID: wengchensmile, 来技术交流. -
我们下期再见!
参考资料
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
[2]
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
原文始发于微信公众号(Aaron与安全的那些事):【Part I】Windows事件分析宝典
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论