Windows host log analysis methods and ideas


Before doing log analysis, we first need a clear plan for the work: decide which hosts' logs to view (screening targets) -> where to view them (sampling) -> how to view them (research and analysis) -> keep good records and key screenshots -> report and close the loop on incident handling.

1. Screen and analyze host assets

The principle of screening is the same as "Preliminary Screening and Checking Assets" in the previous article, "Measures for Checking Windows Host Intrusion Traces". It is impossible to check and analyze all of the customer's host assets in every area in a short time. What we most need is to identify the key and difficult points and focus on the more important host assets that have problems or are prone to them.

2. Collect log samples

First, a few prerequisites:

① The audit function of the Windows server must be enabled and an audit policy configured. Once the system fails or a security incident occurs, the system's log files can be reviewed, which helps with troubleshooting and tracing the intruder.

② Logs must be backed up regularly in advance, preferably as full off-site backups. The intruder is usually no fool and will generally "destroy the evidence", or more subtly "swap in altered content", to tamper with the logs. (This is the moment to talk to customers about the importance of logs and the necessity of protecting them.)

③ Apply access control to the log files, restrict permissions, and protect them as far as possible against deletion and tampering.

The more fully the above conditions are satisfied, the more scientific, authentic and non-repudiable the results of the subsequent analysis will be.

The host server version used this time is Windows Server 2008 R2.

Open the log: Start----> Administrative Tools----> Event Viewer

Generally, the three types of logs we mainly check are the application log, the security log, and the system log.

Application log:

Contains events recorded by applications or system programs, mainly events related to program operation. Default storage path: %SystemRoot%\System32\Winevt\Logs\Application.evtx. (In addition, when I do host-level checks in a security inspection there are dedicated check items for viewing the logs; just look at the content here.)

Security log:

Records system security audit events, including the various login logs, object access logs, process tracking logs, privilege use, account management, policy changes, and system events. This log is generally the focus of the security engineer's attention. Default storage path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

System log:

Records events generated by operating system components, mainly driver and system component failures, application crashes, and data loss errors. Default storage path: %SystemRoot%\System32\Winevt\Logs\System.evtx

After understanding this information, we can collect the logs we need. Collecting the logs has an additional advantage: it amounts to another backup, and you don't have to stay logged in to the client's host server all the time. After collection, our next main job is to analyze the logs.
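The prerequisites above can be checked, and the three logs collected, from the command line instead of the Event Viewer GUI. The PowerShell below is an added example, not code from the original article; it assumes an elevated session on the host, and the destination folder $Dest is a value chosen for the illustration.

```powershell
# Added example: check the audit prerequisites and take an integrity-checked copy of
# the Application, Security and System logs. Run in an elevated PowerShell.
# $Dest is an illustrative path, not one used by the article.
$Dest = Join-Path 'C:\IR\logs' ("{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmm'))
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# ① Is auditing on? If "Logon/Logoff" or "Account Management" show "No Auditing",
#    the Security log will not contain the 4624/4625/4720 events the analysis relies on.
auditpol /get /category:* | Tee-Object -FilePath (Join-Path $Dest 'auditpol.txt')

# ② Size and retention: a small Security log in "Circular" mode is overwritten quickly,
#    which is why section 3.3 falls back to the Remote Desktop logs.
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName, RecordCount, FileSize, MaximumSizeInBytes, LogMode |
    Tee-Object -FilePath (Join-Path $Dest 'logconfig.txt') | Format-Table -AutoSize

# ③ Export each log in native .evtx form (Event Viewer and Get-WinEvent -Path can still
#    open it) and record a SHA-256 hash so the copy can later be shown to be untampered.
$hashes = foreach ($log in 'Application', 'Security', 'System') {
    $out = Join-Path $Dest "$log.evtx"
    wevtutil epl $log $out
    Get-FileHash -Algorithm SHA256 -Path $out
}
$hashes | Select-Object Path, Hash | Export-Csv -Path (Join-Path $Dest 'hashes.csv') -NoTypeInformation
$hashes | Select-Object Path, Hash | Format-Table -AutoSize

# Restrict the copy to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18), using SIDs
# so the command also works on non-English installations.
icacls $Dest /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
```

Move the folder off the host together with hashes.csv; re-hashing the .evtx files at analysis time and comparing against that CSV is what lets you state that the copy analysed is the one taken on site.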

3. Log analysis

At this point, we also need to know the most common event IDs:
4624 - Successful login

4625 - Failed login

4634/4647 - Logout succeeded

4648 - Login with explicit credentials (RunAs)

4672 - User login with super-user authority (Administrator)

4720 - Account creation

If you want to know more, you can download a complete list of Windows event IDs with explanations from the Internet.

The key content of the log is as follows:

① Check the login log for traces of brute-force cracking;

② Check the account management log for traces of new or modified accounts;

③ Check the remote desktop login log for login traces.

3.1. Brute-force account password cracking log

Case 1: Normal event.

Attackers use brute force to break into the system. Whether or not they succeed, they leave traces of the intrusion in the log. Therefore, events with IDs 4624 and 4625 are the first focus of attention. Pay attention to the SubjectUserName and IpAddress fields in the log.

As shown in the figure, the total number of login events is 11968. The number is so large because the filter above did not select a specific day or time period. A large number of failed logins would be absolutely suspicious, but here the real situation is a large number of successes, the IPs are trusted intranet IPs, the login accounts are internal staff, and the login times fall in a normal period. Check with the people involved; it can basically be judged a normal event.

Case 2: Intrusion event

Three consecutive log entries were found, going from login failure to success. The WorkstationName came from a host named kali, and kali's IP address was finally recorded as 192.168.74.129. From this it can be judged that the attacker brute-forced the administrator's password from the host 192.168.74.129, and this is the trace the brute force left behind.
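The Case 2 pattern, a run of 4625 failures from one source followed by a 4624 success, can be hunted for across the whole log instead of by scrolling through the Event Viewer. The PowerShell below is an added example, not the article's code. It assumes an elevated session on the host (or an exported Security.evtx in $EvtxPath), and $Since and $Threshold are illustrative values. It reads the fields from the event XML rather than the positional Properties array, because field order differs between 4624 and 4625. TargetUserName is the account the logon was attempted for; SubjectUserName, mentioned above, is the account that requested the logon.

```powershell
# Added example: find sources with many failed logons (4625) that later produced a
# successful logon (4624). Run elevated, or set $EvtxPath to an exported Security.evtx.
# $Since and $Threshold are illustrative values.
$Since     = (Get-Date).AddDays(-7)
$Threshold = 10        # failed logons from one IP before it is reported
$EvtxPath  = $null     # e.g. 'C:\IR\logs\Security.evtx' for offline analysis

function ConvertTo-EventData {
    # Flatten <EventData><Data Name="...">...</Data></EventData> into a hashtable.
    param($Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$filter = @{ Id = 4624, 4625; StartTime = $Since }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        User        = $d['TargetUserName']
        Workstation = $d['WorkstationName']
        IpAddress   = $d['IpAddress']
        LogonType   = $d['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
    }
}
if (-not $rows) { "No 4624/4625 events since $Since"; return }

# 1. Failed logons per source IP: the shape of Case 1 versus Case 2 at a glance.
$rows | Where-Object Id -eq 4625 |
    Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object @{n='IpAddress';e={$_.Name}}, Count -First 10 | Format-Table -AutoSize

# 2. Sources over the threshold whose failures were followed by a success from the same IP.
$suspects = $rows |
    Where-Object { $_.Id -eq 4625 -and $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress | Where-Object Count -ge $Threshold

foreach ($s in $suspects) {
    $firstFail = ($s.Group | Sort-Object Time | Select-Object -First 1).Time
    $success   = $rows |
        Where-Object { $_.Id -eq 4624 -and $_.IpAddress -eq $s.Name -and $_.Time -gt $firstFail } |
        Sort-Object Time | Select-Object -First 1
    if ($success) {
        "ALERT: $($s.Count) failed logons from $($s.Name) (workstation '$($success.Workstation)') " +
        "followed by a successful logon as '$($success.User)' at $($success.Time) (LogonType $($success.LogonType))"
    } else {
        "NOTE: $($s.Count) failed logons from $($s.Name), no success seen yet"
    }
}
```

On a host like the Case 2 one, the ALERT line would name the kali workstation, its IP and the administrator account, which is the same conclusion the three consecutive entries gave, but reached over every entry in the window. Raise $Threshold on busy servers to avoid reporting ordinary mistyped passwords.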

3.2. Account management log

Event IDs related to account creation in Windows logs: 4720, 4722, 4724, 4738. After an attacker compromises a Windows host, he may create a backdoor account and hide it.

Case 1: Normal situation.

It can be seen that there is no new-account event in the last 7 days, which is relatively safe.

Case 2: The aaaaa$ backdoor account is added.

It was discovered that the attacker created a backdoor account. Based on this point in time it can be determined that the attacker had already used some method or vulnerability to obtain server permissions, so the attack alert events concerning this compromised server on other security devices before that time can be searched further to determine the attack method.
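For the account management log, the same query approach lists the 4720/4722/4724/4738 events with who acted on which account, and flags names ending in `$`, the trick behind the aaaaa$ account (accounts whose name ends in `$` are not shown by `net user`). This PowerShell is an added example, not the article's code; it assumes an elevated session or an exported Security.evtx in $EvtxPath, and $Since is an illustrative value. Because the creation event may already have been overwritten or wiped, it also lists `$`-suffixed accounts that exist locally right now, on systems that have Get-LocalUser.

```powershell
# Added example: list account creation/modification events and flag "$"-suffixed names.
# Run elevated, or set $EvtxPath to an exported Security.evtx. $Since is illustrative.
$Since    = (Get-Date).AddDays(-7)
$EvtxPath = $null

function ConvertTo-EventData {
    # Flatten <EventData><Data Name="...">...</Data></EventData> into a hashtable.
    param($Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$meaning = @{ 4720 = 'account created'; 4722 = 'account enabled'
              4724 = 'password reset';  4738 = 'account changed' }

$filter = @{ Id = 4720, 4722, 4724, 4738; StartTime = $Since }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Action = $meaning[$e.Id]
        Target = $d['TargetUserName']      # the account being created / changed
        Actor  = $d['SubjectUserName']     # the account that performed the action
        Hidden = ($d['TargetUserName'] -like '*$')   # trailing "$" hides it from "net user"
    }
}

if ($rows) {
    $rows | Sort-Object Time | Format-Table -AutoSize
    $rows | Where-Object Hidden | ForEach-Object {
        "ALERT: '$($_.Target)' ($($_.Action)) by '$($_.Actor)' at $($_.Time) uses a hidden-style name"
    }
} else {
    "No account management events since $Since (check the log was not cleared or overwritten)"
}

# Live cross-check: a "$"-suffixed local account still present even if its 4720 is gone.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    Get-LocalUser | Where-Object Name -like '*$' |
        ForEach-Object { "ALERT: local account '$($_.Name)' exists now, enabled=$($_.Enabled)" }
}
```

The time of the first 4720 for a flagged account is the pivot point the text describes: take it to the other security devices and look at what they alerted on for this server shortly before it.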

3.3. Remote desktop login log

The security log above is likely to be overwritten. In order to miss as few intrusion traces as possible, you can further check the remote desktop login log. After establishing the backdoor account, the attacker will connect to the compromised host through Remote Desktop, and that login behavior is recorded in the remote desktop log.

Remote connection log (Applications and Services Logs -> Microsoft -> Windows -> TerminalServices -> RemoteConnectionManager -> Operational); important event IDs and their meanings:

1149: User authentication succeeded

21: Remote Desktop Service: Session login succeeded

24: Remote Desktop Services: The session has been disconnected

25: Remote Desktop Service: Session reconnected successfully

Therefore, we can look at event ID 1149 in this log:

As shown in the figure, no remote connection is found here, and the situation is normal.
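The Remote Desktop channels are small and separate from the Security log, so they often survive when the Security log has wrapped. The PowerShell below is an added example, not the article's code; it assumes an elevated session on the host, and $Since is an illustrative value. Two points a practitioner should know when reading these channels: event 1149 is written to the RemoteConnectionManager/Operational channel named above, while events 21, 24 and 25 are written to the sibling LocalSessionManager/Operational channel; and 1149 only records that a client passed the connection stage, so confirm an actual session with a 21 (or a Security 4624 with LogonType 10) from the same address.

```powershell
# Added example: pull Remote Desktop connection and session events and group them by
# source address. Run elevated. $Since is an illustrative value.
$Since = (Get-Date).AddDays(-7)
$rcm = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$lsm = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# 1149: client authenticated at the connection stage.
# Its data lives under UserData/EventXML as Param1 = user, Param2 = domain, Param3 = source IP.
$auth = Get-WinEvent -FilterHashtable @{ LogName = $rcm; Id = 1149; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{ Time = $_.TimeCreated; Id = 1149; Event = 'auth succeeded'
                           User = "$($u.Param2)\$($u.Param1)"; Address = $u.Param3 }
    }

# 21 / 24 / 25: session logon, disconnect, reconnect.
# Their data lives under UserData/EventXML as User, SessionID, Address ("LOCAL" for console).
$names = @{ 21 = 'session logon'; 24 = 'session disconnected'; 25 = 'session reconnected' }
$sess = Get-WinEvent -FilterHashtable @{ LogName = $lsm; Id = 21, 24, 25; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Event = $names[[int]$_.Id]
                           User = $u.User; Address = $u.Address }
    }

$all = @($auth) + @($sess) | Sort-Object Time
if (-not $all) { "No Remote Desktop activity since $Since"; return }

# Full timeline, then the per-address summary used to spot an unfamiliar source.
$all | Format-Table Time, Id, Event, User, Address -AutoSize
$all | Where-Object { $_.Address -and $_.Address -ne 'LOCAL' } |
    Group-Object Address | Sort-Object Count -Descending |
    Select-Object @{n='Address';e={$_.Name}}, Count,
                  @{n='Users';e={ ($_.Group.User | Sort-Object -Unique) -join ', ' }} | Format-Table -AutoSize
```

A backdoor account created in section 3.2 and then used over RDP shows up here as a 1149 followed by a 21 for that user from an address that does not belong to the administrators, even when the corresponding 4624 is no longer in the Security log.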

After completing the above analysis, you can basically find most intrusion traces. The subsequent screenshot records, analysis report writing, reporting, etc. will not be repeated here.

I recommend another easy-to-use Windows log analysis tool: Log Parser Lizard. Its strength is that it is relatively easy to use and does not require memorizing cumbersome commands; you only need to configure it and write basic SQL statements to get results intuitively. There are many online tutorials. Download link: http://www.lizard-labs.com/log_parser_lizard.aspx (Why not bring up the tool earlier? Because if you don't understand the analysis principles and ideas, handing you the tool is useless.)

Reprinted: https://www.freebuf.com/articles/neopoints/258131.html

Origin: blog.csdn.net/guo15890025019/article/details/112769798