Event 4624 question.

n00bcfe
(@n00bcfe)
Junior Member

I need a spot check. Improper access to server case.

It is my understanding that with event 4624, the subject identifies the user that requested the logon. Therefore, if I see a 4624 event with a system related subject user name or SID (i.e. S-1-0-0), I should ignore (as noise) and that a "real person" did not actually logon during that event timestamp, correct?

Example Event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-01-23T13:45:22.3066406Z" />
<EventRecordID>1096133167</EventRecordID>
<Correlation />
<Execution ProcessID="604" ThreadID="14144" />
<Channel>Security</Channel>
<Computer>ABCD01.ABCD.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0000000000000000</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">ABCD01$</Data>
<Data Name="TargetDomainName">ABCD</Data>
<Data Name="TargetLogonId">0x000000002AAF6033</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName"></Data>
<Data Name="LogonGuid">4e8efd1d-738f-8559-4568-ad3af200cc42</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000000000</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">fe8040cdbfa6bb89e4</Data>
<Data Name="IpPort">18346</Data>
</EventData>
</Event>

However, in this example below, the subject is a true user account tied to a domain user individual, and in this case, we can make the case that this user or someone using his/her account initiated logon with the account. In other words, a "real person" caused this event to get logged, and not something systematic. Correct?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-01-23T15:33:27.5205078Z" />
<EventRecordID>1096161342</EventRecordID>
<Correlation />
<Execution ProcessID="604" ThreadID="8968" />
<Channel>Security</Channel>
<Computer>ABCD01.ABCD.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3243979364-492834352-576043157-1127</Data>
<Data Name="SubjectUserName">sp0005</Data>
<Data Name="SubjectDomainName">ABCD</Data>
<Data Name="SubjectLogonId">0x0000000021A906CE</Data>
<Data Name="TargetUserSid">S-1-5-21-3243979364-492834352-576043157-1127</Data>
<Data Name="TargetUserName">sp0005</Data>
<Data Name="TargetDomainName">ABCD</Data>
<Data Name="TargetLogonId">0x000000002B0AC90E</Data>
<Data Name="LogonType">9</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName"></Data>
<Data Name="LogonGuid">00000000-0000-0000-0000-000000000000</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x00000000000032FC</Data>
<Data Name="ProcessName">C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\UserCode\SPUCHostService.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>

Topic starter Posted : 22/12/2019 2:39 am
athulin
(@athulin)
Community Legend

It is my understanding that with event 4624, the subject identifies the user that requested the logon. Therefore, if I see a 4624 event with a system related subject user name or SID (i.e. S-1-0-0), I should ignore (as noise) and that a "real person" did not actually logon during that event timestamp, correct?

Not entirely. The subject identifies the account that requested the logon. Anything (real user, system process, …) that can get that access (real login, impersonation, etc) can cause that.

It may also matter what OS release is producing these messages. I expected a couple of additional fields, but as they're not here this may be a pre-2012 system?

However, in this example below, the subject is a true user account tied to a domain user individual, and in this case, we can make the case that this user or someone using his/her account initiated logon with the account. In other words, a "real person" caused this event to get logged, and not something systematic. Correct?

See above. If you need to show that a real user was active, you do that by other means. In this case you have a LogonType of 9, which indicates an action on behalf of a user, such as RunAs, or a mount/remount of a remote file share. This may be done by an active real user, but it needn't be. It could (in theory) just as well be a process that does periodic references to a remote share – such as some backup software does. You can usually identify those by looking for similar entries over a longer period.

You don't have a WorkStation entry, which may indicate that this is not a real user. Unless the logging application simply doesn't log that information. But you have to know the application for that. Again, checking all entries from this particular event source may help.

As you only refer to your understanding as basis for interpretation, I can't interpret how well founded it really is. Most people interpret security logs many moves removed from what they mean – this is especially true for logon events, often misunderstanding what LogOn means in MS logs. I can't say if this is the case here or not – but the risk seems to be here. In general, unless you can state (with source references) why a particular interpretation is correct, don't state the interpretation. (This is one of the areas where I think there should be Microsoft training as a basis for any forensic interpretation.)

I find the site https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624 very useful as help in such interpretation. But unless I can repeat the log entry by performing the suspected action using a test account, or find equally compelling reasons, I would not assert that a particular action or state is at hand. (If you have never used ultimatewindowssecurity, I would suggest that you must read https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter5 closely, as well as everything mentioned in the Discussions section, regardless of what entry you're looking at.)

Posted : 22/12/2019 6:48 am
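The field reading asked about in the question, and the "look for similar entries over a longer period" check suggested in the reply above, as an added example (not the poster's tooling, not anything from Microsoft or from the forum). It parses 4624 events exported as XML with the standard library, reports what each record supports (Subject vs Target, LogonType, computer-account target, requesting process), and flags a series of look-alike logons spaced at near-constant intervals. The two sample records are constructed, modelled on the posted events (the IPv6 source of the Kerberos logon is replaced with the placeholder fe80::1); the run of five SPUCHostService logons 15 minutes apart is invented to exercise the periodicity check. All function names are mine.

```python
"""Triage helper for Windows Security event 4624 records exported as XML.

Added example for this thread, not the poster's pipeline or a Microsoft tool.
Sample events below are constructed, modelled on the two posted records.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values as documented by Microsoft for event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def parse_time(stamp):
    """Windows writes 7 fractional digits; Python keeps 6, so trim before parsing."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def parse_4624(xml_text):
    """Return the EventData fields of one 4624 event as a dict, plus '_time'."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        raise ValueError("not a 4624 event")
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.find("e:EventData", NS)}
    fields["_time"] = parse_time(
        root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    return fields


def triage(ev):
    """Observations about one event: what the record supports, not a verdict."""
    lt = int(ev["LogonType"])
    notes = [f"LogonType {lt} ({LOGON_TYPES.get(lt, 'unknown')})"]
    if ev["SubjectUserSid"] == "S-1-0-0":
        notes.append("null subject: no existing logon session on this host "
                     "requested the logon (usual for type 3 network logons)")
    elif ev["SubjectUserSid"] == ev["TargetUserSid"]:
        notes.append("subject and target are the same account: an existing "
                     "session of that account asked for a new logon")
    if ev["TargetUserName"].endswith("$"):
        notes.append("target is a computer account, not a person")
    if lt == 9:
        notes.append("NewCredentials: the caller cloned its token with alternate "
                     "credentials for outbound connections (RunAs /netonly "
                     "style); not proof of a human at a console")
    if not ev.get("WorkstationName") and ev.get("IpAddress", "-") == "-":
        notes.append("no source workstation or address recorded")
    if ev.get("ProcessName", "-") != "-":
        notes.append(f"requesting process: {ev['ProcessName']}")
    return notes


def series_key(ev):
    """Events that look alike: same target, logon type, logon process, binary."""
    return (ev["TargetUserSid"], ev["LogonType"],
            ev["LogonProcessName"], ev.get("ProcessName", "-"))


def find_periodic_series(events, min_count=4, max_jitter=0.1):
    """Map series_key -> mean gap (seconds) for series whose gaps are near-constant.

    A person does not log on every N minutes to the second; backup agents and
    service hosts do, so a flat inter-event gap argues against a human.
    """
    groups = {}
    for ev in events:
        groups.setdefault(series_key(ev), []).append(ev["_time"])
    periodic = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            periodic[key] = mean
    return periodic


# Constructed sample records (template trimmed to the fields used above).
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<TimeCreated SystemTime="{time}"/><Computer>ABCD01.ABCD.local</Computer></System>
<EventData><Data Name="SubjectUserSid">{ssid}</Data><Data Name="SubjectUserName">{sname}</Data>
<Data Name="TargetUserSid">{tsid}</Data><Data Name="TargetUserName">{tname}</Data>
<Data Name="LogonType">{ltype}</Data><Data Name="LogonProcessName">{lproc}</Data>
<Data Name="WorkstationName"></Data><Data Name="ProcessName">{proc}</Data>
<Data Name="IpAddress">{ip}</Data></EventData></Event>"""

USER_SID = "S-1-5-21-3243979364-492834352-576043157-1127"
SP_HOST = (r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
           r"\14\UserCode\SPUCHostService.exe")
_T0 = datetime(2019, 1, 23, 15, 33, 27)

# Posted Kerberos event (IPv6 source replaced by a placeholder) plus five invented
# SPUCHostService logons 15 minutes apart, to exercise the periodicity check.
SAMPLE_XML = [EVENT_TEMPLATE.format(
    time="2019-01-23T13:45:22.3066406Z", ssid="S-1-0-0", sname="-", tsid="S-1-5-18",
    tname="ABCD01$", ltype=3, lproc="Kerberos", proc="-", ip="fe80::1")] + [
    EVENT_TEMPLATE.format(
        time=(_T0 + timedelta(minutes=15 * i)).strftime("%Y-%m-%dT%H:%M:%S") + ".5205078Z",
        ssid=USER_SID, sname="sp0005", tsid=USER_SID, tname="sp0005", ltype=9,
        lproc="Advapi", proc=SP_HOST, ip="-") for i in range(5)]


if __name__ == "__main__":
    events = [parse_4624(x) for x in SAMPLE_XML]
    for ev in events[:2]:
        print(ev["_time"].isoformat(), ev["TargetUserName"])
        for note in triage(ev):
            print("  -", note)
    for key, gap in find_periodic_series(events).items():
        print(f"periodic series every {gap:.0f}s: {key}")
```

On a real export, feed every 4624 from the host (not just the two records of interest) into find_periodic_series; the SPUCHostService group only becomes visible as scheduled activity once the run of look-alike events is in the input, which is the point of pulling a longer window.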
Bunnysniper
(@bunnysniper)
Active Member

The first logon was done by the SYSTEM process: noise in 99.9999% of all cases. Some more experienced threat actors (don't want to write APT for that) are using the SYSTEM process to hide their "work". Generating a timeline for a breach might confirm such a scenario. Here it is very unlikely. Kerberos was used here, so a direct connection from a domain member inside a network.

The second logon was done via a web interface/ website. "advapi" is the proxy process you see in these cases. Likely that the user entered his credentials on a website or service and this webserver process impersonated the logon. "advapi" is used for that. If it was not the user itself, some other process has used a HTTP(S) connection and authenticated. Verify this from the browser history of the user if you can.

regards, Robin

Posted : 22/12/2019 11:36 am