Event Filtering and Searching with XPath and PowerShell
Unfortunately there will be no SCOM ACS, but there will be more of everything else.
Ing. Ondřej Ševeček
MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
[email protected] | www.sevecek.com
Auditing (2000+)
Granular auditing (2008/Vista+)
Event viewer
Event viewer and XML
XPath
XML "searching" language
Quick examples
//State[@code='CZ']
//State[population>20]
/States/State[starts-with(display, 'C') and @continent='NAM']
//State[position()=3]
/States/*[starts-with(display, 'C')]
//display[starts-with(., 'C')]
//display[starts-with(text(), 'C')]
XPath
Event viewer
– must replace < with &lt; or > with &gt;
– must replace <= with &lt;=
– can use only position(), band() and timediff()
– today: *[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]
WEVTUTIL
– normal operators >, >=, <=, != …
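The same restricted XPath dialect (position(), band(), timediff() only) is what Get-WinEvent -FilterXPath and wevtutil accept, so the filters above can be run from a script instead of being typed into the Event Viewer dialog. The block below is an added example, not code from the presentation; event IDs 4624/4625 and the Audit Failure keyword mask 4503599627370496 are the standard Windows values, and the server name DC01.example.local is a placeholder.

```powershell
# Added example: XPath event-log filtering from PowerShell (not the presentation's own code).
# Event Viewer's XPath supports only position(), band() and timediff();
# Get-WinEvent -FilterXPath uses the same engine, so the same limits apply.
# Unlike the Event Viewer XML box, "<=" needs no escaping inside a PowerShell string.

# Security events from the last 24 hours (timediff() returns milliseconds).
$last24h = 'TimeCreated[timediff(@SystemTime) <= 86400000]'

# Failed logons (4625) in the last 24 hours. Event Viewer marks audit failures with
# the keyword bit 0x10000000000000 (4503599627370496), tested with band().
$xpathFailed = "*[System[EventID=4625 and band(Keywords,4503599627370496) and $last24h]]"

# Successful RDP logons: 4624 with LogonType 10, filtered on a named EventData field.
$xpathRdp = "*[System[EventID=4624 and $last24h] and EventData[Data[@Name='LogonType']='10']]"

Get-WinEvent -LogName Security -FilterXPath $xpathFailed -MaxEvents 50 |
    ForEach-Object {
        # Read named fields from the event XML instead of parsing the Message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Status      = $data['Status']      # e.g. 0xC000006A = STATUS_WRONG_PASSWORD
            SubStatus   = $data['SubStatus']
        }
    } | Format-Table -AutoSize

# The same filter runs against a remote log with -ComputerName (placeholder name).
Get-WinEvent -ComputerName 'DC01.example.local' -LogName Security -FilterXPath $xpathRdp -MaxEvents 20

# wevtutil takes the same XPath; /rd:true reads newest first, /f:text renders the message.
wevtutil qe Security /q:"*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /c:10 /rd:true /f:text
```

Filtering on EventData in XPath is slower than a System-only filter because the engine has to open each event's payload; putting the EventID and TimeCreated conditions first keeps the candidate set small.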
Logon auditing
Account Logon Event
– "authentication event"
– when an account database validates credentials
Logon Event
– "session event"
– every time an Access Token is created or closed
NTLM and Schannel network logon
[Diagram: Client (2000+) sends App Traffic to Server (2000+) with the NTLM hash in-band; Server forwards the NTLM hash by pass-through to DC (2000+) over SMB or D/COM (dynamic TCP).]
Kerberos network logon (basic principle)
[Diagram: Client (2000+) obtains a TGT for the User and a TGS for the Server from the DC (2000+) via Kerberos, then sends the TGS for the Server in-band with the App Traffic to Server (2000+).]
Auditing (Interactive Logon)
[Diagram: Client, DC, WFE, SQL and FS; Account Logon event (1) and Logon event (2).]
Logon types
Type Value
Interactive 2
Network 3
Batch 4
Service 5
Unlock 7
NetworkCleartext 8
NewCredentials 9
RemoteInteractive 10
CachedInteractive 11
CachedRemoteInteractive 12
CachedUnlock 13
Status codes
Status Value
STATUS_WRONG_PASSWORD 0xC000006A
STATUS_PASSWORD_RESTRICTION 0xC000006C
STATUS_LOGON_FAILURE 0xC000006D
STATUS_ACCOUNT_RESTRICTION 0xC000006E
STATUS_INVALID_LOGON_HOURS 0xC000006F
STATUS_INVALID_WORKSTATION 0xC0000070
STATUS_PASSWORD_EXPIRED 0xC0000071
STATUS_ACCOUNT_DISABLED 0xC0000072
STATUS_LOGON_NOT_GRANTED 0xC0000155
STATUS_LOGON_TYPE_NOT_GRANTED 0xC000015B
STATUS_ACCOUNT_EXPIRED 0xC0000193
STATUS_PASSWORD_MUST_CHANGE 0xC0000224
STATUS_ACCOUNT_LOCKED_OUT 0xC0000234
Download err.exe
– version 2008
– http://www.microsoft.com/en-us/download/details.aspx?id=985
– most up-to-date version
– SDK for Windows 8.1
– http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
Auditing (Network session)
[Diagram: Client, DC, WFE, SQL and FS; Account Logon event (1) and Logon event (2).]
Auditing (Interactive logoff)
[Diagram: Client, DC, WFE, SQL and FS; Logoff event (1), recorded immediately at logoff.]
Auditing (Network session)
[Diagram: Client and DC; Logoff event (1), recorded when the TCP connection is closed.]
PowerShell notes
Get-WmiObject -Computer -Query
EventCode, InsertionStrings
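The WMI route goes through the Win32_NTLogEvent class, where EventCode is the event ID and InsertionStrings holds the raw substitution values in provider order, without field names. The block below is an added example, not the presentation's code; the computer name is a placeholder, and the positions of TargetUserName (index 5) and Status (index 7) in the 4625 insertion strings are taken from the event template and should be checked against the event XML on the target system.

```powershell
# Added example: legacy WMI event-log query via Win32_NTLogEvent (not the presentation's own code).
# EventCode = event ID; InsertionStrings = positional values with no names, which is why
# the Get-WinEvent XML (named Data elements) is the safer source when it is available.
$computer = 'DC01.example.local'   # placeholder name
$query = "SELECT TimeGenerated, EventCode, InsertionStrings FROM Win32_NTLogEvent " +
         "WHERE Logfile='Security' AND EventCode=4625"

Get-WmiObject -ComputerName $computer -Query $query |
    Select-Object -First 20 |
    ForEach-Object {
        [pscustomobject]@{
            # WMI returns DMTF timestamps; convert with the built-in converter.
            Time       = [Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
            EventCode  = $_.EventCode
            # 4625 template order (assumed, verify locally): ...,TargetUserSid(4),
            # TargetUserName(5), TargetDomainName(6), Status(7), FailureReason(8), SubStatus(9), LogonType(10)
            TargetUser = $_.InsertionStrings[5]
            Status     = $_.InsertionStrings[7]     # e.g. 0xc000006d = STATUS_LOGON_FAILURE
            SubStatus  = $_.InsertionStrings[9]     # e.g. 0xc000006a = STATUS_WRONG_PASSWORD
            LogonType  = $_.InsertionStrings[10]
        }
    } | Format-Table -AutoSize
```

Reading the Security log through WMI needs the same rights as reading it locally (an administrator or a member of Event Log Readers on the remote machine), and the WHERE clause is evaluated server-side, so keep it as selective as the XPath filters to avoid pulling the whole log over DCOM.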
Timestamps in LDAP
pwdLastSet
lastLogon
– non-replicated
lastLogonTimestamp
lockoutTime
badPasswordTime
– non-replicated
accountExpires
Logon timestamps
[Diagram: Client and three DCs; lastLogon is held per DC: 11:38 on one DC, 9:00 on another, empty on the third.]
Logon timestamps (2003 DFL)
[Diagram: Client and three DCs; lastLogon per DC is 11:38, 9:00 and empty, while lastLogonTimestamp is 11:00 on all three DCs.]
lastLogonTimestamp
Requires 2003 domain functional level
Updated only once per 14-random(5) days
– DC=idtt,DC=local
– msDS-LogonTimeSyncInterval
– 1+ – minimum without randomization
– 5+ – randomization starts
– 14 – the default
– ...
Authentication failures
[Diagram: Client, PDC holding pwd2, two DCs holding pwd2 and one DC still holding pwd1.]
Authentication failures
[Diagram: Client, three DCs and PDC; badPasswordCount per DC is 3, 2 and 2, the PDC shows badPasswordCount 7 and lockoutTime.]
Searching in LDAP
(name=m*)
(&(name=m*)(c=cz))
(|(c=cz)(c=de))
(!(c=cz))
(whenCreated>=20080323205258.0+1200)
(whenCreated>=20080323205258.0Z)
(pwdLastSet>=128962296000000000)
(userAccountControl:1.2.840.113556.1.4.803:=2)
Powershell and DateTime
get-date
[DateTime]::Parse("2011-05-28")
(get-date).AddDays(-50)
((get-date) - [DateTime]::Parse("1601-01-01")).Ticks
([DateTime]::Parse("2010-11-28") - [DateTime]::Parse("1601-01-01")).Ticks
((get-date).AddDays(-50) - [DateTime]::Parse("1601-01-01")).Ticks
Courses of the Gopas Computer School at www.gopas.cz
GOC170 - AD Monitoring with SCOM and ACS
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI
GOC174 - SharePoint Architecture and Troubleshooting
GOC175 - Advanced Security
GOC169 - Auditing ISO/IEC 2700x
Get a TechEd 2014 T-shirt for filling in the evaluation questionnaire.
Gopas Computer School – your IT school of life