Windows Artifacts - Operating System Flashcards
Operating System
This is a brand-new lesson that was added to the course on 27/06/2022. Please be patient while we add the content! None of the content in this lesson (or the associated lab) is required for the BTL1 exam, so this should be considered as optional content.
In this lab we’re going to explore some core Windows OS artifacts that can help us to understand the activity conducted on a system. We will be focusing on:
Logon Events
RDP Usage
Cookies
Recycle Bin
At the end of this lesson we’ll have a lab where you can practice acquiring and analyzing these artifacts yourself using tools such as Autopsy, and others.
Logon Events: Artifact Description
Identifying what user accounts have logged into a system, and at what time, can be useful for both digital forensic investigations, and incident response. Doing so can help us attribute activity to a user account by showcasing they were the account signed in before these events occurred. For this artifact, we’re looking specifically at:
Event ID 4624 (Successful Logon)
ID 4672 (Special Logon)
ID 4625 (Failed Logon)
and ID 4634 (Logoff)
Logon Events: Artifact Location
Windows Event Logs are stored at the following location: C:\Windows\System32\winevt\Logs.
The logs we’re interested in are stored in the \Security folder of this location.
Logon Event: Artifact Analysis, Overview
To analyze this artifact we’ll simply use Windows Event Viewer, the default utility for reading Event logs. Alternatively, if your organization is pulling these specific Event logs into a SIEM (which is very likely to detect local account bruteforce or abuse), this platform could instead be used to read them. Another tool we can utilize for analysis is Microsoft Excel, as Event Viewer allows us to export logs in CSV format.
Logon Event: Artifact Analysis, 4624 Successful Logon
First, we need to understand what information we’re provided in these logs. Let’s start with 4264, which shows successful logons to the system.
One of the most important properties for us to note is the Logon Type, where there are 9 possible values:
2 – Interactive (interactively logged on, meaning a physical logon to the device)
3 – Network (accessed system via network)
4 – Batch (started as an automated batch job)
5 – Service (a Windows service started by service controller)
6 – Proxy (proxy logon; not used in Windows NT or Windows 2000)
7 – Unlock (unlock workstation - think Interactive logon, but unlocking to resume a previous session)
8 – NetworkCleartext (network logon with cleartext credentials)
9 – NewCredentials (used by RunAs when the /netonly option is used)
Logon Event: Artifact Analysis, 4672 Successful Special Logon
Special Logon events are when a user with administrative privileges logs into the system. For example, in the screenshot below I am logging into my own PC. As I am the only user account, I am in the Administrators local group, and therefore show up as a Special Logon, instead of a Successful Logon.
Logon Event: Artifact Analysis, 4672 Successful Special Logon 2
First, let’s look at the Subject information. This tells us the name of the account that is logging into the system. In this case, as the account is a Microsoft account (as opposed to a local account, or domain account) it will show the email address. The Security ID is the computer name, followed by the username. The Logon ID is a useful randomly-generated value that allows us to keep track of logon sessions. When looking at this logon, with the ID 0x25A036D, if we wanted to find the associated logoff with this session then we would look for the same ID in a Logoff log.
Logon Event: Artifact Analysis, 4672 Successful Special Logon 3
And in the bottom half of the display we can see log-related information. Arguably the most important piece of information in here is the Logged timestamp, which tells us when this activity happened.
Logon Event: Artifact Analysis, 4625 Failed Logon
Failed Logon events are very useful for us, especially when dealing with incident response. This is because these logs contain error codes, which help us to understand exactly why the logon attempt failed. The different error codes are:
Logon Event: Artifact Analysis, 4625 Failed Logon
especially when dealing with incident response. This is because these logs contain error codes, which help us to understand exactly why the logon attempt failed. The different error codes are:
A high volume of attempted logins to a disable account (0xc00000072)? Suspicious.
A high volume of attempted logins to an account that doesn’t exist (bad username, 0xC0000006D)? Suspicious. While most SOCs will use this log and the error codes within to generate alerts, there’s definitely value for us as forensic investigators.
Artifact Analysis, 4634 Logoff
Logoffs are simple - they represent, well, a logoff from the current session. Above in the section for Special Logons we discussed Logon IDs to help us track sessions, and how we can marry up logons and logoffs using this value. In the below screenshot is a Logoff event with the same Logon ID from the Special Logon earlier. Interestingly, we can also see ‘Logon Type : 7’ below the second highlighted section, something we didn’t see in the Special Logon earlier - revisiting what we learned about Logon Types in the section for ID 4624, we now learn that this session, between the Special Logon and Logoff, was an ‘Unlock’ where the account had previously logged in but the system was locked. The user then entered their credentials to resume the session, before logging off.
In the bottom section of the main panel we can see the Logged timestamp value, which tells us when this event happened. Using a Logon or Special Logon with a Logoff event, we can tell exactly when an account was accessed, and when the session ended.
Bringing it All Together
Using the information from all of these events we can tell exactly when an account was accessed, and when the session ended. In the next lab you’ll be tasked with identifying which users were accessing a system during a certain time period, including how they connected (logon types), and how long their sessions were to help provide attribution to certain activity.
RDP Usage
Not all systems are accessed interactively, with physical access. As we covered above, there are different logon types, such as network (Type 3). Whether it’s a server, remote desktop, or network storage, Remote Desktop Protocol (RDP) is the protocol that facilitates a GUI-based remote access session between systems. RDP is present by default in all Windows operating systems, however solutions for Linux-based OS’s exist (such as xfreerdp and remmina), so this shouldn’t be treated as a Windows-only feature.
Being able to collect and analyze RDP artifacts can be extremely valuable to help identify what systems have been accessed, by who, and when. As RDP can be abused for lateral movement within an environment, being able to trace an attacker’s steps can be a crucial part of scoping activities during incident response.
Cookies
Coming Soon
Recycle Bin
Coming Soon
