Effective Practice: Security Log Analysis for Windows NT/2000/XP/2003


Submitting Institution:

Yale University

Date Submitted:

12/22/2003

Category:

Authentication

Subject Terms:

Authentication , Logging and Monitoring

Background:

Windows NT-derived systems are able to record many kinds of information on user authentication. The logs generated are very detailed but difficult to analyze with the tools provided, which cannot summarize or report on the information that the log contains (other than a primitive filtering function).

I wrote a Perl script, called logger.pl, that can read the security log from one or more Windows machines and summarize the information it contains to produce a report of what it finds, detailing the types of authentications that occurred, which usernames and client machines were involved, and the result. The output can be e-mailed to a given user (with PGP encryption available if PGP is installed on the host system), written to a file, or simply displayed on the screen.

This script is very useful for many purposes, ranging from finding what systems a particular user has "touched" to summarizing authentication activity over a large number of systems. A recently added function generates a CSV file when multiple systems are scanned that can be imported and analyzed to produce, for example, a 3D graph of authentication activity on a user-to-machine basis.

Logger has been enhanced repeatedly since its creation and now has many optional features that can deliver varying levels of detail in the output. Since others have found it useful, it is distributed freely to educational institutions of all kinds.

The logger Web page <http://pantheon.yale.edu/~kjh27/logger.html> contains full information on its features and use.

Description:

Daily Summarization E-Mail Report

A report summarizing authentication activity in the security log of a given system can be generated and e-mailed to a specified user using the encrypted e-mail feature.

Example command line:

F:\> logger.pl -s dc1.university.edu -mail some.user@university.edu -pgp

This type of summary helps identify unusual activity such as computers that are infected by worms or an intruder attempting to gain unauthorized access to Windows systems in the domain. When run against domain controllers, it is also very effective at finding users attempting to log in with disabled or locked-out accounts.

Below is the e-mail message generated from the above command line on an actual system. Because many users interact with a system and every interaction has an authentication step, output from logger can be large. Results are always sorted so the users/machines with the most entries are at the top. Here, each section of output has been truncated to only show the first few lines from each section, and some of the data has been sanitized.

********************

(Please note: [...] marks show where output was clipped.)

Current time on PC1 is "Mon Oct 27 12:07:04 2003".
-- Target machine is PC1.

37092 total entries in log.

Results of log file scan for the following machine names: PC1

There were a total of 1804 user logon events from 67 unique users:

318 console logins (type 2)
717 connections to network resources (type 3)
342 from unlocking the workstation (type 7)

There were 4482 user logoff events.

There were 8721 events of type 680 ("Kerberos logon attempt"). Use the --verbose option for more information.

admin from \\MBB ::> 3990
administrator from \\MBB ::> 3381
Administrator from PC3 ::> 423
User Name from NANCY ::> 230
User.name@university.edu from COMPUTER1 ::> 96
__vmware_user__ from COMPUTER2 ::> 62
user42 from R-66-06 ::> 50
[...]

There were 8673 attempts to log on with an invalid username and/or password. (event type 529)

UUUU\admin from MBB ::> 2004
UUUU\administrator from MBB ::> 2004
BBBB\admin from MBB ::> 1986
BBBB\administrator from MBB ::> 1378
XTAL122\Administrator from XTAL122 ::> 423
NANCY\User2 Name from NANCY ::> 230
YLSLAW\aa332 from R-66-06 ::> 50
User3\Owner from user3 ::> 45
[...]

There were 672 attempts to log on without local logon rights. (event type 534)

(unknown)\Domain: from "-" ::> 668
DOMAIN\user1 from PC44 ::> 4

There were 19 attempts to log on using an account with an expired password. (event type 535)

DOMAIN\USER32 from SCANNER4 ::> 1
DOMAIN\user33 from SCANNER4 ::> 1
DOMAIN\user53 from SCANNER4 ::> 1
[...]

There were 21 attempts to log on that failed for unknown reasons. (event type 537)

COMPUTER\user1 from COMPUTER ::> 5
COMPUTER1\password1 from COMPUTER1 ::> 5
DOMAIN\password1 from BABYLON ::> 2

[…]

********************

Notice that the machine "MBB" has made thousands of attempts to connect to PC1. This is worth investigating, as described in the next section.

Incident Response

When a particular system or account is involved in an incident, the logger.pl script can be used to extract all related information from the event logs. In the example below, the machine PC1 is scanned to follow up on the suspicious entries for "MBB" from the previous example. The report is printed to the console:

Command line:

F:\> logger -name MBB

This report includes all occurrences of authentication records that include the string "MBB"; this is a very effective way to find more detail on what a suspect user or system was doing.

Complete output:

********************

logger.pl v2.02
by Ken Hoover <ken.hoover@yale.edu> (c) 2003

Options set:
-- Target machine is PC1.
-- Searching for the string "MBB".

Reading event log on Windows XP host PC1.
37092 total entries in log.

Read 37092 entries, found 14743 interesting ones...

There were 7371 events of type 680 ("Kerberos logon attempt"). Use the --verbose option for more information.

admin from \\MBB ::> 3990
administrator from \\MBB ::> 3381

There were 7372 attempts to log on with an invalid username and/or password. (event type 529)

UUUU\administrator from MBB ::> 2004
UUUU\admin from MBB ::> 2004
BBBB\admin from MBB ::> 1986
BBBB\administrator from MBB ::> 1378

Execution complete!

********************

No successful logins are listed, so this machine brushed off all 8,000 login attempts.

Unfortunately, after some investigation, the NetBIOS name "MBB" turned out to be spoofed by a worm, so the trail nearly ended there. However, by using logger to scan multiple machines for the same string, we could find out how many other systems the worm touched and can verify that they successfully resisted the assault as well.

Note that if PC1 were a Windows Server 2003 machine, it would have recorded the source IP number of the attacking machine in addition to its NetBIOS name.

Rapid Identification of Systems with Suspect Activity

The logger.pl script has the ability to read the logs from any number of systems and aggregate the results. When more than one system is checked, it produces an additional output file in CSV format that contains a table of all users versus the number of times they attempted to connect to each system that was checked. This CSV file may be imported into a graphing or other analysis tool to rapidly identify some kinds of suspicious activities.

For example, a scan of three computers (a.yale.edu, b.yale.edu, and c.yale.edu) is provided here:

********************

C:\perl>logger -n 100 -f my-servers.txt

logger.pl Version: 2.5 (October 29, 2003)
by Ken Hoover <ken.hoover@yale.edu> (c) 2003

Options set:
-- 3 machine names read from "my-servers.txt".
-- CSV data will be written to xcheck.csv.
-- Reading the most recent 100 records from each target.

WARNING: In order to read client IP information from
======= a Windows Server 2003 target, you must be running this script from a Windows Server 2003 host.
Workstation names will be used instead.

Reading event log on Windows Server 2003 host a.yale.edu.
42012 total entries in log.
Read 100 entries, found 28 interesting ones...

Reading event log on Windows Server 2003 host b.yale.edu.
22189 total entries in log.
Read 100 entries, found 36 interesting ones...

Reading event log on Windows Server 2003 host c.yale.edu.
34502 total entries in log.
Read 100 entries, found 41 interesting ones...

105 interesting entries saved from 3 servers.

There were a total of 48 user logon events from 8 unique users:

40 connections to network resources (type 3)
8 terminal services logons (type 10)

There were 45 user logoff events.
there were 3 more logon events than logoff events.

There were 6 events of type 680 ("Kerberos logon attempt"). Use the --verbose option for more information.

user1 from THE-BEAST ::> 6

There were 6 attempts to log on with an invalid username and/or password. (event type 529)

THE-BEAST\user1 from THE-BEAST ::> 6

Execution complete!

********************

As noted in the output, the CSV file was written to "xcheck.csv" and looks like this:

********************
-=-,user1,user2,user3,user4,user5,user6,user7,user8,user9
a.yale.edu,4,0,2,2,0,0,15,4,1,
b.yale.edu,4,0,0,0,1,2,29,0,0,
c.yale.edu,4,2,0,0,0,0,35,0,0,
********************

When imported into Excel 2003, this data can be easily graphed. When this data is displayed in a 3D bar graph, the result looks like this:

[Figure 2: 3D bar graph of the xcheck.csv data, authentication counts per user and server; the image is not reproduced here.]

Now, it is easy to see that "user7" has had an unusual level of interest in all three servers compared to the others.
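To make the two reports above concrete, here is an added example in Python rather than Perl; it is not code from logger.pl or from the original submission. It reproduces three things the page describes: the per-event-type summary sorted as "DOMAIN\user from MACHINE ::> count", the "-name STRING" filter used in the incident-response section, and the users-versus-servers table written to xcheck.csv when several systems are scanned. The tuple layout of the input records, the use of event ID 528 for successful logons, and the sample records are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Security-log event IDs as logger's report labels them (680 kept as the page labels it)
EVENT_NAMES = {528: "successful logon", 529: "invalid username and/or password",
               534: "no local logon rights", 535: "expired password",
               537: "failed for unknown reasons", 680: "Kerberos logon attempt"}

def summarize(events, name_filter=None):
    """Count 'DOMAIN\\user from MACHINE' pairs per event ID, most frequent first,
    and tally logon types (2, 3, 7, 10) of successful logons (event 528, assumed ID).
    name_filter mimics 'logger -name STRING': keep only records containing STRING."""
    per_event = defaultdict(Counter)
    logon_types = Counter()
    for eid, ltype, domain, user, ws in events:
        key = f"{domain}\\{user} from {ws}"
        if name_filter and name_filter.lower() not in key.lower():
            continue
        per_event[eid][key] += 1
        if eid == 528:
            logon_types[ltype] += 1
    return {eid: c.most_common() for eid, c in per_event.items()}, logon_types

def report_lines(per_event):
    """Render each event section in the 'DOMAIN\\user from MACHINE ::> count' style."""
    lines = []
    for eid, pairs in sorted(per_event.items()):
        total = sum(n for _, n in pairs)
        lines.append(f"There were {total} events of type {eid} ({EVENT_NAMES.get(eid, '?')}).")
        lines += [f"{k} ::> {n}" for k, n in pairs]
    return lines

def cross_check_csv(logs_by_server):
    """Users-versus-servers table in the layout logger writes to xcheck.csv:
    header '-=-,user1,...', then one row per server ending with a trailing comma."""
    users = sorted({e[3] for evs in logs_by_server.values() for e in evs})
    rows = ["-=-," + ",".join(users)]
    for server, evs in logs_by_server.items():
        counts = Counter(e[3] for e in evs)
        rows.append(server + "," + ",".join(str(counts[u]) for u in users) + ",")
    return "\n".join(rows) + "\n"

# Constructed sample records (event_id, logon_type, domain, user, workstation); not real data
SAMPLE = {
    "pc1": [(529, 3, "UUUU", "admin", "MBB"), (529, 3, "UUUU", "admin", "MBB"),
            (529, 3, "BBBB", "administrator", "MBB"), (528, 2, "DOMAIN", "user1", "PC1"),
            (528, 7, "DOMAIN", "user1", "PC1"), (535, 3, "DOMAIN", "user32", "SCANNER4")],
    "dc1": [(528, 3, "DOMAIN", "user7", "THE-BEAST"), (528, 10, "DOMAIN", "user7", "THE-BEAST"),
            (529, 3, "DOMAIN", "user1", "PC44")],
}
```

Calling `report_lines(summarize(SAMPLE["pc1"], name_filter="MBB")[0])` yields only the event-529 section for MBB, and `cross_check_csv(SAMPLE)` yields the table in which a user active on every server stands out as a column of non-zero counts.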

Requirements

• Logger was written with ActiveState Perl version 5.6 and should work on any 32-bit Windows system.

• Logger has a dependency on a third-party module called "Crypt::PGPSimple," which assists with PGP functionality and is freely available from the Comprehensive Perl Archive Network (CPAN) <http://www.cpan.org/>. A known-good version of this module is also included with logger for convenience.


Benefits:

• Can analyze logs from any number of systems and "cross-check" the results to find users who interacted with multiple systems

• Can be run locally, enabling security-conscious users to monitor their own systems

• Heavily commented Perl source code

Shortcomings:

• Requires administrator-level access to remote system(s) in order to read the log files.

• Scans of non-local machines can take a long time. The limiting factor is primarily the speed of the network.

Future Plans:

Development continues on an as-needed (and time available) basis. Notification of bug fixes and other updates to logger are posted on the Web site when they are released.

References:

http://pantheon.yale.edu/~kjh27/logger.html

Return on Investment:

Apart from the time spent developing the Perl script, this approach did not cost anything and greatly increased our awareness of authentication activity on Windows systems and our ability to track problems involving user authentication on any 32-bit Windows system.

Replicability:

How replicable is this practice or solution?

Effectiveness:

How effective was this practice or solution?

Notes:

Please e-mail bug reports and/or feature suggestions to <ken.hoover@yale.edu>.

Contact:

This person has agreed to be contacted for more information on this effective practice.

Kenneth J. Hoover
Systems Programmer
Yale University
(203) 432-1260
ken.hoover@yale.edu

