Security Incidents mailing list archives

RE: Win2k Audit Logs - What happened here?


From: george.wasgatt () insurity com
Date: Mon, 16 Dec 2002 14:19:17 -0500


Two possibilities come to mind:

   1 - the user did a search on the tree for a file
   2 - the user did a DIR on the tree with subdirectories (i.e. dir /s)

-----Original Message-----
From: Johnny Walker [mailto:johnny_mamak () yahoo com]
Sent: Sunday, December 15, 2002 9:51 PM
To: incidents () securityfocus com
Subject: Win2k Audit Logs - What happened here?


Hi all,


We turned on Windows 2000 auditing for a particular
user on our file server (SERVER1) and found some very
interesting audit events, but we don't know what
action actually triggered all the events. We noticed
that a folder (Group1) and all of its subfolders have
been accessed within 3 seconds. Yes, just within a few
seconds. We thought the user (user2) might have been
browsing through the folders and subfolders, but it
just sounds impossible to browse all the folders in
less than 3 seconds!! We also thought the user
(user2) might have copied the whole folders and pasted
them somewhere... This would sound more logical to do in 3
seconds...

So, what do you guys think?

Below is part of the logs.
Full logs can be retrieved here:
http://www.geocities.com/johnny_mamak/audit1.zip

BTW, what we did is we turned on ALL the audit
features (yes, ALL) that are available for that particular
folder; that's why there are so many logs for one event...

I'd really appreciate it if you guys can help me out here..

Thank you.
--- Part of the logs
-----------------------------------

12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis\KSM
        New Handle ID:  1432
        Operation ID:   {0,98849004}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadAttributes 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis\Bintang
        New Handle ID:  1432
        Operation ID:   {0,98848990}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadData (or ListDirectory) 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis\Bintang
        New Handle ID:  1432
        Operation ID:   {0,98848985}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadAttributes 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis
        New Handle ID:  1432
        Operation ID:   {0,98848972}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadData (or ListDirectory) 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
\Advantis
        New Handle ID:  1432
        Operation ID:   {0,98848967}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadAttributes 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
        New Handle ID:  1432
        Operation ID:   {0,98848954}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadData (or ListDirectory) 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
        New Handle ID:  1432
        Operation ID:   {0,98848949}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadAttributes 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1
        New Handle ID:  1432
        Operation ID:   {0,98848936}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadData (or ListDirectory) 
                        
        Privileges              -
 "
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  562     NT AUTHORITY\SYSTEM     SERVER1 Handle Closed:
"       Object Server:  Security"

"       Handle ID:      1432"

"       Process ID:     8"

                                                                
12/11/2002      11:07:10 AM     Security        Success Audit   Object
Access  560     ANGEL\User2     SERVER1 "Object Open:
        Object Server:  Security
        Object Type:    File
        Object Name:
\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1
        New Handle ID:  1432
        Operation ID:   {0,98848931}
        Process ID:     8
        Primary User Name:      SERVER1$
        Primary Domain: ANGEL
        Primary Logon ID:       (0x0,0x3E7)
        Client User Name:       User2
        Client Domain:  ANGEL
        Client Logon ID:        (0x0,0x5E44E8A)
        Accesses                ReadAttributes 
                        
        Privileges              -
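A way to test George's two explanations against an export like the one above, as an added example (not code from either poster): it parses the event 560 "Object Open" records in this export layout, rejoins Object Name paths the export wrapped over two lines, and flags a client logon that opens many distinct objects for listing within a few seconds, which is the rapid tree walk a search or a dir /s produces. The sample records are constructed in the same layout, and the 3-second window and 5-path threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

ROOT = r"\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1"

def _record(ts, path, access):  # constructed event 560 record in the export's layout
    return (f"{ts}\tSecurity\tSuccess Audit\tObject\nAccess\t560\tANGEL\\User2\tSERVER1\t\"Object Open:\n"
            f"\tObject Name:\n{path}\n\tNew Handle ID:\t1432\n\tClient User Name:\tUser2\n"
            f"\tClient Logon ID:\t(0x0,0x5E44E8A)\n\tAccesses\t\t{access}\n \"\n")

# Constructed sample: one unrelated open, then five folders of one tree opened in the same
# second (the pattern in the post); two of the paths are wrapped over a line as the export does.
LIST = "ReadData (or ListDirectory)"
SAMPLE_LOG = _record("12/11/2002\t11:05:02 AM", ROOT + "\\User1", LIST) + "".join(
    _record("12/11/2002\t11:07:10 AM", ROOT + sub, LIST) for sub in
    ("", "\\User1", "\\User1\n\\Advantis", "\\User1\n\\Advantis\\Bintang", "\\User1\n\\Advantis\\KSM"))

def parse_object_opens(text):
    """Yield (timestamp, user, logon_id, path, accesses) for every event 560 record."""
    starts = [m.start() for m in re.finditer(r"^\d{1,2}/\d{1,2}/\d{4}", text, re.M)] + [len(text)]
    for rec in (text[a:b] for a, b in zip(starts, starts[1:])):
        if not re.search(r"Access\s+560\b", rec):
            continue  # skip 562 Handle Closed and any other event id
        m = re.match(r"(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2}:\d{2} [AP]M)", rec)
        ts = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %I:%M:%S %p")
        raw = re.search(r"Object Name:\s*(.*?)\s*New Handle ID:", rec, re.S)[1]
        path = re.sub(r"\s+", "", raw)  # rejoin a path the export wrapped over two lines
        user = re.search(r"Client User Name:\s*(\S+)", rec)[1]
        logon = re.search(r"Client Logon ID:\s*(\S+)", rec)[1]
        yield ts, user, logon, path, re.search(r"Accesses\s+(.+)", rec)[1].strip()

def enumeration_bursts(text, window_s=3, min_dirs=5):
    """Bursts of >= min_dirs distinct listing opens by one client logon within window_s seconds."""
    by_logon = defaultdict(list)
    for ts, user, logon, path, acc in parse_object_opens(text):
        if "ListDirectory" in acc:  # access mask bit the export labels ReadData/ListDirectory
            by_logon[(user, logon)].append((ts, path))
    bursts = []
    for (user, logon), evs in by_logon.items():
        evs.sort()
        i = 0
        for j in range(len(evs)):
            while (evs[j][0] - evs[i][0]).total_seconds() > window_s:
                i += 1  # slide the window start forward
            paths = {p for _, p in evs[i:j + 1]}
            if len(paths) >= min_dirs:
                bursts.append((user, logon, evs[i][0], len(paths), min(paths, key=len)))
                i = j + 1  # report a burst once, then start a fresh window
    return bursts
```

Each result is (user, logon ID, first timestamp, number of distinct paths, shallowest path opened), the last being the top of the tree that was walked. The post audited only the source folder, so a copy, which would also write to a destination, cannot be told apart from a plain listing by this check alone.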


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
