Security Basics mailing list archives

Re: Windows2000 Security event logs


From: "Robert McIntyre" <robert.mcintyre () earthmail com>
Date: Fri, 17 Sep 2004 09:22:29 -0700

Hi All,

Has anyone seen this type of Windows Security Event Log activity before?
This was found on multiple computers, all within a 2 minute time
frame, same username and domain.

EVENT ID: 576
Special privileges assigned to new logon:
User Name: username
Domain:
Logon ID: (0x0,0x5F893A8)
Assigned: SeChangeNotifyPrivilege

EVENT ID: 540
Successful Network Logon:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

EVENT ID: 538
User Logoff:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3

One of the computers provided a source IP address so I have checked the
computer of the user in question for root kits, trojans, etc. It is
fully patched and has AV up to date.

thanks,
Dave

I found an article from WindowsITPro.com, formerly winnetmag.com.  What you
are seeing is someone logging onto your server that has the following user
right: Bypass traverse checking (SeChangeNotifyPrivilege), EVENT ID: 576.


This is then followed by EVENT ID: 540 or 528

The article is titled, "Win2K Security Log Roundup".  Normally user rights
such as SeChangeNotifyPrivilege are not audited so you only see them when
the user logs on.


What a long strange trip this will be
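The reply above explains the pattern by reading the three events as one logon session: a 576 listing the rights granted, the 540 (or 528) logon itself, and the 538 logoff, all tied together by the same Logon ID. The following Python script is an added example, not code from the thread or from the WindowsITPro article, that does that correlation over log entries in the key/value shape quoted above. The sample entries are constructed for the example (the second session, the `admin` account and the `SeDebugPrivilege` right are invented to show a non-routine case), the 576 "Assigned" list is assumed to sit on a single line rather than spanning several as a real export may, and the `ROUTINE_PRIVILEGES` set is a hypothetical triage policy reflecting the reply's point that SeChangeNotifyPrivilege on its own is a normal part of a logon.

```python
"""Correlate Windows 2000 Security log events (576/540/528/538) by Logon ID."""
import re
from collections import defaultdict

# Constructed sample in the same key/value shape as the entries quoted in the
# thread; these are not real log lines from the poster's systems.
SAMPLE_LOG = """\
EVENT ID: 576
Special privileges assigned to new logon:
User Name: username
Domain:
Logon ID: (0x0,0x5F893A8)
Assigned: SeChangeNotifyPrivilege

EVENT ID: 540
Successful Network Logon:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

EVENT ID: 538
User Logoff:
User Name: username
Domain: DOMAIN
Logon ID: (0x0,0x5F893A8)
Logon Type: 3

EVENT ID: 576
Special privileges assigned to new logon:
User Name: admin
Domain: DOMAIN
Logon ID: (0x0,0x6A01B2C)
Assigned: SeChangeNotifyPrivilege SeDebugPrivilege

EVENT ID: 528
Successful Logon:
User Name: admin
Domain: DOMAIN
Logon ID: (0x0,0x6A01B2C)
Logon Type: 2
"""

# Hypothetical triage policy for this example: "Bypass traverse checking"
# (SeChangeNotifyPrivilege) is granted to ordinary accounts, so a 576 event
# listing only that right is routine. Any other right gets flagged for review.
ROUTINE_PRIVILEGES = {"SeChangeNotifyPrivilege"}


def parse_events(text):
    """Split the text on blank lines; each event becomes a dict of its 'Key: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                event[key.strip()] = value.strip()
        if "EVENT ID" in event:
            event["EVENT ID"] = int(event["EVENT ID"])
            events.append(event)
    return events


def correlate_sessions(events):
    """Group events by Logon ID and summarise each logon session."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev.get("Logon ID")].append(ev)

    sessions = {}
    for logon_id, evs in by_id.items():
        ids = [ev["EVENT ID"] for ev in evs]
        privileges = set()
        for ev in evs:
            if ev["EVENT ID"] == 576:
                privileges.update(ev.get("Assigned", "").split())
        # 540 = network logon, 528 = interactive/other logon; either starts the session.
        logon = next((ev for ev in evs if ev["EVENT ID"] in (528, 540)), {})
        sessions[logon_id] = {
            "user": logon.get("User Name") or evs[0].get("User Name"),
            "event_ids": ids,
            "logon_type": logon.get("Logon Type"),
            "privileges": privileges,
            "logged_off": 538 in ids,
            "routine": privileges <= ROUTINE_PRIVILEGES,
        }
    return sessions


if __name__ == "__main__":
    for logon_id, s in correlate_sessions(parse_events(SAMPLE_LOG)).items():
        status = "routine" if s["routine"] else "REVIEW"
        print(f"{logon_id} {s['user']} type={s['logon_type']} "
              f"events={s['event_ids']} logged_off={s['logged_off']} "
              f"privileges={sorted(s['privileges'])} -> {status}")
```

Run against the sample, the first Logon ID resolves to the exact 576/540/538 chain from the thread and is reported as routine, while the constructed second session is flagged because its 576 event carries a right outside the routine set and no matching 538 has been seen yet. On real exports, feed the script the same key/value text and widen `ROUTINE_PRIVILEGES` to whatever your own policy grants by default.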

