Monitoring is definitely the hard part. There is so much to watch on just one system. To name just a few examples:
File system changes
Account/Group changes
Directory service changes
Registry changes
Running processes/services
Now multiply that by the number of systems on the network and you have a real nightmare on your hands. The need for a Security Information Management System is pretty apparent. On my systems I could see file system changes, account changes, etc. pretty easily. I doubt this would be the case on production systems where all kinds of activity are taking place.
Some clues that bad things were going on were fairly obvious: psexec is plainly visible in the system event log on srv-DC (it logs every time it starts or stops, but records no information about what it was doing), netcat suddenly showed up in %SystemRoot% on srv-DC, directories were added to C:\Program Files on wks-XP1, etc. I'm sure the new event logging system on the Server 2008 OS is much better; the key is being able to find what you need among all the information. The following shows counts and types of activity from the two servers in just one attack session:
srv-DC

  ID    Task Category                        Occurrences
  ----  -----------------------------------  -----------
  1102  Log clear                                      1
  4624  Logon                                        360
  4634  Logoff                                       358
  4648  Logon                                          8
  4662  Directory Service Access                       3
  4672  Special Logon                                284
  4768  Kerberos Authentication Service               35
  4769  Kerberos Service Ticket Operations           139
  4776  Credential Validation                          2
                                               -----------
        Total                                       1190
srv-SNORT

  ID    Task Category                        Occurrences
  ----  -----------------------------------  -----------
  1102  Log clear                                      1
  4624  Logon                                          2
  4634  Logoff                                         2
  4648  Logon                                          1
  4656  Registry                                       6
  4658  Other Object Access Events                     5
  4662  Other Object Access Events                    10
  4663  Registry                                       2
  4672  Special Logon                                  2
  4688  Process Creation                              26
  4689  Process Termination                           27
  4696  Process Creation                              17
  5156  Filtering Platform Connection                215
  5158  Filtering Platform Connection                 45
                                               -----------
        Total                                        361
I'm surprised that I didn't see any process creation/termination events on srv-DC... I thought I had auditing set properly. When I looked closer, I had auditing set in the GPO for the SimWitty OU, but it apparently didn't affect srv-DC. I'm not sure whether it was overridden by the local security policy, the default domain controller policy, or something else. I guess I should have made sure I turned auditing on everywhere. It's plain to see why they say one of the biggest reasons for breaches is simple misconfiguration. The more complex a system is, the harder it is to be sure you have every little aspect of its configuration right.
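The per-host counting above, plus a check for the gap it exposed (a host with logon activity but no process-creation events), as an added example that is not part of the original post. It assumes a Security log exported per host with the column layout of Event Viewer's "Save As CSV" (Level, Date and Time, Source, Event ID, Task Category); the sample rows are constructed and tiny.

```python
import csv
import io
from collections import Counter

# Constructed sample exports, one per host, in the assumed Event Viewer
# CSV layout. Only the shape matters; the real logs had hundreds of rows.
EXPORTS = {
    "srv-DC": """Level,Date and Time,Source,Event ID,Task Category
Information,1/1/2010 10:00:01 AM,Microsoft-Windows-Security-Auditing,4624,Logon
Information,1/1/2010 10:00:01 AM,Microsoft-Windows-Security-Auditing,4672,Special Logon
Information,1/1/2010 10:00:09 AM,Microsoft-Windows-Security-Auditing,4634,Logoff
Information,1/1/2010 10:02:15 AM,Microsoft-Windows-Security-Auditing,1102,Log clear
""",
    "srv-SNORT": """Level,Date and Time,Source,Event ID,Task Category
Information,1/1/2010 10:01:00 AM,Microsoft-Windows-Security-Auditing,4624,Logon
Information,1/1/2010 10:01:02 AM,Microsoft-Windows-Security-Auditing,4688,Process Creation
Information,1/1/2010 10:01:05 AM,Microsoft-Windows-Security-Auditing,4689,Process Termination
Information,1/1/2010 10:01:30 AM,Microsoft-Windows-Security-Auditing,4634,Logoff
""",
}

# Event IDs whose presence shows an audit subcategory is actually in effect:
# 4688/4696 come from "Process Creation" auditing, 4624 from "Logon" auditing.
PROCESS_EVENTS = {"4688", "4696"}
LOGON_EVENTS = {"4624"}


def count_events(csv_text):
    """Count rows of one export, keyed by (Event ID, Task Category)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return Counter((r["Event ID"], r["Task Category"]) for r in rows)


def summarize(exports):
    """Build the per-host summary table shown in the post."""
    return {host: count_events(text) for host, text in exports.items()}


def audit_gaps(summary):
    """Hosts that logged logons but no process creation: the signature of
    process auditing not being applied, as happened on srv-DC."""
    gaps = []
    for host, counts in summary.items():
        ids = {eid for eid, _ in counts}
        if ids & LOGON_EVENTS and not ids & PROCESS_EVENTS:
            gaps.append(host)
    return sorted(gaps)


if __name__ == "__main__":
    summary = summarize(EXPORTS)
    for host, counts in summary.items():
        print(host)
        for (eid, cat), n in sorted(counts.items()):
            print(f"  {eid:>5}  {cat:<30} {n:>6}")
        print(f"  {'total':<37} {sum(counts.values()):>6}")
    print("hosts with no process auditing:", audit_gaps(summary))
```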