RE: Win2k Audit Logs - What happened here?

From: <george.wasgatt(at)insurity.com>
Date: Mon Dec 16 2002 - 14:19:17 EST

Two possibilities come to mind:

   1 - the user did a search on the tree for a file
   2 - the user did a DIR on the tree with subdirectory (i.e. dir /s)

-----Original Message-----
From: Johnny Walker [mailto:johnny_mamak@yahoo.com]
Sent: Sunday, December 15, 2002 9:51 PM
To: incidents@securityfocus.com
Subject: Win2k Audit Logs - What happened here?

Hi all,

We turned on Windows 2000 auditing for a particular user on our file server (SERVER1) and found some very interesting audit events, but we don't know what action actually triggered all the events. We noticed that a folder (Group1) and all of its subfolders had been accessed within 3 seconds. Yes, just within a few seconds. We thought the user (user2) might have been browsing through the folders and subfolders, but it just sounds impossible to browse all the folders in less than 3 seconds!! We also thought the user (user2) might have copied the whole folder and pasted it somewhere... That would sound more logical to do in 3 seconds...

So, what do you guys think?

Below is part of the logs.
Full logs can be retrieved here:
http://www.geocities.com/johnny_mamak/audit1.zip


BTW, what we did was turn on ALL the audit features (yes, ALL) available for that particular folder; that's why there are so many log entries for one event...

Really appreciate it if you guys can help me out here..

Thank you.
--- Part of the logs


12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis\KSM
 	New Handle ID:	1432
 	Operation ID:	{0,98849004}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadAttributes
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis\Bintang
 	New Handle ID:	1432
 	Operation ID:	{0,98848990}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadData (or ListDirectory)
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis\Bintang
 	New Handle ID:	1432
 	Operation ID:	{0,98848985}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadAttributes
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis
 	New Handle ID:	1432
 	Operation ID:	{0,98848972}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadData (or ListDirectory)
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis
 	New Handle ID:	1432
 	Operation ID:	{0,98848967}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadAttributes
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
 	New Handle ID:	1432
 	Operation ID:	{0,98848954}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadData (or ListDirectory)
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1
 	New Handle ID:	1432
 	Operation ID:	{0,98848949}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadAttributes
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1
 	New Handle ID:	1432
 	Operation ID:	{0,98848936}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadData (or ListDirectory)
 	Privileges		-
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	562	NT AUTHORITY\SYSTEM	SERVER1	"Handle Closed:
 	Object Server:	Security
 	Handle ID:	1432
 	Process ID:	8
 "
12/11/2002	11:07:10 AM	Security	Success Audit	Object Access	560	ANGEL\User2	SERVER1	"Object Open:
 	Object Server:	Security
 	Object Type:	File
 	Object Name:	\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1
 	New Handle ID:	1432
 	Operation ID:	{0,98848931}
 	Process ID:	8
 	Primary User Name:	SERVER1$
 	Primary Domain:	ANGEL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	User2
 	Client Domain:	ANGEL
 	Client Logon ID:	(0x0,0x5E44E8A)
 	Accesses		ReadAttributes
 	Privileges		-
 "
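The two possibilities in the reply (a search, or dir /s) and the poster's copy theory leave different traces in the 560 records: a directory walk opens each folder for ReadData (or ListDirectory) and ReadAttributes, top down, while a copy also opens every file for ReadData. The script below is an added example for this thread, not the poster's log or any tool from it. It parses records in the tab-separated Event Viewer export layout shown above and applies that distinction per client logon session. The WALK sample re-creates the excerpt in chronological order (oldest Operation ID first); the COPY sample and its file name report.doc are hypothetical. Two assumptions are built in: Object Type reads "File" for directories as well (as it does in the excerpt), so a directory is recognised by being the prefix of another opened path; and additional access rights continue on their own tab-indented line.

```python
"""Classify a burst of Windows 2000 Object Access records (event 560, Object Open)
as a directory walk or as file reads. Added example for the thread above, not the
poster's log: the records are constructed in the tab-separated Event Viewer export
layout the thread shows; WALK re-creates the excerpt in chronological order, COPY
and its file name report.doc are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime

TREE = r"\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1"
TS = "12/11/2002\t11:07:10 AM"
RA, LD = ["ReadAttributes"], ["ReadData (or ListDirectory)"]

# Process ID 8 is the System process: the server service opens the object on the
# client's behalf, so Primary User is the machine account and Client User is User2.
OPEN_TEMPLATE = (
    '{ts}\tSecurity\tSuccess Audit\tObject Access\t560\tANGEL\\User2\tSERVER1\t"Object Open:\n'
    ' \tObject Server:\tSecurity\n \tObject Type:\tFile\n \tObject Name:\t{path}\n'
    ' \tNew Handle ID:\t1432\n \tOperation ID:\t{{0,{seq}}}\n \tProcess ID:\t8\n'
    ' \tPrimary User Name:\tSERVER1$\n \tPrimary Domain:\tANGEL\n \tPrimary Logon ID:\t(0x0,0x3E7)\n'
    ' \tClient User Name:\tUser2\n \tClient Domain:\tANGEL\n \tClient Logon ID:\t(0x0,0x5E44E8A)\n'
    ' \tAccesses\t\t{accesses}\n \tPrivileges\t\t-\n "\n')
CLOSE_TEMPLATE = (
    '{ts}\tSecurity\tSuccess Audit\tObject Access\t562\tNT AUTHORITY\\SYSTEM\tSERVER1\t"Handle Closed:\n'
    ' \tObject Server:\tSecurity\n \tHandle ID:\t1432\n \tProcess ID:\t8\n "\n')


def export(ts, opens):
    """Render (seq, path, [rights]) tuples as export text, each open followed by its
    562 Handle Closed record; extra rights continue on their own tab-indented line."""
    out = []
    for seq, path, rights in opens:
        out.append(OPEN_TEMPLATE.format(ts=ts, path=path, seq=seq, accesses="\n \t\t\t".join(rights)))
        out.append(CLOSE_TEMPLATE.format(ts=ts))
    return "".join(out)


RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\t", re.M)


def parse_events(text):
    """Split the export into records and read the tab-separated detail lines."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    events = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        lines = text[begin:end].splitlines()
        head = lines[0].split("\t")  # date, time, log, type, category, event id, ...
        ev = {"time": datetime.strptime(head[0] + " " + head[1], "%m/%d/%Y %I:%M:%S %p"),
              "id": head[5], "fields": {}}
        last = None
        for line in lines[1:]:
            parts = line.split("\t")
            if len(parts) < 3:  # the closing quote line
                continue
            key = parts[1].rstrip(":")
            value = " ".join(p.strip() for p in parts[2:] if p.strip())
            if key:
                ev["fields"][key], last = value, key
            elif last:  # continuation line: another access right
                ev["fields"][last] += " " + value
        events.append(ev)
    return events


def op_seq(ev):
    """Operation ID {0,N}: N increases per operation, finer than the 1 s timestamps."""
    return int(ev["fields"]["Operation ID"].strip("{}").split(",")[1])


def classify(events):
    """Per client logon session: directories listed, leaf objects read, verdict."""
    sessions = defaultdict(list)
    for ev in events:
        if ev["id"] == "560":
            f = ev["fields"]
            sessions[(f["Client User Name"], f["Client Logon ID"])].append(ev)
    report = {}
    for session, evs in sessions.items():
        evs.sort(key=op_seq)
        paths = {e["fields"]["Object Name"] for e in evs}

        def is_dir(p):  # Object Type says File for directories too; a prefix of another path is a directory
            return any(q.startswith(p + "\\") for q in paths)

        listed, leaf_reads = set(), set()
        for e in evs:
            p = e["fields"]["Object Name"]
            if "ReadData" in e["fields"]["Accesses"]:  # ReadData/ListDirectory is one access bit
                (listed if is_dir(p) else leaf_reads).add(p)
        if listed and not leaf_reads:
            verdict = "directory enumeration only: consistent with dir /s or a search"
        elif leaf_reads:
            verdict = "leaf objects opened for ReadData: file reads (copy), or directories whose children are not in this excerpt"
        else:
            verdict = "attribute reads only"
        times = [e["time"] for e in evs]
        report[session] = {"opens": len(evs), "seconds": (max(times) - min(times)).total_seconds(),
                           "directories_listed": sorted(listed), "leaf_reads": sorted(leaf_reads),
                           "verdict": verdict}
    return report


CHAIN = [TREE, TREE + r"\User1", TREE + r"\User1\Advantis",
         TREE + r"\User1\Advantis\Bintang", TREE + r"\User1\Advantis\Bintang\KSM"]
# The excerpt, oldest first: attributes then listing of each directory, top down; KSM
# shows only ReadAttributes because the excerpt ends there.
WALK = export(TS, [(98848931, CHAIN[0], RA), (98848936, CHAIN[0], LD),
                   (98848949, CHAIN[1], RA), (98848954, CHAIN[1], LD),
                   (98848967, CHAIN[2], RA), (98848972, CHAIN[2], LD),
                   (98848985, CHAIN[3], RA), (98848990, CHAIN[3], LD),
                   (98849004, CHAIN[4], RA)])
# Hypothetical copy: the listing is followed by the file itself opened for ReadData.
COPY = export(TS, [(98849100, TREE, RA), (98849105, TREE, LD),
                   (98849110, TREE + r"\report.doc", LD + RA)])

if __name__ == "__main__":
    for label, text in (("walk", WALK), ("copy", COPY)):
        for session, r in classify(parse_events(text)).items():
            print(f"{label}: {session[0]} {r['opens']} opens in {r['seconds']:.0f} s -> {r['verdict']}")
```

Run against the real export, the telling signal is the absence of ReadData opens on leaf objects: every ReadData (or ListDirectory) open in the excerpt sits on a path that has children opened right after it, which is what a recursive listing produces and what a copy cannot avoid leaving behind. Operation ID is the only usable ordering, since all records share the same one-second timestamp. Process ID 8 with SERVER1$ as primary user and User2 as client user shows the opens came through the server service, i.e. over the share from User2's workstation rather than from a process User2 ran on SERVER1.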

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 16 16:16:14 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

