how to recognize open a file or view file...
Posted 3/31/2016 2:28:10 AM
Forum Newbie

After I set audit object access, I performed the following two actions via a network share:
1. Open a file.
2. Select the file --> right-click --> Properties --> OK or Cancel.
After these operations, I opened the Windows Security log and found 4663 events for the two actions above, but the log for action 1 is the same as the log for action 2!
They are both: 4663, ReadData, mask=0x1, process ID 0x4, process name is null.

PS: I have already enabled audit process creation, but when I open a file via the network file share, event 4688 is not created.

My log detail:
--------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/30/2016 2:26:09 PM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: xxxx
Description:
An attempt was made to access an object.


Object:
Object Server: Security
Object Type: File
Object Name: D:\logtest\ttb.txt
Handle ID: 0xaa8

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask: 0x1
Post #5182
Posted 4/7/2016 7:56:07 AM
Supreme Being

It looks like you opened a file for reading based on your log. I am not sure what your question is.
Post #5188
Posted 4/11/2016 8:42:34 PM
Forum Newbie

Hi,
If you perform the second operation only (select a file --> right-click --> Properties), the logs generated are the same as above.

----------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/30/2016 2:26:09 PM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: ST02FILE-TEST.buyabs.corp
Description:
An attempt was made to access an object.

Subject:
Security ID: domain\xxx
Account Name: xxx
Account Domain: domain
Logon ID: 0xf76566d

Object:
Object Server: Security
Object Type: File
Object Name: D:\logtest\ttb.txt
Handle ID: 0xaa8

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask: 0x1
Post #5192
Posted 4/11/2016 9:04:25 PM
Forum Newbie

If you perform the second operation only (select a file --> right-click --> Properties),
not only is the log with accessMask=0x8 created, but the log with accessMask=0x1 is created too. The handle IDs of the two logs are not the same.

For this operation, the user only views the file attributes, but does not view the content of the file! Therefore, I cannot identify which operation was performed.
Post #5193
Posted 4/24/2016 7:17:09 PM
Supreme Being

Are you saying that you cannot distinguish between viewing the file attributes and viewing the file contents? Reading the file attributes can be just as important as reading the file itself if an attacker is trying to determine if file access is being audited or not.
Post #5196
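
Added example, not part of the original thread: Python that decodes the Access Mask field of 4663 events and groups the decoded rights by object and Handle ID, so a pair such as the 0x8 and 0x1 events described above can be compared per handle. The sample events are constructed from the values posted in the thread; the handle 0xab0, the trimmed field set and all function names are assumptions.

```python
import re

# File-object access rights carried in the "Access Mask" field of event 4663.
FILE_ACCESS_BITS = {
    0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory)", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute/Traverse",
    0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Constructed sample (handle 0xab0 is made up), events separated by a dashed line.
SAMPLE_EVENTS = r"""
Event ID: 4663
Object Name: D:\logtest\ttb.txt
Handle ID: 0xab0
Access Mask: 0x8
--------------------
Event ID: 4663
Object Name: D:\logtest\ttb.txt
Handle ID: 0xaa8
Access Mask: 0x1
"""

def decode_mask(mask):
    """Return the names of the access rights set in a 4663 access mask."""
    names = [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(FILE_ACCESS_BITS)
    return names + ([f"unknown bits {unknown:#x}"] if unknown else [])

def parse_events(text):
    """Split dash-separated event text into dicts of 'Field: value' pairs."""
    events = []
    for chunk in re.split(r"(?m)^-{4,}\s*$", text):
        pairs = (line.partition(":") for line in chunk.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields.get("Event ID") == "4663" and "Access Mask" in fields:
            events.append(fields)
    return events

def accesses_by_handle(events):
    """Group decoded access rights by (object name, handle ID)."""
    summary = {}
    for ev in events:
        key = (ev.get("Object Name", ""), ev.get("Handle ID", ""))
        summary.setdefault(key, set()).update(decode_mask(int(ev["Access Mask"], 16)))
    return {k: sorted(v) for k, v in summary.items()}
```
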
All times are GMT -5:00.