Forum Newbie
Group: Forum Members
Last Login: 9/14/2017 4:09:54 PM
Posts: 3
Visits: 9
Found some additional object types while looking through logs of an SCCM server. This is a Windows 2012 server. There is one type of record that did have a different server type. It's at the bottom.
It seems like events that have a - in the object name/type have a number (the only value seen in logs so far is 983103) in the desired access, whereas if there is a value in the object name/type the desired access has text (DELETE, READ_CONTROL). Example: "Desired Access: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link"
The object name for events with a non-blank object type seems to be descriptive and seems to indicate a very low level of auditing, since mutant, section and semaphore based events are memory object types and not normally something I would expect to see in event logs. I only list one example of the object name for most of these, since these seem to be specific resources and the number of possible options is very high.
Object Type: Semaphore Object Name: \BaseNamedObjects\WmiAdapterUninit
Object Type: Event Object Name: \BaseNamedObjects\WmiAdapterDataReady
Object Type: Mutant Object Name: \BasenameObjects\MSDTC_STATS_EVENT
Object Type: Section Object Name: \BasenameObjects\MSDTC_STATS_FILE
Object Type: File Object Name: \Device\ConDrv
(Seems like object type Key is a registry key.)
Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\{C7568B63-C424-48B3-AB9B-6D1F004D5AFC}
Object Server: SC Manager Object Type: SC_MANAGER OBJECT Object Name: ServicesActive
Forum Newbie
Group: Forum Members
Last Login: 9/14/2017 4:09:54 PM
Posts: 3
Visits: 9
After looking at these logs a bit more, I suspect that the records with dashes in them are privileges on a specific process ID rather than a standard Windows object.
Just ran across another Object Server (LSA). I may have to do some analysis of these logs to get a more comprehensive view.
OriginatingComputer= User= Domain= EventID=4674 EventIDCode=4674 EventType=16 EventCategory=13056 RecordNumber=4896846 TimeGenerated=1484151224 TimeWritten=1484151224 Level=0 Keywords=0 Task=0 Opcode=0 Message=An operation was attempted on a privileged object. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Object: Object Server: LSA Object Type: - Object Name: - Object Handle: 0x0 Process Information: Process ID: 0x258 Process Name: C:\Windows\System32\lsass.exe Requested Operation: Desired Access: 16777216 Privileges: SeSecurityPrivilege
This event ID seems to be recording very low level events, and I am curious if there would be any odd logs left by credential harvesting software accessing lsass.
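An added example, not code from either post above, that works through both observations in this thread: it parses the flattened key=value record quoted in the second post, splits the 4674 message body on its labels, and decodes the numeric Desired Access masks mentioned in both posts into right names. The standard-right and KEY_* bit values are the documented winnt.h constants; the label list is assumed from the message text quoted here; flag_lsa_request is a hypothetical triage filter whose allowlist is an assumption the caller supplies.

```python
import re
from typing import Dict, List

# Standard access-right bits from winnt.h; these mean the same thing for every object type.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
}

# Object-specific bits for registry keys (KEY_* in winnt.h), using the wording the 4674
# message text uses. The low bits mean something else for other object types.
KEY_RIGHTS = {
    0x0001: "Query key value",
    0x0002: "Set key value",
    0x0004: "Create sub-key",
    0x0008: "Enumerate sub-keys",
    0x0010: "Notify about changes to keys",
    0x0020: "Create Link",
}


def decode_access_mask(mask: int, object_type: str = "-") -> List[str]:
    """Turn a numeric Desired Access mask into right names. Object-specific bits are
    only decoded when the object type is Key; for '-' they are reported undecoded."""
    names, remaining = [], mask
    specific = KEY_RIGHTS if object_type.lower() == "key" else {}
    for bit, name in list(STANDARD_RIGHTS.items()) + list(specific.items()):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"UNDECODED(0x{remaining:x})")
    return names


# Labels seen in the 4674 message body (assumed from the quoted record). Longer labels
# are listed before "Object" so the alternation does not stop early on the short one.
MESSAGE_LABELS = [
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Object Server", "Object Type", "Object Name", "Object Handle", "Object",
    "Process Information", "Process ID", "Process Name",
    "Requested Operation", "Desired Access", "Privileges",
]
_LABEL_RE = re.compile(r"\s*(" + "|".join(re.escape(lbl) for lbl in MESSAGE_LABELS) + r"):\s*")
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)


def parse_record(record: str) -> Dict[str, str]:
    """Split the flattened 'key=value key=value ...' line into its top-level fields."""
    return {m.group(1): m.group(2).strip() for m in _FIELD_RE.finditer(record)}


def parse_message(message: str) -> Dict[str, str]:
    """Split the message text on its labels; section headers with no value are dropped."""
    parts = _LABEL_RE.split(message)
    return {lbl: val.strip() for lbl, val in zip(parts[1::2], parts[2::2]) if val.strip()}


def triage(record: str) -> Dict[str, object]:
    """Reduce one record to the fields a reviewer cares about, decoding numeric masks."""
    fields = parse_record(record)
    msg = parse_message(fields.get("Message", ""))
    access_raw = msg.get("Desired Access", "")
    object_type = msg.get("Object Type", "-")
    # Numeric masks are decoded; the text form is already readable and is kept verbatim.
    access = decode_access_mask(int(access_raw), object_type) if access_raw.isdigit() else access_raw
    return {
        "event_id": fields.get("EventID"),
        "object_server": msg.get("Object Server"),
        "object_type": object_type,
        "object_name": msg.get("Object Name"),
        "process": msg.get("Process Name"),
        "privileges": msg.get("Privileges", "").split(),
        "access": access,
    }


def flag_lsa_request(summary: Dict[str, object], expected_processes=("lsass.exe",)) -> bool:
    """Hypothetical triage filter: a privileged-object request served by LSA from a process
    outside the caller's allowlist. A starting point for review, not a detection on its own."""
    if summary["object_server"] != "LSA":
        return False
    exe = str(summary["process"] or "").rsplit("\\", 1)[-1].lower()
    return exe not in {p.lower() for p in expected_processes}


# The record quoted in the second post, embedded here as a single constructed string.
SAMPLE_RECORD = (
    r"OriginatingComputer= User= Domain= EventID=4674 EventIDCode=4674 EventType=16 "
    r"EventCategory=13056 RecordNumber=4896846 TimeGenerated=1484151224 "
    r"TimeWritten=1484151224 Level=0 Keywords=0 Task=0 Opcode=0 "
    r"Message=An operation was attempted on a privileged object. Subject: "
    r"Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE "
    r"Account Domain: NT AUTHORITY Logon ID: 0x3e5 Object: Object Server: LSA "
    r"Object Type: - Object Name: - Object Handle: 0x0 Process Information: "
    r"Process ID: 0x258 Process Name: C:\Windows\System32\lsass.exe "
    r"Requested Operation: Desired Access: 16777216 Privileges: SeSecurityPrivilege"
)

if __name__ == "__main__":
    print(decode_access_mask(983103, "Key"))
    print(triage(SAMPLE_RECORD))
```

Decoding 983103 (0xF003F) as key rights gives exactly the ten rights the first post quotes in text form (DELETE through Create Link), so the numeric and textual Desired Access values are the same mask rendered two ways; when the object type is "-" the low bits cannot be named and are reported undecoded. The 16777216 (0x01000000) in the LSA record is ACCESS_SYSTEM_SECURITY, the right that requires SeSecurityPrivilege, which is the privilege the same record names.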