Additional object types and object names
Posted 12/16/2016 5:53:50 PM
Forum Newbie

Group: Forum Members
Last Login: 1/11/2017 4:43:00 PM
Posts: 2, Visits: 6
Found some additional object types while looking through logs of an SCCM server. This is a Windows 2012 server. There is one type of record that did have a different server type. It's at the bottom.

It seems like events that have a - in the object name/type have a number (only value seen in logs so far is 983103) in the desired access, whereas if there is a value in the object name/type the desired access has text (DELETE, READ_CONTROL). Example: "Desired Access: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link"

The object name for events with a non-blank object type seems to be descriptive and seems to indicate a very low level of auditing, since mutant, section and semaphore-based events are memory object types and not normally something I would expect to see in event logs. I only list one example of the object name for most of these, since these seem to be specific resources and the number of possible options is very high.

Object Type: Semaphore Object Name: \BaseNamedObjects\WmiAdapterUninit
Object Type: Event Object Name: \BaseNamedObjects\WmiAdapterDataReady
Object Type: Mutant Object Name: \BasenameObjects\MSDTC_STATS_EVENT
Object Type: Section Object Name: \BasenameObjects\MSDTC_STATS_FILE
Object Type: File Object Name: \Device\ConDrv

# Seems like object type Key is a registry key.
Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\{C7568B63-C424-48B3-AB9B-6D1F004D5AFC}


Object Server: SC Manager Object Type: SC_MANAGER OBJECT Object Name: ServicesActive
Post #7294
Posted 1/11/2017 11:26:39 AM
After looking at these logs a bit more, I suspect that the records with dashes in them are privileges on a specific process ID rather than a standard Windows object.

Just ran across another Object Server (LSA). I may have to do some analysis of these logs to get a more comprehensive view.
OriginatingComputer= User= Domain= EventID=4674 EventIDCode=4674 EventType=16 EventCategory=13056 RecordNumber=4896846 TimeGenerated=1484151224 TimeWritten=1484151224 Level=0 Keywords=0 Task=0 Opcode=0 Message=An operation was attempted on a privileged object. Subject: Security ID: NT AUTHORITY\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Object: Object Server: LSA Object Type: - Object Name: - Object Handle: 0x0 Process Information: Process ID: 0x258 Process Name: C:\Windows\System32\lsass.exe Requested Operation: Desired Access: 16777216 Privileges: SeSecurityPrivilege

This event id seems to be recording very low level events and I am curious if there would be any odd logs left by credential harvesting software accessing lsass.
Post #7307
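Added example (not from either post): a small Python snippet that parses a flattened 4674 record like the one quoted above and expands a numeric Desired Access into the right names Event Viewer prints for named objects. The access-mask constants are the documented Windows standard rights and KEY_* registry rights, the sample record is constructed from the one in the post, and because the low 16 bits of a mask are object-type specific, reading them as registry-key rights is an assumption that only holds for Key objects.

```python
import re

# Standard rights sit in the upper 16 bits of every Windows access mask; KEY_* are the
# documented registry-key rights as Event Viewer names them (low bits are type-specific).
STANDARD_RIGHTS = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
                   0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
                   0x00100000: "SYNCHRONIZE", 0x01000000: "ACCESS_SYSTEM_SECURITY"}
KEY_RIGHTS = {0x0001: "Query key value", 0x0002: "Set key value",
              0x0004: "Create sub-key", 0x0008: "Enumerate sub-keys",
              0x0010: "Notify about changes to keys", 0x0020: "Create Link"}

def decode_access_mask(mask, specific=KEY_RIGHTS):
    """Expand a numeric Desired Access into right names, standard rights first."""
    names, remaining = [], mask
    for bit, name in list(STANDARD_RIGHTS.items()) + list(specific.items()):
        if mask & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:                       # bits neither table knows about
        names.append(f"UNKNOWN(0x{remaining:x})")
    return names

# Constructed sample, modelled on the flattened 4674 record quoted above.
SAMPLE = ("OriginatingComputer= User= Domain= EventID=4674 EventIDCode=4674 Message=An "
          "operation was attempted on a privileged object. Subject: Security ID: NT "
          "AUTHORITY\\LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY "
          "Logon ID: 0x3e5 Object: Object Server: LSA Object Type: - Object Name: - Object "
          "Handle: 0x0 Process Information: Process ID: 0x258 Process Name: "
          "C:\\Windows\\System32\\lsass.exe Requested Operation: Desired Access: 16777216 "
          "Privileges: SeSecurityPrivilege")

FIELD_RE = re.compile(
    r"EventID=(?P<event_id>\d+).*?Object Server:\s+(?P<server>.+?)\s+"
    r"Object Type:\s+(?P<otype>\S+)\s+Object Name:\s+(?P<oname>.+?)\s+Object Handle:"
    r".*?Process Name:\s+(?P<proc>.+?)\s+Requested Operation:.*?"
    r"Desired Access:\s+(?P<access>.+?)\s+Privileges:\s+(?P<privs>\S+)")

def parse_4674(line):
    m = FIELD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    if rec["access"].isdigit():         # "-" objects carry a raw mask
        rec["access_mask"] = int(rec["access"])
        rec["rights"] = decode_access_mask(rec["access_mask"])
    else:                               # named objects carry decoded names
        rec["access_mask"], rec["rights"] = None, rec["access"]
    return rec
```

Decoding 983103 reproduces the right names quoted in the first post exactly (0xF003F is the four standard rights plus all six key rights), and 16777216 is ACCESS_SYSTEM_SECURITY, the access that requires SeSecurityPrivilege, which matches the privilege named in the LSA record.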