Missing Process Name for Event 4656
Posted 2/2/2017 1:07:18 PM
Forum Newbie (Forum Members)
I am trying to audit all attempts to access sensitive files. I have set up auditing at the folder level and turned on Object Access: File System and Handle Manipulation. I am seeing audit failures, but they do not list the process name. I am trying to determine if someone is actually trying to access the folder or if it is a background process and the user is unaware. It is multiple times per day, and I would guess that if the user were getting access denied errors repeatedly, they would not continue to attempt. Is there any way I can get more information?
Post #7315
Posted 2/15/2017 3:01:45 PM
Forum Newbie (Forum Members)
Anyone have any suggestions? I can't tell if there is a process that is attempting to access the directory, or if it is the user. These are highly sensitive files and I have no confidence in the audit log.
Post #7318
Posted 3/17/2017 7:47:46 AM
Supreme Being (Moderators)
Can you show a sample event? One way would be to test the auditing for the exact conditions you want to detect and review the log. You may want to check event ID 4663 instead. From the encyclopedia: "This event is logged between the open (4656) and close (4658) events for the object being opened" ... "event 4656 tells you when the object is initially opened and what type of access was requested at that time; 4656 doesn't give you positive confirmation any of the access permissions were actually exercised."
Post #7331
Posted 3/17/2017 11:14:52 AM
Forum Newbie (Forum Members)
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/16/2017 8:24:50 PM
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DOC.consultbai.local
Description:
A handle to an object was requested.

Subject:
Security ID: BRUBAKER\deb
Account Name: deb
Account Domain: BRUBAKER
Logon ID: 0x6bf30962

Object:
Object Server: Security
Object Type: File
Object Name: E:\ProlawDocs\RAV
Handle ID: 0x0

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE
          ReadData (or ListDirectory)
          ReadAttributes

Access Reasons: SYNCHRONIZE: Denied by DD;OICI;FA;;;S-1-5-21-2093295583-843462373-1182547822-1175)
                ReadData (or ListDirectory): Denied by DD;OICI;FA;;;S-1-5-21-2093295583-843462373-1182547822-1175)
                ReadAttributes: Granted by ACE on parent folder DA;OICI;0x1200a9;;;BU)

Access Mask: 0x100081
Privileges Used for Access Check: -
Restricted SID Count: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4656</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <EventRecordID>35506609</EventRecordID>
    <Channel>Security</Channel>
    <Computer>DOC.consultbai.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2093295583-843462373-1182547822-4462</Data>
    <Data Name="SubjectUserName">deb</Data>
    <Data Name="SubjectDomainName">BRUBAKER</Data>
    <Data Name="SubjectLogonId">0x6bf30962</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">E:\ProlawDocs\RAV</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%1541
%%4416
%%4423
</Data>
    <Data Name="AccessReason">%%1541: %%1802 DD;OICI;FA;;;S-1-5-21-2093295583-843462373-1182547822-1175)
%%4416: %%1802 DD;OICI;FA;;;S-1-5-21-2093295583-843462373-1182547822-1175)
%%4423: %%1811 DA;OICI;0x1200a9;;;BU)
</Data>
    <Data Name="AccessMask">0x100081</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="RestrictedSidCount">0</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"></Data>
    <Data Name="ResourceAttributes"></Data>
  </EventData>
</Event>
Post #7338
Posted 3/26/2017 3:05:24 PM
Supreme Being (Moderators)
This looks like the user Deb attempted to read the file Deb and was denied. Is that correct? What actions occurred and what was the outcome?
Post #7344
Posted 3/28/2017 10:45:22 AM
Forum Newbie (Forum Members)
We have deny access set on a directory that belongs to our HR person, RAV. I don't think that the users BRUBAKER\DEB or BRUBAKER\SDW are purposely trying to access anything in the directory, but that is what I am trying to find out. I have multiple entries where those 2 users show up as being denied. I am not sure what else would cause only 2 users in our organization to show up if they were not purposely trying to access it, but it is multiple entries a day, so I would also think that if you were denied repeatedly, you would stop. I thought maybe it was a mapped drive and a virus scan or something that was automatically trying to list the contents, but the audit is not giving any other information.
Post #7351
Posted 4/11/2017 1:44:09 PM
Supreme Being (Moderators)
I think you should rely on event ID 4663 to make a final determination. What do those logs tell you?
Post #7356
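The following is an added example, not code from the thread or its participants: it parses exported 4656/4663 Security events in the XML shape posted above, flags the two things the posted event does show (Keywords 0x8010000000000000 is Audit Failure, HandleId 0x0 means no handle was issued, so no 4663 can follow it, and ProcessId 0x4 with an empty name is the System process, i.e. a kernel-mode caller such as a remote client coming in through a share rather than a local application), and pairs granted 4656 opens with the 4663 that proves the access was used. The `sample()` helper, the explorer.exe events and the logon/handle values other than those from the posted event are constructed for the example.

```python
# Added example (not from the thread): parse exported 4656/4663 Security events and pair opens with 4663.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x8010000000000000   # Keywords value of an "Audit Failure" event
SYSTEM_PID = "0x4"   # PID 4 is the System process: kernel-mode callers such as the SMB server

def sample(eid, keywords, **data):   # build a constructed event in exported Security-log XML shape
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Keywords>{keywords}</Keywords></System><EventData>{body}</EventData></Event>')

# Constructed samples: first mirrors the thread's event; the other two are a hypothetical granted open + 4663.
SAMPLE_EVENTS = [
    sample(4656, "0x8010000000000000", SubjectLogonId="0x6bf30962", ObjectName=r"E:\ProlawDocs\RAV",
           HandleId="0x0", ProcessId="0x4", ProcessName=""),
    sample(4656, "0x8020000000000000", SubjectLogonId="0x6bf30962", ObjectName=r"E:\ProlawDocs\RAV\x.docx",
           HandleId="0x1a8", ProcessId="0x12c0", ProcessName=r"C:\Windows\explorer.exe"),
    sample(4663, "0x8020000000000000", SubjectLogonId="0x6bf30962", ObjectName=r"E:\ProlawDocs\RAV\x.docx",
           HandleId="0x1a8", AccessList="%%4416", ProcessId="0x12c0", ProcessName=r"C:\Windows\explorer.exe"),
]

def parse_event(xml_text):
    """Return the EventID, an Audit Failure flag and every EventData field of one exported event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {"id": int(system.find("e:EventID", NS).text),
          "failure": int(system.find("e:Keywords", NS).text, 16) == AUDIT_FAILURE}
    for d in root.find("e:EventData", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev

def explain_4656(ev):
    """Say whether a 4663 can follow this 4656 and what its Process Information means."""
    if ev["failure"] and ev.get("HandleId") == "0x0":
        outcome = "denied, no handle issued, so no 4663 will follow"
    else:
        outcome = "handle granted; look for a 4663 with the same HandleId"
    if ev.get("ProcessId") == SYSTEM_PID and not ev.get("ProcessName"):
        caller = "System process (kernel-mode caller, typically a remote client on a share), not a local application"
    else:
        caller = ev.get("ProcessName") or "unknown process"
    return f"{outcome}; caller: {caller}"

def correlate(xml_events):
    """For each 4656 return (object, explanation, accesses proven by 4663 on the same logon+handle)."""
    events = [parse_event(x) for x in xml_events]
    exercised = {}
    for ev in events:
        if ev["id"] == 4663:
            exercised.setdefault((ev["SubjectLogonId"], ev["HandleId"]), []).append(ev["AccessList"])
    return [(ev["ObjectName"], explain_4656(ev), exercised.get((ev["SubjectLogonId"], ev["HandleId"]), []))
            for ev in events if ev["id"] == 4656]
```

Run `correlate(SAMPLE_EVENTS)` to see that the denied event from the thread yields no 4663 to wait for, while the granted open is tied to its 4663 by logon ID and handle.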