Event Filtering and Searching with XPath and PowerShell

Unfortunately there will be no SCOM ACS, but there will be more of everything else

Ing. Ondřej Ševeček

MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint

[email protected] | www.sevecek.com


Auditing (2000+)


Granular auditing (2008/Vista+)


Event Viewer


Event Viewer and XML


XPath

  • XML "searching" language

  • Quick examples

    //State[@code='CZ']

    //State[population>20]

    /States/State[starts-with(display, 'C') and @continent='NAM']

    //State[position()=3]

    /States/*[starts-with(display, 'C')]

    //display[starts-with(., 'C')]

    //display[starts-with(text(), 'C')]


XPath

  • Event viewer

    must replace < with &lt; and > with &gt; (the filter is embedded in XML)

    must replace <= with &lt;=

    can use only position(), Band() and timediff()

    today: *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]

  • WEVTUTIL

    normal operators >, >=, <=, != …
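The XPath restrictions above only apply inside Event Viewer's XML custom view; Get-WinEvent and wevtutil take the same XPath unescaped. The following is an added example (not code from the slides) that runs the "last 24 hours" and "Logon Type 10" filters from PowerShell and extracts the named EventData fields instead of parsing the message text. Event IDs 4624/4625 and the Data names (LogonType, TargetUserName, IpAddress, Status) are the standard Security-log logon events; Get-LogonSummary is an assumed helper name.

```powershell
# Added example, not from the presentation. Requires read access to the Security log.
#
# Event Viewer custom view needs the XML escapes the slide mentions:
#   <QueryList><Query Id="0" Path="Security">
#     <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
#   </Query></QueryList>

# 1) Get-WinEvent takes raw XPath, so "<=" needs no escaping inside a PowerShell string.
$lastDay = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
$events  = Get-WinEvent -LogName Security -FilterXPath $lastDay -MaxEvents 500 -ErrorAction SilentlyContinue

# 2) Restricting on an EventData field: successful Logon Type 10 (RemoteInteractive) sessions only.
$rdpOnly = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
$rdp     = Get-WinEvent -LogName Security -FilterXPath $rdpOnly -MaxEvents 100 -ErrorAction SilentlyContinue

# 3) wevtutil accepts the same XPath on the command line (normal operators, per the slide):
#    wevtutil qe Security /q:"*[System[EventID=4625]]" /f:text /c:20 /rd:true

# Turn the event XML into named fields; the positions of <Data> elements differ per event ID,
# so keying on the Name attribute is more robust than indexing the message parameters.
function Get-LogonSummary {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        EventID   = $Event.Id
        LogonType = $d['LogonType']
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        Status    = $d['Status']        # NTSTATUS on 4625 (null on 4624); decode with err.exe
    }
}

# Failures and successes per logon type for the last day.
$events | ForEach-Object { Get-LogonSummary $_ } |
    Group-Object LogonType, EventID | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# RDP logons with their source addresses.
$rdp | ForEach-Object { Get-LogonSummary $_ } | Format-Table Time, User, Source -AutoSize
```

Filtering in XPath is evaluated by the event log service, so it is far cheaper than piping every event through Where-Object; the XML parse in Get-LogonSummary is only paid for the events that survive the filter.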


Logon auditing

  • Account Logon Event

    • "authentication event"

    • when an account database validates credentials

  • Logon Event

    • "session event"

    • every time an Access Token is created or closed


NTLM and Schannel network logon

Diagram (labels only): App Traffic from Client (2000+) to Server (2000+); In-band NTLM hash over SMB and D/COM; Pass-through NTLM hash from Server to DC (2000+) over D/COM dynamic TCP.


Kerberos network logon (basic principle)

Diagram (labels only): App Traffic from Client (2000+) to Server (2000+); In-band TGS: Server; Kerberos exchange with DC (2000+): TGT: User, TGS: Server.


Auditing (Interactive Logon)

Diagram (labels only): SQL, FS, WFE; 2: Logon; Client; 1: Account Logon; DC.


Logon types


Status codes


Download err.exe

  • version 2008

    • http://www.microsoft.com/en-us/download/details.aspx?id=985

  • most up-to-date version

    • SDK for Windows 8.1

    • http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx


Auditing (Network session)

Diagram (labels only): 2: Logon; SQL, FS, WFE; Client; 1: Account Logon; DC.


Auditing (Interactive logoff)

Diagram (labels only): SQL, FS, WFE; 1: Logoff; Client (immediately at logoff); DC.


Auditing (Network session)

Diagram (labels only): 1: Logoff; SQL, FS, WFE (when TCP connection closed); Client; DC.


PowerShell notes

  • Get-WmiObject

    -Computer

    -Query

  • EventCode, InsertionStrings
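The WMI route the slide lists (Get-WmiObject with -Computer and -Query, then EventCode and InsertionStrings) reads the classic-log view of events, where message parameters are only available by position. The following added example (not from the presentation) queries failed logons over WMI; it assumes Windows PowerShell, where Get-WmiObject still exists, and that the InsertionStrings order follows the standard 4625 message template (TargetUserName at index 5, TargetDomainName 6, Status 7, SubStatus 9, LogonType 10, IpAddress 19), which is an assumption to verify against your own events. Get-FailedLogonsWmi is an assumed helper name.

```powershell
# Added example, not from the presentation. Windows PowerShell (Get-WmiObject) assumed.
function Get-FailedLogonsWmi {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # WQL compares CIM datetimes as DMTF strings (yyyymmddHHMMSS.ffffff+UUU), so convert the
    # cutoff with the built-in converter instead of formatting it by hand.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))
    $query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4625 AND TimeGenerated>='$since'"

    Get-WmiObject -ComputerName $ComputerName -Query $query | ForEach-Object {
        $s = $_.InsertionStrings
        # Index positions assumed from the 4625 message template; verify on your build.
        [pscustomobject]@{
            Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
            Account   = "$($s[6])\$($s[5])"
            Status    = $s[7]    # NTSTATUS, e.g. 0xC000006D (decode with err.exe)
            SubStatus = $s[9]    # e.g. 0xC0000064 unknown user, 0xC000006A wrong password
            LogonType = $s[10]
            Source    = $s[19]
        }
    }
}

# Which accounts fail most often, and from where, on this host in the last day.
Get-FailedLogonsWmi -Hours 24 |
    Group-Object Account, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Compared with the XPath route, WMI does the filtering remotely over DCOM and needs no Remote Event Log Management firewall rule, but the positional InsertionStrings break silently if the template differs, which is why the indices above are flagged as an assumption.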


Timestamps in LDAP

  • pwdLastSet

  • lastLogon

    • non-replicated

  • lastLogonTimestamp

  • lockoutTime

  • badPasswordTime

    • non-replicated

  • accountExpires


Logon timestamps

Diagram (labels only): three DCs with lastLogon = 9:00, 11:38 and - (never); Client.


Logon timestamps (2003 DFL)

Diagram (labels only): three DCs: lastLogon 9:00 / lastLogonTimestamp 11:00; lastLogon 11:38 / lastLogonTimestamp 11:00; lastLogon - / lastLogonTimestamp 11:00; Client.


lastLogonTimestamp

  • Requires 2003 domain functional level

  • Updated only once per 14-random(5) days

    • DC=idtt,DC=local

    • msDS-LogonTimeSyncInterval

    • 1+ – minimum without randomization

    • 5+ – randomization starts

    • 14 – the default

    • ...


Authentication failures

Diagram (labels only): DC (pwd1, pwd2); Client; PDC (pwd2); DC (pwd2).


Authentication failures

Diagram (labels only): PDC badPasswordCount 7; DC badPasswordCount 2; DC badPasswordCount 3 with lockoutTime set; Client; DC badPasswordCount 2.


Searching in LDAP

  • (name=m*)

  • (&(name=m*)(c=cz))

  • (|(c=cz)(c=de))

  • (!(c=cz))

  • (whenCreated>=20080323205258.0+1200)

  • (whenCreated>=20080323205258.0Z)

  • (pwdLastSet>=128962296000000000)

  • (userAccountControl:1.2.840.113556.1.4.803:=2)


PowerShell and DateTime

  • get-date

  • [DateTime]::Parse("2011-05-28")

  • (get-date).AddDays(-50)

  • ((get-date) - [DateTime]::Parse("1601-01-01")).Ticks

  • ([DateTime]::Parse("2010-11-28") - [DateTime]::Parse("1601-01-01")).Ticks

  • ((get-date).AddDays(-50) - [DateTime]::Parse("1601-01-01")).Ticks
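The lastLogonTimestamp, LDAP filter and DateTime passages above all hinge on the same conversion: pwdLastSet, lastLogonTimestamp, lockoutTime and badPasswordTime are 64-bit FILETIME values (100 ns intervals since 1601-01-01 UTC), and the slide's Ticks arithmetic is what produces a number usable in a filter such as (pwdLastSet>=128962296000000000). The following added example (not code from the presentation) does the conversion in both directions, builds the filters from the slide with the 1.2.840.113556.1.4.803 bitwise match, and runs them with System.DirectoryServices. It assumes a domain-joined machine (the searcher defaults to the current domain), and the helper names ConvertTo-FileTime, ConvertFrom-FileTime and Search-Ldap are assumed.

```powershell
# Added example, not from the presentation. Domain-joined machine assumed.

function ConvertTo-FileTime {
    param([DateTime]$Date)
    # FILETIME counts from 1601-01-01 UTC. The slide's (get-date) - Parse("1601-01-01")
    # subtracts a local time from an unspecified-kind time and is off by the UTC offset;
    # converting to UTC first gives the value the DC actually stores.
    $Date.ToUniversalTime().ToFileTimeUtc()
}

function ConvertFrom-FileTime {
    param([Int64]$Value)
    # 0 means never set; Int64.MaxValue is accountExpires "never".
    if ($Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Search-Ldap {
    param([string]$Filter, [string[]]$Properties, [int]$PageSize = 500)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = $PageSize          # paged results, otherwise capped at 1000 entries
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $props = $r.Properties
        [pscustomobject]@{
            Name               = [string]$props['samaccountname'][0]
            LastLogonTimestamp = ConvertFrom-FileTime ([Int64]($props['lastlogontimestamp'] | Select-Object -First 1))
            PwdLastSet         = ConvertFrom-FileTime ([Int64]($props['pwdlastset'] | Select-Object -First 1))
        }
    }
}

# Same value as ((get-date).AddDays(-50) - [DateTime]::Parse("1601-01-01")).Ticks, but in UTC.
$cutoff = ConvertTo-FileTime (Get-Date).AddDays(-50)

# Enabled users (userAccountControl bit 2 = ACCOUNTDISABLE, tested with the bitwise-AND rule from
# the slide) whose lastLogonTimestamp is older than the cutoff. Because lastLogonTimestamp is only
# refreshed every 14 - random(5) days, "stale" here means at least cutoff + ~14 days.
$staleFilter = "(&(objectCategory=person)(objectClass=user)" +
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
               "(lastLogonTimestamp<=$cutoff))"

Search-Ldap -Filter $staleFilter -Properties samaccountname, lastlogontimestamp, pwdlastset |
    Sort-Object LastLogonTimestamp | Format-Table -AutoSize
```

lastLogon and badPasswordTime are not replicated, so for an exact last-logon time the same filter has to be run against every DC (point the searcher's SearchRoot at LDAP://dc-name/...) and the newest value taken; lastLogonTimestamp is the replicated, coarse alternative and is what the filter above uses.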


Courses of the Gopas Computer School at

www.gopas.cz

GOC170 - AD Monitoring with SCOM and ACS

GOC171 - Active Directory Troubleshooting

GOC172 - Kerberos Troubleshooting

GOC173 - Enterprise PKI

GOC174 - SharePoint Architecture and Troubleshooting

GOC175 - Advanced Security

GOC169 - Auditing ISO/IEC 2700x

Get a TechEd 2014 T-shirt

for a completed evaluation questionnaire.

Gopas Computer School: your IT school for life