I have a working start on event 4738 (user account changed) on Stack Overflow: https://stackoverflow.com/questions/50083944/powershell-how-to-use-findonecontext-locatoroptions-flag-avoidself-or-anot
For additional 4768 (Kerberos TGT requested) context, the original smart-card logon event, the scheduled-task XML, the PowerShell script and the resulting custom event are below. The same approach was used for 4738, as posted on SO above. Feel free to contribute code in the comments; the script still needs error handling (try/catch) around the certutil lookup and the event-log write.
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-05-01T05:01:26.527879000Z" />
<EventRecordID>588856793</EventRecordID>
<Correlation />
<Execution ProcessID="460" ThreadID="1364" />
<Channel>Security</Channel>
<Computer>workstation.contoso.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">havealoha</Data>
<Data Name="TargetDomainName">contoso.com</Data>
<Data Name="TargetSid">S-1-5-21-##</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-##</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:##</Data>
<Data Name="IpPort">35665</Data>
<Data Name="CertIssuerName">CONTOSO-CA</Data>
<Data Name="CertSerialNumber">##</Data>
<Data Name="CertThumbprint">##</Data>
</EventData>
</Event>
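<?xml version="1.0" encoding="UTF-16"?>
<!--
  Scheduled task: run AuditSecurityEventID4768.ps1 for every smart-card Kerberos TGT
  request (Security 4768 with certificate pre-authentication) and pass the event's
  fields to the script. Registered by Contoso\havealoha, executed as SYSTEM.
-->
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-04-29T22:28:37.297254</Date>
    <Author>Contoso\havealoha</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <!--
        Fire only for Security 4768 whose PreAuthType is 15 (PA-PK-AS-REP_OLD) or
        16 (PA-PK-AS-REQ), i.e. certificate / smart-card pre-authentication.

        The previous query was written as "A and B or C". XPath binds "and" tighter
        than "or", so the PreAuthType=16 branch was not limited to EventID 4768 and
        matched any Security event carrying that field (4771, failed pre-auth, also
        has PreAuthType). It also tested Data[@Name='PreAuthType'] and Data='15' as
        two independent conditions, so any Data element equal to '15' satisfied it.
        Both value tests are now bound to the PreAuthType element and both sit under
        the EventID filter.

        Task Scheduler stores the query as text inside Subscription, so the markup
        must be entity-escaped as below; an unescaped copy (as forum posts render
        it) will not import.
      -->
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4768)]] and *[EventData[Data[@Name='PreAuthType']='15' or Data[@Name='PreAuthType']='16']]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <!-- Values pulled from the triggering event and exposed to Actions as $(name). -->
      <ValueQueries>
        <Value name="certIssuerName">Event/EventData/Data[@Name="CertIssuerName"]</Value>
        <Value name="certSerialNumber">Event/EventData/Data[@Name="CertSerialNumber"]</Value>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
        <Value name="eventTimeCreated">Event/System/TimeCreated/@SystemTime</Value>
        <Value name="targetUserName">Event/EventData/Data[@Name="TargetUserName"]</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <!--
      Runs as LocalSystem (S-1-5-18): needed to read the CA database with certutil
      and to register the "Contoso Security" event source. Because it runs as SYSTEM,
      the script path below must only be writable by administrators; C:\Windows has
      that ACL by default, but verify it on the host.
    -->
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <!--
      Was IgnoreNew: a 4768 arriving while a previous instance was still running
      was dropped, so bursts of smart-card logons silently lost audit entries.
      Queue runs one instance per event, in order.
    -->
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <!--
      One certutil lookup plus one event write should take seconds. With Queue
      above, the previous 3-day limit would let a hung instance block the backlog;
      adjust if your CA database is slow to query.
    -->
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <!--
        Previously the script path and $(...) values were given with no switch, so
        powershell.exe treated the whole argument string as a command to evaluate.
        TargetUserName and CertIssuerName come from the event (the user name is the
        client-supplied principal from the AS-REQ), so they were being parsed as
        PowerShell code. With -File the remaining arguments are passed to the script
        as literal strings, and each value is quoted so a name containing a space
        stays one argument. A value containing a double quote can still split an
        argument; the script therefore treats its parameters as untrusted text.
        -NoProfile / -NonInteractive keep the SYSTEM profile and prompts out of the
        run; -ExecutionPolicy Bypass applies only to this admin-owned script.
      -->
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Windows\AuditSecurityEventID4768.ps1 -targetUserName "$(targetUserName)" -eventTimeCreated "$(eventTimeCreated)" -eventRecordID "$(eventRecordID)" -certIssuerName "$(certIssuerName)" -certSerialNumber "$(certSerialNumber)"</Arguments>
    </Exec>
  </Actions>
</Task>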
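<#
.SYNOPSIS
    Cross-checks a smart-card Kerberos TGT request (Security event 4768 with
    PreAuthType 15/16) against the certificate recorded in the local CA database
    and writes a summary event to the Application log.

.DESCRIPTION
    Started by the AuditSecurityEventID4768 scheduled task, which forwards the
    4768 fields through $(...) value queries. The certificate with the event's
    serial number is looked up with "certutil -view" and its UPN / CN is compared
    with the account that requested the ticket. A confirmed match is logged as
    Information; everything else (issuer not ours, no serial, certificate not
    found, name mismatch) as Warning, and a failed lookup or write as Error, so a
    smart-card logon whose certificate does not belong to the account is never
    silently dropped.

.PARAMETER targetUserName
    TargetUserName of the 4768 event (the account requesting the TGT). The value
    originates from the client's AS-REQ, so it is treated as untrusted text and
    compared exactly, never used as a wildcard pattern.
.PARAMETER eventTimeCreated
    TimeCreated/@SystemTime of the 4768 event; copied into the summary message.
.PARAMETER eventRecordID
    EventRecordID of the 4768 event, logged so the summary can be tied back to it.
.PARAMETER certIssuerName
    CertIssuerName of the event; the CA lookup only runs for Contoso-CA certificates.
.PARAMETER certSerialNumber
    CertSerialNumber of the event, used to select the row in the CA database.

.NOTES
    Runs as SYSTEM (see the task's Principal). "certutil -view" without -config
    queries the CA on the local machine, so the task must run on the CA host or
    a -config argument must be added; confirm against your deployment.
#>
Param(
    [string]$targetUserName,
    [string]$eventTimeCreated,
    [string]$eventRecordID,
    [string]$certIssuerName,
    [string]$certSerialNumber
)

$nl        = [Environment]::NewLine
$logName   = "Application"
$logSource = "Contoso Security"
$summaryId = 64768

# Fail closed: anything other than a confirmed match stays at least a Warning.
$entryType = "Warning"
$cert      = $null
$reason    = $null

try {
    if ($certIssuerName -notlike "*Contoso-CA*") {
        $reason = "Certificate issuer '$certIssuerName' is not Contoso-CA; no CA lookup performed."
    }
    elseif ([string]::IsNullOrWhiteSpace($certSerialNumber)) {
        # An empty -restrict would not select one certificate; do not query at all.
        $reason = "Event carried no certificate serial number; no CA lookup performed."
    }
    else {
        # The serial number is handed to certutil as a single argument and is not
        # evaluated as PowerShell. Select-String's context output (the "> Row 1:"
        # marker line plus the five lines after it) is what the replacement relies on.
        $rows = certutil -view -restrict "Serial Number=$($certSerialNumber)" -out "upn,serialnumber,distinguishedname,commonname" |
            Select-String "Row 1" -Context 0,5
        if ($rows) {
            $cert = ($rows | ForEach-Object { $_.ToString() }) -join $nl
            $cert = $cert -replace "> Row 1:", "Smart Card Certificate Information:"

            # Compare names exactly. The earlier test, $cert -like "*$targetUserName*",
            # was a substring match over the whole certutil output and interpreted the
            # client-supplied user name as a wildcard pattern: a short name, or a bare
            # '*', matched any certificate. -eq / -contains are case-insensitive for
            # strings and have no wildcard semantics.
            $upn = $null; $upnUser = $null; $cn = $null
            if ($cert -match 'User Principal Name:\s*"([^"]*)"') {
                $upn     = $Matches[1]
                $upnUser = $upn.Split('@')[0]
            }
            if ($cert -match 'Issued Common Name:\s*"([^"]*)"') {
                $cn = $Matches[1]
            }
            # 4768 TargetUserName is normally the sAMAccountName; in the sample output
            # the template puts the same value in the UPN prefix and the CN. Accept the
            # UPN prefix, the full UPN or the CN; verify this against your template.
            $candidates = @(@($upnUser, $upn, $cn) | Where-Object { -not [string]::IsNullOrEmpty($_) })
            if (-not [string]::IsNullOrWhiteSpace($targetUserName) -and ($candidates -contains $targetUserName)) {
                $entryType = "Information"
            }
            else {
                $reason = "Certificate subject (UPN '$upn', CN '$cn') does not match TargetUserName '$targetUserName'."
            }
        }
        else {
            $reason = "No certificate with serial number '$certSerialNumber' found in the CA database (certutil exit code $LASTEXITCODE)."
        }
    }
}
catch {
    # A failed lookup must still surface as an event rather than vanish into the
    # task history.
    $entryType = "Error"
    $reason    = "Certificate lookup failed: $($_.Exception.Message)"
}

$message = "$nl Target User Name: $targetUserName $nl Event Date: $eventTimeCreated $nl Referring Event ID: $eventRecordID $nl $cert"
if ($reason) {
    $message += "$nl $reason"
}

try {
    if (-not [System.Diagnostics.EventLog]::SourceExists($logSource)) {
        # Plain ASCII hyphens here: the previous version used en-dashes (U+2013)
        # before -LogName and -Source, which PowerShell tolerates but which break
        # when the script is copied through tools that normalise them differently.
        New-EventLog -LogName $logName -Source $logSource
    }
    Write-EventLog -LogName $logName -Source $logSource -EntryType $entryType -EventId $summaryId -Message $message
}
catch {
    Write-Error "Unable to write event $summaryId to $logName/$logSource : $($_.Exception.Message)"
    exit 1
}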
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Contoso Security" />
<EventID Qualifiers="0">64768</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-05-01T05:01:22.000000000Z" />
<EventRecordID>1115534</EventRecordID>
<Channel>Application</Channel>
<Computer>workstation.contoso.com</Computer>
<Security />
</System>
<EventData>
<Data>Target User Name: havealoha Event Date: 2018-05-01T05:01:19.168Z Referring Event ID: 588856789 Smart Card Certificate Information: User Principal Name: "havealoha@Contoso.com" Serial Number: "##" Issued Distinguished Name: "CN=havealoha, OU=Accounts, DC=contoso, DC=com" Issued Common Name: "havealoha"</Data>
</EventData>
</Event>