
Suspicious Event Logs in Eventvwr. Something to be concerned about?


10 replies to this topic

#1 Thelps


Posted 30 May 2016 - 09:21 PM

Following is the Eventvwr event log, which occurs multiple times per day, quite frequently. The Account name has been changed.

 

The PID indicates Local Security Authority Process with sub-services of CNG Key Isolation, Encrypting File System (EFS) and Security Accounts Manager.

 

--------------------------------------------------------------------------------------

 
An account was successfully logged on.
 
Subject:
Security ID: SYSTEM
Account Name: PCNAME$
Account Domain: WORKGROUP
Logon ID: 0x3E7
 
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
 
Impersonation Level: Impersonation
 
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
 
Process Information:
Process ID: 0x2d8
Process Name: C:\Windows\System32\services.exe
 
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
 
Detailed Authentication Information:
Logon Process: Advapi  
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
 
This event is generated when a logon session is created. It is generated on the computer that was accessed.
 
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
 
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
 
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
 
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
 
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
 
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
 
-------------------------------------------------------------------------------------------------------

 

It's always Advapi.exe.

 

Is this normal behavior or something to be concerned about? My knowledge of Eventvwr is limited.

 

Is there some way I could confirm the cause of these logs?

 

Much appreciated and regards.


Edited by Thelps, 30 May 2016 - 09:24 PM.


#2 Daydreamed


Posted 30 May 2016 - 10:17 PM

I suggest you post here


- Daydreamed


#3 Didier Stevens


Posted 31 May 2016 - 07:00 AM

Yes, it is normal behavior on a Windows machine.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Thelps


Posted 01 June 2016 - 12:29 PM

Could you provide a full explanation as to what this Log Event indicates? My search engine research has yielded very inconclusive results.



#5 Didier Stevens


Posted 01 June 2016 - 01:58 PM

Depends on what you know about Windows.

Do you know about services and that they run under a user account different from your user account?




#6 Thelps


Posted 01 June 2016 - 05:09 PM

I'm studying a general IT course at the moment which features Windows. The course is not very in-depth so I have a somewhat intermediate knowledge of Windows.
 
I'm very familiar with services.msc but I am unaware of the details of how Services operate within Windows and how the OS manages them.
 
Could you go into detail?


#7 Didier Stevens


Posted 01 June 2016 - 05:57 PM

Services, as you see them in services.msc, are grouped together in processes (svchost.exe), started by process services.exe.
All processes in Windows run under a user account. Windows services run under accounts SYSTEM, LOCAL SERVICE or NETWORK SERVICE.
When a service is started, Windows creates a logon session for the username associated with that service.
This logon is recorded in the security eventlog with EventID 4624 and logon type 5.

Edited by Didier Stevens, 01 June 2016 - 06:10 PM.

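A small checker for the event structure Didier describes above, written here as an added example (not code from this thread, from Windows, or from any poster): it parses the Event ID 4624 text in the form quoted in the first post (a constructed, trimmed sample) and treats logon type 5 started by services.exe with no network source as the expected service start, while flagging a "service" logon from any other process, or a network / remote-interactive logon from a non-local address, for review.

```python
# Constructed sample: the 4624 from this thread, trimmed (added example, not Windows output).
SAMPLE_4624 = """\
Subject:
Security ID: SYSTEM
Logon Information:
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Process Information:
Process Name: C:\\Windows\\System32\\services.exe
Network Information:
Workstation Name:
Source Network Address: -
"""

SECTIONS = {"Subject", "Logon Information", "New Logon",
            "Process Information", "Network Information"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}

def parse_4624(text):
    """Group 'Key: value' lines by section; 4624 repeats Security ID under Subject and New Logon."""
    ev, section = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not key:
            continue
        if key in SECTIONS and not value:  # section header, not a field
            section = key
            ev[section] = {}
        elif section:
            ev[section][key] = value
    return ev

def assess(ev):
    """Return (verdict, reason). Type 5 is services.exe (the Service Control Manager)
    starting a service; a 'service' logon from elsewhere or with a network source merits a look."""
    ltype = int(ev["Logon Information"]["Logon Type"])
    kind = LOGON_TYPES.get(ltype, "type %d" % ltype)
    proc = ev["Process Information"].get("Process Name", "").lower()
    src = ev["Network Information"].get("Source Network Address", "-")
    if ltype == 5:
        if proc.endswith("\\services.exe") and src == "-":
            return "expected", "service start by services.exe, no network source"
        return "review", "service logon via %s (source %s)" % (proc or "?", src)
    if ltype in (3, 10) and src not in ("-", "127.0.0.1", "::1"):
        return "review", "%s logon from %s" % (kind, src)
    return "info", "%s logon" % kind
```

Feed it the text of each 4624 event exported from Event Viewer; the sample above, which matches the thread's event, comes back as "expected".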


#8 Thelps


Posted 01 June 2016 - 06:19 PM

Are NETWORK SERVICE accounts accessible via Windows' built-in network applications (Remote Desktop etc.)?

 

I'm interested because, in the event my passwords are compromised (they can be compromised, though I'd rather not discuss how here) I'm keen to minimize the network-facing features of Windows to lower or minimise potential attack surface.

 

My overall priorities are keeping the contents of my PC and its internet activities as private as possible.



#9 Didier Stevens


Posted 02 June 2016 - 09:50 AM

NETWORK SERVICE is not a group of accounts. It's a single account.
It was introduced to be able to run Windows services without the full privileges of the SYSTEM account.
This account has minimum privileges on the local computer.



#10 Thelps


Posted 03 June 2016 - 09:43 AM

I've received advice online that Advapi can sometimes be indicative of malware on the Windows machine.

 

What is Advapi and what is it doing performing all these logons?

 

How could I go about an advanced malware scan of my Windows machine? I already run a firewall, have an AV installed, run msert.exe regularly and have a complementary anti-malware program scanning daily.

 

How could I go about limiting or preventing Windows communicating with Microsoft servers? If I am dealing with a corrupt Microsoft employee at the company then I need to find a way to prevent Microsoft knowing what's on my PC.

 

My goal is to be able to keep the contents of my PC private and my internet browsing history hidden from my ISP and hackers.



#11 Didier Stevens


Posted 04 June 2016 - 06:38 AM

Advapi32.dll is a genuine Windows dll that implements authentication functions for the Windows API. It's a critical component of Windows and its presence is not an indicator of malware. Don't try to remove it or you'll break your Windows machine.
