First, basic operations on the Windows security log on a domain controller
1. Open PowerShell or cmd and run:
gpedit.msc
This opens the Group Policy editor; this is where account security policy (account lockout and audit policy) is configured.
2. Open Control Panel -> System and Security -> Event Viewer -> Windows Logs -> Security:
Hopefully the log retention is long enough that the period you need is still in the log.
Use the filter (Filter Current Log) to narrow down the events:
Audit Failure is the most commonly filtered keyword, but Audit Success is just as useful: once you have pinned down the time of the intrusion, the successful logons in that window tell you which account was used.
Second, scenario analysis:
2.1 A domain account gets locked out:
Cause: it could be malware, a script or scheduled task that still runs under that account name with a stale password, or an attacker brute-forcing the account.
Tracing approach: look for event ID 4740, which marks the account lockout. With luck its details (the caller computer name) point straight at the IP or process that is causing the lockouts. At minimum it gives you the exact lockout time; from there, backtrack to the preceding Audit Failure logon events (ID 4625) to find the source IP or host name, and then investigate that IP or host.
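The 4740 -> 4625 backtrace described above, as an added PowerShell example (not code from the original article). It assumes it is run on the domain controller with rights to read the Security log; the account name and the look-back window are placeholder parameters.

```powershell
# Added example: trace an account lockout (4740) back to the failed logons (4625) that
# preceded it. Assumes it runs on the domain controller with rights to read the Security
# log. $Account and $LookBackMinutes are assumed placeholder values, not from the article.
param(
    [string]$Account = 'LOCKED_USER',   # placeholder: the locked-out account name
    [int]$LookBackMinutes = 30          # how far before the lockout to look for 4625 events
)

# Read a named field from the event's EventData by name, independent of field order.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Most recent lockout event for this account (Get-WinEvent returns newest first).
$lockout = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction Stop |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account } |
    Select-Object -First 1
if (-not $lockout) { Write-Warning "No 4740 event found for $Account"; return }

# In 4740 the TargetDomainName field carries the caller computer name, i.e. the host
# that submitted the bad credentials; when populated it is the quickest lead.
"Locked out at {0} from caller computer '{1}'" -f $lockout.TimeCreated, (Get-EventField $lockout 'TargetDomainName')

# 2. Backtrace: 4625 failures for the same account in the window before the lockout,
#    grouped by source IP, workstation and failure sub-status.
$failures = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625
        StartTime = $lockout.TimeCreated.AddMinutes(-$LookBackMinutes); EndTime = $lockout.TimeCreated
    } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            SourceIP    = Get-EventField $_ 'IpAddress'
            Workstation = Get-EventField $_ 'WorkstationName'
            LogonType   = Get-EventField $_ 'LogonType'
            SubStatus   = Get-EventField $_ 'SubStatus'   # 0xC000006A wrong password, 0xC0000064 no such user
        }
    }

$failures | Group-Object SourceIP, Workstation, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

The top row of the table is the source to investigate next; a run of 0xC000006A from a single workstation usually means a stale credential, while many user names from one IP points at spraying.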
############################################################ Background notes ############################################################
@1. Log format:
Most deployments here run the Chinese edition of Windows, so there is no language barrier in reading the log; the fields to pay attention to are the following (especially those highlighted in red):
(1) Event ID: this is of course the filter condition, e.g. 4625
(2) Keywords: Audit Success or Audit Failure (also a common filter condition; the English edition shows Success / Failure)
(3) User: very important
(4) Computer name and description
(5) Subject: account name, account domain, logon ID and logon type (logon types are expanded below)
(6) Account for which logon failed: account name and domain (compare these against the locked-out account for consistency)
(7) Failure reason / sub-status: 0xC0000064 = user name does not exist; 0xC000006A = user name correct but wrong password (the two most common)
(8) Process information, network information, etc.
@2. Logon types:
Type 2 Interactive: logon at the local console or via KVM
Type 3 Network: connecting to shared folders, shared printers, IIS, and so on
Type 4 Batch: Windows scheduled task runs
Type 5 Service: service start-up
Type 7 Unlock: unlocking a locked workstation or screen saver (unlock-class logons)
Type 8 NetworkCleartext: IIS Basic authentication and ADVAPI
Type 9 NewCredentials: runas with /netonly
Type 10 RemoteInteractive: RDP, Remote Assistance and the like
Type 11 CachedInteractive: logon with cached domain credentials
############################################################ Background notes ############################################################
2.2 You know the host was compromised in a certain time window; check which accounts logged on during that window
Tracing approach: find the audit log events for that time window and trace the source IP. Once you have the account that logged on from that IP, what do you check next? Its PowerShell command history:
1. Get-History: view the command history
2. Clear-History: clears a single command (or all commands) from the history
3. Invoke-History: runs a command from the history
4. Add-History: adds a command to the history
# netstat on Windows: view processes, ports and connection state: "XXX"
Analysis of the Windows security log in a domain-controlled scenario: auditing authentication behaviour and command history