This artifact will extract condensed information on logon / logoff events.
Security channel - EventIDs in 4624, 4625, 4634, 4647, 4648, 4672, 4778, 4779, 4800, 4801, 4802, and 4803.
Exclude by default events related to:
Inspired from work by Brian Maloney and @0x47617279.
Thanks to Mike Cohen (scudette) for its help optimizing the query.
name: Windows.EventLogs.CondensedAccountUsage
description: |
This artifact will extract condensed information on logon / logoff events.
Security channel - EventIDs in 4624, 4625, 4634, 4647, 4648, 4672, 4778,
4779, 4800, 4801, 4802, and 4803.
Exclude by default events related to:
- UserName egal to SYSTEM, ANONYMOUS LOGON, LOCAL SERVICE, NETWORK
SERVICE, or %ComputerName%$.
- Domain egal to NT AUTHORITY, Font Driver Host, or Window Manager.
Inspired from work by Brian Maloney and @0x47617279.
Thanks to Mike Cohen (scudette) for its help optimizing the query.
author: Thomas DIOT (Qazeer)
type: CLIENT
parameters:
- name: SecurityEvtx
default: '%SystemRoot%\System32\Winevt\Logs\Security.evtx'
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET DomainNameLookup <= dict(
`4624` = 'TargetDomainName',
`4625` = 'TargetDomainName',
`4634` = 'TargetDomainName',
`4647` = 'TargetDomainName',
`4648` = 'SubjectDomainName',
`4672` = 'SubjectDomainName',
`4778` = 'AccountDomain',
`4779` = 'AccountDomain',
`4800` = 'TargetDomainName',
`4801` = 'TargetDomainName',
`4802` = 'TargetDomainName',
`4803` = 'TargetDomainName')
LET UserNameLookup <= dict(
`4624` = 'TargetUserName',
`4625` = 'TargetUserName',
`4634` = 'TargetUserName',
`4647` = 'TargetUserName',
`4648` = 'SubjectUserName',
`4672` = 'SubjectUserName',
`4778` = 'AccountName',
`4779` = 'AccountName',
`4800` = 'TargetUserName',
`4801` = 'TargetUserName',
`4802` = 'TargetUserName',
`4803` = 'TargetUserName')
LET LogonIdLookup <= dict(
`4624` = 'TargetLogonId',
`4625` = '-',
`4634` = 'TargetLogonId',
`4647` = 'TargetLogonId',
`4648` = 'SubjectLogonId',
`4672` = 'SubjectLogonId',
`4778` = 'LogonID',
`4779` = 'LogonID',
`4800` = 'TargetLogonId',
`4801` = 'TargetLogonId',
`4802` = 'TargetLogonId',
`4803` = 'TargetLogonId')
LET LogonDescriptionLookup <= dict(
`4624` = 'ACCOUNT_LOGGED_ON',
`4625` = 'ACCOUNT_FAILED_TO_LOGON',
`4634` = 'ACCOUNT_LOGGED_OFF',
`4647` = 'ACCOUNT_INITITATED_LOGOFF',
`4648` = 'LOGON_ATTEMPT_EXPLICIT_CREDENTIALS',
`4672` = 'PRIVILEGED_LOGON',
`4778` = 'SESSION_RECONNECTED',
`4779` = 'SESSION_DISCONNECTED',
`4800` = 'WORKSATION_LOCKED',
`4801` = 'WORKSATION_UNLOCKED',
`4802` = 'SCREENSAVER_INVOKED',
`4803` = 'SCREENSAVER_DISMISSED')
LET LogonTypeLookup <= dict(
`0` = 'SYSTEM_LOGON',
`2` = 'INTERACTIVE_LOGON',
`3` = 'NETWORK_LOGON',
`4` = 'BATCH_LOGON',
`5` = 'SERVICE_LOGON',
`7` = 'UNLOCK_LOGON',
`8` = 'NETWORK_CLEARTEXT_LOGON',
`9` = 'NEW_CREDENTIALS',
`10` = 'REMOTE_INTERACTIVE_LOGON',
`11` = 'CACHED_INTERACTIVE_LOGON',
`12` = 'CACHED_REMOTE_INTERACTIVE_LOGON',
`13` = 'CACHED_UNLOCK_LOGON')
SELECT
timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime,
System.Computer as Computer,
System.EventID.Value as EventID,
get(item=LogonDescriptionLookup,
member=str(str=System.EventID.Value)) as Description,
get(item=EventData,
member=get(item=DomainNameLookup,
member=str(str=System.EventID.Value))) AS DomainName,
get(item=EventData,
member=get(item=UserNameLookup,
member=str(str=System.EventID.Value))) AS UserName,
get(item=EventData,
member=get(item=LogonIdLookup,
member=str(str=System.EventID.Value))) AS LogonId,
if(condition= System.EventID.Value = 4648,
then= join(array=[EventData.TargetDomainName,
EventData.TargetUserName],
sep='\\'),
else= '-') as CredentialsUsedFor4648,
if(condition= EventData.LogonType,
then= EventData.LogonType,
else= '-') as LogonType,
if(condition= EventData.LogonType,
then= get(item=LogonTypeLookup,
member=str(str=EventData.LogonType)),
else= '-') as LogonTypeDescription,
if(condition= EventData.AuthenticationPackageName,
then= EventData.AuthenticationPackageName,
else= '-' ) as AuthenticationPackageName,
if(condition= EventData.IpAddress,
then= EventData.IpAddress,
else= if(condition= EventData.ClientAddress,
then= EventData.ClientAddress,
else= '-')) as IpAddress,
if(condition= EventData.WorkstationName,
then= EventData.WorkstationName,
else= if(condition= EventData.ClientName,
then= EventData.ClientName,
else= '-')) as ClientName
FROM parse_evtx(filename=expand(path=SecurityEvtx))
WHERE System.Provider.Name =~ "Security-Auditing"
AND System.EventID.Value in (4624, 4625, 4634, 4647, 4648, 4672, 4778, 4779, 4800, 4801, 4802, 4803)
AND NOT UserName =~ '^(SYSTEM|ANONYMOUS LOGON|LOCAL SERVICE|NETWORK SERVICE)$'
AND NOT UserName = expand(path='%ComputerName%$')
AND NOT DomainName =~ '^(NT AUTHORITY|FONT DRIVER HOST|WINDOW MANAGER)$'