Empty Security Event Log

Printable View

January 20th, 2009, 10:53 PM
Cheap Scotch Ron

Empty Security Event Log

While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. :confused: Has anyone ever seen this before? My radar is up.

I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.

Disconnected the workstation from the network and did a complete scan with various tools. nothing. clean.

Several contractors use this workstation. None have admin privs.

Since I didnt change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.

Any comments/suggestions would be appreciated.

csr
January 21st, 2009, 01:08 PM
morganlefay

Any other groups\users in the local admin group??

Is it possible they "cracked" the local admin password?? Physical access and all :shock:

covering tracks comes to mind here

MLF
January 21st, 2009, 02:47 PM
NukEvil

Yeah, sounds like someone cracked the admin password, then erased the logs to cover their tracks. I'd disable the CD drive, floppy drive, and any bootable device (even USB)other than the harddrive. Normally, I end up taking the hardware itself out on computers issued to contractors.

Either that, or it's a simple policy violation, where someone who knew the Admin password gave it to whoever cleared the logs to hide the fact that he logged into the Admin account in the first place. Find out who gave out the password, and give that person a stern talking to. What usually happens is that someone who shouldn't have admin access probably told an admin that "I need admin access to do my job properly", and things fell apart in short order.

Oh, and change the admin password if you haven't already (which I'm sure you have).
January 21st, 2009, 02:48 PM
morganlefay

Just a thought....its not being filtered is it???

Something to check

MLF
January 21st, 2009, 02:49 PM
Cheap Scotch Ron

No. only admin in admin.

Quote:

Is it possible they "cracked" the local admin password??

That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.

I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
January 21st, 2009, 02:52 PM
morganlefay

you may have missed my post...as I think we may have been posting at the same time

The log is not being filtered is it?/

MLF
January 21st, 2009, 03:00 PM
Cheap Scotch Ron

Quote:

The log is not being filtered is it?/

No. (Didnt know you could do that. Had to research it. Cool. Could have used that in the past. Learn something new everyday! Thx).
January 21st, 2009, 03:02 PM
Cheap Scotch Ron

Quote:

Either that, or it's a simple policy violation,

I am hoping this is the issue. Easier to deal with. ;)
January 21st, 2009, 03:03 PM
morganlefay

I use it all the time to search out stuff...and some time forget to turn off the filter...

Doesnt account for the change in local policy though...

single malt morgan ;)
January 21st, 2009, 05:18 PM
SirDice

If you manually clear the security log, there will always be one message left. This says who cleared it. If that one doesn't exist either the security logs were never used or the eventlog got corrupted.
January 21st, 2009, 07:11 PM
Cheap Scotch Ron

Interesting, especially since I know they were previously enabled. Any idea how that (enabled, then empty and disabled) could be done?

With the machine on, but no LAN connectivity, I am getting audit failures...

The Windows Firewall has detected an application listening for incoming traffic.

service is svchost.exe
nothing at all in c:\windows\system32\Logfiles\W3SVC1
User Account is NETWORK SERVICE

The time of the failures as well as the port (all UDP) seem to be random (ranging from 68 - 65313).

IIS is NOT running
avast is running and checking for most of the popular P2P processes. No hits.

Found DISCover Stream Hub in the exceptions tab under windows firewall...
Beginning to think someone was playing games when they were supposed to be working.

I was hoping to find out who did this, but I dont really have the time to spend on this. Gonna need this machine back online by the weekend. Gonna re-image.

Any things to check to try to identify the varmint before I wipe it clean?
January 21st, 2009, 07:18 PM
morganlefay

http://support.microsoft.com/kb/314056

I vaguely remember some scumware that would tie itself to this service

MLF
January 21st, 2009, 09:56 PM
nihil

Hi CSR

This is probably total crap, but what are your settings for that log? Like I seem to recall you set a size and what to do when that limit is reached.

As I recall one of the options is to manually clear it?

Maybe it popped up that option with sufficient authority to do it if the (l)user clicked "yes" ????

Anyways, my personal advice is to execute 1 in 10 of them "pour encourager les autres", as my French and Belgian colleagues have advised in the past. :D
January 21st, 2009, 10:07 PM
Cheap Scotch Ron

Set to "Overwrite events older than 14 days.". I run a weekly grep every weekend and squirrel the results away for "awhile". I dont like the size limit. You could blow a reasonable size limit with a single brute force attack.

Yeah, I would like to use the manually clear option, but I'm too lazy to log in to each machine to reset them. :p Hence the weekly grep and 14day rewrite.

Based on the DLL I found running, I am pretty sure I know who the varmint is. Waiting til she shows up on Friday. The trial will be quick. The execution painless (for me). In the meantime, I am sharpening the guillotine.

"Off with her head" :fpissed:
January 22nd, 2009, 09:12 PM
westin

Quote:

Originally Posted by Cheap Scotch Ron

No. only admin in admin.

That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.

I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".

There are tools floating around that you burn to a cd, then boot off of it, and you can reset the local passwords. No bruteforcing necessary.

So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??

Edit:

Didn't read the rest of the posts before posting... :-P
January 23rd, 2009, 04:19 AM
Cheap Scotch Ron

Yes, I have winternals erd commander. Very useful.

However, as you noted, it only allows you to change the password, not crack it. The password was not changed. Water under the bridge at this point. I re-imaged it and lost all forensic data. I did however confront the suspected varmint. She came clean. She's gone.

Thanks for the post.

csr