I'd like to be able to proactively watch for these events in the security
logs of about 50 computers in one domain.

This product looks good:

http://www.eventlogxp.com/

Can anyone recommend it or a competitor?


On Thu, Oct 30, 2008 at 4:59 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:

> I agree, but rootkits can hide the true intention of what is going on in
> the system and subvert anything you are seeing in the GUI or logs, and
> it's going to be pretty hard to tell what is legit and what isn't when
> you have a kernel rootkit on your system. Albeit there might be a
> few tell-tale signs. If it's been compromised, incident response
> measures should be put in place: the system quarantined, wiped and
> rebuilt from trusted media.
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2008 7:46 PM
> To: NT System Admin Issues
> Subject: RE: Unknown account created and added to local admins group
>
> Let's not get carried away with talk of a "rootkit" here.
>
> It could be a compromise. But rootkits are there to change the behaviour
> of the Windows kernel (hence "root" kit). For all we know, this is just
> a process running as LocalSystem (e.g. any number of services) that
> performed the changes. Still looks like a compromise.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Phil Brutsche [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 30 October 2008 6:17 AM
> > To: NT System Admin Issues
> > Subject: Re: Unknown account created and added to local admins group
> >
> > I bet that's what the event log would look like if a rootkit running as
> > SYSTEM added local administrator accounts...
> >
> > Clubber Lang wrote:
> > > Thanks, James. Yeah, the user was the same for all events: NT
> > > AUTHORITY\SYSTEM
> > >
> > > 624 - User Account Created - 9:19:13 AM
> > > 626 - User Account Enabled - 9:19:13 AM
> > > 642 - User Account Changed - 9:19:13 AM
> > > 628 - User Account Password Set - 9:19:13 AM
> > > 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> > > 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> > > 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> > > 630 - User Account Deleted - 9:21:28 AM
> >
> > --
> >
> > Phil Brutsche
> > [EMAIL PROTECTED]
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

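As an added example (not part of the thread above, and not the product it links to), the following Python sketch shows the kind of correlation a monitoring tool for the poster's 50 machines has to do: group account-lifecycle events per computer and target account, and flag an account that is created and added to a security-enabled local group, or created and deleted again, within a short window, escalating when the subject is the SYSTEM account as in the events quoted above. The tab-separated export format and the sample lines are constructed for the example; the event IDs are the Windows 2000/2003 ones listed in the thread (on Vista and later the equivalents are 4720, 4732 and 4726).

```python
"""Correlate account-lifecycle events exported from several machines' Security logs.

Added example, not code from the original thread.  The input is a constructed
export with one tab-separated line per event:
    computer <TAB> time (ISO 8601) <TAB> event ID <TAB> subject <TAB> target account
Event IDs are the Windows 2000/2003 ones from the thread: 624 account created,
636 member added to a security-enabled local group, 637 member removed,
630 account deleted (Vista+: 4720, 4732, 4733, 4726).
"""
from collections import defaultdict
from datetime import datetime, timedelta

CREATED, GROUP_ADD, GROUP_REMOVE, DELETED = 624, 636, 637, 630

# Constructed sample export: the create -> add to local group -> remove -> delete
# sequence from the thread on WKS01, plus ordinary helpdesk activity elsewhere.
SAMPLE_EXPORT = """\
WKS01\t2008-10-29T09:19:13\t624\tNT AUTHORITY\\SYSTEM\tsvcbackup
WKS01\t2008-10-29T09:19:13\t626\tNT AUTHORITY\\SYSTEM\tsvcbackup
WKS01\t2008-10-29T09:19:14\t636\tNT AUTHORITY\\SYSTEM\tsvcbackup
WKS01\t2008-10-29T09:21:28\t637\tNT AUTHORITY\\SYSTEM\tsvcbackup
WKS01\t2008-10-29T09:21:28\t630\tNT AUTHORITY\\SYSTEM\tsvcbackup
WKS02\t2008-10-29T10:02:00\t624\tCORP\\helpdesk1\tjdoe
WKS03\t2008-10-29T11:15:40\t642\tCORP\\helpdesk1\tasmith
"""


def parse_export(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        computer, ts, eid, subject, target = line.split("\t")
        events.append({
            "computer": computer,
            "time": datetime.fromisoformat(ts),
            "id": int(eid),
            "subject": subject,
            "target": target,
        })
    return events


def _seen_within(evs, event_id, start, window):
    """True if an event with `event_id` occurs in [start, start + window]."""
    return any(e["id"] == event_id and timedelta(0) <= e["time"] - start <= window
               for e in evs)


def correlate(events, window=timedelta(minutes=5)):
    """Return one alert per (computer, account) whose lifecycle looks suspicious.

    Rule "created-then-group-add": 624 followed by 636 within `window`,
        i.e. a brand-new account immediately given local group membership.
    Rule "created-then-deleted": 624 followed by 630 within `window`,
        i.e. a short-lived account that is cleaned up after use.
    Severity is "high" when the subject was the SYSTEM account, which is
    what the thread's poster observed, and "medium" otherwise.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["computer"], ev["target"])].append(ev)

    alerts = []
    for (computer, account), evs in sorted(by_key.items()):
        evs.sort(key=lambda e: e["time"])
        created = [e for e in evs if e["id"] == CREATED]
        if not created:
            continue  # only account creations start a lifecycle of interest
        t0 = created[0]["time"]
        reasons = []
        if _seen_within(evs, GROUP_ADD, t0, window):
            reasons.append("created-then-group-add")
        if _seen_within(evs, DELETED, t0, window):
            reasons.append("created-then-deleted")
        if not reasons:
            continue
        subject = created[0]["subject"]
        alerts.append({
            "computer": computer,
            "account": account,
            "subject": subject,
            "first_seen": t0.isoformat(),
            "reasons": reasons,
            "severity": "high" if subject.upper().endswith("\\SYSTEM") else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_export(SAMPLE_EXPORT)):
        print(alert)
```

On a real deployment the export would be fed by whatever collector is chosen; the point of the sketch is that a single event ID on its own (the helpdesk creating `jdoe`) should not page anyone, while the same ID in a tight create/add/delete sequence under SYSTEM should.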