@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

Active Directory and ADTimeline(2)

Note: I translated the Japanese into English using Google Translate.
Thank you, Google.

Summary:

  • I created an Alice account, added it to the Domain Admins group, and confirmed it on the timeline.
  • Next, I created a Bob account and logged on to the domain, but I could not confirm it in the timeline. (Note: since Bob does not have high privileges, he is not displayed in ADTimeline. You can display Bob in the timeline by using the $groupscustom definition.)

----------

[Note] Please be aware that the verification method may not be sufficient.

Continuing from last week, I would like to check what can be investigated by using ADTimeline.

I newly built an Active Directory environment with two DCs (DC1 and DC2) and one client (PC1).

First, I created users Alice and Bob.

DC1: 2/11/2019 7:05:45 AM EID 4720 A user account was created. (Alice)
DC2: 2/11/2019 7:05:45 AM EID 4720 A user account was created. (Bob)

When I checked the DC1 and DC2 timelines, I found a record related to the Alice account, but I could not find one related to the Bob account. Interesting.


Next, I added the Alice account to the Domain Admins group.

DC1: 2/11/2019 7:08:50 AM EID 4728 A member was added to a security-enabled global group. (Alice ⇒ Domain Admins)

In the timeline, there is a record related to the Domain Admins group and the "adminCount" of the Alice account.


ftimeLastOriginatingChange : 2019-02-11T07:08:50Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : Domain Admins
dwVersion : 1
WhenCreated : 2019-01-20 19:20:35Z
Member : CN=alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-11T07:08:50Z
ftimeDeleted : 1601-01-01T00:00:00Z
SID : S-1-5-21-1490397982-2793378994-64436834-512
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 36964
usnLocalChange : 36964

ftimeDeleted and ftimeCreated are described in a Microsoft blog post:

ftimeDeleted: the time the member was removed (equal to 0 if the object is currently still a member).
ftimeCreated: the time when the member was added for the first time.
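The two definitions above are enough to turn a member-link record into a plain statement of whether the link is live. The following is an added example (not from the original post and not ADTimeline's own code): it parses the Format-List style "Key : Value" output shown above, re-joins the pszLastOriginatingDsaDN line that console wrapping split in two, and treats an ftimeDeleted of 1601-01-01T00:00:00Z (the FILETIME zero) as "still a member". The record text is constructed from the Domain Admins entry above; the parser's handling of wrapped lines is an assumption about how that output is laid out.

```python
"""Interpret an ADTimeline member-link record via ftimeCreated / ftimeDeleted.

Added example, not part of the original post or of the ADTimeline project.
RECORD is constructed from the Domain Admins entry quoted above; the parser
and the sentinel handling are assumptions about the Format-List style output.
"""
import re
from datetime import datetime, timezone

# FILETIME zero: an ftimeDeleted of 1601-01-01 means the link was never
# removed, i.e. the object is still a member.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample, including the pszLastOriginatingDsaDN line wrapped
# across two lines exactly as it appears in copied console output.
RECORD = """\
ftimeLastOriginatingChange : 2019-02-11T07:08:50Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
Member : CN=alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-11T07:08:50Z
ftimeDeleted : 1601-01-01T00:00:00Z
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=example,DC=local
usnOriginatingChange : 36964
"""

KEY_LINE = re.compile(r"^(\w+) :\s?(.*)$")


def parse_record(text):
    """Parse 'Key : Value' lines; a line that is not a key line continues the previous value."""
    fields = {}
    last_key = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            last_key = m.group(1)
            fields[last_key] = m.group(2).strip()
        elif last_key is not None and line.strip():
            # Console wrapping split a long DN across lines; glue it back together.
            fields[last_key] += line.strip()
    return fields


def parse_time(value):
    """ADTimeline prints UTC timestamps as YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def membership_state(record):
    """Describe a member link: still present (and since when), or removed (and when)."""
    created = parse_time(record["ftimeCreated"])
    deleted = parse_time(record["ftimeDeleted"])
    member, group = record["Member"], record["Name"]
    if deleted == FILETIME_EPOCH:
        return f"{member} is a current member of {group} (added {created.isoformat()})"
    return (f"{member} was removed from {group} at {deleted.isoformat()} "
            f"(first added {created.isoformat()})")


if __name__ == "__main__":
    rec = parse_record(RECORD)
    print(rec["pszLastOriginatingDsaDN"])
    print(membership_state(rec))
```

The removed-member branch matters for the investigation case the post is building toward: a link whose ftimeDeleted is set still appears in the replication metadata, so a short-lived Domain Admins membership leaves a trace even after it has been cleaned up.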

 

Next, I logged on to PC1 with the Alice account.

DC2: 2/11/2019 10:57:19 AM EID 4624 An account was successfully logged on. (Alice)

On the timeline, there is a record related to the "lastLogonTimestamp" of the Alice account.


ftimeLastOriginatingChange : 2019-02-11T10:57:19Z
Name : alice
pszAttributeName : lastLogonTimestamp
ObjectClass : user
DN : CN=alice,CN=Users,DC=example,DC=local
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : alice
dwVersion : 1
WhenCreated : 2019-02-11 07:05:45Z
Member :
ftimeCreated :
ftimeDeleted :
SID : S-1-5-21-1490397982-2793378994-64436834-1104
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 37098
usnLocalChange : 37098

On DC1 and DC2, I checked the properties of the Alice account (Get-ADUser -identity alice -property *).

Since lastLogon is not replicated, its value differs between the two DCs, while lastLogonTimestamp is the same on both.

DC1

lastLogon : 131943562397419196
LastLogonDate : 2/11/2019 10:57:19 AM
lastLogonTimestamp : 131943562397419196

DC2

lastLogon : 131943562396367072
LastLogonDate : 2/11/2019 10:57:19 AM
lastLogonTimestamp : 131943562397419196

The values output to ADobjects.xml created by ADTimeline are as follows.

lastLogon : 131943562397419196
lastLogonTimestamp : 131943562397419196
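The raw values above are Windows FILETIME integers (100-nanosecond ticks since 1601-01-01 UTC). The following is an added example, not from the original post, that converts them and compares the per-DC snapshots: it confirms the replicated lastLogonTimestamp decodes to 10:57:19 UTC, identifies which DC's non-replicated lastLogon equals the replicated value, and measures how far the two DCs' lastLogon values are apart. The snapshot dictionaries are a constructed stand-in for Get-ADUser output from each DC, filled with the values quoted in this post (Bob's lastLogon on DC1 is not shown in the post, so it is left as None).

```python
"""Convert AD FILETIME values and compare lastLogon across domain controllers.

Added example, not part of the original post or of ADTimeline. SNAPSHOTS is
constructed from the Get-ADUser values quoted in the post for Alice and Bob.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_iso_seconds(ft):
    """Render a FILETIME with second precision, matching ADTimeline's 'Z' format."""
    return filetime_to_datetime(ft).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed snapshots built from the values quoted in the post.
# lastLogon is per-DC (not replicated); lastLogonTimestamp is replicated.
SNAPSHOTS = {
    "alice": {
        "DC1": {"lastLogon": 131943562397419196, "lastLogonTimestamp": 131943562397419196},
        "DC2": {"lastLogon": 131943562396367072, "lastLogonTimestamp": 131943562397419196},
    },
    "bob": {
        # Bob's lastLogon on DC1 is not shown in the post.
        "DC1": {"lastLogon": None, "lastLogonTimestamp": 131943563590742494},
        "DC2": {"lastLogon": 131943563590742494, "lastLogonTimestamp": 131943563590742494},
    },
}


def compare_logons(per_dc):
    """Summarise one account's logon attributes across DCs.

    Returns the replicated lastLogonTimestamp (ISO, seconds), the DC(s) whose
    own lastLogon equals it, the spread in milliseconds between the per-DC
    lastLogon values that are known, and each known lastLogon rendered as ISO.
    """
    ts_values = {v["lastLogonTimestamp"] for v in per_dc.values()}
    if len(ts_values) != 1:
        raise ValueError("lastLogonTimestamp differs between DCs; replication has not converged")
    replicated = ts_values.pop()
    logons = {dc: v["lastLogon"] for dc, v in per_dc.items() if v["lastLogon"] is not None}
    origin = sorted(dc for dc, ft in logons.items() if ft == replicated)
    spread_ms = (max(logons.values()) - min(logons.values())) / 10_000 if logons else 0.0
    return {
        "lastLogonTimestamp": filetime_to_iso_seconds(replicated),
        "originating_dc": origin,
        "lastLogon_spread_ms": spread_ms,
        "lastLogon_by_dc": {dc: filetime_to_iso_seconds(ft) for dc, ft in logons.items()},
    }


if __name__ == "__main__":
    for account, per_dc in SNAPSHOTS.items():
        print(account, compare_logons(per_dc))
```

For Alice the two lastLogon values differ by about 105 ms, both within the same second, and DC1's lastLogon is the one that equals the replicated lastLogonTimestamp, which is consistent with the pszLastOriginatingDsaDN of DC1 in the timeline record above. The ValueError path is the check to keep when comparing DCs in an incident: a differing lastLogonTimestamp means you are looking at a replication lag, not two different logons.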

 

Next, I will also check the Bob account. (The Bob account does not have high privileges.)

The Bob account logs on to the domain. Bob's logon can be confirmed in the security logs of both DC1 and DC2.

However, I could not find a record related to the Bob account in the timeline. I searched for Bob in ADobjects.xml, but it did not exist there either.

(ADD: I was testing without understanding that ADTimeline targets high-privilege objects. Bob does not have high privileges, so he is not displayed on the timeline.)


Just to be sure, I checked the properties of Bob on DC1 and DC2. lastLogonTimestamp indicates the time Bob logged on (2/11/2019 10:59:19 AM).

DC1

LastLogonDate : 2/11/2019 10:59:19 AM
lastLogonTimestamp : 131943563590742494

DC2

lastLogon : 131943563590742494
LastLogonDate : 2/11/2019 10:59:19 AM
lastLogonTimestamp : 131943563590742494

It is interesting that Bob's logon does not appear on the timeline.


The timeline and event log created this time can be downloaded from here.

<add>

I could display Bob in the timeline by defining the "Domain Users" group in "$groupscustom".

$groupscustom = "Domain Users"


(I had not read all of README.md. Someone told me about it via DM. Thank you! ;-)

</add>

 

PS

lastLogonTimestamp is not updated in real time; it seems it can lag behind the actual logon by up to 14 days.

blogs.technet.microsoft.com

 

I will continue testing.

Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC

Reference URL:

blogs.technet.microsoft.com

blogs.technet.microsoft.com
