Interpreting File and Other Object Access Events

At this point in the compromise, our attacker has created a new user account and placed that user in the Domain Admins group. She is now ready to attempt to find and gain access to the secret documents stored on our file server. The next place for us to see the trail left by this attempt is in the object access audit category of events.

The object access audit category (as discussed in Chapter 12) allows administrators to configure the Security event logs to record access (either successful or failed) to various objects on the system. An object is just about anything the operating system is aware of, but for auditing purposes, this category generally focuses on objects such ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with O’Reilly online learning.