Authentication Events
Description: Authentication mechanisms.
Location:
- C:\Windows\System32\winevt\logs\Security.evtx
Notes: Authentication mechanisms related to NTLM and Kerberos protocols:
Event ID Codes for NTLM:
- Event ID: 4776 - Successful/Failed account authentication.
Event ID Codes for Kerberos:
- Event ID: 4768 - Ticket Granting Ticket was granted. (Successful Logon)
- Event ID: 4769 - Service Ticket requested. (Access to Server Resource)
- Event ID: 4771 - Pre-authentication failed. (Failed Logon)
Analysis: NTLM and Kerberos are the primary authentication protocols utilized in a Windows
envirornment. NTLM is a challenge-response-based authentication protocol used by Windows computers that are
not members of an Active Directory domain. Kerberos is a ticket-based authentication protocol used by
Windows computers that are members of an Active Directory domain. For some more reading material that deep
dives on the subject, I'd recommend this blog post from Ultimate Windows
Security.
We can use Windows native Event Viewer application for analyzing .evtx files. On a Windows client,
double-clicking an .evtx file will automatically open the log inside of the Saved Logs
folder in Event Viewer.
To filter for a specific event, select Filter Current Log... to pull up a dialog box with
filtering option and input the Event ID you'd like to isolate.
I don't currently have any examples of Kerberos authentication that I can showcase for reference, but I'm
working on setting up a small Windows environment for an upcoming Windows Forensics workshop and should be
able to capture client/server communications from that enviornment once it's up and running.