Audit Access to C$

Hi Guys, a customer asked me for a visibility about who is accessing C$ on his environment, users were claiming about admins that are using domain admins privileges to access c$ on client computers. What this customer asked for is a daily report about who is accessing c$. Using Event forwarding and PowerShell we were able to have a daily email with the information we need. If you are interested follow the steps 😉.

  • Enable audit on client computers.
  • Configure Event forwarding to centralize logs on a server.
  • Script to treat events on the WEF server and send a daily csv file about who is accessing c$ on which computer.

I- Enable Audit on client computers

We will enable auditing on the client computers scope using a GPO. let’s do it.

Create and link a GPO on your target OU, LabComputers OU in my scenario.


Edit the GPO and configure the policy setting Computer Configuration –> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration –> Audit Policies –> Object Access –> Audit File Share.


We configured the setting to audit success access to shares, at this point we will have an event 5140 each time a user access to a share on client computers, in our situation we are tracking c$ access.



II- Configure Event forwarding to centralize logs on a server.

1. We need to add Network Service to Event log Readers built-in group on the client computers. Let’s do it using group policy.

Create and link a GPO on your target OU. LabComputers on my scenario


We edit the GPO, Computer Configuration –> Windows Settings –> Security Settings –> Restricted Groups. Add the group Event log Readers and put Network Service as member of this group.


2. Create a subscription on the Windows Event forwarding Server. (MEM01 in my scenario)

Open Event Viewer

Click on Subscription and then Click Yes.


Right click on Subscription and select Create Subscription…

Enter a friendly name.

Select Source computer initiated and click on Select Computer Groups.


Click on Add Domain Computers.


Type Domain Computers

Click OK Twice.

Click on Select Events…


Select XML tab


Select Edit Query Manually and click Yes.


Paste the below XML filter and click OK.

<QueryList>
<Query Id=”0″ Path=”Security”>
<Select Path=”Security”>
*[System[band(Keywords,9007199254740992) and (EventID=5140)]]
and
*[EventData[Data[@Name=”ShareName”] and     (Data=”\\*\C$”)]]
</Select>
</Query>
</QueryList>

 

Click Advanced…


Select Minimize Latency.

Click OK twice.

Subscription created.



3. Configure Event Forwarding Group Policy.

Create a GPO and configure the policy setting: Configure target Subscription Manager



Enable the policy and click on Show…



Enter the URI of the event forwarder server. In my scenario MEM01.


After application of GPO on client computers (Restart is needed), events related to c$ access will be forwarded to MEM01.



III- Script to treat events on the WEF server and send a daily email

On C:\ we create a script named script1.ps1, the content of script below.

######## Begin #########################################

$FileName = Get-Date

$FileName = $FileName.ToShortDateString().Replace(‘/’,’-‘)

$FileName = “ShareAcess-” + $FileName + “.csv”

$Date = (Get-Date).AddDays(-1)

$Events = Get-WinEvent -FilterHashtable @{ LogName=’ForwardedEvents’; StartTime=$Date; Id=’5140′ }

If ($Events -ne $null)

{

Add-Content -Value “ClientComputer,TimeCreated,TargetUserName,TargetDomainName,IpAddress,ShareName” -Path C:\$FileName

ForEach ($Event in $Events) {

$eventXML = [xml]$Event.ToXml()

$clientComputer = $Event.MachineName

$TimeCreated = $Event.TimeCreated

$SubjectUserName = $eventXML.Event.EventData.Data[1].’#text’

$SubjectDomainName = $eventXML.Event.EventData.Data[2].’#text’

$IpAddress = $eventXML.Event.EventData.Data[5].’#text’

$ShareName = $eventXML.Event.EventData.Data[7].’#text’

Add-Content -Value “$clientComputer,$TimeCreated,$SubjectUserName,$SubjectDomainName,$IpAddress,$ShareName” -Path C:\$FileName

}

Send-MailMessage -Attachments C:\$FileName -From “Audit@lab.dz” -To “ITSecurity@lab.dz” -Body “Attention! Please find attached a CSV file with Share Users Access” -Subject “Share Audit Access” -SmtpServer exch.lab.dz -Port 25

}

########## END #######################################


Then we create a scheduled task to run the previous script daily

Scheduled task triggered every day at 9:00 AM as an example.


The action on the scheduled task to run the PowerShell script

if a user accessed c$ on a computer (in the scope) on the last 24 h, the ITsecurity team will receive an email with a csv attached. csv template below


By reading the first line of the csv file, the user tahri accessed c$ on MEM03 from a computer with IP address 10.0.0.10 😉

Thanks for reading 😊.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.