Security Event ID 538 will show who logged in with IPC$

The following event vector is from the following scenario, I using my own
user account (w/domain admin privledges) used computer managment MMC to
connect to another local computer on same domain. I then opened the Event
Viewer and copied the information you see (with some trunication) from the
target computer. The copied information is my tracks in the event viewer log
file.

Open File	Accessed By	Type	# Locks	Open Mode
\PIPE\srvsvc	SBLANKENSHIP	Windows	0	Write+Read
\PIPE\svcctl	SBLANKENSHIP	Windows	0	Write+Read
C:\WINDOWS\system32\msaudite.dll	SBLANKENSHIP	Windows	0	Read
C:\WINDOWS\system32\netevent.dll	SBLANKENSHIP	Windows	0	Read


To do:

Take Windows XP/2000 box with clean log files.
Attack the box and record your observations from the log files.

attacks:
	null-ipc$
	auth-ipc$
	net use c$
	computer management connection
	sc \\victim servicename start|install|stop
	anonymous share enumeration
	sid2user.exe and user2sid.exe

Once observations and analysis are complete, create methodology
for auditing these events and make it very simple.