Windows Event Logs

Well, at least Windows has some good logging.

I'm planning to create a list of artifacts and their (real-world) use cases to better explain why you should pay attention to, and leverage, some important logs to improve your investigation and triage quality.

Refs

Location

You go to this location, compress the whole folder and take it to your DFIR machine, so here is where it lives (it's better if you have a PowerShell script ready for this, huh):

  • %SystemRoot%\System32\winevt\Logs (.evtx files; Windows Vista / Server 2008 and later)

  • %SystemRoot%\System32\config (.evt files on old systems, i.e. XP / Server 2003)

Your worst nightmare is that someone clears all these logs. The clearing itself leaves a trace, though: wiping the Security log writes Event ID 1102 ("The audit log was cleared") as the first record of the fresh log, and wiping the System log writes Event ID 104, so check for those two before anything else.
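Here is the collection script the note above asks for. It is an added example, not code from the original post: run from an elevated PowerShell prompt on the live host, it exports every channel in winevt\Logs with wevtutil (falling back to a plain file copy for archived logs that are not live channels), records SHA-256 hashes, notes whether the Security or System log has been cleared, and zips the lot. The C:\Triage destination and the folder naming are my assumptions.

```powershell
# Added example (not from the original post). Run as Administrator on the host being triaged.
# Assumption: C:\Triage is writable; point $OutRoot at a USB drive or a share if you prefer.
$OutRoot = 'C:\Triage'
$Stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$LogDir  = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$Staging = Join-Path $OutRoot "$($env:COMPUTERNAME)_$Stamp"
$Archive = "$Staging.zip"
New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# 1. Export every .evtx. On disk the channel name is encoded with %4 in place of '/', e.g.
#    Microsoft-Windows-PowerShell%4Operational.evtx -> Microsoft-Windows-PowerShell/Operational.
#    'wevtutil epl' writes a clean copy even while the EventLog service holds the file open;
#    archived logs (Archive-*.evtx) are not live channels, so those fall back to a file copy.
Get-ChildItem -Path $LogDir -Filter '*.evtx' | ForEach-Object {
    $channel = $_.BaseName -replace '%4', '/'
    $target  = Join-Path $Staging $_.Name
    & wevtutil.exe epl $channel $target 2>$null
    if (-not (Test-Path $target)) {
        Copy-Item -Path $_.FullName -Destination $target -ErrorAction SilentlyContinue
    }
}

# 2. Hash the evidence before it leaves the box so you can show it was not altered in transit.
Get-ChildItem -Path $Staging -Filter '*.evtx' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path (Join-Path $Staging 'sha256_manifest.csv') -NoTypeInformation

# 3. The worst nightmare, checked up front: 1102 = Security log cleared, 104 = System log cleared.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 20 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 20 -ErrorAction SilentlyContinue
)
if ($cleared.Count -gt 0) {
    Write-Warning "Log clearing detected ($($cleared.Count) events); see log_cleared.csv"
    $cleared | Select-Object TimeCreated, LogName, Id, Message |
        Export-Csv -Path (Join-Path $Staging 'log_cleared.csv') -NoTypeInformation
}

# 4. Zip it and hash the zip; carry both hashes with the evidence.
Compress-Archive -Path (Join-Path $Staging '*') -DestinationPath $Archive -CompressionLevel Optimal
Get-FileHash -Algorithm SHA256 -Path $Archive | Format-List Path, Hash
```

Two caveats: Compress-Archive in Windows PowerShell 5.1 cannot handle entries over 2 GB, so a fat Security.evtx may need 7-Zip or a straight folder copy instead, and every Get-WinEvent call you make here also lands in the logs you are collecting, so run the script once and note the time.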

Example of Windows Event Log Folder

1. DFIR on Windows Event Log

The log itself is a huge topic, but when I get my hands on this bad boy I tend to use my favourite tool: Chainsaw (https://github.com/WithSecureLabs/chainsaw). It runs Sigma rules (plus its own built-in rules) over the Windows event files you exported from the system.

-> It will help you detect some shit faster, but you should customise the rules for better results (and expect false positives from legitimate admin tooling).

I tend to export all the logs, but the one I've had the most success with is Microsoft-Windows-PowerShell/Operational (if you've turned on PowerShell logging and followed its best practices).

I use this tool to parse the .evtx files: https://github.com/omerbenamram/evtx (for the longest time I have relied on this tool to parse evtx; now I can do forensics on my beloved Mac). It dumps records as XML or JSON, so the exported logs can be grepped or loaded into whatever you like.

2. Important Event ID

Here is christophetd's threat-hunting mindmap for the Windows event log; it's a very good mindmap (maybe I'll refactor this post along the same lines).

2.1 Process Creation

If you ask a detection engineer which is the best data source, they'll point you at this one -> Process Creation, aka Event ID 4688, aka Sysmon Event ID 1. Don't believe me? Take a look at the picture below: roughly half of all Sigma rules are about process creation. And here is the catch: it is not enabled by default. Here is how you enable Windows process creation auditing:

  • Group Policy: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation (Success).

  • Then, or 4688 will not contain the command line at all: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events (Enabled). Be aware that this also puts any passwords passed on a command line into the Security log.

So at the most basic level you should know this event ID. But to further maximize

What other data sources to correlate with this one: Sysmon Event ID 1 (the same event with file hashes and the parent's command line), Sysmon Event ID 3 (network connections made by that process ID), and 4624 via the SubjectLogonId field, which tells you which logon session launched the process.

2.2 Powershell

You need to enable script block logging in your local (or domain) policy. There are a lot of use cases for this type of event, but most of the time you should monitor PowerShell usage that downloads files, uses encoded commands, calls out to external IP addresses, and so on. But remember this:

A lot of legitimate software also uses PowerShell scripts for all sorts of stuff, so beware of flagging this kind of behaviour blindly.

Hackers love PowerShell; if you read The DFIR Report you hardly see any intrusion that does NOT involve some kind of PowerShell usage.
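The two "enable it" steps in this post (process creation auditing for 4688 above, script block logging for 4104 here) come down to one audit subcategory and a handful of policy registry values, which is exactly what the Group Policy editor writes. The script below is an added example, not from the original post: it applies them directly, adds module logging so that 4103 shows up too, and verifies the result. On a domain-joined host a GPO will overwrite local values at the next refresh, so make the same change in the GPO.

```powershell
# Added example (not from the original post). Run as Administrator.

# --- Event ID 4688: Security log, subcategory "Process Creation" (off by default) ---
auditpol.exe /set /subcategory:"Process Creation" /success:enable

# Without this DWORD, 4688 records the image path but leaves CommandLine empty, and CommandLine
# is the field most Sigma process-creation rules match on.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# --- Event ID 4104: Microsoft-Windows-PowerShell/Operational, script block logging ---
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- Event ID 4103: module (pipeline) logging for every module ('*') ---
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# --- Verify the policy took, and that the channel itself is enabled and not tiny ---
auditpol.exe /get /subcategory:"Process Creation"
Get-ItemProperty -Path "$psPolicy\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path "$psPolicy\ModuleLogging"      | Select-Object EnableModuleLogging
wevtutil.exe gl Microsoft-Windows-PowerShell/Operational | Select-String 'enabled|maxSize'

# The PowerShell operational channel defaults to 15 MB, which a noisy attacker (or a noisy admin)
# rolls over in minutes. Raise it; 256 MB here is my choice, not a Microsoft recommendation.
wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /ms:268435456
```

The settings take effect for new PowerShell processes; sessions that were already open keep logging at the old level until they exit.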

If you have script block logging (and module logging) enabled, the event IDs, all in Microsoft-Windows-PowerShell/Operational, are:

  • Script block logged (the de-obfuscated text of every block PowerShell compiles, remote commands included) | 4104

  • Pipeline execution from the module logging facility | 4103

    • Includes the user context used to run the commands.

    • The Host Name field shows "ConsoleHost" if executed locally and "ServerRemoteHost" if run from a remote system over PowerShell remoting.

    • Correlate with account logon and logon events (4624/4648) to determine further information about the source of a remote connection.

What other data sources to correlate with this one

To make sense of it, or to create a ticket with rich information, you should know how this event ID relates to other events on the system or on the network.

  • Sysmon Event ID 3 (Network Connection): you can link the process that attempts the connection by matching the ProcessId in Sysmon Event ID 3 against the process ID of the PowerShell event.

  • Firewall log: if Sysmon isn't available, search for a new SYN packet from that host within the time range.
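Both correlation notes in this post (4688 against Sysmon 3 in the process creation section, and 4104 against Sysmon 3 here) come down to the same join: process ID plus a time window. The script below is an added example, not from the original post or from any tool it names. It reads 4688, 4104 and Sysmon 3 from the live host or from exported .evtx files, flags the patterns the post mentions (encoded commands, download cradles, shells spawned by Office or a browser), and attaches any Sysmon network connection from the same PID within ten minutes. The regexes and the window are my starting points, not rules from the page.

```powershell
# Added example (not from the original post). Save as a .ps1. Elevated prompt for the live channels,
# or pass -Security/-PowerShell/-Sysmon paths to read exported .evtx files instead.
param(
    [string]$Security   = '',   # e.g. C:\Triage\HOST_20240101_120000\Security.evtx
    [string]$PowerShell = '',   # ...\Microsoft-Windows-PowerShell%4Operational.evtx
    [string]$Sysmon     = '',   # ...\Microsoft-Windows-Sysmon%4Operational.evtx
    [int]$WindowMinutes = 10
)

# FilterHashtable for either a live channel or an exported file.
function New-Filter ([string]$LogName, [string]$Path, [int[]]$Id) {
    if ($Path) { @{ Path = $Path; Id = $Id } } else { @{ LogName = $LogName; Id = $Id } }
}
# Flatten <EventData><Data Name="..."> into a hashtable; by-name access survives the field
# reordering between OS versions that breaks positional $_.Properties[n].
function ConvertFrom-EventData ($Event) {
    $h = @{}; foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; $h
}
function Read-Events ($Filter) {
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Pid = $_.ProcessId; Data = (ConvertFrom-EventData $_) }
    }
}

# --- 4688: Office/browser spawning a script host, or any encoded PowerShell command line ---
$procs = Read-Events (New-Filter 'Security' $Security 4688) | Where-Object {
    $d = $_.Data
    ($d.ParentProcessName -match '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK|msedge|chrome|firefox)\.exe$' -and
     $d.NewProcessName    -match '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') -or
    $d.CommandLine -match '(?i)\s-e[ncodema]{0,13}\s+[A-Za-z0-9+/=]{40,}'
} | ForEach-Object {
    # 4688 stores the new PID as a hex string (0x1a2c); Sysmon stores PIDs in decimal.
    [pscustomobject]@{ Time = $_.Time; Source = '4688'; ProcPid = [int]$_.Data.NewProcessId
                       What = "$($_.Data.NewProcessName) $($_.Data.CommandLine)" }
}

# --- 4104: download cradles, base64 payloads, AMSI / Defender tampering ---
$blocks = Read-Events (New-Filter 'Microsoft-Windows-PowerShell/Operational' $PowerShell 4104) | Where-Object {
    $_.Data.ScriptBlockText -match '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression|FromBase64String|AmsiUtils|amsiInitFailed|Set-MpPreference'
} | ForEach-Object {
    # For 4104 the PID lives in the System section (Execution ProcessID), exposed as .ProcessId.
    $t = $_.Data.ScriptBlockText -replace '\s+', ' '
    [pscustomobject]@{ Time = $_.Time; Source = '4104'; ProcPid = $_.Pid
                       What = $t.Substring(0, [Math]::Min(160, $t.Length)) }
}

# --- Sysmon 3: one row per connection, PID already decimal ---
$conns = Read-Events (New-Filter 'Microsoft-Windows-Sysmon/Operational' $Sysmon 3) | ForEach-Object {
    [pscustomobject]@{ Time = $_.Time; ProcPid = [int]$_.Data.ProcessId; Image = $_.Data.Image
                       Dest = "$($_.Data.DestinationIp):$($_.Data.DestinationPort)" }
}

# --- Join on PID inside the window. Caveat: Windows reuses PIDs, so a hit only means "same PID
#     around the same time"; confirm with Image (or ProcessGuid from Sysmon 1) before writing it up.
@($procs) + @($blocks) | Sort-Object Time | ForEach-Object {
    $hit = $_
    $net = @($conns | Where-Object { $_.ProcPid -eq $hit.ProcPid -and [Math]::Abs(($_.Time - $hit.Time).TotalMinutes) -le $WindowMinutes })
    $netText = if ($net.Count) { ($net | ForEach-Object { "$($_.Dest) via $($_.Image)" }) -join '; ' } else { 'no Sysmon 3 in window; check firewall SYN logs' }
    [pscustomobject]@{ Time = $hit.Time; Source = $hit.Source; Pid = $hit.ProcPid; Network = $netText; What = $hit.What }
} | Format-Table -AutoSize -Wrap
```

One thing to expect: with script block logging on, running this script on the live host produces a 4104 whose text contains the regex itself, so the script shows up in its own output. That is a good reminder that the same applies to every admin and EDR script on the box, hence the post's warning about legitimate PowerShell.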

2.3 Authentication

After a while, the stuff I write below becomes worthless -> I should write about how these authentication events chain together into actions, rather than listing atomic event IDs like these.

---

  • Account lockout | 4740

  • Successful account logon | 4624 (many logon types; the LogonType field tells you which). Type 10 is Remote Desktop.

    • Type 2 - Interactive (console logon)

    • Type 3 - Network (file shares, WinRM, most lateral movement)

    • Type 4 - Batch (scheduled tasks)

    • Type 5 - Service

    • Type 7 - Unlock

    • Type 8 - NetworkCleartext (password sent in the clear, e.g. IIS basic authentication)

    • Type 9 - NewCredentials (RunAs with /netonly)

    • Type 10 - RemoteInteractive (RDP) -> should be monitored if it comes from an external IP address

    • Type 11 - CachedInteractive (logged on with cached domain credentials because no domain controller was reachable)

  • Failed account logon | 4625

  • Logon with explicit credentials | 4648

  • User added to a privileged group | 4728 (global group), 4732 (local group), 4756 (universal group)

  • Security-enabled local group modified | 4735

  • Password change | 4723 (user changed their own password), 4724 (password reset by another account). Note that 4742 is "a computer account was changed", not a password update.

-> Monitor who logs in to the system via Remote Desktop at an anomalous time.

More stuff about this Account Event ID:

Understand Logon Session in Windows
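A worked version of the "anomalous RDP" and lockout hints above, added here and not part of the original post: it reads 4624/4625/4648/4740 from the live Security log or from an exported Security.evtx, decodes the logon type, and prints four views: interactive/RDP/cleartext logons from non-private source addresses, type-10 logons outside business hours, source addresses with many failures together with any lockout of the accounts they hit, and explicit-credential logons where the RunAs account differs from the logged-on one. The business-hours window, the failure threshold and the private-range regex are my assumptions.

```powershell
# Added example (not from the original post). Save as a .ps1; run elevated for the live Security log,
# or pass -Path to an exported Security.evtx. Hours and threshold are assumptions; tune them.
param(
    [string]$Path = '',
    [int]$WorkStart = 8, [int]$WorkEnd = 19,      # "normal" hours in the host's local time
    [int]$FailThreshold = 10
)
$LogonType = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
                '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }
# Loopback, link-local, RFC 1918 and "-" (no network source). Anything else deserves a look.
$PrivateSrc = '^(-$|127\.|::1$|fe80:|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

# Flatten <EventData><Data Name="..."> into a hashtable so fields are read by name, not position.
function ConvertFrom-EventData ($Event) {
    $h = @{}; foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; $h
}
$filter = if ($Path) { @{ Path = $Path; Id = 4624, 4625, 4648, 4740 } } else { @{ LogName = 'Security'; Id = 4624, 4625, 4648, 4740 } }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Account = $d.TargetUserName
        Type    = if ($d.LogonType) { $LogonType[$d.LogonType] } else { '' }
        # 4740 has no IpAddress; its TargetDomainName is the caller computer that reported the lockout
        Src     = if ($_.Id -eq 4740) { $d.TargetDomainName } else { $d.IpAddress }
        Wkstn   = $d.WorkstationName
        Auth    = $d.AuthenticationPackageName
        Subject = $d.SubjectUserName        # 4648: the account that supplied the explicit credentials
        Target  = $d.TargetServerName       # 4648: where those credentials were used
    }
}

"== Interactive / RDP / cleartext logons from non-private sources =="
$events | Where-Object { $_.Id -eq 4624 -and ($_.Type -in 'Interactive', 'RemoteInteractive', 'NetworkCleartext') -and $_.Src -notmatch $PrivateSrc } |
    Format-Table Time, Account, Type, Src, Wkstn, Auth -AutoSize

"== RDP (type 10) outside ${WorkStart}:00-${WorkEnd}:00 =="
$events | Where-Object { $_.Id -eq 4624 -and $_.Type -eq 'RemoteInteractive' -and ($_.Time.Hour -lt $WorkStart -or $_.Time.Hour -ge $WorkEnd) } |
    Format-Table Time, Account, Src, Wkstn -AutoSize

"== Sources with >= $FailThreshold failed logons (4625), plus any lockout (4740) of the accounts they hit =="
$events | Where-Object { $_.Id -eq 4625 } | Group-Object Src | Where-Object Count -ge $FailThreshold | ForEach-Object {
    $accounts = $_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique
    $locked   = $events | Where-Object { $_.Id -eq 4740 -and $accounts -contains $_.Account }
    [pscustomobject]@{ Source = $_.Name; Failures = $_.Count; Accounts = $accounts -join ', '
                       LockedOut = ($locked | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', ' }
} | Format-Table -AutoSize -Wrap

"== Explicit credentials (4648) where the RunAs account differs from the one at the keyboard =="
$events | Where-Object { $_.Id -eq 4648 -and $_.Subject -ne $_.Account } |
    Format-Table Time, Subject, Account, Target, Src -AutoSize
```

Read the first view together with the AuthenticationPackageName column: an RDP logon from a public address that authenticated with NTLM rather than Kerberos or Negotiate is a different conversation from one that came through a gateway with a domain account.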

2.4 Scheduled Tasks

Most of the time the attacker will try to persist somehow (you should look it up in MITRE ATT&CK and you)

  • A new service was installed on the system | 4697 (Security; needs the Security System Extension audit subcategory). The Service Control Manager also writes 7045 to the System log for every new service with no audit policy required, so check that one as well.

  • A scheduled task was updated | 4702 (Security; the creation event is 4698, and both need the Other Object Access Events audit subcategory)

  • A user registered a Task Scheduler task | 106 (Microsoft-Windows-TaskScheduler/Operational, which may be disabled by default; turn on "Enable All Tasks History" in Task Scheduler or enable the channel with wevtutil)
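The three IDs above only tell part of the story, so here is an added example (not from the original post) that pulls them together with their neighbours: 7045 from the System log, 4697 and 4698/4702 from Security, and 106 from the Task Scheduler operational channel, normalised into one timeline. The "looks wrong" tests are my assumptions: a service binary outside the usual system paths, or a service or task action that launches a script host.

```powershell
# Added example (not from the original post). Save as a .ps1. Elevated prompt for the live logs,
# or point the -*Path parameters at exported .evtx files.
param(
    [string]$SystemPath = '', [string]$SecurityPath = '', [string]$TaskSchedPath = ''
)
function New-Filter ([string]$LogName, [string]$Path, [int[]]$Id) {
    if ($Path) { @{ Path = $Path; Id = $Id } } else { @{ LogName = $LogName; Id = $Id } }
}
function ConvertFrom-EventData ($Event) {
    $h = @{}; foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; $h
}
# Assumptions: a service image outside these roots, or any action that starts a script host, gets flagged.
$OddServicePath = '^"?(\\\?\?\\)?(?!(%SystemRoot%|%windir%|\\SystemRoot\\|System32\\|[A-Za-z]:\\Windows\\|[A-Za-z]:\\Program Files))'
$ScriptHost     = '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b|-enc|FromBase64'

# Prerequisites: without these, 4697 / 4698 / 4702 / 106 simply never appear.
auditpol.exe /get /subcategory:"Security System Extension"
auditpol.exe /get /subcategory:"Other Object Access Events"
wevtutil.exe gl Microsoft-Windows-TaskScheduler/Operational | Select-String '^enabled'

$rows = @()
# 7045 (System): ServiceName, ImagePath, ServiceType, StartType, AccountName. Always logged.
$rows += Get-WinEvent -FilterHashtable (New-Filter 'System' $SystemPath 7045) -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Id = 7045; Kind = 'service'; Name = $d.ServiceName; By = $d.AccountName
                       Action = $d.ImagePath; Flag = ($d.ImagePath -match $OddServicePath) -or ($d.ImagePath -match $ScriptHost) }
}
# 4697 (Security): same fact as 7045, but records WHO installed it (SubjectUserName).
$rows += Get-WinEvent -FilterHashtable (New-Filter 'Security' $SecurityPath 4697) -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Id = 4697; Kind = 'service'; Name = $d.ServiceName; By = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                       Action = $d.ServiceFileName; Flag = ($d.ServiceFileName -match $OddServicePath) -or ($d.ServiceFileName -match $ScriptHost) }
}
# 4698 created / 4702 updated (Security): the task definition is embedded as XML (TaskContent, or
# TaskContentNew for 4702); pull the Exec action out of it.
$rows += Get-WinEvent -FilterHashtable (New-Filter 'Security' $SecurityPath (4698, 4702)) -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    $xml = if ($d.TaskContentNew) { $d.TaskContentNew } else { $d.TaskContent }
    $action = ''
    try {
        $t  = [xml]$xml
        $ns = New-Object System.Xml.XmlNamespaceManager($t.NameTable)
        $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
        $exec = $t.SelectSingleNode('//t:Actions/t:Exec', $ns)
        if ($exec) { $action = ("$($exec.Command) $($exec.Arguments)").Trim() }
    } catch { $action = '<unparsed TaskContent>' }
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Kind = 'task'; Name = $d.TaskName; By = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                       Action = $action; Flag = ($action -match $ScriptHost) }
}
# 106 (TaskScheduler/Operational): only TaskName and UserContext, no action; join it to 4698 by name.
$rows += Get-WinEvent -FilterHashtable (New-Filter 'Microsoft-Windows-TaskScheduler/Operational' $TaskSchedPath 106) -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertFrom-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Id = 106; Kind = 'task'; Name = $d.TaskName; By = $d.UserContext; Action = ''; Flag = $false }
}

$rows | Sort-Object Time | Format-Table Time, Id, Kind, Name, By, Flag, Action -AutoSize -Wrap
"`nFlagged:"
$rows | Where-Object Flag | Sort-Object Time | Format-Table Time, Id, Name, By, Action -AutoSize -Wrap
```

If the Security-side events are missing but 7045 and 106 are present, that is the audit policy gap the prerequisites check above is pointing at, not an absence of persistence.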
