Paths
Event logs and Event Trace Logs:
C:\Windows\System32\config\*.evt (legacy .evt format, pre-Vista)
C:\Windows\System32\winevt\Logs\*.evtx
C:\Windows\System32\LogFiles\WMI\*
C:\Windows\System32\SleepStudy\*
C:\Windows\System32\WDI\LogFiles\*.etl
C:\Windows\System32\WDI\{*}\*
Event Viewer
Question: how could an attacker delete entries from the Event Viewer, and what level of access would they need?
To configure what is being logged and what is ignored, set up the appropriate policies in the Local Security Policy snap-in (secpol.msc) under Security Settings > Local Policies > Audit Policy. Config example:
- Audit account logon events - success + failure
- Audit account management - success + failure
- Audit logon events - success + failure
- Audit object access - failure only (too many successes would be generated)
- Audit privilege use - success + failure
- Audit system events - success + failure
This might chew up lots of disk space, so be careful. I might try this config to look for network events I could not see before.
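The same policy as above applied from the command line, as an added example (not part of the original notes). It uses auditpol.exe, which is what secpol.msc drives underneath, then verifies the result and enlarges the Security log so the extra volume is not overwritten. The 1 GiB size is an assumption; run it from an elevated PowerShell, and note that on a domain-joined host a GPO audit setting will override whatever you set locally.

```powershell
# Added example: apply the audit policy listed above with auditpol.exe, verify it,
# and give the Security log room to grow. Run elevated. Category names are auditpol's own.

$auditPolicy = @{
    'Account Logon'      = @{ Success = $true;  Failure = $true }
    'Account Management' = @{ Success = $true;  Failure = $true }
    'Logon/Logoff'       = @{ Success = $true;  Failure = $true }
    'Object Access'      = @{ Success = $false; Failure = $true }   # successes are too noisy
    'Privilege Use'      = @{ Success = $true;  Failure = $true }
    'System'             = @{ Success = $true;  Failure = $true }
}

foreach ($category in $auditPolicy.Keys) {
    $setting = $auditPolicy[$category]
    $success = if ($setting.Success) { 'enable' } else { 'disable' }
    $failure = if ($setting.Failure) { 'enable' } else { 'disable' }
    auditpol.exe /set /category:"$category" /success:$success /failure:$failure | Out-Null
}

# Show the resulting policy for every category and subcategory
auditpol.exe /get /category:*

# Raise the Security log maximum size to 1 GiB (assumed value) so events are not rolled over
wevtutil.exe sl Security /ms:1073741824
```

Subcategory-level control (for example "Logon" vs "Logoff" vs "Special Logon") is available through `auditpol /set /subcategory:"..."`, which is what Advanced Audit Policy Configuration in secpol.msc exposes; once advanced policy is in use, the legacy category settings above are ignored.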
BTFM
Event Log Explorer
Has a free version for non-commercial use. Allows creating lots of filters and has a GUI.
EvtxECmd
Eric Zimmerman's EvtxECmd tool. Console tool that can export the result to a CSV file. This CSV can then be loaded into Timeline Explorer for further analysis.
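An added example of the EvtxECmd workflow (not from the original notes): parse the whole winevt\Logs folder into one CSV, then do a quick triage of that CSV in PowerShell before handing it to Timeline Explorer. It assumes EvtxECmd.exe is in the current directory, that the output folder C:\Cases\case01\evtx is where you want the results, and that the CSV carries EvtxECmd's standard columns (TimeCreated, Channel, EventId, MapDescription, UserName, RemoteHost, PayloadData1). Run elevated so the live logs are readable.

```powershell
# Added example: EvtxECmd export followed by a CSV triage in PowerShell.
# Assumes .\EvtxECmd.exe exists and C:\Cases\case01\evtx is the desired output folder.

$logDir  = 'C:\Windows\System32\winevt\Logs'
$outDir  = 'C:\Cases\case01\evtx'
$csvName = 'all_logs.csv'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# -d: directory of .evtx files, --csv: output folder, --csvf: output file name
& .\EvtxECmd.exe -d $logDir --csv $outDir --csvf $csvName

$events = Import-Csv (Join-Path $outDir $csvName)

# Which channel/Event ID pairs dominate? Decides what to filter out first.
$events | Group-Object Channel, EventId | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name

# Keep only IDs worth a first look (logons, privileged logon, service installs,
# account creation/lockout, log clearing) in one time-ordered table.
$interesting = '4624','4625','4648','4672','4697','4720','4740','1102','7045'
$events | Where-Object { $interesting -contains $_.EventId } |
    Sort-Object { [datetime]$_.TimeCreated } |
    Select-Object TimeCreated, Channel, EventId, MapDescription, UserName, RemoteHost, PayloadData1 |
    Export-Csv (Join-Path $outDir 'triage.csv') -NoTypeInformation
```

The MapDescription and PayloadData columns are filled in from EvtxECmd's map files, so keep them updated (`EvtxECmd.exe --sync`) or those columns will be empty for newer event types.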
Chainsaw
Is a CLI tool that ships with predefined rules to search for interesting events. Can digest a lot of event logs at a time and produce a single output. For a usage example refer to the Blog section (Cybercorp1, Jan 2022).
Kansa
.\Modules\Log\Get-LogWinEvent.ps1 security | Out-GridView
Sysmon
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Multiple hashes can be used at the same time.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Includes a session GUID in each event to allow correlation of events on same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Logs opens for raw read access of disks and volumes.
- Optionally logs network connections, including each connection's source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Automatically reloads the configuration if it is changed in the registry.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
Sysmon event IDs are 1-26, plus 255 (error).
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
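An added example (not from the original notes or from Sysinternals) of a minimal Sysmon configuration that exercises the capabilities listed above: two hash algorithms at once, network connection logging, include/exclude rule filtering, file-creation-time changes and process tampering (ID 25). The install/update commands assume Sysmon64.exe is in the current directory and that you run elevated. The schema version 4.81 matches Sysmon 14.x; check yours with `Sysmon64.exe -s` and adjust, because Sysmon refuses a schema newer than it knows.

```powershell
# Added example: a small Sysmon configuration plus install/update commands.
# Assumes .\Sysmon64.exe is present; schema 4.81 is for Sysmon 14.x.

$config = @'
<Sysmon schemaversion="4.81">
  <!-- Hash process images with two algorithms at once -->
  <HashAlgorithms>sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process creation except one known-noisy image -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 2: file creation time changes, except those made by the browser -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Image condition="image">chrome.exe</Image>
      </FileCreateTime>
    </RuleGroup>
    <!-- Event ID 3: network connections are off unless configured; log all but loopback -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 25: process tampering (hollowing, herpaderping); empty exclude = log everything -->
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:TEMP 'sysmon-config.xml'
Set-Content -Path $configPath -Value $config -Encoding UTF8

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    # Already installed: push the new configuration; Sysmon stores it in the registry and reloads it
    & .\Sysmon64.exe -accepteula -c $configPath
} else {
    # Fresh install with this configuration
    & .\Sysmon64.exe -accepteula -i $configPath
}

# Events land in the Microsoft-Windows-Sysmon/Operational channel
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -Wrap
```

Start with exclude rules like these and tune them against real noise on the host before adding include rules; an include rule with no matching entry silently drops everything for that event type.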
System Logs.
Security Logs.
Application Logs. Not generally useful for IR.
Codes
Processes
25
Sysmon. Process tampering: the process image was changed after creation (process hollowing, process herpaderping).
User Activity
4624
Security. Successful logon. Type 2 = interactive (console), Type 3 = network, Type 10 = RDP. Keep in mind that the DWM (Desktop Window Manager) and UMFD (User Mode Font Driver Host) virtual accounts also produce Type 2 events; filter them out (DWM|UMFD + RegEx + Exclude in the Event Log Explorer filter). Logged on the machine being logged on to, for local and domain accounts alike.
4625
Security. Failed logon attempt.
4634
Security. User logged off.
4648
Security. Logon attempted with explicit credentials (runas, net use /user:).
4672
Security. Special privileges assigned to a new logon (admin-equivalent accounts). Can be used to check account privileges.
4771
Security. Kerberos pre-authentication failed (wrong password for a domain account; logged on the DC).
4772
Security. Kerberos authentication ticket (TGT) request failed.
4773
Security. Kerberos service ticket request failed.
4774
Security. An account was mapped for logon.
4775
Security. An account could not be mapped for logon.
4776
Security. NTLM credential validation (the computer attempted to validate the credentials for an account). On a workstation or member server this is local account authentication, not involving a DC; on a DC it covers domain accounts that authenticate with NTLM. On a member machine, authentication attempts other than those of local users are suspicious by default. You can filter by the machine/domain-specific portion of the SID to exclude all built-in accounts.
4777
Security. The domain controller failed to validate the credentials for an account.
4778
Security. Session reconnected to a Window Station (RDP reconnect, fast user switching). Check for the matching 4624 Type 10.
4800
Security. Workstation locked.
4802
Security. Screen saver invoked.
4803
Security. Screen saver dismissed.
4717
Security. System security access (logon right) granted to an account.
4718
Security. System security access removed from an account.
4720
Security. User account created.
4722
Security. User account enabled.
4723
Security. Attempt to change an account's password (the old password is required).
4724
Security. Attempt to reset an account's password (administrative reset, old password not required).
4725
Security. User account disabled.
4726
Security. User account deleted.
4740
Security. User account locked out.
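The 4624 filtering described above done in PowerShell instead of Event Log Explorer, as an added example (not from the original notes): decode the EventData fields by name, drop the DWM-*/UMFD-* virtual accounts and machine accounts, and pivot on logon type. The seven-day window and the 5000-event cap are assumptions; reading the Security log needs an elevated session.

```powershell
# Added example: Security 4624 triage with logon-type decoding and noise exclusion.
# Assumes an elevated session; window and event cap are arbitrary defaults.

# Logon type numbers as Windows defines them (the ones that usually matter in IR)
$logonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (SMB, WMI, PsExec...)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext (basic auth)'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function Get-Logon4624 {
    param([int]$MaxEvents = 5000, [datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -MaxEvents $MaxEvents |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data>; index it by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = [int]$data.LogonType
                Description = $logonTypes[[int]$data.LogonType]
                User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonId     = $data.TargetLogonId   # join key to 4634/4647/4672 of the same session
                SourceIp    = $data.IpAddress
                Process     = $data.ProcessName
            }
        } |
        # Drop Desktop Window Manager / Font Driver Host virtual accounts and machine accounts (name ends in $)
        Where-Object { $_.User -notmatch '\\(DWM|UMFD)-\d+$' -and $_.User -notlike '*$' }
}

# Interactive and RDP logons in the window, newest first
Get-Logon4624 | Where-Object { $_.LogonType -in 2, 10 } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Network logons (Type 3) per account: a first pivot for lateral movement
Get-Logon4624 | Where-Object LogonType -eq 3 |
    Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
```

Keep TargetLogonId: the same hex value appears in the 4672 (special privileges) and 4634/4647 (logoff) events of that session, which is how you reconstruct how long an administrator-level session lived.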
Lateral Movement
4697
Security. New service installed. Only logged when the Security System Extension audit subcategory is enabled.
5140
Security. A network share object was accessed (share mounted, e.g. ADMIN$, C$, IPC$).
5142 - 5145
Security. Network share added (5142), modified (5143), deleted (5144), checked for access (5145: per-file detail, very noisy). Note that 5141 is a directory service object deletion, not a share event.
7045
System. Service installed. Logged by default, unlike 4697. Services started with user credentials are suspicious.
Anti-Forensics
1102
Security. The audit log was cleared. Records which user cleared the Security log (SID, account name, domain, logon ID).
104
System. A log file was cleared. Records which log (channel) was cleared and by whom.
Clearing the Security log requires the Manage auditing and security log right (SeSecurityPrivilege), held by Administrators by default; clearing other logs requires clear access in that channel's ACL, again Administrators by default. The Event Log API has no call to delete individual records, so an attacker either clears a whole log, which itself produces 1102 or 104, or tampers with the .evtx file on disk (which requires stopping or bypassing the EventLog service).
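A detection for the two clearing events above, as an added example (not from the original notes): collect 1102 from Security and 104 from System, pull the acting user and channel out of the event properties, and cross-check the logs' oldest record numbers, which restart from 1 after a clear. The 30-day window is an assumption; run elevated.

```powershell
# Added example: who cleared which log, and does the record numbering agree?
# Assumes an elevated session; the 30-day window is arbitrary.

function Get-LogClearEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 1102 UserData order: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = 'Security/1102'
                User    = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
                Sid     = $_.Properties[0].Value
                Channel = 'Security'
            }
        }

    $system = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; ProviderName = 'Microsoft-Windows-Eventlog'; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 104 UserData order: SubjectUserName, SubjectDomainName, Channel, BackupPath
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = 'System/104'
                User    = "$($_.Properties[1].Value)\$($_.Properties[0].Value)"
                Sid     = $null
                Channel = $_.Properties[2].Value
            }
        }

    @($security) + @($system) | Sort-Object Time
}

Get-LogClearEvents | Format-Table -AutoSize

# A cleared log restarts its record numbers. An OldestRecordNumber of 1 on a host that has been
# up for months, or a first record that is itself a 1102, puts a timestamp on the wipe.
Get-WinEvent -ListLog Security, System | Select-Object LogName, RecordCount, OldestRecordNumber
```

If 1102 exists but 104 does not (or the reverse), the attacker cleared only one channel; if neither exists and the record numbers still restart, look for the EventLog service having been stopped (System 7036 for the EventLog service) or the .evtx file being replaced on disk.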
USB
6416
Security. A new external device was recognized by the system (Plug and Play audit; requires the Audit PNP Activity subcategory).
20001
20002
Microsoft-Windows-DriverFrameworks-UserMode/Operational. User-mode driver installation for the device.
Exercise
I've set up my lab as vaguely described here. Then, I've logged into the user sherlock account. Now, I want to see this event in the Event Viewer. Most probably, it's in the Security or System logs. I have wrong time settings on both machines, but I don't think it's a problem for now. I've noticed some logons of type 3 in the logs, but the user is not specified. I don't quite remember which ID the network logon type has. I think it's 4…
No, logon type 3 is the network logon. Weird. It happens very often.
Since there is no SID shown, I suspect that it might be a system account.
Sorting took some time, and I have noticed that logon events have these IDs: 4624, 4634, 4625, 4648. Now I am going to filter by these IDs and revert to sorting by date and time. Nothing was found. I've cleared the IDs, leaving just the user name. The filter returned no results either.
However, I've also noticed that even though no username was specified (N/A), the PC name was mentioned: SHERLOCKPC$. Using this to filter the logs resulted in null results. I tried SHERLOCKPC as well - nothing.
Some packet was blocked.
Clear the log. Then try logging in several times with the wrong password. Then log in with the correct one. Observe the logs. Well, it seems that Logon and Logoff events are not initiated by the user. So the login attempts are actually Kerberos Authentication Service events. Now it makes more sense. Let's filter by this event (4768 - success and 4771 - failure). After successful authentication, we have Kerberos Service Ticket Operations (4769). And now I have it!
I've now triggered several authentication failures and one authentication success. And there it is. I have 2 events 4771 (failures), then one event 4768 (success), followed by three events 4769. Why three?
Every minute 4624 and 4634 events are created, meaning a new session is created. It seems that every time I do something in my user account, the events 4624 and 4634 appear in the logs. Or just every minute.
Let's go to the user PC (sherlock) and see its logs. It says that access was denied (either the query is too long or the daemon is not running). Of course, the first thing to do was to check whether the service is really running, but it was. So the problem was something else. Query too long? I don't think so, since I have not created any views so far. I tried to clear the logs, but failed. Maybe it's because the DC is shut down, or because the user doesn't have the rights to do so. The only way to check that is to turn on the DC.
Can't find the event ID that is associated with this activity. I thought 5152 was, but then I saw it appeared on its own.
However, the System log had one interesting entry. But failing again has not triggered it.
References
https://cybersecuritynews.com/windows-event-log-analysis/