Event Log

Created: 12.10.2020

Paths

Event logs and Event Trace Logs: C:\Windows\system32\

  • config\*.evt (legacy .evt format, pre-Vista)
  • winevt\Logs\*.evtx (current .evtx format, what Event Viewer reads)
  • LogFiles\WMI\* (.etl trace logs)
  • SleepStudy\*

C:\Windows\system32\WDI (Windows Diagnostic Infrastructure)

  • LogFiles\*.etl
  • {GUID}\* (trace sessions in GUID-named subfolders)

Event Viewer 🌈

❓How could an attacker delete entries from the Event Viewer and what level of access would they need?

To configure what is logged and what is ignored, set the audit policies in secpol.msc (Security Settings > Local Policies > Audit Policy). Config example:

  1. Audit account logon events - success + failure
  2. Audit account management - success + failure
  3. Audit logon events - success + failure
  4. Audit object access - failure only (too many successes would be generated)
  5. Audit privilege use - success + failure
  6. Audit system events - success + failure

This might chew up lots of disk space, so be careful: raise the Security log size at the same time, otherwise the oldest events are overwritten. I might try these configs to look for network events I could not see before.
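The same six settings applied from an elevated PowerShell prompt with auditpol, plus the checks worth doing afterwards. This is an added example, not part of the original notes; the category names are the built-in auditpol categories on an English Windows, and the 1 GiB log size is an assumption for illustration.

```powershell
# Added example. Legacy top-level audit categories matching the secpol.msc list above.
# Category/subcategory names are locale-dependent; on a non-English OS use the GUIDs
# shown by 'auditpol /list /subcategory:* /v' instead.
$fullCategories = @('Account Logon', 'Account Management', 'Logon/Logoff', 'Privilege Use', 'System')
foreach ($c in $fullCategories) {
    auditpol.exe /set /category:"$c" /success:enable /failure:enable | Out-Null
}

# Object Access: failures only at category level, as the notes suggest ...
auditpol.exe /set /category:"Object Access" /success:disable /failure:enable | Out-Null
# ... but keep the share-access subcategories fully on, since 5140 / 5145 come from here
# and are useful for lateral-movement hunting.
auditpol.exe /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Detailed File Share" /success:disable /failure:enable | Out-Null

# The Security log fills quickly with this policy: grow it to 1 GiB (assumed size) so it
# is not overwritten before you get to it.
wevtutil.exe sl Security /ms:1073741824

# Checks: effective policy and current log size/retention.
auditpol.exe /get /category:*
wevtutil.exe gl Security
```

Subcategory settings only take effect when "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled (it is by default on current Windows); if the /get output does not match what you set, check that policy first.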

📘 BTFM

Event Log Explorer

Has a free version for non-commercial use. Allows creating lots of filters and has a GUI.

EvtxECmd

Eric Zimmerman's EvtxECmd tool. Console tool that can export the parsed events to a CSV file. This CSV can then be loaded into Timeline Explorer for further analysis.

Chainsaw

CLI tool that ships with predefined (Sigma-style) rules to search for interesting events. Can digest a lot of event logs at a time and produce a single output. For a usage example refer to the Blog section (Cybercorp1, calendar 📅 Jan 2022).

Kansa

.\Modules\Log\Get-LogWinEvent.ps1 security | Out-GridView

Sysmon

Sysmon includes the following capabilities:

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Multiple hashes can be used at the same time.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events on same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Automatically reload configuration if changed in the registry.
  • Rule filtering to include or exclude certain events dynamically.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

Event IDs 1-26 (25 = process tampering), plus 255 (Sysmon error). They land in Microsoft-Windows-Sysmon/Operational, not in the Security log.
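A minimal Sysmon configuration that exercises the capabilities listed above (two hash algorithms, opt-in network connection logging, file-time-change detection and include/exclude rule filtering), written out and applied with the Sysmon command line. This is an added example, not from the original notes or from the Sysinternals documentation; the schema version, the temp path and the excluded image names are assumptions for illustration.

```powershell
# Added example. Check the schema your binary supports first: Sysmon64.exe -s
$config = @'
<Sysmon schemaversion="4.50">
  <!-- Two hashes per image so you can pivot on either in intel feeds (IMPHASH survives recompiles) -->
  <HashAlgorithms>sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (process create): an event type with only 'exclude' rules logs everything
         except the matches, so this keeps all process creations but the noisiest indexer -->
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">\SearchProtocolHost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3 (network connect): not logged unless a rule exists; log all but the browser -->
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">\msedge.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 2 (file creation time changed): 'include' means ONLY matches are logged -->
    <RuleGroup name="FileCreateTime" groupRelation="or">
      <FileCreateTime onmatch="include">
        <TargetFilename condition="contains">\Users\</TargetFilename>
      </FileCreateTime>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$path = Join-Path $env:TEMP 'sysmon-config.xml'   # assumed location
Set-Content -Path $path -Value $config -Encoding UTF8

# Fresh install, or push the new rules into the already running service
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & Sysmon64.exe -c $path
} else {
    & Sysmon64.exe -accepteula -i $path
}

# Checks: dump the effective config and confirm the channel exists and is growing
& Sysmon64.exe -c
Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' | Select-Object LogName, RecordCount, FileSize
```

The include/exclude semantics are the thing people get wrong: an empty `onmatch="exclude"` section logs everything for that event type, an empty `onmatch="include"` section logs nothing, and an event type with no rules at all uses the built-in default (on for process create and file time change, off for network connections).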

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

System Logs. Service installs (7045), driver and device activity, log clearing (104).

Security Logs. Logon/logoff, account management, Kerberos/NTLM authentication, object and share access; most of it only appears if the audit policy above is set.

Application Logs. Not generally useful for IR.

Codes

Processes

  • 25 - Sysmon (not a Windows log). Process tampering: the process image was changed after creation (process hollowing / herpaderping).

User Activity (Security log unless stated otherwise)

  • 4624 - Successful logon. Logon type 2 = interactive (console), 3 = network, 10 = RemoteInteractive (RDP). DWM (Desktop Window Manager) and UMFD (User Mode Font Driver host) virtual accounts also produce type 2 logons; filter them out (Event Log Explorer: regex DWM|UMFD + Exclude). Logged on the machine where the session is created, for both local and domain accounts; the domain controller's side of a domain logon shows up as Kerberos events (4768/4769) instead.
  • 4625 - Failed logon attempt. The Status / Sub Status fields say why (bad password, unknown user, disabled account, ...).
  • 4634 - An account was logged off.
  • 4648 - A logon was attempted using explicit credentials (runas, scheduled tasks, lateral movement with alternate credentials).
  • 4672 - Special privileges assigned to a new logon. Can be used to check which logons received admin-level privileges.
  • 4771 - Kerberos pre-authentication failed (logged on the DC; the usual "wrong password" for a domain account).
  • 4772 - A Kerberos authentication ticket (TGT) request failed.
  • 4773 - A Kerberos service ticket request failed.
  • 4774 - An account was mapped for logon.
  • 4775 - An account could not be mapped for logon.
  • 4776 - The computer attempted to validate the credentials for an account (NTLM). On a workstation this is local account authentication, meaning no DC is involved, so authentication attempts other than those of local users are suspicious by default. You can filter on the part of the account or workstation name that is unique to the machine to exclude all built-in accounts.
  • 4777 - The domain controller failed to validate the credentials for an account.
  • 4778 - A session was reconnected to a Window Station (RDP reconnect). Check for the matching 4624 type 10.
  • 4800 - The workstation was locked.
  • 4802 - The screen saver was invoked.
  • 4803 - The screen saver was dismissed.

Account management (Security log)

  • 4717 - System security access was granted to an account (logon right added).
  • 4718 - System security access was removed from an account.
  • 4720 - A user account was created.
  • 4722 - A user account was enabled.
  • 4723 - An attempt was made to change an account's password (by the user).
  • 4724 - An attempt was made to reset an account's password (by an admin).
  • 4725 - A user account was disabled.
  • 4726 - A user account was deleted.
  • 4740 - A user account was locked out.

Lateral Movement

  • 4697 - Security. A service was installed in the system (needs the "Security System Extension" audit subcategory).
  • 5140 - Security. A network share object was accessed (share mounted).
  • 5142-5145 - Security. Share added / modified / deleted / detailed share access check (5145 carries the relative path and access mask and is very noisy; 5141 is a directory service object deletion, not a share event).
  • 7045 - System. A service was installed. Logged by default, no audit policy needed. Services started with user credentials are suspicious.

Anti-Forensics

  • 1102 - Security. The audit log was cleared; records which user cleared it.
  • 104 - System. Logs which log was cleared 🥶 and the account that cleared it.

USB

  • 6416 - Security. A new external device was recognized by the system (needs the "Plug and Play Events" audit subcategory).
  • 20001 / 20002 - System (UserPnp). Driver installation for a newly connected device; the message carries the device instance ID (vendor/product ID).

Exercise

I've set up my lab as vaguely described here. Then, I've logged into the user sherlock account. Now, I want to see this event in the Event Viewer. Most probably, it's the Security or System logs. I have wrong time settings on both machines, but I don't think it's a problem for now. I've noticed some Logon events of type 3 in the logs, but the user is not specified. I don't quite remember which id the network logon type has. I think it's 4… .

No, logon type 3 is the network logon. Weird. It happens very often.

Since there is no SID shown, I suspect that might be a system account.

Sorting took some time, and I have noticed that Logon events have these IDs: 4624, 4634, 4625, 4648. Now I am going to filter by these IDs and revert to sorting by date and time. Nothing was found. I've cleared the IDs, leaving just the user name. The filter returned no results as well.

However, I've also noticed that even though no username was specified (N/A), the PC name was mentioned: SHERLOCKPC$. Using this to filter the logs returned no results. Tried SHERLOCKPC as well - nothing.

Some packet was blocked.

Clear the log. Then try logging in several times with the wrong password. Then log in with the correct one. Observe the logs. Well, it seems that the Logon and Logoff events are not initiated by the user. So, the login attempts are actually Kerberos Authentication Service events. Now it makes more sense. Let's filter by these events (4768 - success and 4771 - failure). After successful authentication, we have Kerberos Service Ticket Operations (4769). And now I have it!

I've now triggered several authentication failures and one authentication success. And there it is. I have 2 events 4771 (failures), then one event 4768 (success), followed by three events 4769. Why three?

Every minute 4624 and 4634 events are created, meaning a new session is created. It seems that every time I do something in my user account, the events 4624 and 4634 emerge in the logs. Or just every minute.

Let's go to the user PC (sherlock) and see his logs. It says that access was denied (either the query is too long or the daemon is not running). Of course, the first thing to do was to check whether the service is really running, but it was. So, the problem was something else. Query too long? Don't think so, since I have not created any views so far. I tried to clear the logs, but failed. Maybe it's because the DC is shut down, or because the user doesn't have the rights to do so. The only way to check that is to turn on the DC.

Can't find the event id that is associated with this activity. Thought 5152 was, but then I saw it appeared on its own.

However, the System logs had one interesting entry. But failing again has not triggered it.
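The queries behind the Codes table and the exercise above, as an added example rather than anything from the original notes: one helper that flattens an event's EventData into an object, a 4624 view with the DWM/UMFD noise removed, the 4771 / 4768 / 4769 sequence for one account as seen on the domain controller, and the 1102 / 104 log-clear check. Function names, the 24-hour window and the default logon types are my assumptions; run it elevated on the host whose logs you want (workstation for 4624, DC for the Kerberos events).

```powershell
# Added example, not the notes' own code. Requires an elevated session for the Security log.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Flatten an event's <EventData><Data Name="..."> fields into one object.
# (1102 / 104 keep their details in <UserData> instead, so they are handled separately below.)
function ConvertTo-EventData {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $row = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $row[$d.Name] = $d.'#text' } }
        [pscustomobject]$row
    }
}

# 4624 on the local machine, minus the DWM-n / UMFD-n virtual accounts the notes mention
# and minus machine accounts (names ending in $). Defaults to the "a human sat down" types.
function Get-InteractiveLogons {
    param([int]$Hours = 24, [int[]]$Types = @(2, 7, 10, 11))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ConvertTo-EventData |
        Where-Object {
            [int]$_.LogonType -in $Types -and
            $_.TargetUserName -notmatch '^(DWM|UMFD)-\d+$' -and
            $_.TargetUserName -notlike '*$'
        } |
        Select-Object TimeCreated, TargetDomainName, TargetUserName,
            @{ n = 'LogonType'; e = { '{0} ({1})' -f $_.LogonType, $LogonTypeName[[int]$_.LogonType] } },
            IpAddress, WorkstationName, LogonProcessName
}

# On the DC: the sequence worked out in the exercise, 4771 (pre-auth failed) -> 4768 (TGT) -> 4769
# (service tickets), for one account. 4769 stores the user as user@REALM, hence the wildcard.
function Get-KerberosTimeline {
    param([Parameter(Mandatory)][string]$User, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4771; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ConvertTo-EventData |
        Where-Object { $_.TargetUserName -like "$User*" } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ n = 'What'; e = { switch ($_.Id) { 4771 { 'pre-auth FAILED' } 4768 { 'TGT request' } 4769 { 'service ticket' } } } },
            TargetUserName, ServiceName, IpAddress, Status
}

# Anti-forensics: 1102 (Security log cleared, records the user) and 104 (System log, says which
# log was cleared). Both keep their fields under <UserData><LogFileCleared>.
function Get-LogClearEvents {
    @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -ErrorAction SilentlyContinue
    ) | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id,
            @{ n = 'Account'; e = { $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared; '{0}\{1}' -f $u.SubjectDomainName, $u.SubjectUserName } },
            @{ n = 'Detail';  e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage
Get-InteractiveLogons -Hours 48 | Format-Table -AutoSize
Get-KerberosTimeline -User 'sherlock' | Format-Table -AutoSize
Get-LogClearEvents | Format-Table -AutoSize
```

Note the 3-vs-10 distinction when reading the first function's output: an RDP session gives a 4624 type 10 (plus 4778 on reconnect), while a mapped share or PsExec-style access against the box only gives type 3, which is why the exercise saw so many type 3 events with no interactive user behind them.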

References

📚 https://cybersecuritynews.com/windows-event-log-analysis/