
🤔 Analysis Tips and Cheatsheets

🤔 How Do I Investigate Logon Events?

Windows

Event Logs

There is a fine line between logon and account logon events, and the difference is more than one word. A logon event is recorded on the system where the session is created, i.e. the machine that wants to talk; an account logon event is recorded on the server or remote system that validates the credentials our machine presents. Both are user authentication and logon records in the Security log; start with Event ID 4624 (successful logon).

Most events are logged on the target machine, but you can also see them on the source machine. That happens when the user authenticates locally against the SAM database (NTLM); in that case you will see EID 4776 (NTLM credentials used for logon) for both successful and failed logons.

🤔 How Do I Spot Brute-Force Activity?

Windows

Event Logs

There will be no shortage of 4625 events (failed logon) in the logs. Since this kind of attack most likely arrives over the network, the logon type will be 3 (often SMB or RDP). Give those events a once-over and you can tell whether you are up against a password spray (many accounts, a few attempts each) or an attack on a single account (many attempts against one account).
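As an added example (not part of the original cheatsheet), the Python below parses constructed 4624/4625 message text in the Security log's "Label: value" layout and applies the once-over described above: it groups logon-type-3 failures by source address, separates a password spray (many accounts, few attempts each) from a single-account attack, and reports any flagged source that then produced a successful type-3 logon. The thresholds, addresses and account names are all made up for the example, and the message layout is simplified to one Account Name per event.

```python
"""Triage of 4624/4625 logon events from the Windows Security log.

All sample data below is constructed for the example; the message layout
mimics the "Label:<tabs>value" lines of real Security-log messages but is
simplified to one Account Name per event.
"""
import re
from collections import defaultdict

# Labels we extract from the message text of a 4624/4625 event.
FIELD_RE = re.compile(
    r"^\s*(Logon Type|Account Name|Source Network Address):\s*(\S.*?)\s*$",
    re.MULTILINE,
)


def render(event_id, logon_type, account, ip):
    """Build a (event_id, message) pair in the constructed sample layout."""
    head = ("An account was successfully logged on." if event_id == 4624
            else "An account failed to log on.")
    message = (f"{head}\n\tLogon Type:\t\t{logon_type}\n"
               f"\tAccount Name:\t\t{account}\n"
               f"\tSource Network Address:\t{ip}")
    return event_id, message


def parse_message(event_id, message):
    """Pull the fields the triage needs out of a rendered event message."""
    fields = dict(FIELD_RE.findall(message))
    return {
        "event_id": event_id,
        "logon_type": int(fields.get("Logon Type", "0")),
        # Account names are case-insensitive in Windows; normalise for counting.
        "account": fields.get("Account Name", "").lower(),
        "source_ip": fields.get("Source Network Address", "-"),
    }


def classify_failed_logons(events, min_attempts=5, spray_accounts=3):
    """Group network (logon type 3) 4625 events by source address.

    A source with >= min_attempts failures is 'password_spray' when it touched
    at least spray_accounts distinct accounts, otherwise 'single_account';
    fewer failures than min_attempts is 'noise'. Thresholds are illustrative.
    """
    per_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            per_source[e["source_ip"]].append(e["account"])
    verdicts = {}
    for ip, accounts in per_source.items():
        if len(accounts) < min_attempts:
            verdicts[ip] = "noise"
        elif len(set(accounts)) >= spray_accounts:
            verdicts[ip] = "password_spray"
        else:
            verdicts[ip] = "single_account"
    return verdicts


def successes_from_flagged_sources(events, verdicts):
    """Return (source_ip, account) pairs where a flagged source also produced
    a type-3 4624: a brute force that appears to have succeeded."""
    flagged = {ip for ip, v in verdicts.items() if v != "noise"}
    return sorted({(e["source_ip"], e["account"]) for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 3
                   and e["source_ip"] in flagged})


# Constructed sample: one source hammering Administrator, one spraying five
# accounts, one source with a couple of typos, a local (type 2) failure that
# must be ignored, and a final success from the hammering source.
RAW_EVENTS = (
    [render(4625, 3, "Administrator", "10.0.0.5")] * 6
    + [render(4625, 3, name, "10.0.0.9")
       for name in ("alice", "bob", "carol", "dave", "erin")]
    + [render(4625, 3, "jdoe", "10.0.0.7")] * 2
    + [render(4625, 2, "jdoe", "-")]
    + [render(4624, 3, "Administrator", "10.0.0.5")]
)


def triage(raw_events=RAW_EVENTS):
    """Parse the raw events, classify sources, and list successes from flagged ones."""
    events = [parse_message(eid, msg) for eid, msg in raw_events]
    verdicts = classify_failed_logons(events)
    hits = successes_from_flagged_sources(events, verdicts)
    return verdicts, hits


if __name__ == "__main__":
    verdicts, hits = triage()
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:<12} {verdict}")
    for ip, account in hits:
        print(f"successful type-3 logon from flagged source {ip} as {account}")
```

On a real host the `(event_id, message)` pairs would come from an export of the Security log rather than from `render`; only the parsing and grouping logic is the point here, and the local type-2 failure is deliberately left out of the verdicts because the passage is about network brute force.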

🤔 How Do I Spot Injections?

Windows

Sysmon logs: Event ID 25 (process tampering).
