Windows Event Logging Fundamentals For Incident Response

This document discusses using Windows event logging for incident response. It recommends configuring advanced audit policies and maximizing event log storage. Specific event IDs are highlighted that can detect ransomware, phishing, password spraying and APT activity. Examples of using event logs to monitor account management, directory services access, logon/logoffs, object access, system changes, PowerShell activity and detect anti-forensics tactics are provided. The document stresses log aggregation and security monitoring of event logs for threat hunting.


Windows Event Logging

Fundamentals for Incident Response


About Me
• Robert Knapp
– Incident Response Consultant
@ Rapid7
– 5 years of security monitoring
and IR experience
– Blue Team Evangelist
Why Me?
– I’ve put in the time so you don’t have to (put in as much)
– Basic logging best practices are being ignored
– Have heard every excuse as to why logging isn’t occurring
– New analysts need guidance
• What do I need to care about and why?
Detection Through Event Logging
• Ransomware
• Phishing
• Password Spraying
• Advanced Persistent Threats (APT)
• BONUS – Operational Wins!
Windows Advanced Audit Policy
• Introduced in Server 2008 R2/Windows 7
– 9 categories containing 59 sub-categories of audit policies
– AuditPol /get /category:*
• Dumps current audit policy configuration to screen
– Operations and Security value in monitoring events
The Bare Minimum – Do This Today
• Configure Advanced Audit Policy via GPO
• Max out the local storage size of event logs (4GB)
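The two "bare minimum" items above are easy to verify from a saved `auditpol /get /category:*` dump and a `wevtutil gl Security` dump. The following script is an added example, not part of the deck: it parses both outputs (the samples below are constructed, not from a real host) and reports every subcategory that falls short of a minimal baseline plus whether the Security log is sized to the 4 GB the deck recommends. The baseline list is this editor's assumption drawn from the subcategories the deck relies on, not an official list.

```python
"""Check an `auditpol /get /category:*` dump and a `wevtutil gl Security` dump
against a bare-minimum audit baseline. Sample outputs are constructed."""
import re

# Assumption: a minimal baseline built from the subcategories the deck uses.
REQUIRED = {
    "Security Group Management": "Success and Failure",
    "Distribution Group Management": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Process Creation": "Success and Failure",
    "Directory Service Changes": "Success and Failure",
    "Directory Service Access": "Failure",      # the deck cares about failures here
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Account Lockout": "Success and Failure",
    "File Share": "Success and Failure",
    "Audit Policy Change": "Success and Failure",
    "Security System Extension": "Success and Failure",
}
MIN_LOG_BYTES = 4 * 1024 ** 3  # the deck's recommended 4 GB

# Constructed sample of `auditpol /get /category:*` output.
AUDITPOL_SAMPLE = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success and Failure
Account Management
  User Account Management                 Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           No Auditing
Detailed Tracking
  Process Creation                        Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Access                Failure
Object Access
  File Share                              Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
"""

# Constructed sample of `wevtutil gl Security` output (default 20 MB log).
WEVTUTIL_SAMPLE = """name: Security
enabled: true
type: Admin
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
"""


def parse_auditpol(text):
    """Map subcategory name -> setting. auditpol indents subcategory lines by two
    spaces and separates the name from the setting with a run of spaces."""
    policy = {}
    for line in text.splitlines():
        if line.startswith("  "):
            parts = re.split(r"\s{2,}", line.strip())
            if len(parts) == 2:
                policy[parts[0]] = parts[1]
    return policy


def setting_satisfies(actual, required):
    """'Success and Failure' covers every requirement; otherwise exact match."""
    return actual == "Success and Failure" or actual == required


def audit_gaps(auditpol_text):
    """Return {subcategory: (actual, required)} for every baseline miss.
    A subcategory absent from the dump is treated as 'No Auditing'."""
    policy = parse_auditpol(auditpol_text)
    gaps = {}
    for sub, required in REQUIRED.items():
        actual = policy.get(sub, "No Auditing")
        if not setting_satisfies(actual, required):
            gaps[sub] = (actual, required)
    return gaps


def security_log_max_bytes(wevtutil_text):
    """Pull the maxSize value (bytes) from `wevtutil gl` output."""
    m = re.search(r"^\s*maxSize:\s*(\d+)", wevtutil_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def log_size_ok(wevtutil_text):
    size = security_log_max_bytes(wevtutil_text)
    return size is not None and size >= MIN_LOG_BYTES


if __name__ == "__main__":
    for sub, (actual, required) in audit_gaps(AUDITPOL_SAMPLE).items():
        print(f"GAP: {sub} is '{actual}', want '{required}'")
    print("Security log size OK:", log_size_ok(WEVTUTIL_SAMPLE))
```

Run it against dumps collected from a handful of hosts and you get a quick answer to the "is the GPO actually applied?" question before an incident makes you ask it.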
Windows Advanced Audit Policy
• Account Logon
• Account Management
• Detailed Tracking
• Directory Service Access
• Logon/Logoff
• Object Access
• Policy Change
• Privilege Use
• System
Account Management
• Distribution Group Management
• Event ID: 4744 - A security-disabled local group was created.
• Event ID: 4745 - A security-disabled local group was changed.
• Event ID: 4746 - A member was added to a security-disabled local group.
• Event ID: 4747 - A member was removed from a security-disabled local group.
• Event ID: 4748 - A security-disabled local group was deleted.
Account Management
• Distribution Group Management
• Event ID: 4749 - A security-disabled global group was created.
• Event ID: 4750 - A security-disabled global group was changed.
• Event ID: 4751 - A member was added to a security-disabled global group.
• Event ID: 4752 - A member was removed from a security-disabled global group.
• Event ID: 4753 - A security-disabled global group was deleted.
Account Management
• Distribution Group Management
• Event ID: 4759 - A security-disabled universal group was created.
• Event ID: 4760 - A security-disabled universal group was changed.
• Event ID: 4761 - A member was added to a security-disabled universal group.
• Event ID: 4762 - A member was removed from a security-disabled universal group.
• Event ID: 4763 - A security-disabled universal group was deleted.
Account Management
• Security Group Management
• Event ID: 4731 - A security-enabled local group was created.
• Event ID: 4735 - A security-enabled local group was changed.
• Event ID: 4732 - A member was added to a security-enabled local group.
• Event ID: 4733 - A member was removed from a security-enabled local group.
• Event ID: 4734 - A security-enabled local group was deleted.
Account Management
• Security Group Management
• Event ID: 4754 - A security-enabled global group was created.
• Event ID: 4755 - A security-enabled global group was changed.
• Event ID: 4756 - A member was added to a security-enabled global group.
• Event ID: 4757 - A member was removed from a security-enabled global group.
• Event ID: 4758 - A security-enabled universal group was deleted.
Account Management
• Security Group Management
• Event ID: 4754 - A security-enabled universal group was created.
• Event ID: 4755 - A security-enabled universal group was changed.
• Event ID: 4756 - A member was added to a security-enabled universal group.
• Event ID: 4757 - A member was removed from a security-enabled universal group.
• Event ID: 4758 - A security-enabled universal group was deleted.
Account Management
• Group Management Use Cases
– Monitoring sensitive AD groups
• Are you monitoring more than just Domain Admins?
– Monitoring changes to distribution groups
• Who is receiving emails sent to the finance@your_org.com distro?
Account Management
• User Account Management
• Event ID: 4720 - A user account was created.
• Event ID: 4722 - A user account was enabled.
• Event ID: 4723 – An attempt was made to change an account’s password.
• Event ID: 4725 – A user account was disabled.
• Event ID: 4726 – A user account was deleted.
• Event ID: 4740 – A user account was locked out.
Account Management
• User Account Management Use Cases
– Identify attempts to change user account passwords
– Identify new accounts being created
• Covers both local and AD accounts
– Identify accounts being locked out
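The group-management and user-account use cases above combine naturally: an addition to a sensitive group is worth an alert on its own, and it is worth a louder one when the member added was created minutes earlier. The script below is an added example, not part of the deck. It consumes membership events using the event IDs from the slides (4732, 4756 and 4751) plus 4720, with field names as they appear in the Security log (TargetUserName is the group for membership events and the new account for 4720; MemberName is the member's distinguished name). The events and the watchlist are constructed; the watchlist deliberately goes beyond Domain Admins and includes the finance distribution group from the slide.

```python
"""Alert on additions to sensitive AD groups and correlate with account
creation. Sample events and the watchlist are constructed, not real."""
from datetime import datetime, timedelta

# Event IDs from the deck's Account Management slides.
MEMBER_ADDED = {
    4732: "security-enabled local",
    4756: "security-enabled universal",
    4751: "security-disabled global (distribution)",
}
USER_CREATED = 4720

# Assumption: the organisation's own watchlist; extend it beyond Domain Admins.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Account Operators", "Backup Operators", "finance"}
NEW_ACCOUNT_WINDOW = timedelta(minutes=15)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events in the shape of the real Security log fields.
EVENTS = [
    {"EventID": 4720, "Time": ts("2024-03-01T02:10:00"),
     "SubjectUserName": "svc_backup", "TargetUserName": "jdoe2"},
    {"EventID": 4756, "Time": ts("2024-03-01T02:13:30"),
     "SubjectUserName": "svc_backup", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=jdoe2,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "Time": ts("2024-03-01T09:00:00"),
     "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4751, "Time": ts("2024-03-01T11:45:00"),
     "SubjectUserName": "helpdesk1", "TargetUserName": "finance",
     "MemberName": "CN=contractor7,CN=Users,DC=corp,DC=example"},
]


def member_cn(member_dn):
    """Extract the CN from a DN such as CN=jdoe2,CN=Users,DC=corp,DC=example."""
    first = member_dn.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_alerts(events):
    """Return alert strings, in time order: one for every addition to a
    sensitive group, plus a HIGH alert when that member is a brand-new account."""
    created = {}   # account name -> creation time, from 4720
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == USER_CREATED:
            created[ev["TargetUserName"]] = ev["Time"]
            continue
        if ev["EventID"] not in MEMBER_ADDED:
            continue
        group = ev["TargetUserName"]
        if group not in SENSITIVE_GROUPS:
            continue
        member = member_cn(ev["MemberName"])
        kind = MEMBER_ADDED[ev["EventID"]]
        alerts.append(f"{ev['SubjectUserName']} added {member} to {kind} group '{group}'")
        age = ev["Time"] - created.get(member, datetime.min)
        if member in created and age <= NEW_ACCOUNT_WINDOW:
            alerts.append(f"HIGH: {member} was created {age} before being added to '{group}'")
    return alerts


if __name__ == "__main__":
    for line in find_alerts(EVENTS):
        print(line)
```

Because 4720 fires for both local and AD accounts (as the slide notes), the same correlation catches a new local account being dropped into a local Administrators group on a member server when 4732 is collected from that host.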
Detailed Tracking
• Audit Plug and Play (Windows 10/Server 2016)
– Event ID: 6146
• A new external device was recognized by the System
– Event ID: 6423
• The installation of this device is forbidden by system policy.
Audit Plug and Play
Detailed Tracking
• Process Creation
– Event ID: 4688
• A new process has been created
– Can include the full process command line
– Event ID: 4689
• A new process has exited
Process Creation
• Use Cases
– Create timeline of attacker activity on host
• Could you timeline attacker activity on a host today?
– View full command line being passed to processes
• Cmd.exe was executed, but what commands was it passed?
– Identify executables running on the network
• Is MouseJiggler.exe approved?
– Identify the source of events
• Follow the process chain to identify the root cause of infections
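Timelining and "following the process chain" from 4688 events both come down to one join: a child's creator PID (the ProcessId field) matched to the most recent 4688 that created that PID before the child started. Walking it naively by PID alone breaks because Windows reuses PIDs, so the added example below (this editor's code, not the deck's) resolves each parent as the latest creation of that PID not later than the child's start time. The events are constructed and use the 4688 field names (NewProcessId, NewProcessName, ProcessId for the creator, CommandLine when command-line auditing is on); the encoded-command argument is a placeholder, not real content.

```python
"""Rebuild a per-user process timeline and a root-cause chain from 4688
events. Sample events are constructed; PIDs are hex strings as in 4688."""
from datetime import datetime


def ts(s):
    return datetime.fromisoformat(s)


def image(path):
    """File name only, e.g. C:\\Windows\\explorer.exe -> explorer.exe."""
    return path.rsplit("\\", 1)[-1]


# Constructed sample: explorer -> Word document -> cmd -> powershell, and a
# later, unrelated process that reuses Word's PID 0x9c0.
EVENTS = [
    {"Time": ts("2024-03-01T09:00:00"), "NewProcessId": "0x1a4", "ProcessId": "0x120",
     "NewProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "SubjectUserName": "asmith"},
    {"Time": ts("2024-03-01T09:05:12"), "NewProcessId": "0x9c0", "ProcessId": "0x1a4",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\asmith\Downloads\invoice.docm"',
     "SubjectUserName": "asmith"},
    {"Time": ts("2024-03-01T09:05:40"), "NewProcessId": "0xb10", "ProcessId": "0x9c0",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -EncodedCommand <constructed placeholder>",
     "SubjectUserName": "asmith"},
    {"Time": ts("2024-03-01T09:05:41"), "NewProcessId": "0xb44", "ProcessId": "0xb10",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <constructed placeholder>",
     "SubjectUserName": "asmith"},
    {"Time": ts("2024-03-01T10:30:00"), "NewProcessId": "0x9c0", "ProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "SubjectUserName": "asmith"},
]


def creation_event(events, pid, not_after):
    """The most recent 4688 that created `pid` at or before `not_after`.
    This is what makes PID reuse safe: the later notepad.exe with PID 0x9c0
    is never mistaken for the earlier WINWORD.EXE."""
    candidates = [e for e in events
                  if e["NewProcessId"] == pid and e["Time"] <= not_after]
    return max(candidates, key=lambda e: e["Time"]) if candidates else None


def process_chain(events, pid, start):
    """Walk from the process (pid, start) up through its creators and return
    the image names root-first, e.g. explorer -> WINWORD -> cmd -> powershell."""
    chain, seen = [], set()
    ev = creation_event(events, pid, start)
    while ev is not None and (ev["NewProcessId"], ev["Time"]) not in seen:
        seen.add((ev["NewProcessId"], ev["Time"]))
        chain.append(image(ev["NewProcessName"]))
        ev = creation_event(events, ev["ProcessId"], ev["Time"])
    return list(reversed(chain))


def timeline(events, user):
    """Chronological (time, image, command line) tuples for one account."""
    return [(e["Time"].isoformat(), image(e["NewProcessName"]), e["CommandLine"])
            for e in sorted(events, key=lambda e: e["Time"])
            if e["SubjectUserName"] == user]


if __name__ == "__main__":
    for row in timeline(EVENTS, "asmith"):
        print(*row, sep="  ")
    print(" -> ".join(process_chain(EVENTS, "0xb44", ts("2024-03-01T09:05:41"))))
```

The chain for the PowerShell process resolves to the Word document that spawned it, which is the root cause you want in the ticket; the notepad process with the reused PID resolves to explorer only.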
DS Access
• Directory Service Changes
– Only generated on DCs
• Event ID: 5136 – A directory service object was modified
• Event ID: 5137 – A directory service object was created
• Event ID: 5138 – A directory service object was undeleted
• Event ID: 5139 – A directory service object was moved
• Event ID: 5141 – A directory service object was deleted
Directory Service Changes
DS Access
• Directory Service Access
– Only generated on DCs
• Event ID: 4662 – An operation was performed on an object
• Interested in failures over successes
Directory Service Access
Directory Service Changes/Access
• Use Cases
– Identify changes being made to AD objects
• Who did what and when?
• Did they occur during change window? Follow approved process?
– Identify failed attempts to modify AD objects
• Operational issue? Insider threat?
Logon/Logoff
• Event ID: 4624 – Account Logon Success
• Event ID: 4625 – Account Logon Failure
• Event ID: 4640 – Account Lockout
• Event ID: 4634 – Account Logoff
• Event ID: 4800 – Workstation was locked
• Event ID: 4801 – Workstation was unlocked
Logon/Logoff
Logon/Logoff Use Cases
• Identifying length of user sessions
• Identifying anomalous authentications
– Login from strange host, time of logins, etc.
• Password Spraying - Account logon failures occurring once across multiple accounts
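The password-spraying pattern on the slide is the inverse of a classic brute force: many distinct accounts, one or two failures each, from one source, instead of one account with many failures. The added example below (this editor's code, not the deck's) implements both detections over 4625 events using the fields those events carry (TargetUserName, IpAddress, LogonType, Status). The events and thresholds are constructed; tune the window and counts to your environment.

```python
"""Detect password spraying (many accounts, few failures each, one source)
and plain brute force (one account, many failures) from 4625 events.
Sample events and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
SPRAY_MIN_ACCOUNTS = 5       # assumption: at least this many accounts in a window
SPRAY_MAX_PER_ACCOUNT = 2    # ...with no account failing more than this
BRUTE_THRESHOLD = 5          # assumption: this many failures on one account


def ts(s):
    return datetime.fromisoformat(s)


def failure(time, user, ip, logon_type=3):
    """A 4625 event using the real field names; status 0xc000006d is
    'unknown user name or bad password'."""
    return {"EventID": 4625, "Time": ts(time), "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "Status": "0xc000006d"}


# Constructed sample: one spraying source, one brute-forcing source, one typo.
EVENTS = (
    [failure(f"2024-03-01T03:{i:02d}:00", f"user{i:02d}", "10.0.0.23") for i in range(8)]
    + [failure(f"2024-03-01T04:{i:02d}:00", "jdoe", "10.0.0.99") for i in range(8)]
    + [failure("2024-03-01T08:00:00", "asmith", "10.0.0.50")]
)


def failures_by_source(events):
    """Group 4625 events by source address, each list sorted by time."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["Time"])
    return by_ip


def count_in_window(evs, start_index, window):
    """Failures per account in the window opening at evs[start_index]."""
    start = evs[start_index]["Time"]
    per_account = defaultdict(int)
    for e in evs[start_index:]:
        if e["Time"] - start > window:
            break
        per_account[e["TargetUserName"]] += 1
    return per_account


def spray_sources(events, window=WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS,
                  max_per_account=SPRAY_MAX_PER_ACCOUNT):
    """{ip: sorted account names} for sources matching the spray pattern."""
    hits = {}
    for ip, evs in failures_by_source(events).items():
        for i in range(len(evs)):
            per_account = count_in_window(evs, i, window)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                hits[ip] = sorted(per_account)
                break
    return hits


def brute_force_targets(events, window=WINDOW, threshold=BRUTE_THRESHOLD):
    """{ip: sorted account names} for the contrasting many-failures-one-account case."""
    hits = {}
    for ip, evs in failures_by_source(events).items():
        for i in range(len(evs)):
            heavy = sorted(a for a, n in count_in_window(evs, i, window).items()
                           if n >= threshold)
            if heavy:
                hits[ip] = heavy
                break
    return hits


if __name__ == "__main__":
    print("spray:", spray_sources(EVENTS))
    print("brute force:", brute_force_targets(EVENTS))
```

A spray rarely trips 4740 lockouts, which is exactly why the per-source, cross-account view is needed; the brute-force view is what lockout-based alerting already covers.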
Object Access
• File Share
– Event ID: 5140 - A network share object was accessed
– Event ID: 5142 - A network share object was added
– Event ID: 5143 - A network share object was modified
– Event ID: 5144 - A network share object was deleted
File Share
Object Access
• File Share Use Cases
– Identify all file shares a compromised user account accessed.
– Identify what user account deleted an existing file share.
Object Access
• Filtering Platform Connection
– Event ID: 5156 – Windows Filtering Platform has allowed a connection
• High event volume
Filtering Platform Connection
Object Access
• Filtering Platform Connection Use Cases
– Identify what network address a malicious process is reaching out to, and vice versa
Object Access
• Registry
– Event ID: 4657 – A registry value was modified
• Auditing must be set on an individual, per-key basis
• Common attacker persistence keys
– USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
– USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
– USERS\.DEFAULT\Software\Microsoft\Office\Outlook\Addins
– USERS\.DEFAULT\Software\Microsoft\Office\PowerPoint\Addins
– USERS\.DEFAULT\Software\Microsoft\Office\Word\Addins
– USERS\.DEFAULT\Software\Microsoft\Internet Explorer\UrlSearchHooks
Registry
Object Access
• Other Object Access Events
– Scheduled Tasks
• Event ID: 4698 - A scheduled task was created
• Event ID: 4699 - A scheduled task was deleted
• Event ID: 4702 - A scheduled task was updated
Scheduled Tasks
Object Access
• Scheduled Task Use Cases
– Detecting Scheduled Tasks used for persistence
– Detecting Scheduled Tasks used for privilege escalation
– Identifying updated Scheduled Tasks executing different payloads
System
• **Not to be confused with System logs**
– Security Systems Integrity
• Event ID: 4697 – A service was installed in the system
System
PowerShell Logging
• Standard PowerShell Logging
– Event ID: 400 – Engine state changed from None to Available
• PowerShell v5 Script Block Logging
– Event ID: 4104 – Creating Script Block text
– Provides insight into encoded commands
PowerShell Logging Use Cases
• Identifying v2 being used on v5 systems to bypass script block logging
• Script block logging deobfuscating PowerShell
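Both PowerShell use cases can be checked from text you already collect. Event ID 400's message carries EngineVersion and HostVersion lines, so an engine of 2.x started by a 5.x host is the downgrade the slide describes; and an `-EncodedCommand` argument seen in a 4688 command line is base64 of UTF-16LE text, which is what script block logging would show you decoded. The following is an added example (this editor's code, not the deck's); the Event 400 messages are constructed in the real message layout, and the command line is constructed around a benign encoded command.

```python
"""Spot a PowerShell v2 engine on a v5 host from Event ID 400 text, and
decode an -EncodedCommand argument. Samples are constructed."""
import base64
import re

# Constructed Event ID 400 message (Windows PowerShell log) for a downgrade.
EVENT_400_DOWNGRADE = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tSequenceNumber=13

\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostId=<constructed guid placeholder>
\tHostApplication=powershell.exe -version 2
\tEngineVersion=2.0
\tRunspaceId=<constructed guid placeholder>
\tPipelineId=
\tCommandName=
\tCommandType=
\tScriptName=
\tCommandPath=
\tCommandLine="""

# Same message for a normal v5 start.
EVENT_400_NORMAL = EVENT_400_DOWNGRADE.replace(
    "HostApplication=powershell.exe -version 2", "HostApplication=powershell.exe"
).replace("EngineVersion=2.0", "EngineVersion=5.1.19041.1")


def parse_details(message):
    """Turn the Key=Value lines of an Event 400 message into a dict."""
    details = {}
    for line in message.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            details[key] = value
    return details


def is_engine_downgrade(message):
    """True when a 2.x engine was started by a host that is not itself 2.x."""
    d = parse_details(message)
    engine, host = d.get("EngineVersion", ""), d.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")


def decode_encoded_command(command_line):
    """Decode the first -EncodedCommand value in a command line, or None.
    PowerShell accepts any prefix of -EncodedCommand starting with -e, plus -ec,
    so -ExecutionPolicy and friends must not be mistaken for it."""
    for m in re.finditer(r"-(\w+)\s+(?=([A-Za-z0-9+/=]+))", command_line):
        flag = m.group(1).lower()
        if flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def encode_for_sample(text):
    """Produce the base64(UTF-16LE) form PowerShell expects; used to build samples."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed 4688-style command line wrapping a harmless command.
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -enc "
                  + encode_for_sample("Get-Process | Out-Null"))


if __name__ == "__main__":
    print("downgrade:", is_engine_downgrade(EVENT_400_DOWNGRADE))
    print("decoded:", decode_encoded_command(SAMPLE_CMDLINE))
```

The downgrade check is the cheap one to alert on: a v2 engine should not appear on a patched v5 host at all unless someone asked for it, and the message records who (HostApplication) did.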
PowerShell Logging
Anti-Forensics
• Event ID: 1102 – Audit log was cleared
• Event ID: 4719 – System audit policy was changed
• Event ID: 1100 – Event logging service has shutdown
• Event ID: 1104 – Security log is full
• Event ID: 4616 – System time was changed
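These five events are low-volume enough to alert on directly, with one exception: 4616 fires every time the time service nudges the clock, so a rule on it needs to ignore small corrections and the time service itself. The added example below (this editor's code, not the deck's) encodes those rules and adds one correlation: a 1102 log clear shortly after the same account removed audit settings via 4719 is rated higher. The events are constructed in the shape of the real fields (4616 carries PreviousTime, NewTime and ProcessName; 4719 carries AuditPolicyChanges); the 5 minute threshold and the assumption that W32Time runs inside svchost.exe are this editor's, so adjust them to your environment.

```python
"""Alert rules for the anti-forensics events: 1102, 4719, 1100, 1104, 4616.
Sample events and thresholds are constructed."""
from datetime import datetime, timedelta

TIME_CHANGE_THRESHOLD = timedelta(minutes=5)       # assumption: ignore smaller nudges
TIME_SERVICE_PROCESSES = {"svchost.exe"}           # assumption: W32Time host process
REMOVAL_TO_CLEAR_WINDOW = timedelta(hours=1)       # 4719 removal then 1102 => HIGH


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: a routine clock nudge, then an audit-policy removal,
# a large manual clock change, a log clear by the same account, and a full log.
EVENTS = [
    {"EventID": 4616, "Time": ts("2024-03-01T01:00:00"), "SubjectUserName": "LOCAL SERVICE",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2024-03-01T01:00:00.100000", "NewTime": "2024-03-01T01:00:00.350000"},
    {"EventID": 4719, "Time": ts("2024-03-01T02:00:00"), "SubjectUserName": "asmith",
     "SubcategoryGuid": "{constructed-guid-placeholder}",
     "AuditPolicyChanges": "Success removed, Failure removed"},
    {"EventID": 4616, "Time": ts("2024-03-01T02:01:00"), "SubjectUserName": "asmith",
     "ProcessName": r"C:\Windows\System32\rundll32.exe",
     "PreviousTime": "2024-03-01T02:01:00", "NewTime": "2024-02-20T02:01:00"},
    {"EventID": 1102, "Time": ts("2024-03-01T02:05:00"), "SubjectUserName": "asmith"},
    {"EventID": 1104, "Time": ts("2024-03-02T10:00:00")},
]


def review(events):
    """Return (severity, message) tuples in time order."""
    alerts = []
    last_removal = {}   # account -> time of its last 4719 that removed auditing
    for ev in sorted(events, key=lambda e: e["Time"]):
        eid = ev["EventID"]
        if eid == 1102:
            who = ev["SubjectUserName"]
            recent = who in last_removal and ev["Time"] - last_removal[who] <= REMOVAL_TO_CLEAR_WINDOW
            alerts.append(("HIGH" if recent else "MEDIUM", f"1102: {who} cleared the Security log"))
        elif eid == 1100:
            alerts.append(("MEDIUM", "1100: event logging service shut down"))
        elif eid == 1104:
            alerts.append(("MEDIUM", "1104: Security log is full; events are being lost"))
        elif eid == 4719:
            changes = ev["AuditPolicyChanges"]
            if "removed" in changes:
                last_removal[ev["SubjectUserName"]] = ev["Time"]
                alerts.append(("MEDIUM", f"4719: {ev['SubjectUserName']} reduced auditing ({changes})"))
        elif eid == 4616:
            delta = abs(ts(ev["NewTime"]) - ts(ev["PreviousTime"]))
            proc = ev["ProcessName"].rsplit("\\", 1)[-1].lower()
            if delta > TIME_CHANGE_THRESHOLD and proc not in TIME_SERVICE_PROCESSES:
                alerts.append(("MEDIUM", f"4616: {ev['SubjectUserName']} moved the clock by {delta} via {proc}"))
    return alerts


if __name__ == "__main__":
    for severity, msg in review(EVENTS):
        print(severity, msg)
```

With forwarding in place (next slide) the 1102 still reaches the collector even though the local copy is gone, which is the whole reason to alert on it centrally rather than on the host.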
Anti-Forensics
Where do we go from here?
• Log Aggregation
– SIEM Solutions
– Windows Event Forwarding
• Security Monitoring/Analysis
– Threat Hunting
Security Monitoring/Analysis
• Frequency analysis
– Understand what is normal for your environment
– Data stacking techniques
Sources
• Microsoft Windows 10 and Server 2016 Security Auditing and Monitoring Reference Guide
• NSA’s “Spotting the Adversary with Windows Event Log Monitoring”
• Michael Gough / MalwareArcheology.com - Windows Audit Policy/Logging Cheat Sheets
• Palantir WEF subscriptions - https://github.com/palantir/windows-event-forwarding
• ADSecurity.org - Domain controller audit policy, Active Directory security
• FireEye PowerShell Logging Guide - https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
Questions?