Windows Security Log Analysis
BLUF
This log file contains several different types of log events, each of which tells us
something specific. For starters, there are many events with Event IDs 4624 and 4634,
which are "An account was successfully logged on" and "An account was logged off"
respectively. There are other Event IDs as well, such as 4672, 4769 and 4776. This
information leads me to believe this is a normal organization with many different
users performing various tasks.
Data Overview (Section 1, Part A)
The first event has an Event ID of 4634 for the user "grant.larson". The last
event has an Event ID of 1102 for the administrator account. The time zone for the
events is UTC: all of the timestamps end with the letter "Z". Z stands for Zulu (or
Zebra) time, the military designation for UTC. There are a total of 78320 events in
this log file.
Count of logon and logoff events (Section 1, Part B)
There was a total of 34415 logon events and a total of 3482 logoff events.
There were many different users, such as grant.larson, Adam.richardson,
Madison.Wescott, etc.
Section 1, Part C
There are two events in total with Event ID 4625. Both of these events are on
the same computer (DC01.AFC.com) and the same administrator account, with
DC01$ as the username. To investigate this, I would identify the source of the
failed logon attempts and review its other activity to see whether there are any
malicious actions on the network. However, it is also possible that the user simply
mistyped their password when trying to log in.
Section 1, Part D
To analyze this log file, I used Notepad++. To help count how many events
there were, and to look for specific event types, I used the Ctrl+F search function in
Windows and the grep command in Linux. Finally, I used various Linux commands
to create the application.
Program Code
Part A
cat "SecurityLog-rev2.xml" > output.txt
Part B
grep -A 5 -B 1 "<EventID>4624</EventID>" SecurityLog-rev2.xml
Part C
grep -c "<EventID>4625</EventID>" SecurityLog-rev2.xml
Part D
# Select the event lines, then count how many fall in each timestamp bucket
# (the part of the first field before the first ':').
grep "EVENT_ID" logfile.txt |
awk '{
    split($1, a, ":");        # a[1] = portion of the timestamp before the first ':'
    timestamp = a[1];
    count[timestamp]++;       # tally events per bucket
}
END {
    for (timestamp in count)
        print timestamp, count[timestamp];
}'
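As an added example that is not part of the report, the same counts the report produces with grep and awk (total events, first and last timestamp, 4624/4634 counts, the 4625 failures with their computer and username, and events per UTC hour) can be pulled from the exported event XML directly. It assumes the export wraps the <Event> elements in a single <Events> root; the sample data below is constructed, not taken from SecurityLog-rev2.xml.

```python
# Added example (not the report's own code): parse Windows Security events in
# their exported XML form and summarize logon, logoff and failure activity.
# Assumption: the <Event> elements sit under one <Events> root element.
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of a Security log export (not real log data).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4634</EventID><TimeCreated SystemTime="2024-03-01T08:00:01.000Z"/>
<Computer>WS01.AFC.com</Computer></System><EventData><Data Name="TargetUserName">grant.larson</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T08:15:30.000Z"/>
<Computer>WS01.AFC.com</Computer></System><EventData><Data Name="TargetUserName">Madison.Wescott</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4625</EventID><TimeCreated SystemTime="2024-03-01T09:02:11.000Z"/>
<Computer>DC01.AFC.com</Computer></System><EventData><Data Name="TargetUserName">DC01$</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>1102</EventID><TimeCreated SystemTime="2024-03-01T09:40:00.000Z"/>
<Computer>DC01.AFC.com</Computer></System><EventData></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Yield (event_id, timestamp, computer, target_user) for each <Event>."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        eid = int(sysnode.findtext("e:EventID", namespaces=NS))
        ts = sysnode.find("e:TimeCreated", NS).get("SystemTime")  # UTC, ends in 'Z'
        computer = sysnode.findtext("e:Computer", namespaces=NS)
        user = ev.findtext("e:EventData/e:Data[@Name='TargetUserName']", namespaces=NS)
        yield eid, ts, computer, user


def summarize(xml_text):
    """Counts equivalent to the report's Parts A-D, plus 1102 (audit log cleared)."""
    events = list(parse_events(xml_text))
    by_id = Counter(e[0] for e in events)
    per_hour = Counter(e[1][:13] for e in events)  # bucket key "YYYY-MM-DDTHH"
    failures = [(c, u, t) for i, t, c, u in events if i == 4625]
    return {"total": len(events), "first": events[0][1], "last": events[-1][1],
            "logons": by_id[4624], "logoffs": by_id[4634], "failed": failures,
            "per_hour": dict(per_hour), "audit_log_cleared": by_id[1102]}
```

Event 1102 records that the audit log was cleared, so it is worth counting alongside the failed logons when reviewing a Security log.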
IOCs
As mentioned earlier in the report, there were two unsuccessful logon
attempts. Again, the user could have made a mistake when entering their password.
However, it is worth looking into whether more malicious activity is happening on the
network. Another potential IOC is when an account is granted special privileges, which
is identified by Event ID 4672. Usually, an account that is granted special privileges is
a trusted account. However, some accounts could abuse these escalated privileges,
so it is important to keep an eye on them.