Windows Event IDs For Incident Response Cases

Alparslan Akyıldız academy
5 min read · Oct 30, 2019


In this blog post we will work on Windows Event IDs. When we analyze logs for incident response or threat hunting, we need to understand, clarify, interpret and map the cyber attack. For this reason we need to examine and investigate logs in Splunk, ELK or any other SIEM. While investigating an incident we should have knowledge of red team techniques, processes, threads, socket connections, Event IDs and the sequence and timing in which they occur, so that we can map the attack; hence Event IDs are very important for us. Below I give a website link which contains event IDs and their explanations.

Before we start, I present my Udemy trainings; if you want, you can benefit from my training to learn more deeply:

Let's try to change a user's password and examine the event log:

Event ID 4720 shows us that a new user was created. We inspect the suspicious user by examining ID 4720:

Event ID 4722 shows that a new account was enabled:

Event ID 4724 logs a user password reset. From this we can spot suspicious activity, for example if the admin did not change the password himself:

From the Event ID 4728 log we can see that user2 has been added to the Admins group.
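The four events above (4720 create, 4722 enable, 4724 password set, 4728 group add) form a chain that a hunter can correlate rather than read one at a time. The following is an added example, not code from the original post: it runs over constructed sample records shaped like the fields a SIEM extracts from the Security log and reports every new account that is enabled, given a password and placed in a privileged group within a short window. The set of privileged group names and the 10-minute window are assumptions a site would tune.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log data), shaped like the fields a SIEM
# extracts from Security log events: id, time, subject (who acted), target (which
# account) and, for group-membership events, the group name.
SAMPLE_EVENTS = [
    {"id": 4720, "time": datetime(2019, 10, 30, 10, 0, 0), "subject": "Administrator", "target": "user2"},
    {"id": 4722, "time": datetime(2019, 10, 30, 10, 0, 1), "subject": "Administrator", "target": "user2"},
    {"id": 4724, "time": datetime(2019, 10, 30, 10, 0, 2), "subject": "Administrator", "target": "user2"},
    {"id": 4728, "time": datetime(2019, 10, 30, 10, 0, 5), "subject": "Administrator", "target": "user2",
     "group": "Administrators"},
    # Benign: the helpdesk resets a password; no creation and no group change.
    {"id": 4724, "time": datetime(2019, 10, 30, 11, 0, 0), "subject": "helpdesk", "target": "alice"},
    # Benign: a new account that is created and enabled but never made privileged.
    {"id": 4720, "time": datetime(2019, 10, 30, 12, 0, 0), "subject": "hr_admin", "target": "bob"},
    {"id": 4722, "time": datetime(2019, 10, 30, 12, 0, 1), "subject": "hr_admin", "target": "bob"},
    {"id": 4724, "time": datetime(2019, 10, 30, 12, 0, 2), "subject": "hr_admin", "target": "bob"},
]

# Group-membership events: 4728 global, 4732 local, 4756 universal security group.
GROUP_ADD_IDS = {4728, 4732, 4756}
# Which groups count as privileged is a site policy decision; this set is an assumption.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def find_provisioning_chains(events, window=timedelta(minutes=10)):
    """Return one finding per account that is created (4720), enabled (4722),
    given a password (4724) and added to a privileged group within `window`."""
    by_target = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_target.setdefault(ev["target"], []).append(ev)

    findings = []
    for target, evs in by_target.items():
        for created in (e for e in evs if e["id"] == 4720):
            deadline = created["time"] + window
            chain = [e for e in evs if created["time"] <= e["time"] <= deadline]
            ids = {e["id"] for e in chain}
            groups = {e["group"] for e in chain if e["id"] in GROUP_ADD_IDS}
            privileged = groups & PRIVILEGED_GROUPS
            if {4722, 4724} <= ids and privileged:
                findings.append({
                    "account": target,
                    "created_by": created["subject"],
                    "groups": sorted(privileged),
                    "event_ids": sorted(ids),
                    "elapsed_seconds": (max(e["time"] for e in chain) - created["time"]).seconds,
                })
    return findings


if __name__ == "__main__":
    for finding in find_provisioning_chains(SAMPLE_EVENTS):
        print(finding)
```

The same query is easy to express in Splunk or ELK once the events are bucketed by target account; the point of the window is that a legitimate onboarding rarely puts a brand-new account into Administrators within seconds of creation.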

Event ID 4624 logs a successful logon to our system. We inspect this to analyse the successful logins on our system; if we catch something suspicious, such as a different user logging in or a normal user with high privileges, we investigate it to map the attack.

Event 4634 lists logoff activity on a system:

Event ID 4625 records failed login attempts. We can see brute-force or unauthenticated login attempts by using 4625 events. In this step, to inspect suspicious logon/logoff activity, we can examine the event logs using the specific IDs explained above. We also need to know the logon types written in the event logs; a table is given below:

Reference: https://countuponsecurity.com/2015/11/25/digital-forensics-supertimeline-event-logs-part-ii/

For example, the output given below shows us that a workstation was unlocked:
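To make the 4625/4624 and logon-type discussion concrete, here is an added example (not code from the original post). It decodes the standard Windows logon type codes that appear in the Logon Type field, then runs a simple brute-force detection over constructed sample records: a source address that produces at least a threshold of 4625 failures inside a time window is reported, together with the first 4624 success from that address afterwards, which is the case a responder cares about most. The threshold, the window and the sample IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows logon type codes as recorded in the Logon Type field of 4624/4625.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (SMB, RPC, etc.)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock (workstation unlocked)",
    8: "NetworkCleartext",
    9: "NewCredentials (RunAs /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}


def describe_logon_type(code):
    return LOGON_TYPES.get(code, f"Unknown logon type {code}")


def _t(h, m, s):
    return datetime(2019, 10, 30, h, m, s)


# Constructed sample records (not real log data): a burst of 4625 failures for
# user2 from one source followed by a 4624 success, plus benign noise.
SAMPLE_LOGONS = (
    [{"id": 4625, "time": _t(12, 0, 10 * i), "user": "user2", "src_ip": "10.0.0.99", "logon_type": 3}
     for i in range(6)]
    + [{"id": 4624, "time": _t(12, 1, 30), "user": "user2", "src_ip": "10.0.0.99", "logon_type": 3},
       {"id": 4625, "time": _t(12, 5, 0), "user": "alice", "src_ip": "10.0.0.5", "logon_type": 2},
       {"id": 4624, "time": _t(12, 5, 20), "user": "alice", "src_ip": "-", "logon_type": 7}]
)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP that produces >= threshold 4625 failures inside `window`,
    and note the first 4624 success from that source after the burst, if any."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4625:
            failures[ev["src_ip"]].append(ev)
        elif ev["id"] == 4624:
            successes[ev["src_ip"]].append(ev)

    findings = []
    for src, fails in failures.items():
        for i, fail in enumerate(fails):
            # All failures in the window ending at this failure (list is time-ordered).
            burst = [f for f in fails[: i + 1] if f["time"] >= fail["time"] - window]
            if len(burst) < threshold:
                continue
            after = [s for s in successes[src] if s["time"] > fail["time"]]
            findings.append({
                "src_ip": src,
                "failures": len(burst),
                "accounts": sorted({f["user"] for f in burst}),
                "first_success_after": (after[0]["user"], describe_logon_type(after[0]["logon_type"]))
                if after else None,
            })
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOGONS):
        print(finding)
```

A single failure from alice followed by an unlock (type 7) is left alone, while the burst from 10.0.0.99 is reported with the network logon that followed it. Password spraying (one attempt per account across many accounts) shows up in the `accounts` list when you lower the threshold and widen the window.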

We should be vigilant about ID 4672: if a normal user logs on with high privileges, this action must be interpreted as suspicious activity.

Event 4733 shows us that a member was removed from a security group. I have deleted user2 from the Administrators group and I will perform a pass-the-hash attack with this user against a Windows 8 box:

Let's send the exploit and get a reverse shell as a normal user in order to perform the pass-the-hash attack.

After the attack, examine the event logs. Can you see that?

user2 logged on with a NULL SID; moreover the key length is 0 and the logon type is 3, which means the user logged on to the computer from the network.
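The three fields the post points at (logon type 3, key length 0, NULL SID) can be scored together on each 4624 record. The following is an added example, not code from the original post; it also adds the authentication package, because a Kerberos network logon legitimately shows a NULL SID subject and key length 0 too, and an ordinary NTLM network logon negotiates a 128-bit session key, so it is the combination that stands out. The sample records, IPs and the four-of-four threshold are constructed assumptions.

```python
NULL_SID = "S-1-0-0"

# Constructed sample 4624 records (not real log data) with the fields the post
# points at: logon type, key length and SID, plus the authentication package.
SAMPLE_4624 = [
    # The post's case: network logon, NULL SID subject, key length 0, over NTLM.
    {"user": "user2", "src_ip": "192.168.1.50", "logon_type": 3, "auth_pkg": "NTLM",
     "logon_process": "NtLmSsp", "key_length": 0, "subject_sid": NULL_SID},
    # Ordinary Kerberos network logon: also NULL SID subject and key length 0, but not NTLM.
    {"user": "alice", "src_ip": "192.168.1.20", "logon_type": 3, "auth_pkg": "Kerberos",
     "logon_process": "Kerberos", "key_length": 0, "subject_sid": NULL_SID},
    # Ordinary NTLM network logon: a session key was negotiated, so key length is 128.
    {"user": "bob", "src_ip": "192.168.1.21", "logon_type": 3, "auth_pkg": "NTLM",
     "logon_process": "NtLmSsp", "key_length": 128, "subject_sid": NULL_SID},
    # Console logon: the subject is the local SYSTEM account, not a NULL SID.
    {"user": "carol", "src_ip": "-", "logon_type": 2, "auth_pkg": "Negotiate",
     "logon_process": "User32", "key_length": 0, "subject_sid": "S-1-5-18"},
]


def pth_indicators(ev):
    """Return the list of pass-the-hash indicators present on one 4624 record."""
    hits = []
    if ev["logon_type"] == 3:
        hits.append("logon type 3 (network)")
    if ev["auth_pkg"].upper() == "NTLM":
        hits.append("NTLM authentication package")
    if ev["key_length"] == 0:
        hits.append("key length 0")
    if ev["subject_sid"] == NULL_SID:
        hits.append("NULL SID subject")
    return hits


def flag_pass_the_hash(events, min_hits=4):
    """Report logons on which at least `min_hits` indicators coincide (default: all four)."""
    flagged = []
    for ev in events:
        hits = pth_indicators(ev)
        if len(hits) >= min_hits:
            flagged.append({"user": ev["user"], "src_ip": ev["src_ip"], "indicators": hits})
    return flagged


if __name__ == "__main__":
    for finding in flag_pass_the_hash(SAMPLE_4624):
        print(finding)
```

Only user2 reaches four indicators; alice and bob each reach three for legitimate reasons, which is why a single field such as key length should never be alerted on alone. The source address of the flagged logon is the host to pivot to next in the Sysmon data.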

From the Sysmon log we can observe the malicious PowerShell code used in the exploitation process; the network sockets and the attacker's IP can be seen too.

In the next step we tried to migrate into the lsass.exe process to extract the hash dump; in Sysmon you can see the CreateRemoteThread event for the process injection:

OK, we go back to the event logs. Windows event logs can be separated into 3 main categories, as shown below: Application, Security and System logs. We keep on analysing the Security logs.

Attackers can also use Pass-the-Ticket attacks over Kerberos. In a pass-the-ticket attack the attacker steals or extracts a Golden or Silver ticket and sends it again to the target to compromise it or escalate privileges. To solve the attack case we need to check and analyze the events 4768 (A Kerberos authentication ticket (TGT) was requested), 4769 (A Kerberos service ticket was requested) and 4770 (A Kerberos service ticket was renewed).
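One way to put 4768 and 4769 together on a domain controller, as an added example that is not code from the original post: a service ticket request (4769) for an account that never requested a TGT (4768) from the domain in the preceding ticket lifetime is a classic indicator of a replayed or forged ticket, and a ticket encrypted with RC4-HMAC (type 0x17) in a domain that otherwise issues AES tickets is a second one. The records, the 10-hour window and the encryption types are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # ticket encryption type; AES256 is 0x12 (assumed to be the domain's normal type)


def _t(h, m):
    return datetime(2019, 10, 30, h, m)


# Constructed sample records (not real log data) as one domain controller would log them.
SAMPLE_KERBEROS = [
    {"id": 4768, "time": _t(8, 0), "account": "alice", "src_ip": "10.0.0.20"},
    {"id": 4769, "time": _t(8, 5), "account": "alice", "service": "cifs/fileserver",
     "src_ip": "10.0.0.20", "enc_type": 0x12},
    {"id": 4770, "time": _t(15, 0), "account": "alice", "service": "krbtgt/CORP", "src_ip": "10.0.0.20"},
    # A service ticket presented for an account with no TGT request on record.
    {"id": 4769, "time": _t(9, 0), "account": "Administrator", "service": "cifs/fileserver",
     "src_ip": "10.0.0.99", "enc_type": 0x17},
]


def kerberos_ticket_anomalies(events, window=timedelta(hours=10)):
    """Flag 4769 service-ticket requests that have no 4768 TGT request for the
    same account in the preceding `window` (default: the 10-hour TGT lifetime),
    and note RC4-encrypted tickets. 4770 renewals are not treated as TGT issuance."""
    tgt_times = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768:
            tgt_times[ev["account"]].append(ev["time"])

    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4769:
            continue
        reasons = []
        earliest = ev["time"] - window
        if not any(earliest <= t <= ev["time"] for t in tgt_times[ev["account"]]):
            reasons.append("no 4768 TGT request for this account in the preceding window")
        if ev.get("enc_type") == RC4_HMAC:
            reasons.append("RC4-HMAC ticket encryption (0x17)")
        if reasons:
            findings.append({"account": ev["account"], "service": ev["service"],
                             "src_ip": ev["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in kerberos_ticket_anomalies(SAMPLE_KERBEROS):
        print(finding)
```

In a domain with several DCs the TGT may have been issued by a different controller, so the 4768 lookup must run over the Security logs of all DCs centralised in the SIEM, not over one host, or every legitimate user will be flagged.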

Reference: https://blog.stealthbits.com/detect-pass-the-ticket-attacks

Another case is an RDP connection to the system. First, Event ID 4732 occurs for adding user2 to the Remote Desktop Users group.

user2 connects to our box, and this is an abnormal action because under normal security policy conditions user2 cannot have rights for this connection. To check this issue you can filter 4778 and 4779 events. For WMI activities you can check Sysmon:
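The RDP case is again a sequence: 4732 (member added to a local group) naming Remote Desktop Users, then 4778 (session reconnected) and 4779 (session disconnected) for the same account. The following is an added example, not code from the original post: it reports a 4778 for an account that policy does not allow to use RDP, or that was put into Remote Desktop Users shortly before, and pairs each 4778 with its 4779 to give the session duration. The allowlist, the 24-hour window and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site policy: which accounts are allowed to use RDP at all.
RDP_ALLOWED = {"itadmin"}
RDP_GROUP = "Remote Desktop Users"


def _t(h, m):
    return datetime(2019, 10, 30, h, m)


# Constructed sample records (not real log data).
SAMPLE_RDP = [
    {"id": 4732, "time": _t(14, 0), "subject": "Administrator", "target": "user2", "group": RDP_GROUP},
    {"id": 4778, "time": _t(14, 10), "user": "user2", "src_ip": "10.0.0.99", "session": "RDP-Tcp#3"},
    {"id": 4779, "time": _t(14, 30), "user": "user2", "src_ip": "10.0.0.99", "session": "RDP-Tcp#3"},
    {"id": 4778, "time": _t(15, 0), "user": "itadmin", "src_ip": "10.0.0.7", "session": "RDP-Tcp#4"},
]


def detect_unexpected_rdp(events, window=timedelta(hours=24)):
    """Flag 4778 session connections by accounts outside the RDP policy or
    recently added to the Remote Desktop Users group (4732)."""
    added = defaultdict(list)
    for ev in events:
        if ev["id"] == 4732 and ev["group"] == RDP_GROUP:
            added[ev["target"]].append(ev)

    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4778:
            continue
        user, reasons = ev["user"], []
        if user not in RDP_ALLOWED:
            reasons.append("account is not allowed to use RDP by policy")
        recent = [a for a in added[user] if ev["time"] - window <= a["time"] <= ev["time"]]
        if recent:
            minutes = (ev["time"] - recent[-1]["time"]).seconds // 60
            reasons.append(f"added to {RDP_GROUP} by {recent[-1]['subject']} {minutes} min earlier")
        if reasons:
            findings.append({"user": user, "src_ip": ev["src_ip"], "session": ev["session"], "reasons": reasons})
    return findings


def session_durations(events):
    """Pair each 4778 (connected) with the next 4779 (disconnected) for the same user and session."""
    open_sessions, durations = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev.get("user"), ev.get("session"))
        if ev["id"] == 4778:
            open_sessions[key] = ev["time"]
        elif ev["id"] == 4779 and key in open_sessions:
            durations.append((ev["user"], ev["session"], ev["time"] - open_sessions.pop(key)))
    return durations


if __name__ == "__main__":
    for finding in detect_unexpected_rdp(SAMPLE_RDP):
        print(finding)
    for user, session, duration in session_durations(SAMPLE_RDP):
        print(user, session, duration)
```

The itadmin session is not reported because it matches policy and has no preceding group change; the user2 session is reported for both reasons, and its 20-minute duration bounds the window in which to look for what was done over that RDP session.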

To create logs for WMI activities we can use WMI Monitor and push the logs to ELK or Splunk.

https://github.com/realparisi/WMI_Monitor

This creates logs with Event ID 8 in the Application log. For more information you can read the FireEye article; it will be very useful:

In conclusion, Event IDs are very important information for analysing a cyber attack. I hope the article is useful for you; see you in the next post.
