In Microsoft Windows, the Security log records logon and logoff activity as well as other security-related events, as defined by the system's audit policy. Administrators decide which activity is written to the Security log by enabling the relevant audit categories (Local Security Policy or Group Policy, Advanced Audit Policy Configuration); an activity that is not covered by the audit policy produces no event at all.
The Security log event IDs and the activity each one records are listed below.
Event ID | Description |
---|---|
1100 | The event logging service has shut down |
1101 | Audit events have been dropped by the transport |
1102 | The audit log was cleared |
1104 | The security log is now full |
1105 | Event log automatic backup |
1108 | The event logging service encountered an error |
4608 | Windows is starting up |
4609 | Windows is shutting down |
4610 | An authentication package has been loaded by the Local Security Authority |
4611 | A trusted logon process has been registered with the Local Security Authority |
4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits |
4614 | A notification package has been loaded by the Security Account Manager |
4615 | Invalid use of LPC port |
4616 | The system time was changed |
4618 | A monitored security event pattern has occurred |
4621 | Administrator recovered system from CrashOnAuditFail |
4622 | A security package has been loaded by the Local Security Authority |
4624 | An account was successfully logged on |
4625 | An account failed to log on |
4626 | User/Device claims information |
4627 | Group membership information |
4634 | An account was logged off |
4646 | IKE DoS-prevention mode started |
4647 | User initiated logoff |
4648 | A logon was attempted using explicit credentials |
4649 | A replay attack was detected |
4650 | An IPsec Main Mode security association was established (Extended Mode was not enabled; certificate authentication was not used) |
4651 | An IPsec Main Mode security association was established (Extended Mode was not enabled; a certificate was used for authentication) |
4652 | An IPsec Main Mode negotiation failed |
4653 | An IPsec Main Mode negotiation failed |
4654 | An IPsec Quick Mode negotiation failed |
4655 | An IPsec Main Mode security association ended |
4656 | A handle to an object was requested |
4657 | A registry value was modified |
4658 | The handle to an object was closed |
4659 | A handle to an object was requested with intent to delete |
4660 | An object was deleted |
4661 | A handle to an object was requested |
4662 | An operation was performed on an object |
4663 | An attempt was made to access an object |
4664 | An attempt was made to create a hard link |
4665 | An attempt was made to create an application client context |
4666 | An application attempted an operation |
4667 | An application client context was deleted |
4668 | An application was initialized |
4670 | Permissions on an object were changed |
4671 | An application attempted to access a blocked ordinal through the TBS |
4672 | Special privileges assigned to new logon |
4673 | A privileged service was called |
4674 | An operation was attempted on a privileged object |
4675 | SIDs were filtered |
4688 | A new process has been created |
4689 | A process has exited |
4690 | An attempt was made to duplicate a handle to an object |
4691 | Indirect access to an object was requested |
4692 | Backup of data protection master key was attempted |
4693 | Recovery of data protection master key was attempted |
4694 | Protection of auditable protected data was attempted |
4695 | Unprotection of auditable protected data was attempted |
4696 | A primary token was assigned to process |
4697 | A service was installed in the system |
4698 | A scheduled task was created |
4699 | A scheduled task was deleted |
4700 | A scheduled task was enabled |
4701 | A scheduled task was disabled |
4702 | A scheduled task was updated |
4703 | A token right was adjusted |
4704 | A user right was assigned |
4705 | A user right was removed |
4706 | A new trust was created to a domain |
4707 | A trust to a domain was removed |
4709 | IPsec Services was started |
4710 | IPsec Services was disabled |
4711 | PAStore Engine (1%) |
4712 | IPsec Services encountered a potentially serious failure |
4713 | Kerberos policy was changed |
4714 | Encrypted data recovery policy was changed |
4715 | The audit policy (SACL) on an object was changed |
4716 | Trusted domain information was modified |
4717 | System security access was granted to an account |
4718 | System security access was removed from an account |
4719 | System audit policy was changed |
4720 | A user account was created |
4722 | A user account was enabled |
4723 | An attempt was made to change an account's password |
4724 | An attempt was made to reset an account's password |
4725 | A user account was disabled |
4726 | A user account was deleted |
4727 | A security-enabled global group was created |
4728 | A member was added to a security-enabled global group |
4729 | A member was removed from a security-enabled global group |
4730 | A security-enabled global group was deleted |
4731 | A security-enabled local group was created |
4732 | A member was added to a security-enabled local group |
4733 | A member was removed from a security-enabled local group |
4734 | A security-enabled local group was deleted |
4735 | A security-enabled local group was changed |
4737 | A security-enabled global group was changed |
4738 | A user account was changed |
4739 | Domain Policy was changed |
4740 | A user account was locked out |
4741 | A computer account was created |
4742 | A computer account was changed |
4743 | A computer account was deleted |
4744 | A security-disabled local group was created |
4745 | A security-disabled local group was changed |
4746 | A member was added to a security-disabled local group |
4747 | A member was removed from a security-disabled local group |
4748 | A security-disabled local group was deleted |
4749 | A security-disabled global group was created |
4750 | A security-disabled global group was changed |
4751 | A member was added to a security-disabled global group |
4752 | A member was removed from a security-disabled global group |
4753 | A security-disabled global group was deleted |
4754 | A security-enabled universal group was created |
4755 | A security-enabled universal group was changed |
4756 | A member was added to a security-enabled universal group |
4757 | A member was removed from a security-enabled universal group |
4758 | A security-enabled universal group was deleted |
4759 | A security-disabled universal group was created |
4760 | A security-disabled universal group was changed |
4761 | A member was added to a security-disabled universal group |
4762 | A member was removed from a security-disabled universal group |
4763 | A security-disabled universal group was deleted |
4764 | A group's type was changed |
4765 | SID History was added to an account |
4766 | An attempt to add SID History to an account failed |
4767 | A user account was unlocked |
4768 | A Kerberos authentication ticket (TGT) was requested |
4769 | A Kerberos service ticket was requested |
4770 | A Kerberos service ticket was renewed |
4771 | Kerberos pre-authentication failed |
4772 | A Kerberos authentication ticket request failed |
4773 | A Kerberos service ticket request failed |
4774 | An account was mapped for logon |
4775 | An account could not be mapped for logon |
4776 | The domain controller attempted to validate the credentials for an account |
4777 | The domain controller failed to validate the credentials for an account |
4778 | A session was reconnected to a Window Station |
4779 | A session was disconnected from a Window Station |
4780 | The ACL was set on accounts which are members of administrators groups |
4781 | The name of an account was changed |
4782 | The password hash of an account was accessed |
4783 | A basic application group was created |
4784 | A basic application group was changed |
4785 | A member was added to a basic application group |
4786 | A member was removed from a basic application group |
4787 | A non-member was added to a basic application group |
4788 | A non-member was removed from a basic application group |
4789 | A basic application group was deleted |
4790 | An LDAP query group was created |
4791 | An LDAP query group was changed |
4792 | An LDAP query group was deleted |
4793 | The Password Policy Checking API was called |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password |
4797 | An attempt was made to query the existence of a blank password for an account |
4798 | A user's local group membership was enumerated |
4799 | A security-enabled local group membership was enumerated |
4800 | The workstation was locked |
4801 | The workstation was unlocked |
4802 | The screen saver was invoked |
4803 | The screen saver was dismissed |
4816 | RPC detected an integrity violation while decrypting an incoming message |
4817 | Auditing settings on object were changed |
4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |
4819 | Central Access Policies on the machine have been changed |
4820 | A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions |
4821 | A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions |
4822 | NTLM authentication failed because the account was a member of the Protected Users group |
4823 | NTLM authentication failed because access control restrictions are required |
4824 | Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected Users group |
4825 | A user was denied access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group |
4826 | Boot Configuration Data loaded |
4830 | SID History was removed from an account |
4864 | A namespace collision was detected |
4865 | A trusted forest information entry was added |
4866 | A trusted forest information entry was removed |
4867 | A trusted forest information entry was modified |
4868 | The certificate manager denied a pending certificate request |
4869 | Certificate Services received a resubmitted certificate request |
4870 | Certificate Services revoked a certificate |
4871 | Certificate Services received a request to publish the certificate revocation list (CRL) |
4872 | Certificate Services published the certificate revocation list (CRL) |
4873 | A certificate request extension changed |
4874 | One or more certificate request attributes changed |
4875 | Certificate Services received a request to shut down |
4876 | Certificate Services backup started |
4877 | Certificate Services backup completed |
4878 | Certificate Services restore started |
4879 | Certificate Services restore completed |
4880 | Certificate Services started |
4881 | Certificate Services stopped |
4882 | The security permissions for Certificate Services changed |
4883 | Certificate Services retrieved an archived key |
4884 | Certificate Services imported a certificate into its database |
4885 | The audit filter for Certificate Services changed |
4886 | Certificate Services received a certificate request |
4887 | Certificate Services approved a certificate request and issued a certificate |
4888 | Certificate Services denied a certificate request |
4889 | Certificate Services set the status of a certificate request to pending |
4890 | The certificate manager settings for Certificate Services changed |
4891 | A configuration entry changed in Certificate Services |
4892 | A property of Certificate Services changed |
4893 | Certificate Services archived a key |
4894 | Certificate Services imported and archived a key |
4895 | Certificate Services published the CA certificate to Active Directory Domain Services |
4896 | One or more rows have been deleted from the certificate database |
4897 | Role separation enabled |
4898 | Certificate Services loaded a template |
4899 | A Certificate Services template was updated |
4900 | Certificate Services template security was updated |
4902 | The Per-user audit policy table was created |
4904 | An attempt was made to register a security event source |
4905 | An attempt was made to unregister a security event source |
4906 | The CrashOnAuditFail value has changed |
4907 | Auditing settings on object were changed |
4908 | Special Groups Logon table modified |
4909 | The local policy settings for the TBS were changed |
4910 | The group policy settings for the TBS were changed |
4911 | Resource attributes of the object were changed |
4912 | Per User Audit Policy was changed |
4913 | Central Access Policy on the object was changed |
4928 | An Active Directory replica source naming context was established |
4929 | An Active Directory replica source naming context was removed |
4930 | An Active Directory replica source naming context was modified |
4931 | An Active Directory replica destination naming context was modified |
4932 | Synchronization of a replica of an Active Directory naming context has begun |
4933 | Synchronization of a replica of an Active Directory naming context has ended |
4934 | Attributes of an Active Directory object were replicated |
4935 | Replication failure begins |
4936 | Replication failure ends |
4937 | A lingering object was removed from a replica |
4944 | The following policy was active when the Windows Firewall started |
4945 | A rule was listed when the Windows Firewall started |
4946 | A change has been made to Windows Firewall exception list. A rule was added |
4947 | A change has been made to Windows Firewall exception list. A rule was modified |
4948 | A change has been made to Windows Firewall exception list. A rule was deleted |
4949 | Windows Firewall settings were restored to the default values |
4950 | A Windows Firewall setting has changed |
4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall |
4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall |
4953 | A rule has been ignored by Windows Firewall because it could not parse the rule |
4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied |
4956 | Windows Firewall has changed the active profile |
4957 | Windows Firewall did not apply the following rule |
4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer |
4960 | IPsec dropped an inbound packet that failed an integrity check |
4961 | IPsec dropped an inbound packet that failed a replay check |
4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay |
4963 | IPsec dropped an inbound clear text packet that should have been secured |
4964 | Special groups have been assigned to a new logon |
4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) |
4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet |
4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet |
4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet |
4979 | IPsec Main Mode and Extended Mode security associations were established |
4980 | IPsec Main Mode and Extended Mode security associations were established |
4981 | IPsec Main Mode and Extended Mode security associations were established |
4982 | IPsec Main Mode and Extended Mode security associations were established |
4983 | An IPsec Extended Mode negotiation failed |
4984 | An IPsec Extended Mode negotiation failed |
4985 | The state of a transaction has changed |
5024 | The Windows Firewall Service has started successfully |
5025 | The Windows Firewall Service has been stopped |
5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage |
5028 | The Windows Firewall Service was unable to parse the new security policy |
5029 | The Windows Firewall Service failed to initialize the driver |
5030 | The Windows Firewall Service failed to start |
5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network |
5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network |
5033 | The Windows Firewall Driver has started successfully |
5034 | The Windows Firewall Driver has been stopped |
5035 | The Windows Firewall Driver failed to start |
5037 | The Windows Firewall Driver detected critical runtime error. Terminating |
5038 | Code integrity determined that the image hash of a file is not valid |
5039 | A registry key was virtualized |
5040 | A change has been made to IPsec settings. An Authentication Set was added |
5041 | A change has been made to IPsec settings. An Authentication Set was modified |
5042 | A change has been made to IPsec settings. An Authentication Set was deleted |
5043 | A change has been made to IPsec settings. A Connection Security Rule was added |
5044 | A change has been made to IPsec settings. A Connection Security Rule was modified |
5045 | A change has been made to IPsec settings. A Connection Security Rule was deleted |
5046 | A change has been made to IPsec settings. A Crypto Set was added |
5047 | A change has been made to IPsec settings. A Crypto Set was modified |
5048 | A change has been made to IPsec settings. A Crypto Set was deleted |
5049 | An IPsec Security Association was deleted |
5050 | An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) |
5051 | A file was virtualized |
5056 | A cryptographic self test was performed |
5057 | A cryptographic primitive operation failed |
5058 | Key file operation |
5059 | Key migration operation |
5060 | Verification operation failed |
5061 | Cryptographic operation |
5062 | A kernel-mode cryptographic self test was performed |
5063 | A cryptographic provider operation was attempted |
5064 | A cryptographic context operation was attempted |
5065 | A cryptographic context modification was attempted |
5066 | A cryptographic function operation was attempted |
5067 | A cryptographic function modification was attempted |
5068 | A cryptographic function provider operation was attempted |
5069 | A cryptographic function property operation was attempted |
5070 | A cryptographic function property modification was attempted |
5071 | Key access denied by Microsoft key distribution service |
5120 | OCSP Responder Service started |
5121 | OCSP Responder Service stopped |
5122 | A configuration entry changed in the OCSP Responder Service |
5123 | A configuration entry changed in the OCSP Responder Service |
5124 | A security setting was updated on the OCSP Responder Service |
5125 | A request was submitted to the OCSP Responder Service |
5126 | Signing certificate was automatically updated by the OCSP Responder Service |
5127 | The OCSP Revocation Provider successfully updated the revocation information |
5136 | A directory service object was modified |
5137 | A directory service object was created |
5138 | A directory service object was undeleted |
5139 | A directory service object was moved |
5140 | A network share object was accessed |
5141 | A directory service object was deleted |
5142 | A network share object was added |
5143 | A network share object was modified |
5144 | A network share object was deleted |
5145 | A network share object was checked to see whether client can be granted desired access |
5146 | The Windows Filtering Platform has blocked a packet |
5147 | A more restrictive Windows Filtering Platform filter has blocked a packet |
5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded |
5149 | The DoS attack has subsided and normal processing is being resumed |
5150 | The Windows Filtering Platform has blocked a packet |
5151 | A more restrictive Windows Filtering Platform filter has blocked a packet |
5152 | The Windows Filtering Platform blocked a packet |
5153 | A more restrictive Windows Filtering Platform filter has blocked a packet |
5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections |
5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections |
5156 | The Windows Filtering Platform has allowed a connection |
5157 | The Windows Filtering Platform has blocked a connection |
5158 | The Windows Filtering Platform has permitted a bind to a local port |
5159 | The Windows Filtering Platform has blocked a bind to a local port |
5168 | SPN check for SMB/SMB2 failed |
5169 | A directory service object was modified |
5170 | A directory service object was modified during a background cleanup task |
5376 | Credential Manager credentials were backed up |
5377 | Credential Manager credentials were restored from a backup |
5378 | The requested credentials delegation was disallowed by policy |
5379 | Credential Manager credentials were read |
5380 | Vault Find Credential |
5381 | Vault credentials were read |
5382 | Vault credentials were read |
5440 | The following callout was present when the Windows Filtering Platform Base Filtering Engine started |
5441 | The following filter was present when the Windows Filtering Platform Base Filtering Engine started |
5442 | The following provider was present when the Windows Filtering Platform Base Filtering Engine started |
5443 | The following provider context was present when the Windows Filtering Platform Base Filtering Engine started |
5444 | The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started |
5446 | A Windows Filtering Platform callout has been changed |
5447 | A Windows Filtering Platform filter has been changed |
5448 | A Windows Filtering Platform provider has been changed |
5449 | A Windows Filtering Platform provider context has been changed |
5450 | A Windows Filtering Platform sub-layer has been changed |
5451 | An IPsec Quick Mode security association was established |
5452 | An IPsec Quick Mode security association ended |
5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started |
5456 | PAStore Engine applied Active Directory storage IPsec policy on the computer |
5457 | PAStore Engine failed to apply Active Directory storage IPsec policy on the computer |
5458 | PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer |
5459 | PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer |
5460 | PAStore Engine applied local registry storage IPsec policy on the computer |
5461 | PAStore Engine failed to apply local registry storage IPsec policy on the computer |
5462 | PAStore Engine failed to apply some rules of the active IPsec policy on the computer |
5463 | PAStore Engine polled for changes to the active IPsec policy and detected no changes |
5464 | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services |
5465 | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully |
5466 | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead |
5467 | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy |
5468 | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes |
5471 | PAStore Engine loaded local storage IPsec policy on the computer |
5472 | PAStore Engine failed to load local storage IPsec policy on the computer |
5473 | PAStore Engine loaded directory storage IPsec policy on the computer |
5474 | PAStore Engine failed to load directory storage IPsec policy on the computer |
5477 | PAStore Engine failed to add quick mode filter |
5478 | IPsec Services has started successfully |
5479 | IPsec Services has been shut down successfully |
5480 | IPsec Services failed to get the complete list of network interfaces on the computer |
5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started |
5484 | IPsec Services has experienced a critical failure and has been shut down |
5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces |
5632 | A request was made to authenticate to a wireless network |
5633 | A request was made to authenticate to a wired network |
5712 | A Remote Procedure Call (RPC) was attempted |
5888 | An object in the COM+ Catalog was modified |
5889 | An object was deleted from the COM+ Catalog |
5890 | An object was added to the COM+ Catalog |
6144 | Security policy in the group policy objects has been applied successfully |
6145 | One or more errors occurred while processing security policy in the group policy objects |
6272 | Network Policy Server granted access to a user |
6273 | Network Policy Server denied access to a user |
6274 | Network Policy Server discarded the request for a user |
6275 | Network Policy Server discarded the accounting request for a user |
6276 | Network Policy Server quarantined a user |
6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy |
6278 | Network Policy Server granted full access to a user because the host met the defined health policy |
6279 | Network Policy Server locked the user account due to repeated failed authentication attempts |
6280 | Network Policy Server unlocked the user account |
6281 | Code Integrity determined that the page hashes of an image file are not valid |
6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content |
6401 | BranchCache: Received invalid data from a peer. Data discarded |
6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted |
6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data |
6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate |
6405 | BranchCache: %2 instance(s) of event id %1 occurred |
6406 | %1 registered to Windows Firewall to control filtering for the following: |
6407 | 1% |
6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |
6409 | BranchCache: A service connection point object could not be parsed |
6410 | Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues |
6416 | A new external device was recognized by the system |
6417 | The FIPS mode crypto selftests succeeded |
6418 | The FIPS mode crypto selftests failed |
6419 | A request was made to disable a device |
6420 | A device was disabled |
6421 | A request was made to enable a device |
6422 | A device was enabled |
6423 | The installation of this device is forbidden by system policy |
6424 | The installation of this device was allowed, after having previously been forbidden by policy |
8191 | Highest System-Defined Audit Message Value |
All of these events can be viewed in Event Viewer: open the Start menu and search for Event Viewer. The Windows Logs node contains the Application, Security, Setup, System and Forwarded Events logs.
This article has covered the Security log, which is the most important one for auditing. A Security event is written whenever an activity covered by the audit policy occurs, such as a logon, a use of privilege, or a change to an account, group or object. What gets recorded depends entirely on the audit policy that is configured, so the absence of an event may mean that auditing was never enabled for that category rather than that nothing happened; review the audit policy as regularly as the log itself.
A security event is a change in how a network or IT service is normally used that may indicate a security policy has been violated or a security control has failed.
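Individual IDs from the table become useful once they are joined with each other. The following is an added example, not code from the original page: it parses Security events in the XML form that `wevtutil qe Security /f:xml` and `Get-WinEvent` (`.ToXml()`) emit, then applies four correlations that an analyst would run first: a run of 4625 failures from one address followed by a 4624 success from it; a 4624 whose TargetLogonId matches the SubjectLogonId of a 4672 (admin-equivalent privileges) over a network logon type; a 4720 account creation followed shortly by a 4732 membership add; and any 1102. The records, host name, addresses and logon IDs are constructed samples, and the assumption that 4732 carries a populated MemberName (on real systems it is often "-" with only MemberSid set) is noted in the code.

```python
"""Correlate Windows Security-log event IDs over records in the XML form that
wevtutil (qe Security /f:xml) or Get-WinEvent (.ToXml()) produce.
The records below are constructed samples, not real exports."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, time, **data):
    """Build a constructed record in Windows event XML; field names match the real events."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            '<Channel>Security</Channel><Computer>WS01</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Flatten one event into a dict: id, time (aware UTC) plus every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    event = {"id": int(system.find("e:EventID", NS).text),
             "time": datetime.fromisoformat(stamp)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text
    return event


def analyze(xml_records, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (rule, subject, detail) alerts from the ID correlations described above."""
    events = sorted((parse_event(x) for x in xml_records), key=lambda e: e["time"])
    # 4672 is written alongside the 4624 it belongs to; join them on the logon ID.
    privileged_logons = {e.get("SubjectLogonId") for e in events if e["id"] == 4672}
    failures = defaultdict(list)   # 4625 source address -> failure times
    created = {}                   # 4720 new account name -> creation time
    alerts = []
    for e in events:
        if e["id"] == 4625:
            failures[e.get("IpAddress")].append(e["time"])
        elif e["id"] == 4624:
            ip = e.get("IpAddress")
            recent = [t for t in failures.get(ip, []) if e["time"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_success", ip, e.get("TargetUserName")))
            # LogonType 3 (network) / 10 (RemoteInteractive) with admin-equivalent privileges
            if e.get("TargetLogonId") in privileged_logons and e.get("LogonType") in ("3", "10"):
                alerts.append(("privileged_remote_logon", ip, e.get("TargetUserName")))
        elif e["id"] == 4720:
            created[e.get("TargetUserName")] = e["time"]
        elif e["id"] == 4732:
            # Assumption: MemberName is populated; real events often carry only MemberSid.
            member = (e.get("MemberName") or "").split("\\")[-1]
            if member in created and e["time"] - created[member] <= window:
                alerts.append(("new_account_added_to_group", member, e.get("TargetUserName")))
        elif e["id"] == 1102:
            alerts.append(("audit_log_cleared", e.get("SubjectUserName"), None))
    return alerts


T = "2024-03-01T08:%02d:%02dZ"
SAMPLE = (
    [make_event(4625, T % (0, 10 * i), TargetUserName="alice", IpAddress="203.0.113.7",
                LogonType="3", Status="0xC000006D") for i in range(5)]
    + [make_event(4624, T % (1, 0), TargetUserName="alice", IpAddress="203.0.113.7",
                  LogonType="3", TargetLogonId="0x3e7a1"),
       make_event(4672, T % (1, 0), SubjectUserName="alice", SubjectLogonId="0x3e7a1",
                  PrivilegeList="SeDebugPrivilege"),
       make_event(4720, T % (5, 0), SubjectUserName="alice", TargetUserName="svc_backup"),
       make_event(4732, T % (5, 30), SubjectUserName="alice", MemberName="WS01\\svc_backup",
                  TargetUserName="Administrators"),
       make_event(1102, T % (10, 0), SubjectUserName="alice"),
       # benign console logon with no matching 4672: must not alert
       make_event(4624, "2024-03-01T09:00:00Z", TargetUserName="bob", IpAddress="127.0.0.1",
                  LogonType="2", TargetLogonId="0x41c22")])

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

On a live system the same records can be produced with `wevtutil qe Security /f:xml /q:"*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4720 or EventID=4732 or EventID=1102)]]"` and fed to `analyze`; the thresholds and the five-minute window are starting points to tune against the normal failure rate of the host.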
Monitoring of IT infrastructure and log analysis is attracting more and more attention, and security event monitoring is usually the first thing people think about; that is the subject of this article. Although a great deal has already been said and written on the topic, it keeps raising more questions. So we decided to translate the "Critical Log Review Checklist for Security Incidents" by Anton Chuvakin and Lenny Zeltser. It will be useful both to those who are just starting out with security event monitoring and to those who have been doing it for a long time and want to check once more that they are not missing anything.
This checklist presents the actions needed if you want to monitor the logs of your security systems and respond promptly to security incidents, along with a list of possible sources and events that may be of interest for analysis.
General approach
- Identify which log sources and automated tools you can use for the analysis
- Copy the log records to a single location where you can review and process all of them
- Create rules for deciding which events you need, so that log "noise" can be reduced automatically
- Determine whether the log timestamps can be relied on; take time zone differences into account
- Pay attention to recent changes, failures, errors, status changes, access and other events that are unusual for your IT environment
- Go back through the event history to reconstruct the activity before and after the incident
- Correlate activity across different logs to get the full picture
- Form a hypothesis about what happened; examine the logs to confirm or refute it
Potential sources of security logs
- Operating system logs of servers and workstations
- Application logs (e.g. web server, database server)
- Security tool logs (e.g. antivirus, change detection tools, intrusion detection/prevention systems)
- Outbound proxy logs and end-user application logs
- Remember to consider other sources of security events that are not in the logs
Standard log locations
- Linux operating system and core applications: /var/log
- Windows operating system and core applications: Windows Event Log (Security, System, Application)
- Network devices: usually logged via syslog; some use their own location and formats
What to look for in Linux logs
Event | Example log entry |
---|---|
Successful login | "Accepted password", "Accepted publickey", "session opened" |
Failed login attempts | "authentication failure", "failed password" |
Session end | "session closed" |
Account change | "password changed", "new user", "delete user" |
Sudo actions | "sudo:… COMMAND=…", "FAILED su" |
Service failures | "failed" or "failure" |
What to look for in Windows logs
The event IDs listed below are for Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10. (The original article mostly uses the IDs for Windows 2003 and earlier, which can be obtained by subtracting 4096 from the EventID values given below.)
Most of the events below are in the Security log (Windows Event Log: Security), but some are recorded only on a domain controller.
Event type | EventID |
---|---|
Logon and logoff events | Successful logon 4624; failed logon 4625; logoff 4634, 4647, etc. |
Account changes | Created 4720; enabled 4722; changed 4738; disabled 4725; deleted 4726 |
Password changes | 4724, 4723 |
Service started or stopped | 7035, 7036, etc. (these are in the System log, from the Service Control Manager); a service installation is also recorded in the Security log as 4697 |
Object access | 4656, 4663 |
What to look for in network device logs
Review both the inbound and the outbound activity of your network devices.
The examples below are excerpts from Cisco ASA logs, but other devices have similar functionality.
Event | Example log entry |
---|---|
Traffic allowed by the firewall | "Built… connection", "access-list… permitted" |
Traffic blocked by the firewall | "access-list… denied", "deny Inbound"; "Deny …by" |
Traffic volume (in bytes) | "Teardown TCP connection… duration… bytes…" |
Bandwidth and protocol usage | "limit… exceeded", "CPU utilization" |
Attack detection | "attack from" |
Account changes | "user added", "user deleted", "User priv level changed" |
Administrator access | "AAA user…", "User… locked out", "login failed" |
What to look for in web server logs
- Excessive access attempts to non-existent files
- Code (SQL, HTML) as part of the URL
- Access to extensions you did not install
- Web service stop/start/failure messages
- Access to "risky" pages that accept user input
- Status code 200 (successful request) on files that are not yours
- Authentication failure: status codes 401, 403
- Invalid request: status code 400
- Internal server error: status code 500
Useful links
Windows event examples for each EventID:
EventID.Net
Windows Security log reference:
Windows Security Log Encyclopedia
List of log analysis tools:
Best Log Management Tools
Other cheat sheets related to security incident response, on the blog of one of the original article's authors:
IT and Information Security Cheat Sheets
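The checklist's "copy everything to one place", "check the timestamps and time zones" and "correlate across logs" steps, together with the Linux and network-device keyword tables above, can be turned into a small merge-and-classify tool. The block below is an added example, not part of the original checklist: it normalizes syslog lines (no year, no zone) and Cisco ASA lines (year but no zone) to UTC using a per-source time zone, labels each line with the keywords from the two tables, and then checks whether an SSH login accepted by a Linux host was preceded within a minute by the firewall permitting that address to port 22. The log lines, host names, addresses and time zone offsets are constructed; the ASA lines assume the device's `logging timestamp` format.

```python
"""Merge Linux auth logs and Cisco ASA syslog into one UTC timeline, classify each
line with the checklist keywords, and correlate across the two sources.
All sample lines, hosts, addresses and time zones are constructed assumptions."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Keyword patterns from the Linux and network-device tables above; first match wins.
LINUX_PATTERNS = [
    ("login_ok", re.compile(r"Accepted (password|publickey)|session opened")),
    ("login_fail", re.compile(r"authentication failure|Failed password", re.I)),
    ("session_end", re.compile(r"session closed")),
    ("account_change", re.compile(r"password changed|new user|delete user")),
    ("sudo", re.compile(r"sudo:.*COMMAND=|FAILED su")),
    ("failure", re.compile(r"failed|failure", re.I)),   # catch-all, so it goes last
]
ASA_PATTERNS = [
    ("fw_permit", re.compile(r"Built .*connection|access-list .*permitted")),
    ("fw_deny", re.compile(r"access-list .*denied|Deny inbound|Deny .*by", re.I)),
    ("fw_teardown", re.compile(r"Teardown TCP connection.*duration.*bytes")),
    ("resource", re.compile(r"limit .*exceeded|CPU utilization")),
    ("attack", re.compile(r"attack from")),
    ("account_change", re.compile(r"user added|user deleted|User priv level changed", re.I)),
    ("admin_access", re.compile(r"AAA user|User .*locked out|login failed", re.I)),
]
# Traditional syslog stamps carry neither year nor zone; ASA stamps carry the year only.
SYSLOG_LINE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
ASA_LINE = re.compile(r"^(\w{3}) (\d\d) (\d{4}) (\d\d:\d\d:\d\d): (%ASA-\d-\d+): (.*)$")


def classify(message, patterns):
    for label, pattern in patterns:
        if pattern.search(message):
            return label
    return "other"


def parse_syslog(line, year, tz):
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    mon, day, hms, host, msg = m.groups()
    local = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return local.replace(tzinfo=tz).astimezone(timezone.utc), host, msg


def parse_asa(line, tz):
    m = ASA_LINE.match(line)
    if not m:
        return None
    mon, day, year, hms, msgid, msg = m.groups()
    local = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return local.replace(tzinfo=tz).astimezone(timezone.utc), msgid, msg


def build_timeline(linux_lines, asa_lines, linux_tz, asa_tz, year):
    """Rows of (utc_time, source, origin, label, message) sorted into one timeline."""
    rows = []
    for line in linux_lines:
        parsed = parse_syslog(line, year, linux_tz)
        if parsed:
            ts, host, msg = parsed
            rows.append((ts, "linux", host, classify(msg, LINUX_PATTERNS), msg))
    for line in asa_lines:
        parsed = parse_asa(line, asa_tz)
        if parsed:
            ts, msgid, msg = parsed
            rows.append((ts, "asa", msgid, classify(msg, ASA_PATTERNS), msg))
    return sorted(rows, key=lambda r: r[0])


def summarize(timeline):
    return Counter((source, label) for _, source, _, label, _ in timeline)


SSH_ACCEPT = re.compile(r"Accepted \w+ for (\S+) from ([\d.]+)")
ASA_BUILT_22 = re.compile(r"Built inbound TCP connection \d+ for \w+:([\d.]+)/\d+ .* to \w+:[\d.]+/22 ")


def correlate_ssh_with_firewall(timeline, window=timedelta(seconds=60)):
    """(user, ip) pairs where the ASA permitted a connection to port 22 from ip
    shortly before a Linux host accepted an SSH login from that ip."""
    permits = [(ts, m.group(1)) for ts, source, _, label, msg in timeline
               if source == "asa" and label == "fw_permit" and (m := ASA_BUILT_22.search(msg))]
    hits = []
    for ts, source, _, label, msg in timeline:
        if source == "linux" and label == "login_ok":
            m = SSH_ACCEPT.search(msg)
            if m and any(ip == m.group(2) and timedelta(0) <= ts - pts <= window for pts, ip in permits):
                hits.append((m.group(1), m.group(2)))
    return hits


LINUX_TZ = timezone(timedelta(hours=3))   # assumed: host clock set to UTC+3
ASA_TZ = timezone.utc                     # assumed: firewall logs in UTC
LINUX_SAMPLE = [  # constructed
    "Mar  1 07:59:50 web01 sshd[2190]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2",
    "Mar  1 07:59:55 web01 sshd[2190]: Failed password for root from 203.0.113.7 port 51201 ssh2",
    "Mar  1 08:00:10 web01 sshd[2201]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2",
    "Mar  1 08:00:10 web01 sshd[2201]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "Mar  1 08:00:31 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar  1 08:02:00 web01 useradd[2250]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash",
]
ASA_SAMPLE = [  # constructed
    'Mar 01 2024 04:59:48: %ASA-4-106023: Deny tcp src outside:203.0.113.7/51190 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]',
    "Mar 01 2024 05:00:05: %ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "Mar 01 2024 05:03:40: %ASA-6-302014: Teardown TCP connection 12 for outside:203.0.113.7/51234 to inside:10.0.0.5/22 duration 0:03:35 bytes 48213 TCP FINs",
    "Mar 01 2024 05:04:02: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin",
]

if __name__ == "__main__":
    timeline = build_timeline(LINUX_SAMPLE, ASA_SAMPLE, LINUX_TZ, ASA_TZ, 2024)
    for ts, source, origin, label, msg in timeline:
        print(ts.isoformat(), source, origin, label, msg[:60])
    print(summarize(timeline))
    print(correlate_ssh_with_firewall(timeline))
```

The year and the two zone offsets are inputs precisely because the checklist says to verify them: with the Linux host's UTC+3 clock taken as UTC, the accepted login lands three hours after the firewall permit and the correlation finds nothing. Pattern order matters too; the generic "failed/failure" rule is last so that "Failed password" is labelled as a login failure rather than as a service failure.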
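The web server items above are cheap to check mechanically on a Combined Log Format access log. The block below is an added example, not part of the original checklist: it parses each line, counts status codes (the 400/401/403/500 items), flags clients with repeated 404s (access attempts to non-existent files), searches the URL-decoded request for SQL, HTML or traversal fragments (code as part of the URL), and lists 200 responses for extensions the site is not expected to serve (files that are not yours, such as an uploaded script). The log lines are constructed, and both the injection keyword list and the set of expected extensions are assumptions to be tuned per site.

```python
"""Review a web server access log (Combined Log Format) for the indicators in the
checklist above. Log lines are constructed samples; the injection keyword list and
the set of 'expected' file extensions are assumptions to tune per site."""
import os
import re
from collections import Counter
from urllib.parse import unquote

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
# "Code as part of the URL": SQL / HTML / traversal fragments, checked after URL-decoding.
INJECTION = re.compile(r"union\s+select|'\s*or\s+|<script|\.\./", re.I)
EXPECTED_EXT = {"", ".html", ".css", ".js", ".png", ".jpg", ".ico"}   # assumed for this site


def parse_line(line):
    m = CLF.match(line)
    return m.groupdict() if m else None


def review_access_log(lines, notfound_threshold=3):
    """Apply the checklist items to the lines and return the findings."""
    status_counts = Counter()
    notfound_by_ip = Counter()
    injection, unexpected_200 = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:            # not CLF: keep going, but a real tool should count these
            continue
        status_counts[rec["status"]] += 1
        raw_path = rec["path"].split("?", 1)[0]
        decoded = unquote(rec["path"])
        if INJECTION.search(decoded):
            injection.append((rec["ip"], decoded))
        if rec["status"] == "404":
            notfound_by_ip[rec["ip"]] += 1
        if rec["status"] == "200" and os.path.splitext(raw_path)[1].lower() not in EXPECTED_EXT:
            unexpected_200.append(raw_path)
    return {
        "status_counts": status_counts,
        "scanners": sorted(ip for ip, n in notfound_by_ip.items() if n >= notfound_threshold),
        "injection": injection,
        "unexpected_200": unexpected_200,
    }


UA = '"-" "Mozilla/5.0"'
SAMPLE_LOG = [  # constructed
    f'203.0.113.9 - - [01/Mar/2024:08:10:01 +0000] "GET / HTTP/1.1" 200 5120 {UA}',
    f'203.0.113.9 - - [01/Mar/2024:08:10:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 {UA}',
    f'203.0.113.9 - - [01/Mar/2024:08:10:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 {UA}',
    f'203.0.113.9 - - [01/Mar/2024:08:10:03 +0000] "GET /.env HTTP/1.1" 404 210 {UA}',
    f'203.0.113.9 - - [01/Mar/2024:08:10:04 +0000] "GET /admin/ HTTP/1.1" 403 199 {UA}',
    f'198.51.100.4 - - [01/Mar/2024:08:12:40 +0000] "GET /search?q=%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 612 {UA}',
    f'198.51.100.4 - - [01/Mar/2024:08:12:41 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 400 87 {UA}',
    f'10.0.0.8 - - [01/Mar/2024:08:15:00 +0000] "GET /uploads/shell.php HTTP/1.1" 200 312 {UA}',
    f'192.0.2.3 - - [01/Mar/2024:08:16:22 +0000] "POST /login HTTP/1.1" 401 87 {UA}',
    f'192.0.2.3 - - [01/Mar/2024:08:16:30 +0000] "GET /index.html HTTP/1.1" 200 5120 {UA}',
]

if __name__ == "__main__":
    for key, value in review_access_log(SAMPLE_LOG).items():
        print(key, value)
```

The 404 threshold separates a user mistyping one URL from a scanner walking a wordlist; the "unexpected 200" check is the one that catches a web shell that has already been uploaded, which no 4xx/5xx count will show.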
Windows event logging provides detailed information like source, username, computer, type of event, and level, and shows a log of application and system messages, including errors, information messages, and warnings.
Microsoft has kept increasing the efficiency and effectiveness of its auditing facilities over the years. Modern Windows systems can log vast amounts of information with minimal system impact.
Configuring adequate logging on Windows systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step toward ensuring that your environment can support effective incident response.
Event Log Format
Modern Windows systems store logs in the %SystemRoot%\System32\winevt\logs directory by default in the binary XML Windows Event Logging format, designated by the .evtx extension. Logs can also be stored remotely using log subscriptions.
Events can be logged in the Security, System and Application event logs or, on modern Windows systems, they may also appear in several other log files. The Setup event log records activities that occurred during the installation of Windows.
The Forwarded Logs event log is the default location to record events received from other systems. But there are also many additional logs, listed under Applications and Services Logs in Event Viewer, that record details related to specific types of activities.
- Log Name: The name of the Event Log where the event is stored. Useful when processing numerous logs pulled from the same system.
- Source: The service, Microsoft component or application that generated the event.
- Event ID: A code assigned to each type of audited activity.
- Level: The severity assigned to the event in question.
- User: The user account involved in triggering the activity or the user context that the source was running as when it logged the event. Note that this field often indicates “System” or a user that is not the cause of the event being recorded.
- OpCode: Assigned by the source generating the log. Its meaning is left to the source.
- Logged: The local system date and time when the event was logged.
- Task Category: Assigned by the source generating the log. Its meaning is left to the source.
- Keywords: Assigned by the source and used to group or sort events.
- Computer: The computer on which the event was logged. This is useful when examining logs collected from multiple systems, but should not be considered to be the device that caused an event (such as when a remote logon is initiated, the Computer field will still show the name of the system logging the event, not the source of the connection).
- Description: A text block where additional information specific to the event being logged is recorded. This is often the most significant field for the analyst.
- Account Management Events
- Account Logon and Logon Events
- Common Event ID 4768 result codes
- Logon event type code descriptions
- Common logon failure status codes
- Access to Shared Objects
- Scheduled Task Logging
- Object Access Auditing
- Audit Policy Changes
- Auditing Windows Services
- Wireless LAN Auditing
- Process Tracking
- Additional Program Execution Logging
- Auditing PowerShell Use
Account Management Events
The following events will be recorded on the system where the account was created or modified, which will be the local system for a local account or a domain controller for a domain account.
Event ID | Description |
---|---|
4720 | A user account was created. |
4722 | A user account was enabled. |
4723 | A user attempted to change an account’s password. |
4724 | An attempt was made to reset an account’s password. |
4725 | A user account was disabled. |
4726 | A user account was deleted. |
4727 | A security-enabled global group was created. |
4728 | A member was added to a security-enabled global group. |
4729 | A member was removed from a security-enabled global group. |
4730 | A security-enabled global group was deleted. |
4731 | A security-enabled local group was created. |
4732 | A member was added to a security-enabled local group. |
4733 | A member was removed from a security-enabled local group. |
4734 | A security-enabled local group was deleted. |
4735 | A security-enabled local group was changed. |
4737 | A security-enabled global group was changed. |
4738 | A user account was changed. |
4741 | A computer account was created. |
4742 | A computer account was changed. |
4743 | A computer account was deleted. |
4754 | A security-enabled universal group was created. |
4755 | A security-enabled universal group was changed. |
4756 | A member was added to a security-enabled universal group. |
4757 | A member was removed from a security-enabled universal group. |
4758 | A security-enabled universal group was deleted. |
4798 | A user’s local group membership was enumerated. Large numbers of these events may be indicative of adversary account enumeration. |
4799 | A security-enabled local group membership was enumerated. Large numbers of these events may be indicative of adversary group enumeration. |
Account Logon and Logon Events
Account Logon is the Microsoft term for authentication. Logon is the term used to refer to an account gaining access to a resource. Both Account Logon and Logon events will be recorded in the Security event log. Authentication (account logon) of domain accounts is performed by a domain controller within a Windows network. Local accounts (those that exist within a local SAM file rather than as a part of Active Directory) are authenticated by the local system where they exist. Account logon events will be logged by the system that performs the authentication. Auditing of Account Logon and Logon events is easily set by Group Policy. While Microsoft continues to enable more logging by default as new versions of Windows are released, administrators should review their audit policies on a regular basis to ensure that all systems are generating adequate logs. The ability to store event logs on remote systems (either using the native Microsoft remote logging features or third-party SIEM tools or other tools) helps safeguard logs from alteration or destruction.
Event IDs of particular interest on domain controllers, which authenticate domain users, include:
Event ID | Description |
---|---|
4768 | The successful issuance of a TGT shows that a user account was authenticated by the domain controller. The Network Information section of the event description contains additional information about the remote host in the event of a remote logon attempt. The Keywords field indicates whether the authentication attempt was successful or failed. In the event of a failed authentication attempt, the result code in the event description provides additional information about the reason for the failure, as specified in RFC 4120. Some of the more commonly encountered codes are: |
Common Event ID 4768 Result Codes
Decimal | Hex | Meaning |
---|---|---|
6 | 0x6 | Username not valid. |
12 | 0xC | Policy restriction prohibiting this logon (such as a workstation restriction or time-of-day restriction). |
18 | 0x12 | The account is locked out, disabled, or expired. |
23 | 0x17 | The account’s password is expired. |
24 | 0x18 | The password is incorrect. |
32 | 0x20 | The ticket has expired (common on computer accounts). |
37 | 0x25 | The clock skew is too great. |
Source: Microsoft
Event ID | Description |
---|---|
4769 | A service ticket was requested by a user account for a specified resource. This event description shows the source IP of the system that made the request, the user account used, and the service to be accessed. These events provide a useful source of evidence as they track authenticated user access across the network. |
4770 | A service ticket was renewed. The account name, service name, client IP address, and encryption type are recorded. |
4771 | Depending on the reason for a failed Kerberos logon, either Event ID 4768 or Event ID 4771 is created. In either case, the result code in the event description provides additional information about the reason for the failure. |
4776 | This event ID is recorded for NTLM authentication attempts. The Network Information section of the event description contains additional information about the remote host in the event of a remote logon attempt. The Keywords field indicates whether the authentication attempt succeeded or failed. |
Common Event ID 4776 Error Code Descriptions
Error Code | Meaning |
---|---|
0xC0000064 | The username is incorrect. |
0xC000006A | The password is incorrect. |
0xC000006D | Generic logon failure. Possibly bad username or password or mismatch in the LAN Manager Authentication Level between the source and target computers. |
0xC000006F | Account logon outside authorized hours. |
0xC0000070 | Account logon from unauthorized workstation. |
0xC0000071 | Account logon with expired password. |
0xC0000072 | Account logon to account disabled by administrator. |
0xC0000193 | Account logon with expired account. |
0xC0000224 | Account logon with Change Password At Next Logon flagged. |
0xC0000234 | Account logon with account locked. |
0xC0000371 | The local account store does not contain secret material for the specified account. |
Source: Microsoft
On systems being accessed, Event IDs of note include:
Event ID | Description |
---|---|
4624 | A logon to a system has occurred. Type 2 indicates an interactive (usually local) logon, whereas a Type 3 indicates a remote or network logon. The event description will contain information about the host and account name involved. For remote logons, focus on the Network Information section of the event description for remote host information. |
Logon events contain a Type code in the event description:
Logon Event Type Code Descriptions
Logon Type | Description |
---|---|
2 | Interactive, such as logon at keyboard and screen of the system, or remotely using third-party remote access tools like VNC, or psexec with the -u switch. Logons of this type will cache the user’s credentials in RAM for the duration of the session and may cache the user’s credentials on disk. |
3 | Network, such as access to a shared folder on this computer from elsewhere on the network. This represents a noninteractive logon, which does not cache the user’s credentials in RAM or on disk. |
4 | Batch (indicating a scheduled task). Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service indicates that a service was started by the Service Control Manager. |
7 | Unlock indicates that an unattended workstation with a password-protected screen was unlocked. |
8 | NetworkCleartext indicates that a user logged on to this computer from the network and the user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). Most often indicates a logon to Internet Information Services (IIS) with basic authentication. |
9 | NewCredentials indicates that a user logged on with alternate credentials to perform actions such as with RunAs or mapping a network drive. If you want to track users attempting to log on with alternate credentials, also look for Event ID 4648. |
10 | RemoteInteractive indicates an interactive logon through Terminal Services, Remote Desktop, or Remote Assistance. See the note on RDP at the end of this section for more details. |
11 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network). The domain controller was not contacted to verify the credential, so no account logon entry is generated. |
Event ID | Description |
---|---|
4625 | A failed logon attempt. Large numbers of these throughout a network may be indicative of password guessing or password spraying attacks. Again, the Network Information section of the event description can provide valuable information about a remote host attempting to log on to the system. Note that failed logons over RDP may log as Type 3 rather than Type 10, depending on the systems involved. You can determine more about the reason for the failure by consulting the Failure Information section of the event description. |
The status code found in Event ID 4625 provides additional details about the event:
Common Logon Failure Status Codes
Status code | Description |
---|---|
0XC000005E | Currently no logon servers are available to service the logon request. |
0xC0000064 | User logon with misspelled or bad user account. |
0xC000006A | User logon with misspelled or bad password. |
0XC000006D | This is either due to a bad username or incorrect authentication information. |
0XC000006E | Unknown username or bad password. |
0xC000006F | User logon outside authorized hours. |
0xC0000070 | User logon from unauthorized workstation. |
0xC0000071 | User logon with expired password. |
0xC0000072 | User logon to account disabled by administrator. |
0XC00000DC | Indicates the Server was in the wrong state to perform the desired operation. |
0XC0000133 | Clocks between domain controller and other computer too far out of sync. |
0XC000015B | The user has not been granted the requested logon type (also known as logon right) at this machine. |
0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
0XC0000192 | An attempt was made to log on, but the Netlogon service was not started. |
0xC0000193 | User logon with expired account. |
0XC0000224 | User is required to change password at next logon. |
0XC0000225 | Evidently a bug in Windows and not a risk. |
0xC0000234 | User logon with account locked. |
0XC00002EE | Failure Reason: An error occurred during logon. |
0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
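The status codes above only become useful once they are applied across many 4625 events at once, which is where the password-guessing and password-spraying patterns the text mentions show up. The following is an added example (not from the original article): it decodes a subset of the codes from the table and groups constructed 4625 events by source address to label the pattern. The field names (`TargetUserName`, `IpAddress`, `SubStatus`, `LogonType`) follow the event's XML data; the thresholds are arbitrary starting points for tuning.

```python
from collections import Counter, defaultdict

# Subset of the 4625 status codes tabulated above, keyed by integer so that the
# mixed "0x"/"0X" spellings seen in exports resolve to the same entry.
LOGON_FAILURE_STATUS = {
    0xC0000064: "bad user account",
    0xC000006A: "bad password",
    0xC000006D: "bad username or authentication information",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000071: "expired password",
    0xC0000072: "account disabled",
    0xC000015B: "logon type not granted",
    0xC0000234: "account locked",
}


def describe_status(code):
    """Translate a Status/SubStatus string from a 4625 event into its meaning."""
    try:
        return LOGON_FAILURE_STATUS.get(int(code, 16), f"unknown ({code})")
    except ValueError:
        return f"unparseable ({code})"


def _evt(user, ip, sub_status, logon_type="3"):
    return {"EventID": 4625, "TargetUserName": user, "IpAddress": ip,
            "SubStatus": sub_status, "LogonType": logon_type}


# Constructed 4625 events; not taken from a real system.
SAMPLE_4625 = [
    _evt("alice", "10.0.0.5", "0xC000006A"),
    _evt("bob", "10.0.0.5", "0xC000006A"),
    _evt("carol", "10.0.0.5", "0xC000006A"),
    _evt("dave", "10.0.0.5", "0xC0000064"),
    _evt("erin", "10.0.0.5", "0xC000006A"),
    _evt("frank", "10.0.0.22", "0xC0000072", logon_type="10"),
] + [_evt("svc_backup", "10.0.0.9", "0XC000006A") for _ in range(6)]


def classify_failures(events, spray_accounts=4, spray_max_per_account=2, bruteforce_attempts=5):
    """Group 4625 events by source address and label the pattern seen from each.

    password_spraying: one source, many distinct accounts, few attempts per account
    brute_force:       one source, many attempts against a single account
    isolated:          anything below both thresholds
    """
    by_source = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625:
            by_source[e["IpAddress"]].append(e)

    verdicts = {}
    for ip, evs in by_source.items():
        per_account = Counter(e["TargetUserName"] for e in evs)
        reasons = Counter(describe_status(e["SubStatus"]) for e in evs)
        if len(per_account) >= spray_accounts and max(per_account.values()) <= spray_max_per_account:
            label = "password_spraying"
        elif max(per_account.values()) >= bruteforce_attempts:
            label = "brute_force"
        else:
            label = "isolated"
        verdicts[ip] = {
            "label": label,
            "accounts": len(per_account),
            "attempts": len(evs),
            "top_reason": reasons.most_common(1)[0][0],
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_failures(SAMPLE_4625).items():
        print(ip, verdict)
```

The `top_reason` field matters for triage: a spray made of "bad password" results against valid accounts is a different concern from a burst of "bad user account" results, which more often comes from a misconfigured client or a scanner guessing names.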
Event ID | Description |
---|---|
4634/4647 | User logoff is recorded by Event ID 4634 or Event ID 4647. The lack of an event showing a logoff should not be considered overly suspicious, as Windows is inconsistent in logging Event ID 4634 in many cases. The Logon ID field can be used to tie the Event ID 4624 logon event with the associated logoff event (the Logon ID is unique between reboots on the same computer). |
4648 | A logon was attempted using explicit credentials. When a user attempts to use credentials other than the ones used for the current logon session (including bypassing User Account Control [UAC] to open a process with administrator permissions), this event is logged. |
4672 | This event ID is recorded when certain privileges associated with elevated or administrator access are granted to a logon. As with all logon events, the event log will be generated by the system being accessed. |
4778 | This event is logged when a session is reconnected to a Windows station. This can occur locally when the user context is switched via fast user switching. |
4779 | This event is logged when a session is disconnected. This can occur locally when the user context is switched via fast user switching. It can also occur when a session is reconnected over RDP. A full logoff from an RDP session is logged with Event ID 4634 or 4647 as mentioned earlier. |
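Two of the points above, the logon Type codes in 4624 and the use of the Logon ID to tie a 4624 to its 4634/4647, are easiest to see in code. The following is an added example (not from the original article) that decodes the logon type, flags the types the table describes as caching credentials on the host, and correlates constructed logon and logoff events by `TargetLogonId`; the field names follow the events' XML data, and the timestamps and IDs are invented.

```python
from datetime import datetime

# Logon Type codes from the table above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# Types the table describes as leaving the user's credentials cached on the host.
CREDENTIAL_CACHING_TYPES = {2, 10, 11}


def _logon(ts, user, logon_id, logon_type, source):
    return {"EventID": 4624, "TimeCreated": ts, "TargetUserName": user,
            "TargetLogonId": logon_id, "LogonType": logon_type, "IpAddress": source}


def _logoff(event_id, ts, user, logon_id):
    return {"EventID": event_id, "TimeCreated": ts, "TargetUserName": user,
            "TargetLogonId": logon_id}


# Constructed events; the first logoff has no matching logon (e.g. the logon rolled out of the log).
SAMPLE_LOGON_EVENTS = [
    _logoff(4634, "2023-10-10T07:00:00", "svc_scan", "0x4AAAA"),
    _logon("2023-10-10T08:00:00", "alice", "0x3E7A1", 10, "10.0.0.5"),
    _logon("2023-10-10T08:05:00", "svc_scan", "0x3E9B2", 3, "10.0.0.9"),
    _logoff(4634, "2023-10-10T08:05:01", "svc_scan", "0x3E9B2"),
    _logon("2023-10-10T08:10:00", "bob", "0x3F001", 2, "-"),
    _logoff(4647, "2023-10-10T09:40:00", "bob", "0x3F001"),
]


def build_sessions(events):
    """Pair 4624 logons with 4634/4647 logoffs by Logon ID.

    Logon IDs are only unique between reboots of one host, so a real tool should
    also partition by computer and by boot (Event ID 4608 / 6005 are useful markers).
    """
    sessions = {}
    orphan_logoffs = []
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        when = datetime.fromisoformat(e["TimeCreated"])
        logon_id = e["TargetLogonId"]
        if e["EventID"] == 4624:
            logon_type = e["LogonType"]
            sessions[logon_id] = {
                "user": e["TargetUserName"],
                "logon_type": LOGON_TYPES.get(logon_type, f"unknown ({logon_type})"),
                "caches_credentials": logon_type in CREDENTIAL_CACHING_TYPES,
                "source": e["IpAddress"],
                "start": when, "end": None, "duration_seconds": None,
            }
        elif e["EventID"] in (4634, 4647):
            session = sessions.get(logon_id)
            if session is None:
                orphan_logoffs.append(logon_id)
                continue
            session["end"] = when
            session["duration_seconds"] = (when - session["start"]).total_seconds()
    return sessions, orphan_logoffs


def open_sessions(sessions):
    """Logons with no matching logoff; per the text this is common and not suspicious by itself."""
    return sorted(lid for lid, s in sessions.items() if s["end"] is None)


if __name__ == "__main__":
    sessions, orphans = build_sessions(SAMPLE_LOGON_EVENTS)
    for lid, s in sessions.items():
        print(lid, s["user"], s["logon_type"], s["source"], s["duration_seconds"])
    print("open:", open_sessions(sessions), "orphan logoffs:", orphans)
```

In this data the one-second Type 3 session from 10.0.0.9 is the shape a share access or remote management call usually takes, while alice's open Type 10 session is the one whose credentials are still resident on the host.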
Attackers frequently leverage valid credentials to remotely access data through user-created or administrative shares. Doing so will generate Account Logon and Logon events as mentioned above, but additional logging can also be enabled in the Group Policy Management Console by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit File Share. Once enabled, the following Event IDs will be logged in the Security Log:
Event ID | Description |
---|---|
5140 | A network share object was accessed. The event entry provides the account name and source address of the account that accessed the object. Note that this entry will show that the share was accessed but not what files in the share were accessed. A large number of these events from a single account may be an indicator of an account being used to harvest or map data on the network. |
5142 | A network share object was added. |
5143 | A network share object was modified. |
5144 | A network share object was deleted. |
5145 | A network share object was checked to see whether the client can be granted the desired access. Failure is only logged if the permission is denied at the file share level. If permission is denied at the NTFS level, no entry is recorded. |
If detailed file share auditing is enabled in the Group Policy Management Console by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit Detailed File Share, then each file within each share that is accessed will generate an Event ID 5145 log entry. As you can imagine, this level of logging may generate a large volume of results.
The system initiating the access may also show evidence of the connections in the registry key NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
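The 5140 description above points at the detection that matters: one account touching many shares on many hosts. The following is an added example (not from the original article) that summarizes constructed 5140 events per account and flags accounts whose share footprint exceeds a threshold. The `Computer` field is the host that logged the event (the share server), `ShareName` is written as Windows records it (for example `\\*\C$`), and the thresholds are arbitrary starting points.

```python
from collections import defaultdict


def _share(user, ip, computer, share):
    return {"EventID": 5140, "SubjectUserName": user, "IpAddress": ip,
            "Computer": computer, "ShareName": share}


# Constructed 5140 events: one account reading a departmental share twice, and one
# account touching IPC$ and C$ on four different hosts.
SAMPLE_5140 = [
    _share("mreyes", "10.0.0.31", "FS01", r"\\*\Finance"),
    _share("mreyes", "10.0.0.31", "FS01", r"\\*\Finance"),
] + [
    _share("jdoe", "10.0.0.77", host, share)
    for host in ("WS02", "WS03", "WS04", "FS01")
    for share in (r"\\*\IPC$", r"\\*\C$")
]


def share_access_summary(events):
    """Per-account view of which hosts and shares were accessed (5140 only)."""
    summary = defaultdict(lambda: {"hosts": set(), "shares": set(),
                                   "admin_share_hits": 0, "events": 0})
    for e in events:
        if e.get("EventID") != 5140:
            continue
        acct = summary[e["SubjectUserName"]]
        acct["hosts"].add(e["Computer"])
        acct["shares"].add((e["Computer"], e["ShareName"]))
        # Hidden/administrative shares end in "$" (C$, ADMIN$, IPC$); IPC$ alone is
        # noisy, so count these as a signal rather than an alert on their own.
        if e["ShareName"].endswith("$"):
            acct["admin_share_hits"] += 1
        acct["events"] += 1
    return dict(summary)


def flag_share_mappers(summary, host_threshold=3, share_threshold=5):
    """Accounts that reached many hosts or many distinct shares: candidates for data mapping."""
    return sorted(user for user, a in summary.items()
                  if len(a["hosts"]) >= host_threshold or len(a["shares"]) >= share_threshold)


if __name__ == "__main__":
    summary = share_access_summary(SAMPLE_5140)
    for user, a in summary.items():
        print(user, len(a["hosts"]), "hosts", len(a["shares"]), "shares",
              a["admin_share_hits"], "admin-share hits")
    print("flagged:", flag_share_mappers(summary))
```

Because 5140 shows the share but not the files inside it, a flagged account is a lead to follow up with 5145 (if detailed file share auditing is on) or with the logon events for the same Logon ID, not a conclusion by itself.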
Scheduled Task Logging
If history is enabled in the Task Scheduler application, through Event Viewer, or with the wevtutil command (see here for more details), then the %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational log will record activity relating to scheduled tasks on the local system as follows:
Scheduled Task Activity Event IDs
Event ID | Description |
---|---|
106 | Scheduled Task Created. The entry shows the user account that scheduled the task and the name the user assigned to the task. The Logged date and time show when the task was scheduled. Look for the associated Event ID 200 and 201 for additional information. |
140 | Scheduled Task Updated. The entry shows the user account that updated the task and the name of the task. The Logged date and time show when the task was updated. Look for the associated Event ID 200 and 201 for additional information. |
141 | Scheduled Task Deleted. The entry shows the user account that deleted the task and the name of the task. |
200 | Scheduled Task Executed. Shows the task name and the full path to the executable on disk that was run (listed as the Action). Correlate this with the associated Event ID 106 to determine the user account that scheduled the task. |
201 | Scheduled Task Completed. Shows the task name and the full path to the executable on disk that was run (listed as the Action). Correlate this with the associated Event ID 106 to determine the user account that scheduled the task. |
Also, see the Object Access Auditing section for additional Event IDs that may be recorded in relation to scheduled tasks.
Object Access Auditing
Object access auditing is not enabled by default but should be enabled on sensitive systems. To do so, use the Local Security Policy to set Security Settings -> Local Policies -> Audit Policy -> Audit object access to Enabled for Success and Failure.
Object access audit events are stored in the Security log. If object access auditing is enabled, scheduled tasks get additional logging. The Event IDs related to scheduled tasks are:
Scheduled Task Event IDs
Event ID | Description |
---|---|
4698 | A scheduled task was created. The event description contains the user account that created the task in the Subject section. XML details of the scheduled task are also recorded in the event description under the Task Description section and includes the Task Name. |
4699 | A scheduled task was deleted. The Subject section of the event description contains the Account Name that deleted the task as well as the Task Name. |
4700 | A scheduled task was enabled. See Event ID 4698 for additional details. |
4701 | A scheduled task was disabled. See Event ID 4698 for additional details. |
4702 | A scheduled task was updated. The user who initiated the update appears in the Subject section of the event description. The details of the task after its modification are listed in the XML in the event description. Compare with previous Event ID 4702 or 4698 entries for this task to determine what changes were made. See Event ID 4698 for additional details. |
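The 4702 entry says to compare the task XML with the previous 4702 or 4698 entry for the same task to see what changed. The following is an added example (not from the original article) that does that comparison: it flattens the Task Scheduler XML recorded in the event description into path/value pairs and reports the differences. The two XML documents are constructed for the example, and only the task schema namespace is taken from the real format.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML as recorded in 4698/4702 event descriptions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed Task Content from a 4698 (task created) event.
TASK_XML_CREATED = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-10-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>/full</Arguments>
    </Exec>
  </Actions>
</Task>"""

# The same task as recorded by a later 4702 (task updated) event: the command now
# points somewhere else and the arguments were removed; everything else is unchanged.
TASK_XML_UPDATED = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-10-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def _strip_declaration(xml_text):
    # The event stores the XML as text with a UTF-16 declaration; drop it before parsing the str.
    text = xml_text.strip()
    if text.startswith("<?xml"):
        text = text.split("?>", 1)[1]
    return text.strip()


def flatten_task(xml_text):
    """Map every element (by path with sibling index) and attribute to its value."""
    root = ET.fromstring(_strip_declaration(xml_text))
    flat = {}

    def walk(element, path, index):
        tag = element.tag.replace(TASK_NS, "")
        here = f"{path}/{tag}[{index}]"
        for name, value in element.attrib.items():
            flat[f"{here}@{name}"] = value
        if element.text and element.text.strip():
            flat[here] = element.text.strip()
        for i, child in enumerate(element):
            walk(child, here, i)

    walk(root, "", 0)
    return flat


def diff_task(before_xml, after_xml):
    """Return {path: (old, new)} for every value that differs between the two task XMLs."""
    before, after = flatten_task(before_xml), flatten_task(after_xml)
    return {key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after))
            if before.get(key) != after.get(key)}


if __name__ == "__main__":
    for path, (old, new) in diff_task(TASK_XML_CREATED, TASK_XML_UPDATED).items():
        print(f"{path}: {old!r} -> {new!r}")
```

Changes under `Actions` (what runs) and `Principals` (who it runs as, and at what run level) are the ones to look at first; a trigger change on an otherwise untouched task is usually administrative.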
Aside from scheduled tasks, individual file objects are frequently audited for object access. In addition to enabling the option for Success and/or Failure for Audit Object Access as mentioned earlier, to audit access to individual files or folders you also need to explicitly set the auditing rules in the file or folder's Properties dialog box by selecting the Security tab, clicking Advanced, selecting the Auditing tab, and setting the type of audit and the user account(s) for which auditing should be set. Detailed instructions can be found here.
For a process to use a system object, such as a file, it must obtain a handle to that object. Once auditing is enabled, the event IDs described below can be used to view access to important files and folders by tracking the issuance and use of handles to those objects.
Object Handle Event IDs
Event ID | Description |
---|---|
4656 | A handle to an object was requested. When a process attempts to gain a handle to an audited object, this event is created. The details of the object to which the handle was requested and the handle ID assigned to the handle are listed in the Object section of the event description. |
4657 | A registry value was modified. The user account and process responsible for opening the handle are listed in the event description. |
4658 | The handle to an object was closed. The user account and process responsible for opening the handle are listed in the event description. To determine the object itself, refer to the preceding Event ID 4656 with the same Handle ID. |
4660 | An object was deleted. The user account and process responsible for opening the handle are listed in the event description. To determine the object itself, refer to the preceding Event ID 4656 with the same Handle ID. |
4663 | An attempt was made to access an object. This event is logged when a process attempts to interact with an object, rather than just obtain a handle to the object. This can be used to help determine what types of actions may have been taken on an object (for example, read only or modify data). See Event ID 4656 for additional details. |
Since Windows 8/Server 2012, additional logging can also be enabled in the Group Policy Management Console by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit Removable Storage. Once enabled, Windows will create additional Event ID 4663 entries (see above) whenever an account accesses a file system object that is on removable storage. This can help identify when users are copying data to or from external media.
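The handle lifecycle described above (4656 opens, 4663 records each access, 4658 closes, all sharing a Handle ID) is what lets an analyst say which object a 4663 or 4658 refers to and what was actually done with it. The following is an added example (not from the original article) that reconstructs that lifecycle from constructed events and decodes the file access mask bits that 4656/4663 report; the field names follow the events' XML data, and the mask-to-name table covers the standard file access rights (values as defined in the Windows SDK).

```python
# File object access rights as they appear in the Access Mask of 4656/4663 events.
FILE_ACCESS_MASK = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}


def decode_access_mask(mask):
    """Turn an Access Mask string such as "0x12019F" into the list of rights it requests."""
    value = int(mask, 16)
    names = [name for bit, name in FILE_ACCESS_MASK.items() if value & bit]
    leftover = value & ~sum(FILE_ACCESS_MASK)
    if leftover:
        names.append(f"0x{leftover:X}")   # bits outside the table, shown raw
    return names


def _obj(event_id, handle_id, **fields):
    return {"EventID": event_id, "HandleId": handle_id, **fields}


# Constructed object access events for one file handle, plus a 4663 whose 4656 is missing.
SAMPLE_OBJECT_EVENTS = [
    _obj(4656, "0x1a4", ObjectName=r"C:\Finance\payroll.xlsx", SubjectUserName="jdoe",
         ProcessName=r"C:\Windows\System32\notepad.exe", AccessMask="0x12019F"),
    _obj(4663, "0x1a4", AccessMask="0x1"),
    _obj(4663, "0x1a4", AccessMask="0x2"),
    _obj(4658, "0x1a4"),
    _obj(4663, "0x2b0", AccessMask="0x10000"),   # no preceding 4656 in this log window
]


def reconstruct_object_access(events):
    """Tie 4663/4658 back to their 4656 by Handle ID.

    Handle IDs are reused once closed, so the 4658 retires the entry; a later 4656
    with the same ID starts a new record rather than extending this one.
    """
    open_handles = {}
    completed = []
    unmatched = []
    for e in events:
        hid = e["HandleId"]
        if e["EventID"] == 4656:
            open_handles[hid] = {
                "object": e["ObjectName"], "user": e["SubjectUserName"],
                "process": e["ProcessName"],
                "requested": decode_access_mask(e["AccessMask"]),
                "performed": set(), "closed": False,
            }
        elif e["EventID"] == 4663:
            handle = open_handles.get(hid)
            if handle is None:
                unmatched.append(e)
                continue
            handle["performed"].update(decode_access_mask(e["AccessMask"]))
        elif e["EventID"] == 4658:
            handle = open_handles.pop(hid, None)
            if handle is None:
                unmatched.append(e)
                continue
            handle["closed"] = True
            completed.append(handle)
    completed.extend(open_handles.values())   # handles never seen closed
    return completed, unmatched


if __name__ == "__main__":
    done, unmatched = reconstruct_object_access(SAMPLE_OBJECT_EVENTS)
    for h in done:
        print(h["user"], h["process"], h["object"], sorted(h["performed"]), "closed" if h["closed"] else "open")
    print(len(unmatched), "events without a matching 4656")
```

Note the difference between `requested` (the rights asked for at open time, which is what 4656 shows) and `performed` (the 4663 entries): a process can open a file with read and write access and only ever read it, and only the 4663 entries tell you which.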
Audit Policy Changes
When audit policy changes, it impacts the evidence available to investigators and incident handlers, whether the change was done maliciously by an attacker or legitimately by an administrator. Fortunately, modern Windows systems do a good job of logging these changes when they occur. The Event ID used for this auditing is 4719:
- 4719 – System audit policy was changed. The Audit Policy Change section will list the specific changes that were made to the audit policy. The Subject section of the event description may show the account that made the change, but often (such as when the change is made through Group Policy) this section simply reports the name of the local system.
- 1102 – Regardless of the settings in the audit policy, if the Security event log is cleared, Event ID 1102 will be recorded as the first entry in the new, blank log. You can tell the name of the user account that cleared the log in the details of the entry. A similar event, with ID 104, is generated in the System log if it is cleared.
Auditing Windows Services
Many attacks rely on Windows services either for executing commands remotely or for maintaining persistence on systems. While most of the events we have mentioned so far have been found in the Security Event Log, Windows records events related to starting and stopping of services in the System Event Log. The following events are often noteworthy:
- 6005 – The event log service was started. This will occur at system boot time, and whenever the service is manually started. Since the event log service is critical for security, it gets its own Event ID.
- 6006 – The event log service was stopped. While this obviously occurs at system shutdown or restart, its occurrence at other times may be indicative of malicious attempts to avoid logging of the activity or to modify the logs.
- 7034 – A service terminated unexpectedly. The event description will display the name of the service and may display the number of times that this service has crashed.
- 7036 – A service was stopped or started. While the event log service has its own Event ID, other services are logged under the same Event ID.
- 7040 – The start type for a service was changed. The event description will display the name of the service that was changed and describe the change that was made.
- 7045 – A service was installed by the system. The name of the service is found in the Service Name field of the event description, and the full path to the associated executable is found in the Service File Name field. This can be a particularly important event as many tools, such as psexec, create a service on the remote system to execute commands.
If you have enabled Advanced Audit Policy Configuration > System Audit Policies > System > Audit Security System Extension in your GPOs, Windows 10 and Server 2016/2019 systems will also record Event ID 4697 in the Security event log.
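Because 7045 is the event that records tools such as psexec creating a service on a remote system, it is worth reviewing every new service install against what is expected on the host. The following is an added example (not from the original article) that checks constructed 7045 entries for two things: a service name the text associates with a remote-execution tool, and an image path outside the directories where legitimately installed services normally live. The trusted-directory list and the sample services are assumptions for the example, and a real deployment would also compare against a per-host baseline of known services.

```python
def _svc(name, image_path, start_type="demand start", account="LocalSystem"):
    return {"EventID": 7045, "ServiceName": name, "ImagePath": image_path,
            "StartType": start_type, "AccountName": account}


# Constructed 7045 entries (System log). ImagePath is the Service File Name field,
# which may include arguments and surrounding quotes just as Windows records it.
SAMPLE_7045 = [
    _svc("WaaSMedicSvc", r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc"),
    _svc("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    _svc("updchk", r"C:\Users\Public\updchk.exe", start_type="auto start"),
    _svc("BackupAgent", "\"C:\\Program Files\\Backup\\agent.exe\" --service"),
]

# Directories in which service binaries are expected (lower-case prefixes; assumption for the example).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"%systemroot%\system32",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Service names that the text associates with remote command execution tooling.
REMOTE_EXEC_SERVICE_NAMES = {"psexesvc"}


def image_executable(image_path):
    """Extract the executable path from a Service File Name, dropping quotes and arguments."""
    path = image_path.strip().strip('"').lower()
    if ".exe" in path:
        path = path.split(".exe", 1)[0] + ".exe"
    return path


def review_service_installs(events):
    """Return (service name, executable, reasons) for each 7045 that deserves a look."""
    findings = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        exe = image_executable(e["ImagePath"])
        reasons = []
        if e["ServiceName"].lower() in REMOTE_EXEC_SERVICE_NAMES:
            reasons.append("service name associated with a remote-execution tool")
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append("image outside trusted directories")
        if reasons:
            findings.append((e["ServiceName"], exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in review_service_installs(SAMPLE_7045):
        print(name, exe, "; ".join(reasons))
```

The `%SystemRoot%` prefix is left unexpanded here, which is why the psexec service binary (placed directly in the Windows directory, not in System32) is reported as outside the trusted set as well; expanding environment variables against the host's actual configuration would make the path check stricter.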
Wireless LAN Auditing
Windows maintains an event log dedicated to wireless local area network (WLAN) activity, and with rogue access points being a common attack vector for man-in-the-middle and malware attacks, it may be worth looking at unusual connections on devices with Wi-Fi capability, particularly those allowed to leave your environment. The log is located at %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx. Event IDs of interest are:
Wi-Fi Connection Event IDs
Event ID | Description |
---|---|
8001 | WLAN service has successfully connected to a wireless network. The event description provides the Connection Mode indicating if this was an automatic connection based on a configured profile (and the associated Profile Name) or a manual connection. The SSID of the access point, its authentication mechanism, and its encryption mechanism are also recorded. |
8002 | WLAN service failed to connect to a wireless network. Once again, the event description will contain the Connection Mode, associated Profile Name, and the SSID along with a Failure Reason field. |
Process Tracking
Unlike many Linux shells (such as bash), the Windows cmd.exe shell does not maintain a history of commands run by users. This has created a noticeable gap in the ability of incident handlers to understand the actions that an attacker takes on a compromised host. The rise of "Living off the Land" attacks that do not rely on malware but instead use built-in Windows commands has only made this blind spot more damaging. While in the early days of Windows, auditing process creation was considered far too system
While not always required on every system, enabling this feature on key systems is increasingly becoming standard practice in security-conscious environments. This requires setting two separate Group Policy settings. The first is of course Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit process tracking. Once enabled, Event ID 4688 in the Security log provides a wealth of information regarding processes that have been run on the system:
Event ID | Description |
---|---|
4688 | A new process has been created. The event description provides the Process ID and Process Name, Creator Process ID, Creator Process Name, and Process Command Line (if enabled separately, as outlined earlier in this section). |
In addition to Event ID 4688, activation of process tracking may also result in additional Security log entries from the Windows Filtering Platform related to network connections and listening ports as follows:
Windows Filtering Platform (WFP) Event IDs
Event ID | Description |
---|---|
5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
5152 | The WFP blocked a packet. |
5154 | The WFP has permitted an application or service to listen on a port for incoming connections. |
5156 | The WFP has allowed a connection. |
5157 | The WFP has blocked a connection. |
5158 | The WFP has permitted a bind to a local port. |
5159 | The WFP has blocked a bind to a local port. |
The event descriptions of the Windows Filtering Platform events are self-explanatory and detailed, including information about the local and remote IPs and port numbers as well as the Process ID and Process Name involved.
As can be seen, the information logged by enabling process tracking auditing can be of immense value, but can also generate a large amount of data. Experiment with your test environment to come up with a balance that can appropriately increase security auditing in your production environment.
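The value of 4688 comes from the Creator Process ID and Creator Process Name fields, which let an analyst rebuild the chain of processes that led to a given command. The following is an added example (not from the original article) that builds that tree from constructed 4688 events and walks it to flag one common pattern, a document application somewhere in the ancestry of a shell. The dict keys use the field labels from the event description above (`ProcessId`, `ProcessName`, `CreatorProcessId`, `CreatorProcessName`, `CommandLine`) rather than the raw XML names, and the sample processes and paths are invented.

```python
import ntpath


def _proc(pid, name, creator_pid, creator_name, user, cmdline):
    return {"EventID": 4688, "ProcessId": pid, "ProcessName": name,
            "CreatorProcessId": creator_pid, "CreatorProcessName": creator_name,
            "SubjectUserName": user, "CommandLine": cmdline}


# Constructed 4688 events from one logon session; PIDs are hex strings as Windows logs them.
SAMPLE_4688 = [
    _proc("0x1a0", r"C:\Windows\explorer.exe", "0x1f4", r"C:\Windows\System32\userinit.exe",
          "alice", "explorer.exe"),
    _proc("0x2b8", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "0x1a0",
          r"C:\Windows\explorer.exe", "alice", '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docx"'),
    _proc("0x3c0", r"C:\Windows\System32\cmd.exe", "0x2b8",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "alice",
          "cmd.exe /c powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\inv.ps1"),
    _proc("0x4d2", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "0x3c0",
          r"C:\Windows\System32\cmd.exe", "alice",
          "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\inv.ps1"),
    _proc("0x5e0", r"C:\Windows\System32\cmd.exe", "0x1a0", r"C:\Windows\explorer.exe",
          "alice", "cmd.exe"),
]

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}


def build_process_tree(events):
    """Index 4688 events by Process ID and link each to its creator's children list.

    PIDs are reused over time, so a real tool should also bound the window by time
    (or key on PID plus creation time) to avoid joining unrelated processes.
    """
    nodes = {e["ProcessId"]: dict(e, children=[]) for e in events if e["EventID"] == 4688}
    for pid, node in nodes.items():
        parent = nodes.get(node["CreatorProcessId"])
        if parent is not None:
            parent["children"].append(pid)
    return nodes


def ancestry(nodes, pid):
    """Executable names from the earliest known ancestor down to `pid`."""
    chain, seen, last = [], set(), None
    while pid in nodes and pid not in seen:      # `seen` guards against cycles from PID reuse
        seen.add(pid)
        last = nodes[pid]
        chain.append(ntpath.basename(last["ProcessName"]))
        pid = last["CreatorProcessId"]
    if last is not None and pid not in nodes:
        # The creator is outside this log window; 4688 still recorded its name.
        chain.append(ntpath.basename(last["CreatorProcessName"]))
    return chain[::-1]


def flag_suspicious_chains(nodes):
    """Shells whose ancestry includes a document-handling application."""
    flagged = []
    for pid, node in nodes.items():
        if ntpath.basename(node["ProcessName"]).lower() not in SHELLS:
            continue
        chain = ancestry(nodes, pid)
        if any(name.lower() in DOCUMENT_APPS for name in chain[:-1]):
            flagged.append((pid, " > ".join(chain), node["CommandLine"]))
    return sorted(flagged)


if __name__ == "__main__":
    tree = build_process_tree(SAMPLE_4688)
    for pid, chain, cmdline in flag_suspicious_chains(tree):
        print(pid, chain, "|", cmdline)
```

The second cmd.exe (spawned directly from explorer.exe) is not flagged, which is the point of walking the ancestry rather than matching on the process name alone; the Process Command Line field, when the separate policy for it is enabled, is what turns a flagged chain into something an analyst can act on.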
Additional Program Execution Logging
If AppLocker is configured in your environment (a step that can help frustrate an adversary and should be considered), dedicated AppLocker event logs will be generated as well. Presented in Event Viewer under Application and Services Logs\Microsoft\Windows\AppLocker, these event logs are stored with the other event logs in C:\Windows\System32\winevt\Logs and have names such as Microsoft-Windows-AppLocker%4EXE and DLL.evtx. There are separate logs covering executables and dynamic-link libraries (DLLs), Microsoft installers (MSI) and scripts, packaged app deployment, and packaged app execution. The event logs generated will vary depending on whether AppLocker is set to audit-only mode or blocking mode. Details of the specific event IDs that may apply to your situation can be found here.
Windows Defender Suspicious Event IDs
Event ID | Description |
---|---|
1006 | The antimalware engine found malware or other potentially unwanted software. |
1007 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. |
1008 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. |
1013 | The antimalware platform deleted history of malware and other potentially unwanted software. |
1015 | The antimalware platform detected suspicious behavior. |
1116 | The antimalware platform detected malware or other potentially unwanted software. |
1117 | The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. |
1118 | The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. |
1119 | The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. |
5001 | Real-time protection is disabled. |
5004 | The real-time protection configuration changed. |
5007 | The antimalware platform configuration changed. |
5010 | Scanning for malware and other potentially unwanted software is disabled. |
5012 | Scanning for viruses is disabled. |
Additional details on Windows Defender event log records can be found here.
Windows exploit protection is a feature of Windows 10 that can provide excellent defense against a range of adversary exploitation techniques. This feature can protect both the operating system and individual applications from common attack vectors, blocking the exploitation when it otherwise would have resulted in system compromise. Although some features of exploit protection are enabled by default, many are disabled due to their potential to interfere with legitimate software. When enabled, this feature logs its activities in the C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx and Microsoft-Windows-Security-Mitigations%4UserMode.evtx log files.
More details can be found here.
Another option to enhance visibility into processes that run on systems in your environment is to implement Sysmon, a free utility by Sysinternals, which is now a part of Microsoft. Sysmon can be freely downloaded here.
When deployed on a system, Sysmon installs as a system service and device driver to generate event logs related to processes, network connections, and modifications to file creation times. It creates a new category of logs that is presented in Event Viewer under Applications and Services Logs\Microsoft\Windows\Sysmon\Operational and is stored in C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx. Useful event IDs generated by Sysmon include:
Event IDs Generated by Sysmon
| Event ID | Description |
|---|---|
| 1 | Process creation (includes many details such as process ID, path to executable, hash of executable, command line used to launch, user account used to launch, parent process ID, path and command line for parent executable, and more). |
| 2 | A process changed a file creation time. |
| 3 | Network connection. |
| 4 | Sysmon service state changed. |
| 5 | Process terminated. |
| 6 | Driver loaded. |
| 7 | Image loaded (records when a module is loaded in a specific process). |
| 8 | CreateRemoteThread (creating a thread in another process). |
| 9 | RawAccessRead (raw access to drive data using \\.\ notation). |
| 10 | ProcessAccess (opening access to another process’s memory space). |
| 11 | FileCreate (creating or overwriting a file). |
| 12 | Registry key or value created or deleted. |
| 13 | Registry value modification. |
| 14 | Registry key or value renamed. |
| 15 | FileCreateStreamHash (creation of an alternate data stream). |
| 16 | Sysmon configuration change. |
| 17 | Named pipe created. |
| 18 | Named pipe connected. |
| 19 | WMIEventFilter activity detected. |
| 20 | WMIEventConsumer activity detected. |
| 21 | WMIEventConsumerToFilter activity detected. |
| 22 | DNS query event (Windows 8 and later). |
| 255 | Sysmon error. |
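The Sysmon event 1 record carries the fields listed in the table above as `<Data Name="...">` elements inside the event XML. The following is an added example (not Sysmon's or the article's own code) that flattens such a record into one object and splits the `Hashes` field into one entry per algorithm; the sample record and its hash values are constructed placeholders, and the live query assumes Sysmon is installed and logging to the Operational channel named in the text.

```powershell
# Added example, not Sysmon's own code: turn a Sysmon event 1 (process creation)
# record into a flat object and split the Hashes field into one entry per algorithm.

function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory)][xml]$EventXml)
    $id = [int]$EventXml.Event.System.EventID
    if ($id -ne 1) { throw "Expected Sysmon event 1, got event $id" }

    # Each <Data Name="..."> child of EventData becomes a key/value pair.
    # GetAttribute/InnerText are used so the element's own .Name property is not confused
    # with the Name attribute.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # Hashes are recorded as "SHA1=...,MD5=...,SHA256=..." (which algorithms appear
    # depends on the Sysmon configuration), so split them into a lookup table.
    $hashes = @{}
    foreach ($pair in ($data['Hashes'] -split ',')) {
        $alg, $val = $pair -split '=', 2
        if ($alg -and $val) { $hashes[$alg.Trim()] = $val.Trim() }
    }

    [pscustomobject]@{
        Computer          = $EventXml.Event.System.Computer
        UtcTime           = $data['UtcTime']
        ProcessId         = [int]$data['ProcessId']
        Image             = $data['Image']
        CommandLine       = $data['CommandLine']
        User              = $data['User']
        Hashes            = $hashes
        ParentProcessId   = [int]$data['ParentProcessId']
        ParentImage       = $data['ParentImage']
        ParentCommandLine = $data['ParentCommandLine']
    }
}

function Get-SysmonProcessCreate {
    # Read live records from the Sysmon Operational channel named in the text.
    param([int]$MaxEvents = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonProcessCreate ([xml]$_.ToXml()) }
}

# Constructed sample record (host, user and hash values are placeholders, not real data).
$sampleRecord = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <Computer>WKSTN01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-15 10:32:07.123</Data>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -File C:\Scripts\inventory.ps1</Data>
    <Data Name="User">EXAMPLE\jdoe</Data>
    <Data Name="Hashes">SHA1=PLACEHOLDER_SHA1,MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256</Data>
    <Data Name="ParentProcessId">3980</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
  </EventData>
</Event>
'@

$record = ConvertFrom-SysmonProcessCreate ([xml]$sampleRecord)
$record | Format-List
$record.Hashes['SHA256']   # the SHA256 entry split out of the Hashes field
```

Piping `Get-SysmonProcessCreate` into `Export-Csv` or a SIEM forwarder gives you the parent/child and hash fields as separate columns rather than a single message string.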
Auditing PowerShell Use
Microsoft continues to increase the amount of logging available for PowerShell to help combat its nefarious use. Once again, these logging facilities must be enabled via Group Policy, specifically under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell. There are three basic categories of logging that may be available, depending on the version of Windows in question.
- Module Logging
  - Logs pipeline execution events;
  - Logs to event logs.
- Script Block Logging
  - Captures de-obfuscated commands sent to PowerShell;
  - Captures the commands only, not the resulting output;
  - Logs to event logs.
- Transcription
  - Captures PowerShell input and output;
  - Will not capture output of outside programs that are run, only PowerShell;
  - Logs to text files in a user-specified location.
Once enabled, these logs can provide a wealth of information concerning the use of PowerShell on your systems. If you routinely run lots of PowerShell scripts, this can produce a large volume of data, so be sure to test and tune the audit facilities to strike a balance between visibility and load before deploying such changes in production.
PowerShell event log entries appear in different event logs. Inside %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx you will find two events of particular note:
| Event ID | Description |
|---|---|
| 4103 | Shows pipeline execution from the module logging facility. Includes the user context used to run the commands. The Hostname field contains Console when executed locally and indicates when the command was run from a remote system. |
| 4104 | Shows script block logging entries. Captures the commands sent to PowerShell, but not the output. Logs full details of each block only on first use to conserve space. Will show as a Warning level event if Microsoft deems the activity Suspicious. |
Additional entries can be found in the %SystemRoot%\System32\winevt\Logs\Windows PowerShell.evtx log:
| Event ID | Description |
|---|---|
| 400 | Indicates the start of command execution or a session. The Hostname field shows Console (local) or the remote session that caused the execution. |
| 800 | Shows pipeline execution details. The UserID field shows the account used. The Hostname field shows Console (local) or the remote session that caused the execution. Since many malicious scripts pass options encoded with Base64, check the HostApplication field for options encoded with the -enc or -EncodedCommand parameter. |
Remember that PowerShell Remoting requires authenticated access, so look for the associated Account Logon and Logon events as well.
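The triage the two tables above describe, as an added example that is not part of the original article: query event 800 from the Windows PowerShell log and 4103/4104 from the Operational log, flag entries whose HostApplication or script block text carries a Base64-encoded command, decode it for review, and flag 4104 entries logged at Warning level. It assumes Windows PowerShell 5.1 or later with the logging policies enabled; the sample messages at the end are constructed so the helper functions can be exercised without live logs.

```powershell
# Added example, not from the original article: triage PowerShell audit events
# (800, 4103, 4104) for encoded command lines and suspicious script blocks.

# powershell.exe accepts -EncodedCommand and its abbreviations (-e, -ec, -enc, ...)
# followed by a Base64 token; this is what appears in the HostApplication field.
$script:EncodedCommandPattern = '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{8,}={0,2})'

function ConvertFrom-EncodedCommand {
    # -EncodedCommand payloads are Base64 over the UTF-16LE bytes of the script text.
    param([Parameter(Mandatory)][string]$Base64)
    try {
        return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    } catch {
        return $null   # not valid Base64; leave the raw value for manual review
    }
}

function Find-EncodedCommand {
    # Returns the decoded command found in an event message (the HostApplication field
    # of 800/4103, or the script block text of 4104), or $null when none is present.
    param([Parameter(Mandatory)][string]$Message)
    $m = [regex]::Match($Message, $script:EncodedCommandPattern)
    if (-not $m.Success) { return $null }
    ConvertFrom-EncodedCommand $m.Groups[1].Value
}

function Get-PowerShellAuditFindings {
    # Query the two logs named in the text and emit one finding per noteworthy event.
    param([int]$MaxEvents = 1000)
    $filters = @(
        @{ LogName = 'Windows PowerShell'; Id = 800 },
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 }
    )
    foreach ($f in $filters) {
        $events = Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $decoded    = Find-EncodedCommand $e.Message
            # 4104 at Warning level means Microsoft's built-in heuristics flagged the block.
            $suspicious = ($e.Id -eq 4104 -and $e.LevelDisplayName -eq 'Warning')
            if ($decoded -or $suspicious) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Id          = $e.Id
                    Level       = $e.LevelDisplayName
                    Suspicious  = $suspicious
                    Decoded     = $decoded
                    Message     = $e.Message
                }
            }
        }
    }
}

# Constructed samples: a HostApplication line carrying a harmless encoded command,
# and one that uses other switches and must not be flagged.
$encoded = [Convert]::ToBase64String(
    [System.Text.Encoding]::Unicode.GetBytes('Get-Process | Select-Object -First 3'))
$withEncoded    = "HostApplication=powershell.exe -NoProfile -enc $encoded"
$withoutEncoded = 'HostApplication=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'

Find-EncodedCommand $withEncoded      # decodes to the Get-Process pipeline above
Find-EncodedCommand $withoutEncoded   # no encoded command, so nothing is returned

# On a host with the policies enabled, this lists the findings from live logs:
# Get-PowerShellAuditFindings | Sort-Object TimeCreated | Format-Table Id, Level, Suspicious, Decoded
```

Pair each finding with the Account Logon and Logon events from the Security log for the same time window, since, as noted above, PowerShell Remoting requires authenticated access.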
Author Credits: Forward Defence
Windows |
5485 |
IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces |
Windows |
5632 |
A request was made to authenticate to a wireless network |
Windows |
5633 |
A request was made to authenticate to a wired network |
Windows |
5712 |
A Remote Procedure Call (RPC) was attempted |
Windows |
5888 |
An object in the COM+ Catalog was modified |
Windows |
5889 |
An object was deleted from the COM+ Catalog |
Windows |
5890 |
An object was added to the COM+ Catalog |
Windows |
6144 |
Security policy in the group policy objects has been applied successfully |
| Windows | 6145 | One or more errors occurred while processing security policy in the group policy objects |
| Windows | 6272 | Network Policy Server granted access to a user |
| Windows | 6273 | Network Policy Server denied access to a user |
| Windows | 6274 | Network Policy Server discarded the request for a user |
| Windows | 6275 | Network Policy Server discarded the accounting request for a user |
| Windows | 6276 | Network Policy Server quarantined a user |
| Windows | 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy |
| Windows | 6278 | Network Policy Server granted full access to a user because the host met the defined health policy |
| Windows | 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts |
| Windows | 6280 | Network Policy Server unlocked the user account |
| Windows | 6281 | Code Integrity determined that the page hashes of an image file are not valid… |
| Windows | 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content. |
| Windows | 6401 | BranchCache: Received invalid data from a peer. Data discarded. |
| Windows | 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted. |
| Windows | 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. |
| Windows | 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. |
| Windows | 6405 | BranchCache: %2 instance(s) of event id %1 occurred. |
| Windows | 6406 | %1 registered to Windows Firewall to control filtering for the following: |
| Windows | 6407 | %1 |
| Windows | 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. |
| Windows | 6409 | BranchCache: A service connection point object could not be parsed |
| Windows | 6410 | Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues |
| Windows | 6416 | A new external device was recognized by the system. |
| Windows | 6417 | The FIPS mode crypto selftests succeeded |
| Windows | 6418 | The FIPS mode crypto selftests failed |
| Windows | 6419 | A request was made to disable a device |
| Windows | 6420 | A device was disabled |
| Windows | 6421 | A request was made to enable a device |
| Windows | 6422 | A device was enabled |
| Windows | 6423 | The installation of this device is forbidden by system policy |
| Windows | 6424 | The installation of this device was allowed, after having previously been forbidden by policy |
| Windows | 8191 | Highest System-Defined Audit Message Value |
Many organizations rely on Microsoft technologies to get work done. At the same time, threat actors can exploit operating systems like Windows. Luckily, Windows logs OS security events to help you track down this behavior.
Security events produced by Windows serve as a critical resource in the incident response process. Tools such as Microsoft’s Windows Event Viewer provide you with the access necessary to review captured events, but detecting abnormalities by manually scrolling through a crowded log is unrealistic.
In this post, you will learn how to track down potential security breaches in Windows by learning about audit policies, Windows event logs, and analyzing security events with PowerShell.
Prerequisites
This article is meant to convey information that teaches you how to analyze Windows security events with PowerShell. If you’d like to follow along with any of the demonstrations, you will need:
- A Windows 10+ PC – This PC will be used to generate and track down potential security events in the event log. This tutorial will be using Windows PowerShell 5.1.
- Administrator rights on the Windows PC
- A PowerShell code editor such as PowerShell ISE or Visual Studio (VS) Code.
Where Windows Stores Security Events
When an action is taken on a Windows operating system, Windows logs the action as an event in one or more event logs. Windows event logs are stored on the file system, by default, in the %SystemRoot%\system32\winevt\logs directory. This location can be changed by modifying the respective event log’s EventLog registry subkey.
If you’d like to see where the most prominent event logs are stored (Application, Security, and System) on your system, copy and paste the below code into a PowerShell console or save it as a script.
To access the storage location of the Security log file, you need to run the code as an Administrator.
```powershell
#Present application, security, and system logs in an array.
$arrLogs = @(
    "Application"
    "Security"
    "System"
)
#Use the ForEach-Object cmdlet to target each respective log with the Get-ItemProperty cmdlet.
$arrLogs | ForEach-Object {
    #Use Get-ItemProperty cmdlet to list the configured file path for the application, security, and system log.
    Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$_ -Name File | Select-Object PSChildName,File
}
```
The following screenshot shows the code’s expected output, displaying the log name and storage location for the Application, Security, and System log files.
Audit Policies: Defining Events to Record
By default, Windows doesn’t capture all of the security events that might be needed to detect or investigate a breach. To control what Windows does and does not record, you must define and apply audit policies. An audit policy is a set of instructions passed to Windows that tells it what events to record.
There are a few different ways to assign and work with audit policies, such as Group Policy. Group Policy works well if you must implement audit policies across many machines. But in this article, you’re going to stick to a single device, so you’ll use the auditpol tool. The auditpol tool comes installed with Windows and allows you to find and set audit policies on a Windows system.
Finding Audit Policies
For example, to find the status of all audit policies on your Windows system, use the /get parameter as shown below. Using the /category parameter followed by a wildcard tells auditpol to find the status of all audit policies, not just one matching a specific category or subcategory.
```powershell
#Obtain the system's audit policy configuration.
auditpol /get /category:*
```
The following screenshot shows a truncated version of the code’s expected output, displaying the Account Management audit policy category, subcategories, and status (Setting).
A Setting that is configured as No Auditing means that all events associated with that audit policy subcategory will not be logged.
Setting Audit Policies
The auditpol tool can do more than view audit policy settings. It can also modify them using the auditpol /set command. To demonstrate future sections in this tutorial, open a PowerShell console as administrator and run the below command. This command begins logging all events (success and failure) that are a part of the Logon subcategory.
Configuring the Logon subcategory forces your system to record events:
- 4624: An account was successfully logged on
- 4625: An account failed to log on
- 4626: User/Device claims information
- 4648: A logon was attempted using explicit credentials
- 4675: SIDs were filtered
```powershell
#Set Logon Events to capture Success/Failure activity.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```
There are numerous resources available to assist you with best-practice audit policy configuration, including the Center for Internet Security (CIS) Benchmarks, the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), and guidance published by Microsoft.
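Before generating test events, it is worth confirming that the subcategories the rest of this tutorial depends on really are set to Success and Failure, since a GPO can silently override a local auditpol change. The following is an added example, not code from the original post; it assumes auditpol's /r report format (CSV with Subcategory and Inclusion Setting columns) and an elevated PowerShell 5.1 session, and the function name Test-AuditSubcategory is my own.

```powershell
# Added example (not from the original post). Assumes: auditpol /r emits CSV with
# "Subcategory" and "Inclusion Setting" columns, and the console is elevated.

function Test-AuditSubcategory {
    [CmdletBinding()]
    param (
        # Subcategory names exactly as 'auditpol /get /category:*' prints them.
        [Parameter(Mandatory)]
        [string[]] $Subcategory,

        # The setting you require: 'Success and Failure', 'Success' or 'Failure'.
        [string] $Expected = 'Success and Failure'
    )

    # /r switches auditpol to report (CSV) output; pull the whole policy once
    # instead of launching auditpol per subcategory.
    $csv = auditpol /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed with exit code $LASTEXITCODE (is this console elevated?)"
    }
    $policy = $csv | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    foreach ($name in $Subcategory) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { $null }
        # An unset subcategory reports 'No Auditing'; treat a missing row the same way.
        if ([string]::IsNullOrWhiteSpace($actual)) { $actual = 'No Auditing' }

        [PSCustomObject]@{
            Subcategory = $name
            Expected    = $Expected
            Actual      = $actual
            Compliant   = ($actual -eq $Expected)
        }
    }
}

# Logon produces 4624/4625 used later in this post; Logoff produces 4634/4647.
$report = Test-AuditSubcategory -Subcategory 'Logon', 'Logoff'
$report | Format-Table -AutoSize

# Bring any non-compliant subcategory in line with the same auditpol /set call the post uses.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    auditpol /set /subcategory:"$($_.Subcategory)" /success:enable /failure:enable
}
```

If a subcategory flips back to No Auditing after the next Group Policy refresh, the setting is being enforced centrally and must be changed in the GPO rather than locally.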
Generating Logon Failure Logs for Analysis
This article will be a tutorial, and will expect you to follow along. If you’ve configured Windows to audit Logon events above, let’s now generate some security events for analysis later. More specifically, let’s generate 35 failed logon attempts which will be recorded in your system’s security log to mimic brute force activity.
1. Open your favorite code editor.
2. Copy the following code and paste it into the code editor. This code snippet attempts to start PowerShell.exe with the Start-Process cmdlet, using bogus usernames and passwords.
```powershell
#Define 5 usernames to record as logon failures.
$arrUsers = @(
    "AtaBlogUser1"
    "AtaBlogUser2"
    "AtaBlogUser3"
    "AtaBlogUser4"
    "AtaBlogUser5"
)
#Loop through usernames using ForEach-Object to generate a logon failure for each one.
$arrUsers | ForEach-Object {
    $securePassword = ConvertTo-SecureString "AtA810GRu13Z%%" -AsPlainText -Force
    $storedCredential = New-Object System.Management.Automation.PSCredential($_, $securePassword)
    Start-Process -FilePath PowerShell -Credential $storedCredential
}
#Generate 30 logon failures for user AtaBlogUser.
$i = 0
Do {
    $securePassword = ConvertTo-SecureString "AtA810GRu13Z%%" -AsPlainText -Force
    $storedCredential = New-Object System.Management.Automation.PSCredential("AtaBlogUser", $securePassword)
    Start-Process -FilePath PowerShell -Credential $storedCredential
    $i++
} Until ($i -eq 30)
```
3. Save the PowerShell script as Invoke-BogusEvents.ps1 or whatever name you’d like and execute the script.
When executed, you’ll notice an expected error repeated 35 times indicating "The user name or password is incorrect."
If you are not receiving the expected output, ensure that the Secondary Logon service is in a Running state.
Accessing Windows Events with PowerShell
Now that you’re sure to have at least 35 Windows security events, let’s dig into how to find them with PowerShell’s Get-WinEvent cmdlet.
You may be familiar with PowerShell’s Get-EventLog cmdlet, which is also used to access the event log programmatically. Get-EventLog uses a Win32 Application Programming Interface (API) that is deprecated and will not be discussed in this post.
Open a PowerShell console as an administrator and invoke the Get-WinEvent cmdlet, passing it the FilterHashtable and MaxEvents parameters as shown below.
The command below queries your system’s security log (LogName='Security') for event ID 4625 (ID=4625) and returns the 10 newest instances (-MaxEvents 10).
```powershell
#Filter the security log for the first 10 instances of Event ID 4625
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 10
```
If successful, you should see an output similar to the following:
Accessing Event Properties with Get-WinEvent
In the above section, you used Get-WinEvent to see Windows security events at a high level, but a Windows event contains so much more information. Each Windows event has valuable properties that you can use for deeper analysis.
Windows Events as XML
When Windows records an event, it is stored in XML format. If that’s the case, then why did your Get-WinEvent command return typical PowerShell objects? The Get-WinEvent cmdlet reads the events through the native Windows API and translates them into PowerShell objects for increased functionality.
Each Windows event has various attributes that follow a specific XML schema or structure.
You’ll see below that each property in an event’s template is described by three attributes:
- name – The name of the property
- inType – The input type definition, or how the event accepts a value
- outType – The output type definition, or how the value is recorded
Finding Event XML Templates with PowerShell
As mentioned above, every Windows security event is stored in XML and has a specific schema, but what does that schema look like? Let’s find out.
In one of the previous sections, you generated a few events with ID 4625 in the security event log. This type of event has specific attributes that only apply to it. To find those attributes and what the template looks like:
1. Open a PowerShell console as an administrator if you don’t already have it open.
2. Run Get-WinEvent again, but this time use the ListProvider parameter, specifying the provider Windows uses to record events to the security event log, and only return the Events property.
The Events property contains the definition of every event the provider can record and exposes the XML template for each of those events.
```powershell
(Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing').Events
```
3. Now that you have the code to find templates for all of the event types, narrow that down by only returning the event associated with ID 4625.
```powershell
(Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing').Events | Where-Object -Property ID -eq 4625
```
4. Once you’re returning only the Logon event type with event ID 4625, limit that to only show the Template property like below.
```powershell
#Obtain event XML template for event properties of Event ID 4625.
((Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing').Events | Where-Object -Property ID -eq 4625).Template
```
The following screenshot shows a truncated version of the code’s output, identifying the event property name, input type, and output type. You can see that event ID 4625 has event properties with various input and output definitions.
The screenshot below highlights the SubjectUserSid property of Event ID 4625. This particular property accepts an input type (inType) of win:SID and renders the output (outType) as a string, which is how it is stored within the security log.
How PowerShell Translates XML to Objects
Now that you’ve seen how Windows stores events in XML and how to see those templates in PowerShell, let’s turn to how PowerShell translates that XML into objects.
1. Run the Get-WinEvent command again to return our event ID 4625. Up until now, this is nothing new. Notice that PowerShell only shows four properties: TimeCreated, Id, LevelDisplayName, and Message.
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1
```
By default, the Get-WinEvent cmdlet doesn’t display all of the attributes from the event’s XML data source; the default table view shows only a few of the PowerShell object’s properties.
2. Now, pipe the output of the above command to the Select-Object cmdlet and specify the Property parameter, passing a value of * to show all properties.
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1 | Select-Object -Property *
```
Notice below that PowerShell was hiding many different properties. More specifically, a property called Properties. The Properties property contains the value of each event attribute that you saw earlier in the XML template.
3. Limit the output of the Get-WinEvent command above to expose the Properties property. This property stores all event properties, not PowerShell object properties, in an array.
```powershell
#Output event properties array for the first instance of Event ID 4625
$eventProperties = (Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 1).properties
$eventProperties
```
On the left of the screenshot below is the output from the above command. The array contains the values for each of the XML attributes in the XML template on the right side of the screenshot.
The code’s output shown in the screenshot communicates that an authentication failure occurred for user AtaBlogUser (TargetUserName) from system Desktop-XXXXX (WorkstationName) using an IP address of ::1 (IpAddress).
Perhaps you’d like only to return the value for the TargetUserName event property. Since you’ve already stored all event properties in a variable called $eventProperties, reference index 5 of that array, which holds the value for TargetUserName.
You must reference the value property on the individual event property object to return only the value (AtaBlogUser).
```powershell
$eventProperties[5].value
```
The practices described throughout this section will be used in subsequent sections to track down the brute force attempt you simulated earlier in this post.
Detecting a Brute Force Attack
You are now prepared to use your PowerShell skills to track down the brute force attack you replicated earlier in this post! Let’s put your skills to the test by simulating what it may look like to track down a brute force attack based on a specific timeframe.
Let’s say you were alerted to an incident where your organization believes someone is trying to use an administrative account to log onto an important Windows Server. This activity started yesterday. You must discover the number of event ID 4625: An account failed to log on that occurred over the last 24 hours and determine each event’s logon type.
1. Find all events with ID 4625 (ID=4625) in the Windows security log (LogName="Security") for the last 24 hours (StartTime=((Get-Date).AddDays(-1))), ending at the current time (EndTime=(Get-Date)).
```powershell
$events = Get-WinEvent -FilterHashTable @{LogName="Security";ID=4625;StartTime=((Get-Date).AddDays(-1));EndTime=(Get-Date)}
```
2. Now, count all events stored in the variable (its Count property) to determine whether there are more failed logon events than expected.
You should now see a numerical value indicating the number of times event ID 4625 was found in the security event log for the last 24 hours.
3. Now that you’ve determined a brute force attack has occurred, track down more information about these Windows security events. To do so, only return the attributes from each of the events you’re interested in.
As mentioned earlier, each value for a particular event is stored in an array with a specific index. The interesting event properties for this demo are below.
- TargetUserName: index [5]
- LogonType: index [10]
- WorkstationName: index [13]
- IpAddress: index [19]
The below code sample reads each object in the $events variable, gathers only the interesting properties, and concatenates them into a single line.
```powershell
#Extract TargetUserName, LogonType, WorkstationName, and IpAddress event properties from all instances of Event ID 4625 in the last 24 hours.
$events | ForEach-Object {
    ## Reference the properties object property
    ## Only return the value of indexes 5,10,13 and 19 from the properties array
    ## Concatenate all values together by joining them with a comma
    $_.properties[5,10,13,19].value -join ", "
}
```
The following screenshot shows a truncated version of the code’s expected output, detailing a comma-separated list of TargetUserName, LogonType, WorkstationName, and IpAddress.
4. As you saw from the XML template earlier, event ID 4625’s template has a LogonType attribute. This attribute indicates the method by which the account attempted to authenticate. Through some further investigation, you noticed that the LogonType was different on occasion.
LogonType attribute
The LogonType value is a numerical value from 2-11, but what does that mean? You perform some research and discover what each value means.
2 – Interactive – A user logged on to this computer.
3 – Network – A user or computer logged on to this computer from the network.
4 – Batch – Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 – Service – A service was started by the Service Control Manager.
7 – Unlock – This workstation was unlocked.
8 – NetworkCleartext – A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 – NewCredentials – A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 – RemoteInteractive – A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
11 – CachedInteractive – A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Now that you have a good understanding of each LogonType, rather than seeing a numerical value in the output, you want a more descriptive string. To create “maps” in PowerShell, use a hashtable.
```powershell
$logonTypes = @{
    [uint32]2 = "Interactive"
    [uint32]3 = "Network"
    [uint32]4 = "Batch"
    [uint32]5 = "Service"
    [uint32]7 = "Unlock"
    [uint32]8 = "NetworkCleartext"
    [uint32]9 = "NewCredentials"
    [uint32]10 = "RemoteInteractive"
    [uint32]11 = "CachedInteractive"
}
```
5. Combine Get-WinEvent and the LogonType hashtable with ForEach-Object to create a script that will only return the properties you desire with a user-friendly LogonType value, as shown below. The Format-Table cmdlet adds to the user-friendly output by formatting PowerShell’s response as a table.
```powershell
#Use Get-WinEvent to access the properties of each logged instance of Event ID 4625
$events = Get-WinEvent -FilterHashTable @{LogName="Security";ID=4625;StartTime=((Get-Date).AddDays(-1).Date);EndTime=(Get-Date)}
## Create the numerical value to string "map"
$logonTypes = @{
    [uint32]2 = "Interactive"
    [uint32]3 = "Network"
    [uint32]4 = "Batch"
    [uint32]5 = "Service"
    [uint32]7 = "Unlock"
    [uint32]8 = "NetworkCleartext"
    [uint32]9 = "NewCredentials"
    [uint32]10 = "RemoteInteractive"
    [uint32]11 = "CachedInteractive"
}
## Begin processing each object in the $events array
$events | ForEach-Object {
    ## Look up the numerical value in the hashtable
    $logonType = $logonTypes[$_.properties[10].value]
    #Create custom PowerShell object to output relevant event properties
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        TargetUserName = $_.properties[5].value
        LogonType = $logonType
        WorkstationName = $_.properties[13].value
        IpAddress = $_.properties[19].value
    }
} | Format-Table -Wrap
```
At this point, you now have a script that returns PSCustomObject type objects allowing you to perform many different types of analysis! To finalize this tutorial’s analysis, prioritize the authentication failure attempts by TargetUserName. To prioritize the failures by the TargetUserName property, combine the above code with the Group-Object cmdlet. Use Sort-Object and its Descending switch to identify the highest offending user.
```powershell
#Use Get-WinEvent to access the properties of each logged instance of Event ID 4625
$events = Get-WinEvent -FilterHashTable @{LogName="Security";ID=4625;StartTime=((Get-Date).AddDays(-1).Date);EndTime=(Get-Date)}
## Create the numerical value to string "map"
$logonTypes = @{
    [uint32]2 = "Interactive"
    [uint32]3 = "Network"
    [uint32]4 = "Batch"
    [uint32]5 = "Service"
    [uint32]7 = "Unlock"
    [uint32]8 = "NetworkCleartext"
    [uint32]9 = "NewCredentials"
    [uint32]10 = "RemoteInteractive"
    [uint32]11 = "CachedInteractive"
}
## Begin processing each object in the $events array
$events | ForEach-Object {
    ## Look up the numerical value in the hashtable
    $logonType = $logonTypes[$_.properties[10].value]
    #Create custom PowerShell object to output relevant event properties
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        TargetUserName = $_.properties[5].value
        LogonType = $logonType
        WorkstationName = $_.properties[13].value
        IpAddress = $_.properties[19].value
    }
} | Group-Object -Property TargetUserName | Sort-Object -Property Count -Descending
```
Great work! You just used PowerShell to detect the brute force attempt that you simulated earlier in this post. According to the output, AtaBlogUser failed to authenticate 30 times in the last 24 hours!
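The index-based lookups above (properties[5], [10], [13], [19]) work, but they break silently if a template changes or if you reuse the script for a different event ID. The following added example, which is not code from the original post, revisits both the "Windows Events as XML" section and this detection: it reads each property by the Data Name from the event's own XML, then groups failures by account and source so one noisy origin stands out. It assumes an elevated PowerShell 5.1 session with the Logon subcategory audited and the standard Microsoft-Windows-Security-Auditing template for 4625; the names ConvertFrom-SecurityEvent, Find-FailedLogonBurst and $Threshold are my own.

```powershell
# Added example (not from the original post). Assumes: elevated PowerShell 5.1,
# the Logon subcategory audited, and the standard 4625 template whose <Data> names
# include TargetUserName, LogonType, WorkstationName and IpAddress.

# LogonType values as documented by Microsoft for events 4624/4625.
$logonTypes = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'   # Remote Desktop / Terminal Services session
    11 = 'CachedInteractive'
}

function ConvertFrom-SecurityEvent {
    # Flatten one event into an object keyed by the <Data Name="..."> values in its XML,
    # so callers never depend on where a value sits in the Properties array.
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    process {
        [xml]$xml = $Event.ToXml()
        $data = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [PSCustomObject]$data
    }
}

function Find-FailedLogonBurst {
    param (
        [datetime] $StartTime = (Get-Date).AddDays(-1),
        [int] $Threshold = 10   # failures per account+source that you treat as suspicious
    )
    $filter = @{ LogName = 'Security'; ID = 4625; StartTime = $StartTime }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events | ConvertFrom-SecurityEvent |
        Group-Object -Property TargetUserName, WorkstationName, IpAddress |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeCreated)
            $types   = $ordered | ForEach-Object { $logonTypes[[int]$_.LogonType] } | Sort-Object -Unique
            [PSCustomObject]@{
                TargetUserName = $ordered[0].TargetUserName
                Source         = "$($ordered[0].WorkstationName) ($($ordered[0].IpAddress))"
                LogonTypes     = $types -join ','
                Failures       = $_.Count
                FirstSeen      = $ordered[0].TimeCreated
                LastSeen       = $ordered[-1].TimeCreated
                Suspicious     = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Failures -Descending
}

Find-FailedLogonBurst | Format-Table -AutoSize
```

Against the events generated earlier, AtaBlogUser from the local workstation (::1) lands at the top with 30 failures and Suspicious set to True, while the five single-failure accounts stay below the threshold.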
Next Steps
In this tutorial, you learned how Windows logs events, how to enable event logging for certain event types, and how to build a PowerShell tool to query these events.
With the PowerShell script you now have, how can you make it better? How will you take the code you’ve learned about today and build a better tool?