Section 2.2: Intrusion Analysis: Event Log Analysis

Question 1

What are the Event log name files when searching for them inside a server?

Answer 1

SecEvent.evt, AppEvent.evt, and SysEvent.evt. The path is: %systemroot%\System32\config.

Question 2

What are the Event log name files when searching for them inside a client PC?

Answer 2

Security.evtx, Application.evtx, and System.evtx. The path is: %systemroot%\System32\winevt\logs. The location of the path can be changed inside the registry and remotely.

Question 3

What is the registry location to change the event log path and the storage options?

Answer 3

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application (or Security or System). The storage options can be overwritten, archived, and do not overwrite.

Question 4

What does the Security log monitor?

Answer 4

User authentication and logon, user behavior/actions, File/Folder/Share access, security settings and group policies. LSASS is what updates the security log.

Question 5

What does the System log monitor?

Answer 5

Logs about Windows services, system components, drivers and resources.

Question 6

What does the Application log monitor?

Answer 6

Software events unrelated to the operating system. Ex: SQL server fails to access database, A/V, etc.

Question 7

What does the Custom log monitor?

Answer 7

Custom applications such as: Task Scheduling, Terminal Services, Powershell, WMI, Firewall. Server items applies as well such as: Directory Services, DNS Server, File Replication, and Service logs.

Question 8

What categories does the Security log record?

Answer 8

Account logon, Account mgmt, Directory service, Logon Events, Object access, Policy change, Priviledge use, Process Tracking, and System Events.

Question 9

What is the difference between Account logon events and Logon events?

Answer 9

Logon events tracks logging on/off of a local system while Account logon events is tracking accounts authorized by the domain controller.

Question 10

Describe the Directory Service category inside the Security log.

Answer 10

Attempting access of Active Directory objects.

Question 11

Describe Object Access category inside the Security log.

Answer 11

Access to objects identified in system access control list.

Question 12

Describe System events category inside the Security log.

Answer 12

Auditing for things like when a computer restarts or shuts down or any event that affects the system security or security log.

Question 13

What are all the analysis scenarios investigators want to look into when searching event logs?

Answer 13

Account usage, tracking lateral movement, suspicious services, application installation, event log clearing, malware execution, process tracking, and capturing command lines and scripts.

Question 14

Relevant Event IDs for account usage.

Answer 14

4624- Successful logon
4625- Failed logon
4634/4647- Successful logoff
4648- Logon through explicit credentials (RunAs)
4672- Logon as Administrator
4720- Account created
4726- Account deleted

Question 15

Name the five fields analysts review when reviewing an event log record.

Answer 15

The account name, timestamp, logon type, Event ID, and computer (where the event was recorded on).

Question 16

What is the executable name that runs Windows Event viewer?

Answer 16

eventvwr.exe

Question 17

Logon type codes

Answer 17

2- Via Console (keyboard, server KVN, virtual client)
3- Network logon (SMB/RDP)
4- Batch logon
5- Service logon
7- Creds used to unlock/lock screen (RDP reconnects)
8- Network logon sending creds in cleartext
9- RunAs logon
10- RDP logon
11- Cached creds used for logon
12- Cached remote (like Type 10)
13- Cached unlock (like Type 7)

Question 18

How do I identify logon sessions?

Answer 18

By looking into the Logon ID. This field can determine how long a user was logged through their respective logon/off IDs tied to a similar Logon ID. Its most effective with Logon Types 2, 10, 11, & 12.

Question 19

Why isnt Logon type 3 work the same as the other interactive logon types when identifying logon sessions?

Answer 19

Type 3 will do logon/off when doing remote shares immediately. This applies even if, for example, a remote word document remains open.

Question 20

What is the Linked Logon ID?

Answer 20

It ties session to the Logon ID of any other authentication events. Ex: Admin logins generate two sessions (high and low session). A non-admin account will have zeroes on Linked Logon ID.

Question 21

What are the Windows built-in accounts?

Answer 21

SYSTEM, Local service, Network service, DWM, UFMD, & ANONYMOUS LOGON

Question 22

Event IDs for auditing account creation

Answer 22

4722- user account was enabled
4724- an attempt was made to reset an account’s password
4728- member added to a security-enabled global group
4732- member was added to a security-enabled local group
4735- a security-enabled local group was changed
4738- a user account was changed
4756- a member was added to a security-enabled universal group

Question 23

Event IDs for Remote Desktop Protocol and its key features for when analyzing them.

Answer 23

4778- session was reconnected
4779- session was disconnected
These IDs both record IP address and hostname of the system that established the connection. To see what OUTSIDE system connected through RDP, check the RECEIVING system. Only one session can be established to a system at a time so it will disconnect one if another is attempted to be established.

Question 24

When seeing Event ID 4778, what is so suspicious in seeing a Client name such as DESKTOP-I6IPE98?

Answer 24

It is a random Windows-generated name. Generated names is not normal inside an enterprise so it is suspicious.

Question 25

What can an IP address of 192.168.30.10 indicate?

Answer 25

A VPN address concentrator

Question 26

When RDP Logon IDs dont match, what can I do to find them?

Answer 26

Search for earliest non-terminated session by the same user.

Question 27

If I was to be on a source system and wanted to find where it was using RDP to, where can I look?

Answer 27

In Security.evtx, search for 4648 (RunAs). Use also RDPClient%Operational.evtx and search ID 1024 for Dest. Host Name and 1102 Dest. IP address.

Question 28

If I was using a system to find RDP activity that it received from a different computer, where would I look?

Answer 28

In Security.evtx, search ID 4624 Type 10, 4778 & 4779. In RDPCore%4Operational.evtx (131, 98). RemoteConnectionManager%4Opertional.evtx (1149). LocalSessionManager%4Operational.evtx (21, 22, 25, 41).

Question 29

What are the Logon Event IDs?

Answer 29

NTLM Protocol:
4776- Successful/failed account authentication
Kerberos Protocol:
4768- authentication successful by granting time-limited ticket to user.
4769- service ticket requested (access to service resource)
4771- failed authentication

Question 30

Where are Logon Event IDs found?

Answer 30

They should be only found inside the domain/active directory on the DC. If they are found inside the workstation, search the local account. These IDs shouldnt be found on workstations since that indicates rogue accounts are being created on the local system.

Question 31

What are the NTLM (& Kerberos) logon error codes?

Answer 31

(0x6)0xC0000064- invalid username
(0x7)- requested server not found
(0xC)0xC0000070- logon from unauthorized workstation
(0x12)0xC0000234- Acct locked, disabled or expired
(0x17)0xC0000071- Password expired
(0x18)0xC000006A- Password invalid
(0x25)- Clock skew between machines is too great

Question 32

Give an event log analysis example of a priviledged local account being abused by means of passing-the-hash

Answer 32

Computer B has an event ID of 4776, (should be in DC only), in its system. The log has info saying that the Computer A was trying to authenticate a user that is present in Computer B. Other event IDs present are 4672 and 4624 Type 3 (SMB).

Question 33

Event IDs to track account and group recon

Answer 33

4798- a user’s local group membership was enumerated.
4799- a security-enabled local group membership was enumerated.

Question 34

Why were enumerating event IDs created in Win10+? What does adversary enumeration indicate?

Answer 34

To combat adversary tools that recon at scale such as Powerview by Powersploit, Empire, and Deathstar. This stage of the attack cycle means the attack is early still so mitigation is advised.

Question 35

Where can I enable enumeration event IDs?

Answer 35

Via Group policy Advanced auditing -> Account Management -> “Audit Security group management” and “Audit user group management”

Question 36

What is something an analyst must do when activating enumeration?

Answer 36

Filter the sensitive accounts that shouldnt be active to be enumerated as well as processes.

Question 37

What are some fields to review when observing enumeration logs?

Answer 37

The system doing the enumeration, the user, the event ID, the process that started the enumeration, and the group name that was being enumerated.

Question 38

Feature I didnt know about Event Log Explorer

Answer 38

Assist log review: it allows many log files to merge and can also be done on remote systems for live reviews.

Question 39

Name a feature EvtxECmd.exe does that I didnt know.

Answer 39

It can get event log files from Volumne Shadow Service (VSS) for deleted logs and deduplicates them.

Question 40

Network shares Event log IDs

Answer 40

5140- network share was accessed
5142-44- shares created, modified, or deleted
5145- shared object accessed (individual items)

Question 41

How to enable network sharing event IDs?

Answer 41

Go to Advance Audit Policy Configuration -> Object Access -> “Audit File share” & “Audit Detailed File share”

Question 42

How do I track adversary map sharing using Cobalt Strike in event logs?

Answer 42

Event ID 5140 will produce a ADMIN$ log and it may contain obscure information such as the IP being 127.0.0.1 and user account info. Cobalt does this. A paired 5140 log with IPC$ should cover the missing details of both missing information. Look for its corresponding 4624 too.

Question 43

If an Event ID of 5140 is present with just IPC$ and isnt paired with another log with ADMIN$ or C$, what does that mean?

Answer 43

Enumeration tools are being used to recon the network.

Question 44

Event ID to track RunAs logs

Answer 44

4648- Logon using explicit credentials

Question 45

Where are RunAs event logs stored?

Answer 45

On the source computer only, giving the analyst insight to where adversaries went. RunAs logs can appear on both source and target systems IF the attempt to switch credentials was during RDP.

Question 46

What is the anatomy on how RunAs events trigger if accounts were not switched?

Answer 46

Tools using new explicit credentials to authenticate other than the one that is present in memory will trigger this. Even if its the same credentials, the fact that the tool must provide it will trigger it.

Question 47

What characteristics describe the Cobalt Strike tool?

Answer 47

Cobalt Strike will trigger RunAs event log IDs. It creates a new logon session where adversary must type in explicit credentials (even if its the same as the one in memory), and it heavily relies on Powershell process. It can make a token or pth (pass-the-hash) to authenticate.

Question 48

Scheduled Tasks (Security log) Event IDs

Answer 48

106(4698)- Scheduled task created
141(4699)- Scheduled task deleted
(4700/4701)- Task enabled/disabled
200/201- Task executed/completed
140(4702)- Scheduled task updated

Question 49

Are modern Windows 10 OS have scheduled task logs enabled?

Answer 49

No. Enable through group policy.

Question 50

How do I find remote scheduled task logs?

Answer 50

Look for 4624 type 3 logs and task logs within the same time frame to verify connection since tasks logs dont differentiate from local to remote.

Question 51

Where are schedules tasks stored? Are the 32-bit code tasks stored in the same directory?

Answer 51

Tasks are stored inside C:\Windows\System32\Tasks. 32-bit code tasks are stored inside C:\SYSWOW64\Tasks. 32-bit tasks are NOT normal. When looking at the Task XML file, look under “Author” for remote system and user. To see if a different account was used to run the command, look at “UserID”.

Question 52

Event IDs for Services

Answer 52

7034- service crashed unexpectedly
7035- service sent a start/stop control
7036- service started or stopped
7040- start type changed (boot|on request|disabled)
7045- new service was installed
4697(security)- new service was installed

Question 53

What is SCM?

Answer 53

Service Control Manager. It transmits control requests to those services and maintains status information about those services.

Question 54

Where do I enable Event Log ID 4697?

Answer 54

“Audit Security System Extension” is enabled in group policy.

Question 55

What types of malware artifacts can I track through service log tracking?

Answer 55

Worms, PsExec, DLL and Process injections

Question 56

How does a service creation log containing Metasploit PsExec differ from a normal PsExec?

Answer 56

Metasploit has a powershell script running when the service is started. The malware is used for lateral movement.

Question 57

What is an advantage of having event ID 7045 when monitoring PsExec?

Answer 57

It logs PsExec as a new service creation every time it runs.

Question 58

Event log IDs for log clearing and name the executable responsible for clearing it out.

Answer 58

1102- security log was cleared
104- audit log cleared (system log)
Wevtutil.exe clears out logs.

Question 59

Who has priviledges to clear out logs?

Answer 59

Domain admin, local admin, and SYSTEM.

Question 60

What is a good practice when it comes to watching cleared logs?

Answer 60

Setting alerts when logs are cleared is highly advised.

Question 61

What are some event log attacks done by adversaries?

Answer 61

Danderspritz (eventlogedit), Mimikatz (event::drop), and Invoke-Phant0m (thread killing)

Question 62

What function does Danderspriz’s eventlogedit do to the event log system?

Answer 62

It changes log headers on OS so they wont show entries, but EvtxECmd tool can recover it when parsing.

Question 63

What function does Mimikatz’s event::drop do to the event log system?

Answer 63

It can stop from 1102 log from ever posting but will leave serious log gaps because the tool cannot turn event logs back on.

Question 64

What function does Invoke-Phant0m’s thread killing do to the event log system?

Answer 64

It goes to the system and kills the threads. It will continue to run but no longer log events.

Question 65

How can analysts mitigate event log compromise?

Answer 65

Log forwarding, logging “heartbeat”, and log gap analysis.