The keys to successful incident response equate to having the proper people, processes, and tools in place to act decisively when an incident occurs, which is a recurring theme in our incident response articles. Without proper logging occurring ahead of time, which is a large part of the picture for security operations and incident response, teams, it will make it difficult to prove how long a threat actor was in an environment, and depending on the lack of logs, could be very difficult to provide analysis on activities taken by the threat actors or insider threats depending on the case scenario.
While the volume of logs generated by Windows machines can be overwhelming, for the purpose of this article, we will focus on just six to get you started on the most common ones which will indicate malware breaches and suspicious account activity. The event IDs we are going to focus on for this article are 4688, 4670, 4672, 1125 and 1006/1007.
Event 4688 documents each program (or process) that a system executes, along with the process that started the program. What’s fascinating about this event ID is that it logs any process that is created by a user or even spawned from a hidden process. For example, if there’s malware present on your Windows system, searching event 4688 will reveal any processes executed by that malicious program. Child processes with a different parent process ID than the original process, as well as processes running outside of C: Program Files or C: windowssystem32, are red flags for malicious activity..
In addition, you can get information about a user’s administrative privileges through the Token Elevation Type field. A Type 1 token refers to a “full token” with all privileges granted to that user account, such as when UAC (User Access Control) is disabled or when the user is in a service or built-in administrator account. Type 2 hints that an elevated token was issued through the “Run as administrator” option while the UAC was enabled. Type 3 is a limited token with no administrative groups or privileges. It’s issued when the user doesn’t launch a program using Run as administrative or when an application doesn’t require administrative privileges. While event 4688 can tell you a lot, it should be used in conjunction with other event logs to get a full picture of an intrusion.
One of the best ways to identify unauthorized access (and ultimately data leakage) is by tracking File Server permission changes. That’s where event 4670 comes in handy — it triggers itself when a user modifies an object’s access control list. Hackers are known to change permissions when attempting to move laterally or inject ransomware into a system; monitoring who takes ownership of an intrusion is a critical step in tracing the source of an attack. Advanced users can also dive into SDDL to further understand what permissions have been changed. Besides intrusion detection, you can also use event 460 to get insights into user activity. It can help you get information on peak logon times, user attendance and more. Pro tip: Make sure to enable the audit policy of objects when viewing event 4670 in your Windows Event Viewer or SIEM.
This event informs you whenever an administrator equivalent account logs onto the system. You can track it to look for a potential Pass-the-Hash (PtH) attack. If the “SubjectSecurity ID” in the Event Viewer doesn’t contain “LocalSystem, NetworkService, LocalService”, it’s not an admin-equivalent account and requires careful analysis.
But event 4672 isn’t the only Windows security event log ID to indicate a pass-the-hash attack. Many other events, including 4648 (a logon was attempted with explicit credentials), 4624 (an account was successfully logged on) and 4776 (the computer attempted to validate the credentials for an account), can indicate that a system has been or is being breached collectivity.
It’s not easy to detect lateral movement from Pass-the-Hash attacks, but an SIEM that lets you create correlation rules around the movement can help you identify the other events linked to PtH.
Windows typically manages its configuration settings on servers and workstation using “Active Directory Group Policy.” Monitoring event 1125 helps you identify potential failures pertaining to policy application or unsanctioned changes to policy objects in Active Directory, rather than user error. If the policy cannot be applied, there’s a chance that the system has a security issue.
Besides AD policy, it’s also beneficial to keep tabs on firewall rules. Because Windows Firewall offers a critical line of defense, a malicious actor may attempt to modify its rules in order to gain access to your system. Use the firewall logging feature to check for dynamic and disabled port openings, as well as analyze dropped packets on the send route.
In case you identify a malicious activity, open the log file in Notepad and use the DROP command to filter all entries in the action field, analyzing which destination IPs end with a number that’s not 255. If you detect many such IPs, take note of packets’ destination IP addresses for troubleshooting.
Consider investing the notifications for identifying, preventing and removing malware in Windows Defender. Yes, even the built-in antivirus can be used to conduct malicious activity. Start by reviewing event ID 1006, which is triggered when the Defender detects unwanted software. Then review Event 1007 to see if the antivirus acted to protect your system from potential infiltration. All these events are present in a sublog.
You can use the Event Viewer to monitor these events. Open the Viewer, then expand Application and Service Logs in the console tree. Now click Microsoft → Windows → Windows Defender Antivirus”. The last step is to double-click Operational, which will open the “Details” pane, where you’re able to see events.
Windows event logs are an indispensable tool for detecting errors and malicious activity. Keeping a watchful eye on them can alert you to intrusions before they grow in presence and scale. Given that the first step in responding to malware is often to track the infiltration source, event IDs are a valuable piece of information available to Windows users. If you pay attention to what they’re telling you, you’ll detect malicious activity as early into the kill chain as possible.