Windows Event Log

"If Google made $1 every time someone used them to find an answer to a tech support question, they would own Microsoft."

This document is licensed with a Creative Commons Attribution 4.0 International License 2017

Overview
- Operating Systems
- Log Files & Why We Care
- Windows Log File Format & Operations
  - Configuration & Operation
  - EVTX Format
- Windows Event Logging Framework
- Security Logs
  - Records
  - Protection of Security Logs
  - Analysis and Events to Know
- Pulling it together

Welcome to the World of Operating Systems
- Most everything we have done up until this point has been OS agnostic.
- We explored low-level concepts which live beneath the OS in a computer. The OS is contained within and interacts with these elements.
- Everything you have done so far could be done independent of the OS running on top of the disk and file system layers.

- Now we will move up to examining the insides of an Operating System.
- The good news: this will be less technically challenging. The bad news: this will be less technically challenging.

What is an Operating System
- System software that manages computer hardware and software resources and provides common services for computer programs.
- Intermediary between programs and the computer hardware.
- Manages access to CPU, memory, storage, networking, I/O.
- Coordinates resource access between all applications running on a computer.
- An OS is a huge, complex piece of software. At any given time a great many events take place within it.
- Event Logging is a standard, centralized method for the OS and applications to record important information coming from software and hardware.

Log Files - Why do we need them?
- Auditing & Compliance
- Disaster Recovery
- Forensic Reconstruction
- Ultimately we want to correlate many apparently disparate artifacts to paint a picture or complete the story of our examination:
  - Recreate a sequence of events
  - Confirm or contradict our forensic hypothesis
- Consider a user who repeatedly changes the system time to frustrate timelining: every change generates EventID 4616 (the system time was changed), which records both the previous and the new time, so the timeline can be corrected.

Event Log Information
- What happened: EventID & event category
- When: timestamps
- Who: user accounts involved
- Involved systems: in networked environments many records will reference accounts on remote systems
- Resources accessed: almost any system resource can be considered an object subject to logging. Look for unauthorized access or access attempts to resources.

Windows Event Log
- Stored in %SystemRoot%\System32\Winevt\Logs\
- Files have the .evtx extension.
- What happens when a log is full - three options:
  - Overwrite the oldest events when the log runs out of space (the default)

  - Overwrite events older than N days (Windows XP/2003; Vista and later offer "archive the log when full" instead)
  - Do not overwrite: the log must be cleared manually, and new events are dropped while it is full

Windows Event Log - Log Thoroughness
- Depends on the audit policy.
- Audit policy is set by sysadmins based on what they think is relevant.
- Can be managed centrally using Group Policy (per-subcategory "advanced audit policy" since Vista/Server 2008).
- Can have bad defaults: Windows 7 clients audited very little out of the box (no process tracking and no object access, for example).
- Audit policy is stored in HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv. The SECURITY hive is readable only by SYSTEM on a live system; offline, parse the hive file. On a live system `auditpol /get /category:*` shows the effective policy.

Windows Event Log History
- Older Windows versions (NT, 2000, XP, 2003) used a logging system called Event Logging: .evt files in a much more limited binary format holding far less information.
- Newer versions (Vista, Server 2008 and later) use the Windows Event Log mechanism: a modern, XML-based format (.evtx).
- All the event ID numbers changed. Fortunately the new Security EventIDs are just the old numbers + 4096 (e.g. 528 "successful logon" became 4624).

EVTX Format
- New format introduced in Vista & Server 2008; replaced the deprecated Windows NT 4.0 EVT format.
- See pages 4-7 for a complete, thorough listing of the structures: https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949

EVTX Format - Event Properties (non-exhaustive)
- Source - the software (provider) that logged the event
- EventID - number identifying the event type
- Level - classification of event severity
- User - user on whose behalf the event occurred
- OpCode - numeric value describing the activity the application was performing when it raised the event, e.g. closing
- Date & Time
- Process ID
- Thread ID

EVTX Event Levels
- Error - significant problems such as loss of data or functionality
- Warning - not a significant problem yet, e.g. low disk space
- Information - successful operation of applications or services, e.g. a service started
- Success Audit - notification that an audited event completed successfully, e.g. successful user logon
- Failure Audit - notification that an audited event did not complete, e.g. failed device access

EVTX Format - XML Document
- See page 10 for an example of the XML formatting: https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949
- For a nearly complete listing of EventID numbers see: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

EVTX Format - File Structure
- Small file header (a 4 KB header block) followed by 64 KB chunks that are loaded as needed.
- Each chunk carries its own header, string and template tables, and CRC32 checksums over the header and over the records; the records themselves are stored as binary XML.
- Improves performance through reduced resource usage, so sysadmins are less likely to turn off logging to recover performance.

Windows Event Logging Structure
- Two channel groups: Windows Logs, and Application and Services Logs
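As an added example (not code from the original slides), the following Python walks the structures just described: the file header, the 64 KB chunks and the record headers inside them, and it verifies the CRC32 checksums. The field offsets follow the layout documented in the SANS paper linked above; the sample file is constructed in the script itself (placeholder BinXML bodies, invented timestamps), not captured from a real system, and BinXML decoding is out of scope here.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
HEADER_BLOCK = 0x1000   # 4 KB file header block
CHUNK_SIZE = 0x10000    # 64 KB chunks
FLAG_DIRTY = 0x1        # log was open / not flushed when the file was copied
FLAG_FULL = 0x2


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_file_header(buf):
    if buf[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    first_chunk, last_chunk, next_record_id = struct.unpack_from("<QQQ", buf, 8)
    _hdr_size, minor, major, block_size, chunk_count = struct.unpack_from("<IHHHH", buf, 32)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    return {
        "first_chunk": first_chunk, "last_chunk": last_chunk,
        "next_record_id": next_record_id, "version": (major, minor),
        "block_size": block_size, "chunk_count": chunk_count,
        "dirty": bool(flags & FLAG_DIRTY), "full": bool(flags & FLAG_FULL),
        "checksum_ok": zlib.crc32(buf[:120]) == checksum,   # CRC32 of the first 120 bytes
    }


def iter_records(chunk, free_offset):
    """Walk the records that follow the 512-byte chunk header."""
    off = 512
    while off < free_offset and chunk[off:off + 4] == RECORD_MAGIC:
        size, record_id, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        size_copy = struct.unpack_from("<I", chunk, off + size - 4)[0]
        yield {
            "id": record_id,
            "written": filetime_to_datetime(ft),
            "binxml": bytes(chunk[off + 24:off + size - 4]),  # BinXML body, not decoded here
            "size_ok": size == size_copy,                      # trailing size copy must match
        }
        off += size


def parse_chunk(chunk):
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("bad chunk magic")
    first_num, last_num, first_id, last_id = struct.unpack_from("<QQQQ", chunk, 8)
    _hdr_size, _last_record_off, free_off, records_crc = struct.unpack_from("<IIII", chunk, 40)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    # header CRC covers bytes 0-119 plus the string/template tables at 128-511
    calc_header_crc = zlib.crc32(chunk[128:512], zlib.crc32(chunk[:120]))
    return {
        "first_record_number": first_num, "last_record_number": last_num,
        "first_record_id": first_id, "last_record_id": last_id, "free_offset": free_off,
        "checksum_ok": calc_header_crc == header_crc,
        "records_ok": zlib.crc32(chunk[512:free_off]) == records_crc,
        "records": list(iter_records(chunk, free_off)),
    }


def parse_evtx(buf):
    header = parse_file_header(buf)
    chunks = []
    for i in range(header["chunk_count"]):
        start = HEADER_BLOCK + i * CHUNK_SIZE
        chunks.append(parse_chunk(buf[start:start + CHUNK_SIZE]))
    return header, chunks


def build_sample_evtx(record_ids=(1, 2), dirty=False):
    """Constructed sample file (not a real log): one chunk, placeholder BinXML bodies."""
    records = b""
    for rid in record_ids:
        body = b"\x0f\x01\x01\x00" + b"\x00" * 28         # BinXML fragment header + padding
        size = 4 + 4 + 8 + 8 + len(body) + 4               # magic, size, id, FILETIME, body, size copy
        ft = 131_000_000_000_000_000 + rid * 10_000_000    # early 2016, one second apart (invented)
        records += RECORD_MAGIC + struct.pack("<IQQ", size, rid, ft) + body + struct.pack("<I", size)
    free_off = 512 + len(records)
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", chunk, 8, record_ids[0], record_ids[-1], record_ids[0], record_ids[-1])
    struct.pack_into("<IIII", chunk, 40, 128, free_off - 60, free_off, zlib.crc32(records))
    chunk[512:free_off] = records
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[128:512], zlib.crc32(chunk[:120])))
    header = bytearray(HEADER_BLOCK)
    header[:8] = FILE_MAGIC
    struct.pack_into("<QQQ", header, 8, 0, 0, record_ids[-1] + 1)
    struct.pack_into("<IHHHH", header, 32, 128, 1, 3, HEADER_BLOCK, 1)   # version 3.1, one chunk
    struct.pack_into("<I", header, 120, FLAG_DIRTY if dirty else 0)
    struct.pack_into("<I", header, 124, zlib.crc32(header[:120]))
    return bytes(header) + bytes(chunk)


if __name__ == "__main__":
    hdr, chunks = parse_evtx(build_sample_evtx())
    print(hdr)
    for rec in chunks[0]["records"]:
        print(rec["id"], rec["written"].isoformat(), "ok" if rec["size_ok"] else "TRUNCATED")
```

Two checks matter to an examiner: a set dirty flag means the log was copied while open, so the file header's chunk count can lag behind the chunks actually present (walk chunks by their magic rather than trusting the count), and a failed records checksum on an otherwise valid chunk points at tampering or a damaged copy, not just at an unflushed log.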

Windows Event Logging Categories - Windows Logs
- Application.evtx: events logged by applications or programs
- Security.evtx: valid and invalid logon attempts; events relating to resource use (creating/opening/deleting a file/object)
- System.evtx: events logged by Windows system components, e.g. driver failure, failure of a system component to load
- Setup.evtx: application setup related events
- ForwardedEvents.evtx: stores events collected from remote computers

Windows Event Logging Categories - Application and Services Logs
- Many individual channels, each publishing events from a single application or component.
- Channels come in two groups of two types:
  - Serviced (can be forwarded / collected remotely):
    - Admin: indicates problems with well-defined solutions that admins can act on
    - Operational: used to analyze and diagnose problems or occurrences, e.g. connecting to a wifi access point (the examiner can look up access point MAC geolocation data: https://wigle.net/)
  - Direct (cannot be forwarded / collected remotely):
    - Analytic: published in high volume; describe program operations; indicate problems that cannot be handled by user intervention
    - Debug: events used by developers to troubleshoot their programs

Windows Event Logging Categories - Servers
- Often have extra log files dedicated to server operations:
  - Directory Service: records events from Active Directory and services based on it
  - File Replication Service: records events about replication between Domain Controllers
  - DNS Server: records zone management events and DNS server operations, e.g. start, stop

Security Logs
- These records hold audit events: user activity covered by local or group audit policies.
- Some information that can be logged (the audit policy categories):
  - Account Logon: events which authenticate the user; logged where the credential is validated, which could be the workstation (local account) or the Domain Controller (domain account)
  - Account Management: account maintenance and modification
  - Logon Events: every logon or logoff event on the local system
  - Directory Service: attempts to access objects in Active Directory
  - Object Access: access to objects which have their own access control list (the object also needs a SACL, or nothing is logged)
  - Policy Change: modifications of user rights and audit policies
  - Privilege Use: each case of an account exercising a user right
  - Process Tracking: start, stop, object access of processes
  - System Events: startup & shutdown events

Security Logs - Examples of useful events
- EventID 4624: successful logon
- EventID 4625: failed logon
- EventID 4776: successful / failed NTLM credential validation, logged on the computer that holds the account
- EventID 4720: a user account was created
- EventID 4732: a member was added to a security-enabled local group
- EventID 4728: a member was added to a security-enabled global group

Security Logs - Table of Logon Types for EventIDs 4624/4625
- 2 - Interactive (logon at keyboard and screen of system)
- 3 - Network (i.e. connection to a shared folder on this computer from elsewhere on the network)
- 4 - Batch (i.e. scheduled task)
- 5 - Service (service startup)
- 7 - Unlock (i.e. unattended workstation with password-protected screen saver)
- 8 - NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication")
- 9 - NewCredentials (such as with RunAs or mapping a network drive with alternate credentials; this logon type does not seem to show up in any events; if you want to track users attempting to log on with alternate credentials see 4648)
- 10 - RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
- 11 - CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop when away from the network)
- See the EventID encyclopedia linked above for more information.

Security Logs - Integrity Protections
- There is no general API for writing to the Security event log; only the Local Security Authority Subsystem Service (LSASS), which applies the system's security policies, generates Security audit records.
- Reading or exporting the Security log requires administrator rights (or membership in the built-in Event Log Readers group).
- Clearing it requires administrator rights and itself leaves a trace: EventID 1102 "The audit log was cleared" records the account that cleared it.

Security EventID 4688 - New Process Created
- Can look for system compromise by looking for unusual processes:
  - Close misspellings of common process names (svch0st.exe, scvhost.exe)
  - Path begins with a lowercase drive letter: suggests the process was started from the command line, a script or a batch file rather than by the shell
  - Long string of empty spaces hiding a second extension, e.g. "Employee Handbook.pdf                    .exe"
  - Common Windows processes running from a nonstandard path
- Process ID numbers: look at the parent process for suspicious relationships
  - cmd.exe should not be the parent of lsass.exe, nor the other way around (lsass.exe is started by wininit.exe and rarely spawns children)
  - Most user processes have Explorer.exe as their parent
- Caveats: 4688 is only generated when "Audit Process Creation" is enabled (off by default). The Creator Process Name (parent image path) appears only on Windows 10 / Server 2016 and later; earlier versions give just the Creator Process ID, which must be joined to an earlier 4688. The command line is included only if "Include command line in process creation events" is also enabled.
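The heuristics above, as an added example in Python (not code from the original slides), applied to constructed 4688 records using the Windows 10 / Server 2016 field names (NewProcessName, ParentProcessName). The expected install directories and parent-child pairs are assumptions for a default install with %SystemRoot% = C:\Windows; the sample records are made up.

```python
import ntpath
import re

# Default install locations of common Windows binaries (assumption: %SystemRoot% is C:\Windows)
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "cmd.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Parent each child normally has on Vista and later
EXPECTED_PARENT = {
    "lsass.exe": {"wininit.exe"}, "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
NEVER_SPAWNS = {"lsass.exe"}   # lsass.exe creating any child process is suspicious


def levenshtein(a, b):
    """Plain edit distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_4688(event):
    """Return the reasons a 4688 record looks suspicious (empty list = nothing odd)."""
    path = event["NewProcessName"]
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
    reasons = []
    if re.match(r"[a-z]:\\", path):      # "c:\..." rather than "C:\..."
        reasons.append("lowercase drive letter: likely started from a script or command line")
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            reasons.append(f"{name} running from non-standard path {directory}")
    else:
        for known in EXPECTED_DIR:
            if levenshtein(name, known) <= 2:
                reasons.append(f"{name} looks like a misspelling of {known}")
                break
    if re.search(r"\.\w{2,4}\s{5,}\.exe$", name):
        reasons.append("run of spaces hiding a second .exe extension")
    if name in EXPECTED_PARENT and parent not in EXPECTED_PARENT[name]:
        reasons.append(f"{name} started by {parent or 'unknown'}, expected {sorted(EXPECTED_PARENT[name])}")
    if parent in NEVER_SPAWNS:
        reasons.append(f"{parent} does not normally create child processes")
    return reasons


# Constructed sample records (not from a real system)
SAMPLE_4688 = [
    {"NewProcessName": r"C:\Windows\System32\lsass.exe", "ParentProcessName": r"C:\Windows\System32\wininit.exe"},
    {"NewProcessName": r"C:\Users\Public\svch0st.exe", "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"NewProcessName": r"c:\temp\svchost.exe", "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"NewProcessName": r"C:\Users\bob\Downloads\Employee Handbook.pdf                    .exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe", "ParentProcessName": r"C:\Windows\System32\lsass.exe"},
]


def triage_all(events=SAMPLE_4688):
    return [(e["NewProcessName"], triage_4688(e)) for e in events]


if __name__ == "__main__":
    for image, reasons in triage_all():
        print(image, "->", reasons or "ok")
```

The edit-distance threshold of 2 is deliberately loose so that both substitutions (svch0st) and swapped letters (scvhost, distance 2 without a transposition rule) are caught; tighten it or add a length floor if short legitimate names start matching.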

Application Crashes (Application log: EventID 1000 "Application Error", 1002 "Application Hang")
- Many legitimate reasons for an application to crash, but a crash could also be an attack such as a buffer overflow.
- Spear phishing can cause crashes in Adobe Reader, Adobe Acrobat, Adobe Flash, Microsoft Office.
- If the Enhanced Mitigation Experience Toolkit (EMET) is running it will terminate an application when it detects a memory-manipulation exploit and log the block to the Application log. EMET has since been retired; Windows 10 provides the same mitigations as Exploit Protection.
- Note these are Application log events, not Security log events: the Security log records only audit events.

Windows File Protection Warning (System log, source "Windows File Protection", EventID 64006)
- Windows File Protection monitors critical system files and attempts to prevent unauthorized software from modifying or replacing those files.
- Generates alerts when changes are attempted to these files; alerts here may indicate malicious activity.
- WFP exists on Windows 2000/XP/2003 only. Vista and later replaced it with Windows Resource Protection (WRP), so look for WRP events on modern systems.

Security Logs - Detecting Persistence
- Create and install a new service: Security EventID 4697 (needs "Audit Security System Extension"); the Service Control Manager also logs System EventID 7045 "A service was installed in the system" regardless of audit policy.
- Create a new scheduled task: Security EventID 4698 (needs "Audit Other Object Access Events"); the event carries the task XML, including the command it runs.
- Modify registry keys to start at boot (Run/RunOnce, Services): Security EventID 4657, which needs object-access auditing and a SACL on the key.
- Disable virus protection: watch the Service Control Manager events in the System log for the antivirus service:
  - The <service> service terminated unexpectedly (EventID 7034)
  - The <service> service was successfully sent a <control> (EventID 7035)
  - The <service> service entered the stopped state (EventID 7036)
  - The start type of the <service> service was changed from <old> to <new> (EventID 7040)
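Putting those persistence events into one triage routine, as an added example (not code from the original slides). The events are constructed dictionaries whose keys follow the real EventData names (ServiceFileName, TaskContent, ObjectName, param1/param2/param3); the "trusted directories", the interpreter list and the AV service names are assumptions for the sample, and the task XML is made up.

```python
import ntpath
import xml.etree.ElementTree as ET

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")
# Display names of the AV service to watch (assumption for the sample: Windows Defender)
AV_SERVICES = {"windows defender antivirus service", "windows defender service"}


def image_path(command):
    """First token of a service/task command line, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def why_suspicious(image):
    low = image.lower().replace("%systemroot%", "c:\\windows")
    if ntpath.basename(low) in INTERPRETERS:
        return f"runs an interpreter ({ntpath.basename(low)})"
    if not low.startswith(TRUSTED_DIRS):
        return f"image outside trusted directories ({image})"
    return None


def task_command(task_xml):
    """Exec/Command and Exec/Arguments from the task XML carried in 4698's TaskContent."""
    root = ET.fromstring(task_xml)
    cmd = args = ""
    for el in root.iter():
        if el.tag.endswith("}Command"):
            cmd = el.text or ""
        elif el.tag.endswith("}Arguments"):
            args = el.text or ""
    return cmd, args


def find_persistence(events):
    """Return (EventID, description) for every event that matches a persistence pattern."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 4697:                                  # service installed (Security)
            reason = why_suspicious(image_path(e["ServiceFileName"]))
            if reason:
                findings.append((eid, f"service {e['ServiceName']} {reason}"))
        elif eid == 4698:                                # scheduled task created (Security)
            cmd, args = task_command(e["TaskContent"])
            reason = why_suspicious(image_path(cmd))
            if reason:
                findings.append((eid, f"task {e['TaskName']} {reason}: {cmd} {args}".rstrip()))
        elif eid == 4657:                                # registry value modified (Security)
            if any(k in e["ObjectName"].lower() for k in AUTOSTART_KEYS):
                findings.append((eid, f"autostart value {e['ObjectValueName']} = {e['NewValue']}"))
        elif eid == 7036 and e["param2"].lower() == "stopped":   # SCM: entered the stopped state (System)
            if e["param1"].lower() in AV_SERVICES:
                findings.append((eid, f"AV service stopped: {e['param1']}"))
        elif eid == 7040 and e["param3"].lower() == "disabled":  # SCM: start type changed (System)
            if e["param1"].lower() in AV_SERVICES:
                findings.append((eid, f"AV service start type set to disabled: {e['param1']}"))
    return findings


TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
            '<Exec><Command>powershell.exe</Command><Arguments>-w hidden -enc SQBFAFgA</Arguments></Exec>'
            '</Actions></Task>')

# Constructed sample events (not from a real system)
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceName": "Spooler", "ServiceFileName": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": 4697, "ServiceName": "UpdaterSvc", "ServiceFileName": r'"C:\Users\Public\updater.exe" -k'},
    {"EventID": 4698, "TaskName": r"\Microsoft\Sync", "TaskContent": TASK_XML},
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "Updater", "NewValue": r"C:\Users\Public\updater.exe"},
    {"EventID": 7036, "param1": "Print Spooler", "param2": "running"},
    {"EventID": 7036, "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"EventID": 7040, "param1": "Windows Defender Antivirus Service", "param2": "auto start", "param3": "disabled"},
]

if __name__ == "__main__":
    for eid, text in find_persistence(SAMPLE_EVENTS):
        print(eid, text)
```

The Security and System events come from different .evtx files, so in practice the two record sets are merged on timestamp before running this; a 4697 for a user-writable image followed minutes later by a 7036 "stopped" for the AV service is exactly the sequence the slide describes.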

Security Logs - Detecting Lateral Movement
- Once an attacker is in one computer they often try to pivot to other machines in the network.
- If they have harvested valid credentials this can be difficult to detect: we need to look for unusual host-to-host network-based logins.
- Each pivot triggers a logon event on the destination host: EventID 4624 (success) or 4625 (failure). It will usually be a type 3 (network) logon; RDP will be type 10.
- The IpAddress and WorkstationName fields name the source host, so workstation-to-workstation logons, which normal users rarely generate, stand out.

Examining Security.evtx for suspicious logins
- Load the Security log into your preferred tool.
- Display all users who logged in: EventID 4624.
- Look for unusual accounts. Suppose we find SYSADMIN accounts.
- Filter events where SYSADMIN is in the description field. This will display every event related to this user, e.g.:
  - EventID 4720 Account Creation
  - EventID 4624 Successful Logon
- Next, review the types of logins: filter Logon Type equals 10. Now we can see every RDP logon made by this user.

Questions?
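The walkthrough above, together with the logon type table and the lateral movement rule, as an added Python example that is not part of the original slides. It parses events in the rendered EVTX XML schema (the same XML Event Viewer shows under the Details tab), so it works on the output of any tool that dumps .evtx to XML. The events are constructed in the script and the set of server hosts is an assumption the examiner supplies; the lateral movement rule (network or RDP logon whose source and destination are both workstations) is one reasonable reading of "unusual host-to-host login", not a Windows feature.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def parse_event(xml_text):
    """Flatten one rendered event: System fields plus every EventData/Data by its Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.find("e:Computer", NS).text.split(".")[0].upper(),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def logon_type_name(ev):
    return LOGON_TYPES.get(int(ev.get("LogonType", "-1")), "Unknown")


def logged_in_users(events):
    """Step 2: every account with a successful logon (4624)."""
    return sorted({e["TargetUserName"] for e in events if e["EventID"] == 4624})


def events_for_user(events, user):
    """Step 3: every event whose data mentions the account, whatever the event ID."""
    u = user.lower()
    return [e for e in events if any(isinstance(v, str) and v.lower() == u for v in e.values())]


def rdp_logons(events, user):
    """Step 4: successful RemoteInteractive (type 10) logons by the account."""
    return [e for e in events_for_user(events, user)
            if e["EventID"] == 4624 and e.get("LogonType") == "10"]


def source_host(ev):
    ws = ev.get("WorkstationName", "").strip("-").split(".")[0].upper()
    return ws or ev.get("IpAddress", "").strip("-")


def lateral_movement(events, servers):
    """Network/RDP logons whose source and destination are both workstations (assumed rule)."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e.get("LogonType") not in ("3", "10"):
            continue
        src = source_host(e)
        if not src or src == e["Computer"] or src in servers or e["Computer"] in servers:
            continue
        hits.append(e)
    return hits


def _sample(event_id, computer, time, **data):
    """Constructed event in the rendered XML schema (not captured from a real system)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_XML = [
    _sample(4624, "WKS01.corp.local", "2017-03-01T08:00:00Z", TargetUserName="alice", LogonType="2",
            WorkstationName="WKS01", IpAddress="127.0.0.1"),
    _sample(4720, "DC01.corp.local", "2017-03-01T08:30:00Z", SubjectUserName="bob", TargetUserName="SYSADMIN"),
    _sample(4624, "WKS01.corp.local", "2017-03-01T09:00:00Z", TargetUserName="SYSADMIN", LogonType="10",
            WorkstationName="WKS02", IpAddress="10.0.0.5"),
    _sample(4625, "WKS03.corp.local", "2017-03-01T09:05:00Z", TargetUserName="SYSADMIN", LogonType="3",
            WorkstationName="WKS02", IpAddress="10.0.0.5", Status="0xC000006D"),
    _sample(4624, "WKS03.corp.local", "2017-03-01T09:06:00Z", TargetUserName="SYSADMIN", LogonType="3",
            WorkstationName="WKS02", IpAddress="10.0.0.5"),
    _sample(4624, "FS01.corp.local", "2017-03-01T09:10:00Z", TargetUserName="bob", LogonType="3",
            WorkstationName="WKS01", IpAddress="10.0.0.4"),
]
SERVERS = {"DC01", "FS01"}   # assumption: the examiner knows which hosts are servers
EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    print("users:", logged_in_users(EVENTS))
    for e in events_for_user(EVENTS, "SYSADMIN"):
        print(e["Time"], e["EventID"], e["Computer"], logon_type_name(e), "from", source_host(e))
    print("lateral:", [(source_host(e), e["Computer"]) for e in lateral_movement(EVENTS, SERVERS)])
```

On a live Windows box the same first two steps are one PowerShell line, `Get-WinEvent -Path .\Security.evtx -FilterHashtable @{Id=4624}`, but the XML route is what you use when the log has been exported from an image and you are working on another platform.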

Other useful tools
- Fred (https://www.pinguin.lu/pkgserver) - the Forensic Registry EDitor, a GUI tool for parsing registry hives; useful for the SECURITY hive, where the PolAdtEv audit policy lives.
- Built into Windows: Event Viewer (eventvwr.msc), wevtutil.exe for querying and exporting .evtx files, and the PowerShell Get-WinEvent cmdlet, which opens saved .evtx files with -Path and filters with -FilterHashtable.
- Offline parsers such as python-evtx (evtx_dump.py) render .evtx files to XML on any platform.
