Windows Event Log

"If Google made $1 every time someone used them to find an answer to a tech support question, they would own Microsoft."

This document is licensed with a Creative Commons Attribution 4.0 International License 2017

Overview
- Operating Systems
- Log Files & Why We Care
- Windows Log File Format & Operations
- Configuration & Operation
- EVTX Format
- Windows Event Logging Framework
- Security Logs Records
- Protection of Security Logs
- Analysis and Events to Know
- Pulling it together

Welcome to the World of Operating Systems
Most everything we have done up until this point has been OS agnostic. We explored low level concepts which live beneath the OS in a computer. The OS is contained within and interacts with these elements. Everything you have done so far could be done independent of the OS running on top of the disk and file system layers.
Now we will move on up to examining the insides of an Operating System. The good news: this will be less technically challenging. The bad news: this will be less technically challenging.

What is an Operating System
- System software that manages computer hardware and software resources and provides common services for computer programs.
- Intermediary between programs and the computer hardware
- Manages access to CPU, memory, storage, networking, I/O
- Coordinates resource access between all applications running on a computer
- An OS is a huge, complex piece of software. At any given time a great many events take place within the OS.
- Event Logging is a standard, centralized method for the OS and applications to record important information coming from software and hardware.

Log Files - Why do we need them?
- Auditing & Compliance
- Disaster Recovery
- Forensic Reconstruction
  - Ultimately we want to correlate many apparently disparate artifacts to paint a picture or complete the story of our examination
  - Recreate a sequence of events
  - Confirm or contradict our forensic hypothesis
  - Consider a user who repeatedly changes the system time to frustrate timelining: each change generates EventID 4616 (system time change)

Event Log Information
- What happened: EventID & event category
- When: timestamps
- Who: user accounts involved
- Involved systems: in networked environments many events will reference accounts on remote systems
- Resources accessed: almost any system resource can be considered an object subject to logging. Look for unauthorized access or access attempts to resources.

Windows Event Log
- Stored in %SystemRoot%\System32\Winevt\Logs\
- Files will have the .evtx extension.
- Log overwrites - three options
  - Overwrite oldest events when the log runs out of space
  - Overwrite events older than $num days
  - Manual clearing

Windows Event Log
- Log thoroughness depends on audit policy
  - Audit policy is set by sysadmins based on what they think is relevant
  - Can be managed using group policies
  - Can have bad defaults: Win 7 defaulted to no auditing
- Audit policy stored in HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

Windows Event Log History
- Older Windows versions used a logging system called Event Logging.
  - NT, 2000, XP, 2003, and prior
  - This was a much more limited format holding far less information
- Newer versions of Windows use the Windows Event Log mechanism.
  - Vista, Server 2008, and newer
  - Uses a modern, XML based format
  - Changed all the event ID numbers. Fortunately the new EventID numbers are just the old numbers += 4096.

EVTX Format
- New format introduced in Vista & Server 2008
- Replaced the deprecated Windows NT 4.0 EVT format
- See pages 4-7 for a complete, thorough listing: https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949

EVTX Format
- Event properties (non-exhaustive)
  - Source - software that logged the event
  - EventID - number identifying the event type
  - Level - classification of event severity
  - User - user on whose behalf the event occurred
  - OpCode - numeric value describing the activity the application was performing when raising the event, e.g. closing
  - Date & Time
  - Process ID
  - Thread ID

EVTX Event Levels
- Error - significant problems such as loss of data or functionality
- Warning - not a significant problem yet, e.g. low disk space
- Information - successful operation of applications or services, e.g. services started
- Success Audit - notification that an audited event completed successfully, e.g. successful user logon
- Failure Audit - notification that an audited event did not complete, e.g. failed device access

EVTX Format - XML Document
- See page 10 for an example of the XML formatting: https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949
- [Google Slides decided that I'm not allowed to insert images into this presentation]
- For a nearly complete listing of EventID numbers see: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

EVTX Format - File Structure
- Small header
- 64 KB chunks loaded as needed
  - Improves performance through reduced resource usage
  - Less likely that sysadmins will turn off logging to increase performance

Windows Event Logging Structure
- Two channel groups
  - Windows Logs
  - Application and Services Logs
Windows Event Logging Categories
- Windows Event Log channels:
  - Application.evtx - events logged by applications or programs
  - Security.evtx
    - Valid and invalid logon attempts
    - Events relating to resource use: creating/opening/deleting a file/object
  - System.evtx - events logged by Windows system components, e.g. driver failure, failure of a system component to load
  - Setup.evtx - application setup related events
  - ForwardedEvents.evtx - stores events collected from remote computers

Windows Event Logging Categories - Application and Services Logs
- Many individual channels which publish events from a single application or component
- Each channel has two subtypes, each with two further subtypes
- Serviced - can be forwarded / collected remotely
  - Operational - used to analyze and diagnose problems or occurrences, e.g. connecting to a wifi access point; the examiner can look up the access point MAC for geolocation data: https://wigle.net/
  - Admin - indicates problems with well defined solutions admins can act on
- Direct - cannot be forwarded / collected remotely
  - Analytic - published in high volume; describe program operations; indicate problems that cannot be handled by user intervention
  - Debug - events used by developers to troubleshoot their programs

Windows Event Logging Categories - Servers
- Servers often have extra log files dedicated to server operations
  - Directory Service - records events from Active Directory and services based on it
  - File Replication Service - records events about updates between Domain Controllers
  - DNS Server - records zone management events and DNS server operations, e.g. start, stop

Security Logs
- These records hold:
  - Audit events
  - User activity covered by local or group audit policies
- Some information that can be logged
  - Account Logon - events which authorize the user; could be on a workstation or a Domain Controller
  - Account Management - account maintenance and modification
  - Logon Events - every logon or logoff event on the local system
  - Directory Service - attempts to access objects of the Active Directory
  - Object Access - access to objects which have their own access control list
  - Policy Change - modifications of user rights and audit policies
  - Privilege Use - each case of an account exercising a user right
  - Process Tracking - start, stop, object access of processes
  - System Events - startup & shutdown events
Security Logs - Examples of useful events
- EventID 4624: Successful Logon
- EventID 4625: Failed Login
- EventID 4776: Successful / Failed Authentication
- EventID 4720: A user account was created
- EventID 4732: A member was added to a security-enabled local group
- EventID 4728: A member was added to a security-enabled global group

Security Logs - Table of Logon Codes for EventIDs 4624/4625
- 2 - Interactive (logon at keyboard and screen of the system)
- 3 - Network (i.e. connection to a shared folder on this computer from elsewhere on the network)
- 4 - Batch (i.e. scheduled task)
- 5 - Service (service startup)
- 7 - Unlock (i.e. unattended workstation with password protected screen saver)
- 8 - NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication")
- 9 - NewCredentials (such as with RunAs or mapping a network drive with alternate credentials; this logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648.)
- 10 - RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
- 11 - CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
- See this article for more information.
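The logon-type table turned into a small triage helper over 4624 records in the EVTX XML rendering, as an added example (not code from the original slides): it tallies who logged on and how, and pulls out the Network (3) and RemoteInteractive (10) logons for one account, which is the filtering the later lateral-movement and Security.evtx walkthrough slides describe. The sample records, account names and IP address are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by the EVTX XML rendering of every event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types for EventIDs 4624/4625, as in the table above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample records (not real log data): three 4624 logons and one 4688 to be skipped.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
 <EventData><Data Name="TargetUserName">SYSADMIN</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
 <EventData><Data Name="TargetUserName">SYSADMIN</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID></System>
 <EventData><Data Name="NewProcessName">C:\\Windows\\explorer.exe</Data></EventData></Event>
</Events>"""


def parse_logons(xml_text):
    """Yield (account, logon type, source IP) for every 4624 record, skipping other EventIDs."""
    root = ET.fromstring(xml_text)
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text for d in event.findall("e:EventData/e:Data", NS)}
        yield data["TargetUserName"], int(data["LogonType"]), data.get("IpAddress", "-")


def logon_summary(xml_text):
    """'Display all users who logged in' view: count logons per (account, logon type name)."""
    return Counter((user, LOGON_TYPES.get(lt, f"type {lt}")) for user, lt, _ in parse_logons(xml_text))


def remote_logons(xml_text, account):
    """Network (3) and RDP (10) logons for one account: the host-to-host logons to review first."""
    return [(LOGON_TYPES[lt], ip) for user, lt, ip in parse_logons(xml_text)
            if user == account and lt in (3, 10)]
```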
Security Logs - Integrity Protections
- No general API for writing to the Security event log
  - API only available to the Local Security Authority Subsystem Service (LSASS)
  - LSASS is responsible for applying security policies to the system
- Administrator permissions required to review, export, or clear the Security event log

Security EventID 4688 - New Process Created
- Can look for system compromise by looking for unusual processes
  - Close misspellings of common process names
  - Begins with a lowercase drive letter: suggests the process was started from the command line or from a script or batch file
  - Long string of empty spaces, e.g. "Employee Handbook.pdf          .exe"
  - Common Windows processes running from a nonstandard path
  - Process ID numbers: look at the parent process for suspicious relationships
    - cmd.exe should not be the parent of lsass.exe, nor the other way around
    - Most user processes have Explorer.exe as their parent
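The 4688 heuristics above as an added Python check over the New Process Name and Creator Process Name fields of one record (example code, not from the original slides). The reference set of well-known binaries and the directory each is expected to run from is an assumption to be extended for the environment under examination.

```python
import difflib
import re
from pathlib import PureWindowsPath

# Assumption: a small reference set of well-known Windows binaries and the directory
# each normally runs from. Extend it for the environment being examined.
KNOWN_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "cmd.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def check_new_process(new_process_name, creator_process_name):
    """Return the 4688 heuristics that fire for one record.

    new_process_name / creator_process_name are the full image paths from the
    'New Process Name' and 'Creator Process Name' fields; an empty list means nothing odd.
    """
    findings = []
    path = PureWindowsPath(new_process_name)
    name, directory = path.name.lower(), str(path.parent).lower()
    parent = PureWindowsPath(creator_process_name).name.lower()

    # Lowercase drive letter: started from a command line, script or batch file, not the GUI.
    if re.match(r"[a-z]:\\", new_process_name):
        findings.append("lowercase drive letter")

    # A long run of spaces pushes the real extension out of view ("Handbook.pdf          .exe").
    if re.search(r" {5,}", name):
        findings.append("padding spaces in file name")

    if name in KNOWN_PROCESSES:
        # Well-known binary, but not where it lives on a clean system.
        if directory != KNOWN_PROCESSES[name]:
            findings.append(f"{name} running from nonstandard path {directory}")
    else:
        # Close misspelling of a well-known name, e.g. scvhost.exe or lsasss.exe.
        close = difflib.get_close_matches(name, KNOWN_PROCESSES, n=1, cutoff=0.8)
        if close:
            findings.append(f"{name} resembles {close[0]}")

    # Parent/child pair that should never occur in either direction.
    if {name, parent} == {"cmd.exe", "lsass.exe"}:
        findings.append(f"suspicious parent relationship: {parent} -> {name}")
    return findings
```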
Security EventID 4097 - Application Crash
- Many legitimate reasons for an application to crash
- But it could also be an attack such as a buffer overflow
  - Spear phishing can cause crashes in Adobe Reader, Adobe Acrobat, Adobe Flash, Microsoft Office
- If the Windows Enhanced Mitigation Experience Toolkit (EMET) is running it will crash an application if it detects a memory manipulation exploit

Security EventID 64006 - Windows File Protection Warning
- Windows File Protection monitors critical system files and attempts to prevent unauthorized software from modifying or changing those files
- Generates alerts when changes are attempted to these files
- Alerts here may indicate malicious activity

Security Logs - Detecting Persistence
- Create and install a new service (EventID 4697)
- Create a new scheduled task (EventID 4968)
- Modify registry keys to start a service at boot (EventID 4657)
- Disable virus protection, visible in service status messages such as:
  - "The terminated unexpectedly.*" (EventID 7034)
  - "The was successfully sent a .*" (EventID 7035)
  - "The entered the stopped state.*" (EventID 7036)
  - "The service was changed from.*" (EventID 7040)
Security Logs - Detecting Lateral Movement
- Once an attacker is in one computer they often try to pivot to other machines in the network.
- If they have harvested valid credentials this can be difficult to detect.
- Need to look for unusual host to host network based logins.
  - Triggers a Network Login event - EventID 4625
  - Will usually be a type 3 logon. RDP will be a type 10.

Examining Security.evtx for suspicious logins
- Load the Security log into your preferred tool.
- Display all users who logged in: EventID 4624
- Look for unusual accounts. Suppose we find SYSADMIN accounts.
- Filter events where SYSADMIN is in the Description field. This will display every event related to this user.
  - Ex: EventID 4720 Account Creation
  - Ex: EventID 4624 Successful Logon
- Next, review the types of logins: filter Logon Type equals 10. Now we can see every RDP logon made by this user.

Questions?

Other useful tools
- Fred (https://www.pinguin.lu/pkgserver) - a Java based GUI tool for parsing Windows event logs.