Section 2.2: Intrusion Analysis: Event Log Analysis Flashcards
What are the Event log name files when searching for them inside a server?
SecEvent.evt, AppEvent.evt, and SysEvent.evt. The path is: %systemroot%\System32\config.
What are the Event log name files when searching for them inside a client PC?
Security.evtx, Application.evtx, and System.evtx. The path is: %systemroot%\System32\winevt\logs. The path location can be changed in the registry, including remotely.
What is the registry location to change the event log path and the storage options?
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application (or Security or System). The storage options are overwrite, archive, and do not overwrite.
What does the Security log monitor?
User authentication and logon, user behavior/actions, file/folder/share access, security settings and group policies. LSASS is what writes to the security log.
What does the System log monitor?
Logs about Windows services, system components, drivers and resources.
What does the Application log monitor?
Software events unrelated to the operating system. Ex: SQL server fails to access database, A/V, etc.
What does the Custom log monitor?
Custom applications such as: Task Scheduling, Terminal Services, PowerShell, WMI, Firewall. Server items apply as well, such as: Directory Services, DNS Server, File Replication, and Service logs.
What categories does the Security log record?
Account logon, Account management, Directory service, Logon Events, Object access, Policy change, Privilege use, Process Tracking, and System Events.
What is the difference between Account logon events and Logon events?
Logon events track logging on/off of a local system, while Account logon events track accounts authorized by the domain controller.
Describe the Directory Service category inside the Security log.
Attempts to access Active Directory objects.
Describe Object Access category inside the Security log.
Access to objects identified in the system access control list.
Describe System events category inside the Security log.
Auditing for things like a computer restarting or shutting down, or any event that affects system security or the security log.
What are all the analysis scenarios investigators want to look into when searching event logs?
Account usage, tracking lateral movement, suspicious services, application installation, event log clearing, malware execution, process tracking, and capturing command lines and scripts.
Relevant Event IDs for account usage.
4624- Successful logon
4625- Failed logon
4634/4647- Successful logoff
4648- Logon through explicit credentials (RunAs)
4672- Logon as Administrator
4720- Account created
4726- Account deleted
Name the five fields analysts review when reviewing an event log record.
The account name, timestamp, logon type, Event ID, and computer (where the event was recorded on).
What is the executable name that runs Windows Event viewer?
eventvwr.exe
Logon type codes
2- Via Console (keyboard, server KVM, virtual client)
3- Network logon (SMB/RDP)
4- Batch logon
5- Service logon
7- Creds used to unlock/lock screen (RDP reconnects)
8- Network logon sending creds in cleartext
9- RunAs logon
10- RDP logon
11- Cached creds used for logon
12- Cached remote (like Type 10)
13- Cached unlock (like Type 7)
How do I identify logon sessions?
By looking at the Logon ID. This field can determine how long a user was logged on by matching logon and logoff events that share the same Logon ID. It's most effective with Logon Types 2, 10, 11, & 12.
Why doesn't Logon type 3 work the same as the other interactive logon types when identifying logon sessions?
Type 3 logons to remote shares log on and off immediately. This applies even if, for example, a remote Word document remains open.
What is the Linked Logon ID?
It ties a session to the Logon ID of any other related authentication events. Ex: Admin logins generate two sessions (a high and a low session). A non-admin account will have zeroes in the Linked Logon ID.
What are the Windows built-in accounts?
SYSTEM, Local service, Network service, DWM, UMFD, & ANONYMOUS LOGON
Event IDs for auditing account creation
4722- user account was enabled
4724- an attempt was made to reset an account’s password
4728- member added to a security-enabled global group
4732- member was added to a security-enabled local group
4735- a security-enabled local group was changed
4738- a user account was changed
4756- a member was added to a security-enabled universal group
Event IDs for Remote Desktop Protocol and key features to note when analyzing them.
4778- session was reconnected
4779- session was disconnected
These IDs both record the IP address and hostname of the system that established the connection. To see what OUTSIDE system connected through RDP, check the RECEIVING system. Only one session can be established to a system at a time, so an existing session is disconnected if another one is attempted.
When seeing Event ID 4778, what is so suspicious in seeing a Client name such as DESKTOP-I6IPE98?
It is a random Windows-generated name. Generated names are not normal inside an enterprise, so it is suspicious.
What can an IP address of 192.168.30.10 indicate?
A VPN concentrator address
When RDP Logon IDs don't match, what can I do to find them?
Search for earliest non-terminated session by the same user.