Section 2.2: Intrusion Analysis: Event Log Analysis Flashcards

1
Q

What are the event log file names when searching for them on a server?

A

SecEvent.evt, AppEvent.evt, and SysEvent.evt. The path is: %systemroot%\System32\config.

2
Q

What are the event log file names when searching for them on a client PC?

A

Security.evtx, Application.evtx, and System.evtx. The path is: %systemroot%\System32\winevt\logs. The location of the path can be changed inside the registry and remotely.

3
Q

What is the registry location to change the event log path and the storage options?

A

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application (or Security or System). The storage options are overwrite, archive, and do not overwrite.

4
Q

What does the Security log monitor?

A

User authentication and logon, user behavior/actions, File/Folder/Share access, security settings and group policies. LSASS is what updates the security log.

5
Q

What does the System log monitor?

A

Logs about Windows services, system components, drivers and resources.

6
Q

What does the Application log monitor?

A

Software events unrelated to the operating system. Examples: SQL Server failing to access a database, A/V, etc.

7
Q

What does the Custom log monitor?

A

Custom applications such as: Task Scheduling, Terminal Services, PowerShell, WMI, Firewall. Server items apply as well, such as: Directory Services, DNS Server, File Replication, and Service logs.

8
Q

What categories does the Security log record?

A

Account logon, Account mgmt, Directory service, Logon Events, Object access, Policy change, Privilege use, Process Tracking, and System Events.

9
Q

What is the difference between Account logon events and Logon events?

A

Logon events track logging on/off to a local system, while Account logon events track accounts authorized by the domain controller.

10
Q

Describe the Directory Service category inside the Security log.

A

Attempts to access Active Directory objects.

11
Q

Describe the Object Access category inside the Security log.

A

Access to objects identified in a system access control list (SACL).

12
Q

Describe the System Events category inside the Security log.

A

Auditing for things like when a computer restarts or shuts down, or any event that affects system security or the security log.

13
Q

What are all the analysis scenarios investigators want to look into when searching event logs?

A

Account usage, tracking lateral movement, suspicious services, application installation, event log clearing, malware execution, process tracking, and capturing command lines and scripts.

14
Q

Relevant Event IDs for account usage.

A

4624- Successful logon
4625- Failed logon
4634/4647- Successful logoff
4648- Logon through explicit credentials (RunAs)
4672- Logon as Administrator
4720- Account created
4726- Account deleted

15
Q

Name the five fields analysts review in an event log record.

A

The account name, timestamp, logon type, Event ID, and computer (where the event was recorded).

16
Q

What is the name of the executable that runs Windows Event Viewer?

A

eventvwr.exe

17
Q

Logon type codes

A

2- Via console (keyboard, server KVM, virtual client)
3- Network logon (SMB/RDP)
4- Batch logon
5- Service logon
7- Creds used to unlock/lock screen (RDP reconnects)
8- Network logon sending creds in cleartext
9- RunAs logon
10- RDP logon
11- Cached creds used for logon
12- Cached remote (like Type 10)
13- Cached unlock (like Type 7)

18
Q

How do I identify logon sessions?

A

By looking at the Logon ID. This field can determine how long a user was logged on by pairing the logon and logoff events that share the same Logon ID. It's most effective with Logon Types 2, 10, 11, & 12.

19
Q

Why doesn't Logon Type 3 work the same as the interactive logon types when identifying logon sessions?

A

Type 3 logons to remote shares log on and off almost immediately. This applies even if, for example, a remote Word document remains open.

20
Q

What is the Linked Logon ID?

A

It ties a session to the Logon ID of any related authentication event. Ex: admin logons generate two sessions (a high and a low session). A non-admin account will have zeroes in the Linked Logon ID.

21
Q

What are the Windows built-in accounts?

A

SYSTEM, Local Service, Network Service, DWM, UMFD, & ANONYMOUS LOGON

22
Q

Event IDs for auditing account creation

A

4722- user account was enabled
4724- an attempt was made to reset an account’s password
4728- member added to a security-enabled global group
4732- member was added to a security-enabled local group
4735- a security-enabled local group was changed
4738- a user account was changed
4756- a member was added to a security-enabled universal group

23
Q

Event IDs for Remote Desktop Protocol and their key features when analyzing them.

A

4778- session was reconnected
4779- session was disconnected
Both IDs record the IP address and hostname of the system that established the connection. To see what OUTSIDE system connected through RDP, check the RECEIVING system. Only one session can be established to a system at a time, so an existing session is disconnected if another is attempted.

24
Q

When seeing Event ID 4778, why is a Client Name such as DESKTOP-I6IPE98 suspicious?

A

It is a random Windows-generated name. Generated names are not normal inside an enterprise, so it is suspicious.

25
Q

What can an IP address of 192.168.30.10 indicate?

A

A VPN address concentrator

26
Q

When RDP Logon IDs don't match, what can I do to find them?

A

Search for earliest non-terminated session by the same user.

27
Q

If I were on a source system and wanted to find where it was connecting to via RDP, where can I look?

A

In Security.evtx, search for 4648 (RunAs). Also use RDPClient%4Operational.evtx and search ID 1024 for the destination hostname and 1102 for the destination IP address.

28
Q

If I were on a system and wanted to find RDP activity it received from a different computer, where would I look?

A

In Security.evtx, search ID 4624 Type 10, 4778 & 4779. In RDPCore%4Operational.evtx (131, 98). RemoteConnectionManager%4Operational.evtx (1149). LocalSessionManager%4Operational.evtx (21, 22, 25, 41).

29
Q

What are the Logon Event IDs?

A

NTLM Protocol:
4776- Successful/failed account authentication
Kerberos Protocol:
4768- authentication successful; a time-limited ticket is granted to the user.
4769- service ticket requested (access to service resource)
4771- failed authentication

30
Q

Where are Logon Event IDs found?

A

They should only be found on the DC (domain/Active Directory). If they are found on a workstation, search for the local account. These IDs shouldn't be found on workstations, since that indicates rogue accounts are being created on the local system.

31
Q

What are the NTLM (& Kerberos) logon error codes?

A

(0x6)0xC0000064- invalid username
(0x7)- requested server not found
(0xC)0xC0000070- logon from unauthorized workstation
(0x12)0xC0000234- Acct locked, disabled or expired
(0x17)0xC0000071- Password expired
(0x18)0xC000006A- Password invalid
(0x25)- Clock skew between machines is too great

32
Q

Give an event log analysis example of a privileged local account being abused by means of pass-the-hash.

A

Computer B has Event ID 4776 (which should appear only on the DC) in its logs. The log shows that Computer A was trying to authenticate a user that exists on Computer B. Other event IDs present are 4672 and 4624 Type 3 (SMB).

33
Q

Event IDs to track account and group recon

A

4798- a user’s local group membership was enumerated.
4799- a security-enabled local group membership was enumerated.

34
Q

Why were enumerating event IDs created in Win10+? What does adversary enumeration indicate?

A

To combat adversary tools that recon at scale such as PowerView (PowerSploit), Empire, and DeathStar. This stage of the attack cycle means the attack is still early, so mitigation is advised.

35
Q

Where can I enable enumeration event IDs?

A

Via Group Policy Advanced Auditing -> Account Management -> “Audit Security Group Management” and “Audit User Group Management”

36
Q

What is something an analyst must do when activating enumeration?

A

Filter for the sensitive accounts that shouldn't be enumerated, as well as for the processes doing the enumerating.

37
Q

What are some fields to review when observing enumeration logs?

A

The system doing the enumeration, the user, the event ID, the process that started the enumeration, and the group name that was being enumerated.

38
Q

A feature I didn't know about in Event Log Explorer

A

Assisted log review: it allows many log files to be merged and can also be run against remote systems for live reviews.

39
Q

Name a feature of EvtxECmd.exe that I didn't know about.

A

It can get event log files from the Volume Shadow Copy Service (VSS) for deleted logs and deduplicates them.

40
Q

Network shares Event log IDs

A

5140- network share was accessed
5142-44- shares created, modified, or deleted
5145- shared object accessed (individual items)

41
Q

How do I enable network share event IDs?

A

Go to Advanced Audit Policy Configuration -> Object Access -> “Audit File Share” & “Audit Detailed File Share”

42
Q

How do I track adversary share mapping with Cobalt Strike in event logs?

A

Event ID 5140 will produce an ADMIN$ log, and it may contain obscured information such as the IP being 127.0.0.1 and missing user account info; Cobalt Strike does this. A paired 5140 log for IPC$ should fill in both missing details. Look for the corresponding 4624 too.

43
Q

If an Event ID 5140 is present with just IPC$ and isn't paired with another log with ADMIN$ or C$, what does that mean?

A

Enumeration tools are being used to recon the network.

44
Q

Event ID to track RunAs logs

A

4648- Logon using explicit credentials

45
Q

Where are RunAs event logs stored?

A

On the source computer only, giving the analyst insight into where adversaries went. RunAs logs can appear on both source and target systems IF the attempt to switch credentials was made during RDP.

46
Q

How do RunAs events trigger if accounts were not switched?

A

Tools that authenticate with explicitly supplied credentials, rather than the ones present in memory, will trigger this. Even if they are the same credentials, the fact that the tool must provide them triggers it.

47
Q

What characteristics describe the Cobalt Strike tool?

A

Cobalt Strike triggers RunAs event log IDs. It creates a new logon session in which the adversary must supply explicit credentials (even if they are the same as the ones in memory), and it relies heavily on the PowerShell process. It can make a token or use pth (pass-the-hash) to authenticate.

48
Q

Scheduled Tasks (Security log) Event IDs

A

106(4698)- Scheduled task created
141(4699)- Scheduled task deleted
(4700/4701)- Task enabled/disabled
200/201- Task executed/completed
140(4702)- Scheduled task updated

49
Q

Do modern Windows 10 systems have scheduled task logs enabled?

A

No. Enable them through Group Policy.

50
Q

How do I find remote scheduled task logs?

A

Look for 4624 Type 3 logs and task logs within the same time frame to verify the connection, since task logs don't differentiate local from remote.

51
Q

Where are scheduled tasks stored? Are the 32-bit code tasks stored in the same directory?

A

Tasks are stored inside C:\Windows\System32\Tasks. 32-bit code tasks are stored inside C:\SYSWOW64\Tasks. 32-bit tasks are NOT normal. When looking at the task XML file, look under “Author” for the remote system and user. To see if a different account was used to run the command, look at “UserId”.

52
Q

Event IDs for Services

A

7034- service crashed unexpectedly
7035- service sent a start/stop control
7036- service started or stopped
7040- start type changed (boot|on request|disabled)
7045- new service was installed
4697(security)- new service was installed

53
Q

What is SCM?

A

Service Control Manager. It transmits control requests to services and maintains status information about them.

54
Q

Where do I enable Event Log ID 4697?

A

Enable “Audit Security System Extension” in Group Policy.

55
Q

What types of malware artifacts can I track through service log tracking?

A

Worms, PsExec, DLL and process injection.

56
Q

How does a service creation log containing Metasploit PsExec differ from a normal PsExec?

A

Metasploit's version runs a PowerShell script when the service is started. The malware is used for lateral movement.

57
Q

What is an advantage of having event ID 7045 when monitoring PsExec?

A

It logs PsExec as a new service creation every time it runs.

58
Q

Event log IDs for log clearing, and the executable responsible for clearing logs.

A

1102- security log was cleared
104- audit log cleared (system log)
Wevtutil.exe clears out logs.

59
Q

Who has privileges to clear out logs?

A

Domain admin, local admin, and SYSTEM.

60
Q

What is a good practice when it comes to watching cleared logs?

A

Setting alerts when logs are cleared is highly advised.

61
Q

What are some event log attacks done by adversaries?

A

Danderspritz (eventlogedit), Mimikatz (event::drop), and Invoke-Phant0m (thread killing)

62
Q

What function does Danderspritz's eventlogedit perform on the event log system?

A

It changes the log headers so the OS won't show the entries, but the EvtxECmd tool can recover them when parsing.

63
Q

What function does Mimikatz's event::drop perform on the event log system?

A

It can stop the 1102 log from ever being written, but it leaves serious log gaps because the tool cannot turn event logs back on.

64
Q

What function does Invoke-Phant0m's thread killing perform on the event log system?

A

It kills the event log service's threads. The service continues to run but no longer logs events.

65
Q

How can analysts mitigate event log compromise?

A

Log forwarding, logging “heartbeat”, and log gap analysis.