Windows Security Logs Flashcards

1
Q

Event ID 1102

A

(The audit log was cleared): Logged in the Security log when the Security log itself is cleared, and it records the account (Subject) that cleared it; clearing the System log produces event 104 in the System log instead. Administrators rarely clear the Security log on purpose, so treat every 1102 as a probable attempt to destroy evidence of an intrusion and check the forwarded copy of the log for what was removed.

2
Q

Event ID 1116

A

(Antivirus malware detection): Written to the Microsoft-Windows-Windows Defender/Operational log, not the Security log, when Defender detects malware or potentially unwanted software; the event names the threat, the file path, the user and the detecting process. A surge of 1116 events across many hosts can indicate a targeted attack or a widespread infection, and a 1116 that is not followed by a 1117 (action taken) means the threat was found but not remediated.

3
Q

Event ID 1118

A

(Antivirus remediation action failed): Defender attempted to quarantine, remove or clean a detected threat and the action failed; its successful counterpart is 1117 (an action was taken to protect the system). A 1116 detection followed by 1118 rather than 1117 leaves live malware on the host, so these events should be handled as open incidents rather than as informational noise.

4
Q

Event ID 1119

A

(Antivirus critical error during remediation): Defender hit a critical error while trying to act on a detected threat, so the threat is still present and the engine itself may be in a bad state. Monitor these alongside 1118 to confirm that every 1116 detection ends in a 1117 (action taken) and to catch hosts where Defender is being interfered with.

5
Q

Event ID 1120

A

(Antivirus deduced the hashes for a threat resource): Informational event in which Defender records the file hashes of a detected threat's resources. It does not say whether remediation succeeded (1117 success, 1118 failure and 1119 critical error answer that); its value is the hashes, which let you pivot the detection to other hosts and to threat intelligence.

6
Q

Event ID 4624

A

(Successful Logon): Records every successful logon with the account, the source workstation or IP and the Logon Type (2 interactive, 3 network, 9 NewCredentials as used by runas /netonly, 10 RemoteInteractive/RDP). This is the baseline for normal user behaviour; logons at odd hours, from unexpected hosts, or with a logon type unusual for that account are worth investigating.

7
Q

Event ID 4625

A

(Failed Logon): Logs failed logon attempts with the target account, the source IP or workstation and a Status/Sub Status code that says why it failed (0xC000006A wrong password, 0xC0000064 user name does not exist, 0xC0000234 account locked out). Many failures against one account from one source suggest brute force; a few failures each against many accounts from one source suggest password spraying, which is designed to stay under lockout thresholds.
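
The brute-force and password-spray distinction above, as an added example that is not part of the original flashcards: the function groups 4625 events by source address, looks for a burst inside a sliding window, classifies it by how many distinct accounts were tried, and raises the severity when a 4624 from the same source follows the burst. The `$sample` events are constructed test data with the same fields a real 4625/4624 carries; the `Get-WinEvent` call in the comment is how you would populate them on a live host.

```powershell
# Added example, not from the original flashcards. $sample is constructed data;
# on a live host build the same objects from
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddHours(-1) }
# reading TargetUserName / IpAddress / Status out of ([xml]$_.ToXml()).Event.EventData.Data.

$t0 = Get-Date '2024-05-01T02:00:00'
$sample = @(
    # one source, six different accounts, wrong password each time: password spray
    [pscustomobject]@{ Time=$t0.AddSeconds(5);  Id=4625; User='alice';   Ip='10.0.0.5'; LogonType=3; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddSeconds(9);  Id=4625; User='bob';     Ip='10.0.0.5'; LogonType=3; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddSeconds(14); Id=4625; User='carol';   Ip='10.0.0.5'; LogonType=3; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddSeconds(20); Id=4625; User='dave';    Ip='10.0.0.5'; LogonType=3; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddSeconds(25); Id=4625; User='erin';    Ip='10.0.0.5'; LogonType=3; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddSeconds(31); Id=4625; User='svc_sql'; Ip='10.0.0.5'; LogonType=3; Status='0xC000006A' }
    # ...then a success for one of those accounts from the same source
    [pscustomobject]@{ Time=$t0.AddSeconds(40); Id=4624; User='svc_sql'; Ip='10.0.0.5'; LogonType=3; Status='0x0' }
    # a user mistyping a password twice is below the threshold and must not alert
    [pscustomobject]@{ Time=$t0.AddMinutes(3);                Id=4625; User='frank'; Ip='10.0.0.9'; LogonType=2; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddMinutes(3).AddSeconds(12); Id=4625; User='frank'; Ip='10.0.0.9'; LogonType=2; Status='0xC000006A' }
    [pscustomobject]@{ Time=$t0.AddMinutes(3).AddSeconds(30); Id=4624; User='frank'; Ip='10.0.0.9'; LogonType=2; Status='0x0' }
)

function Find-LogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,        # failures from one source inside the window
        [int] $WindowMinutes = 10
    )
    $failures = @($Events | Where-Object Id -eq 4625)
    foreach ($source in ($failures | Group-Object Ip)) {
        $fails = @($source.Group | Sort-Object Time)
        for ($i = 0; $i -lt $fails.Count; $i++) {
            $start = $fails[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $burst = @($fails | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($burst.Count -lt $Threshold) { continue }
            $users = @($burst.User | Sort-Object -Unique)
            # many accounts with few tries each = spray; one account hammered = brute force
            $pattern = if ($users.Count -ge [math]::Ceiling($Threshold / 2)) { 'password-spray' } else { 'brute-force' }
            # a 4624 from the same source during or shortly after the burst is the real alarm
            $success = $Events |
                Where-Object { $_.Id -eq 4624 -and $_.Ip -eq $source.Name -and
                               $_.Time -ge $start -and $_.Time -le $end.AddMinutes($WindowMinutes) } |
                Select-Object -First 1
            $succeededAs = if ($success) { $success.User } else { $null }
            $severity    = if ($success) { 'high' } else { 'medium' }
            [pscustomobject]@{
                SourceIp    = $source.Name
                Failures    = $burst.Count
                Accounts    = $users -join ','
                Pattern     = $pattern
                SucceededAs = $succeededAs
                Severity    = $severity
            }
            break   # one alert per source is enough
        }
    }
}

Find-LogonBurst -Events $sample | Format-Table -AutoSize
```

With the sample data this reports a single high-severity password-spray alert for 10.0.0.5 that succeeded as svc_sql, and nothing for 10.0.0.9. The threshold and window are the knobs to tune per environment; a spray that tries one password per account per hour will need a longer window than the default.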

8
Q

Event ID 4648

A

(A logon was attempted using explicit credentials): Logged when a process logs on as a different account by supplying credentials explicitly, for example runas, a scheduled task, or an attacker using stolen credentials to reach another host. The event names both the calling account and the account whose credentials were used, plus the target server, so a workstation user suddenly using an admin account against many servers is a classic lateral-movement signal.

9
Q

Event ID 4656

A

(A handle to an object was requested): Logged when a process asks for a handle to a file, registry key or other securable object, with the access rights it requested. It only fires for objects that carry an audit entry (SACL) and when the relevant Audit Object Access subcategory is enabled, so put audit entries on the specific sensitive files and keys you care about rather than enabling it broadly; otherwise the volume is unmanageable.

10
Q

Event ID 4672

A

(Special Privileges Assigned to a New Logon): Logged alongside the 4624 (same Logon ID) when the account logging on holds sensitive privileges such as SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege or SeLoadDriverPrivilege, which in practice means administrators, SYSTEM and some service accounts. Tracking these events shows where administrative power is being used and by whom; expect heavy noise from SYSTEM logons and filter those out.

11
Q

Event ID 4698

A

(A scheduled task was created): Records the creation of a scheduled task with the creating account (Subject), the task name and the task's full XML definition (TaskContent), including its actions, triggers and run-as principal; requires the Audit Other Object Access subcategory. Scheduled tasks are a standard persistence mechanism, so a task created by an ordinary user that runs as SYSTEM, is hidden, or launches a script interpreter from a user-writable path deserves a look.
12
Q

Event ID 4700 & Event ID 4701

A

(A scheduled task was enabled / A scheduled task was disabled): Records the enabling (4700) or disabling (4701) of an existing scheduled task, with the task name and the account that changed it. Attackers enable tasks they created for persistence and disable tasks such as backups or security scans, so unexpected state changes on known tasks are worth checking.

13
Q

Event ID 4702

A

(A scheduled task was updated): Like 4698, this event carries the task's full XML definition, so a change to an existing task's Exec command, trigger or run-as principal can be read directly from the event and compared with the previous version. Modifying a legitimate task to run a different binary is a quieter persistence route than creating a new one, which makes these updates worth monitoring.
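
Reading the TaskContent XML carried by 4698 and 4702, as an added example that is not part of the original flashcards: the function pulls the Exec command and arguments, the run-as principal and the Hidden setting out of each event and flags the persistence patterns described above (script interpreters with hidden or encoded arguments, binaries in user-writable paths, a hidden task, and a SYSTEM task created by an ordinary user). The event objects and their XML are constructed sample data; the `Get-WinEvent` call in the comment is the live source.

```powershell
# Added example, not from the original flashcards. $taskEvents is constructed;
# on a live host build it from
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4698,4702 }
# where TaskName and TaskContent are Data elements in ([xml]$_.ToXml()).Event.EventData.

$benignXml = @'
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-05-01T03:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\svc_backup</UserId><LogonType>Password</LogonType></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\backup.exe</Command><Arguments>/full /quiet</Arguments></Exec></Actions>
</Task>
'@

# the -enc payload below is a placeholder (it decodes to "IEX ("), not a real sample
$maliciousXml = @'
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-w hidden -nop -enc SQBFAFgAIAAoAA==</Arguments></Exec></Actions>
</Task>
'@

# a legitimate task whose command was swapped for a binary in a world-writable path
$updatedXml = $benignXml -replace 'C:\\Program Files\\Vendor\\backup\.exe', 'C:\Users\Public\svchost.exe'

$taskEvents = @(
    [pscustomobject]@{ Id=4698; SubjectUserName='svc_backup'; TaskName='\Vendor\NightlyBackup';            TaskContent=$benignXml }
    [pscustomobject]@{ Id=4698; SubjectUserName='jsmith';     TaskName='\Microsoft\Windows\Update\WinUpd'; TaskContent=$maliciousXml }
    [pscustomobject]@{ Id=4702; SubjectUserName='jsmith';     TaskName='\Vendor\NightlyBackup';            TaskContent=$updatedXml }
)

function Get-TaskActionReport {
    param([Parameter(Mandatory)] [object[]] $Events)
    $suspiciousCommand = @(
        '(?i)\b(powershell|pwsh)\b.*(-enc|-e |-w hidden|-windowstyle hidden|iex|downloadstring)',
        '(?i)\b(mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\.exe',
        '(?i)\\(users\\public|appdata|programdata|windows\\temp|temp)\\'
    )
    foreach ($ev in $Events) {
        $xml = [xml]$ev.TaskContent          # dotted access below ignores the XML namespace
        $runAs = $xml.Task.Principals.Principal.UserId
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            $cmdline = ('{0} {1}' -f $exec.Command, $exec.Arguments).Trim()
            $reasons = @()
            foreach ($p in $suspiciousCommand) { if ($cmdline -match $p) { $reasons += 'command'; break } }
            if ($xml.Task.Settings.Hidden -eq 'true') { $reasons += 'hidden' }
            # a SYSTEM task created by a human account (not a machine account ending in $)
            if ($runAs -eq 'S-1-5-18' -and $ev.SubjectUserName -notmatch '\$$') { $reasons += 'user-created SYSTEM task' }
            [pscustomobject]@{
                EventId    = $ev.Id
                Task       = $ev.TaskName
                Author     = $ev.SubjectUserName
                RunAs      = $runAs
                Command    = $cmdline
                Flags      = $reasons -join ';'
                Suspicious = $reasons.Count -gt 0
            }
        }
    }
}

Get-TaskActionReport -Events $taskEvents | Format-Table -AutoSize
```

The backup task comes out clean, the WinUpd task is flagged on all three counts, and the 4702 shows the backup task now pointing at C:\Users\Public\svchost.exe with the same author as the malicious creation, which is the kind of link a flat event list does not make obvious.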

14
Q

Event ID 4719

A

(System audit policy was changed): Records which audit subcategory was changed, whether success or failure auditing was added or removed, and the account that made the change. Attackers turn off auditing to cover their tracks, so alert on any 4719 not explained by a Group Policy deployment, and treat a 4719 followed by a 1102 as an obvious evidence-destruction sequence.

15
Q

Event ID 4738

A

(A user account was changed): Records changes to a user account's attributes, such as the User Account Control flags (password never expires, account disabled, pre-authentication not required), password last set, logon hours, SID history and delegation settings, along with the account that made the change. Group membership changes are logged separately (4728, 4732 and 4756 for additions to global, local and universal groups). Unexpected changes, especially UAC flags being relaxed, can be a sign of account takeover or an insider preparing a backdoor.

16
Q

Event ID 4771

A

(Kerberos pre-authentication failed): Logged on the domain controller when a Kerberos AS-REQ fails pre-authentication, playing the role 4625 plays for other logon paths; Failure Code 0x18 is a wrong password, 0x12 an account that is disabled, expired or locked. Many 0x18 failures against many accounts from one client address is Kerberos password spraying. Accounts with pre-authentication disabled never produce 4771, which is what makes them AS-REP-roastable, so review those separately.

16
Q

Event ID 4776

A

(The computer attempted to validate the credentials for an account): Logged for NTLM credential validation, on the domain controller for domain accounts and on the local machine for local accounts; Error Code 0x0 is success, 0xC000006A a wrong password, 0xC0000064 an unknown user name. Multiple failures suggest brute force, and NTLM validation appearing where Kerberos is expected is worth a look on its own.

17
Q

Event ID 5001

A

(Antivirus real-time protection is disabled): Logged in the Defender Operational log when real-time protection is turned off; a change to the real-time protection configuration is 5004 and a change to the platform configuration is 5007. Attackers routinely disable real-time protection (for example with Set-MpPreference -DisableRealtimeMonitoring $true) before dropping tooling, so an unexpected 5001 should be treated as a precursor to malware execution rather than a configuration event.

18
Q

Event ID 5140

A

(A network share object was accessed): Logged when a client connects to a share (per connection, not per file), with the account, client IP and share name; requires Audit File Share. IPC$ connections are constant background noise, so filter on ADMIN$, C$ and the data shares you care about when looking for unauthorized access.

19
Q

Event ID 5142

A

(A network share object was added): Records the creation of a new share with the share name, local path and creating account. Unexpected shares can stage data for exfiltration or expose a directory for malware to spread from, and they are easy to spot because new shares should be rare on servers and rarer still on workstations.

20
Q

Event ID 5145

A

(A network share object was checked to see whether client can be granted desired access): Logged for every file or folder access check on a share when Audit Detailed File Share is enabled, with the share, relative target name, client IP, account and access mask. The volume is enormous, so filter rather than browse: an executable written (access mask with the 0x2 WriteData bit) to ADMIN$ or C$ from a workstation is the PsExec-style lateral-movement footprint, and one client touching many shares and paths within seconds is share enumeration.

21
Q

Event ID 5157

A

(The Windows Filtering Platform has blocked a connection): Logged when the host firewall (WFP) drops a connection, with the application path, direction, source and destination addresses and ports, and the filter that matched; requires Audit Filtering Platform Connection (failure). Outbound blocks from an unexpected process are the useful case, since they show malware trying to reach out; expect heavy volume and filter by application.

22
Q

Event ID 7045

A

(A service was installed in the system): Written to the System log by the Service Control Manager, not the Security log, with the service name, image path, service type, start type and the account that installed it. Unknown services, especially ones whose image path is under a user profile or temp directory or whose name looks random, commonly mean malware, and a PSEXESVC service is the signature of PsExec-style remote execution. The Security-log equivalent is 4697, which needs Audit Security System Extension enabled.
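
The PsExec-style footprint described under 5145 and 7045, as an added example that is not part of the original flashcards: the function keeps only 5145 events that write (WriteData bit 0x2 in the access mask) an executable into ADMIN$ or C$, then looks for a 7045 service install on the same host whose image path names that file within a short window. Both event sets are constructed sample data; the `Get-WinEvent` calls in the comment are the live sources.

```powershell
# Added example, not from the original flashcards. $shareEvents and $serviceEvents
# are constructed; on a live host build them from
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=5145 }
#   Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Service Control Manager'; Id=7045 }

$t0 = Get-Date '2024-05-01T10:00:00'
$shareEvents = @(
    # normal file-server traffic: read of a document on a data share
    [pscustomobject]@{ Time=$t0;                Id=5145; User='alice';     Ip='10.0.0.21'; ShareName='\\*\Finance'; RelativeTargetName='Q1\report.xlsx';               AccessMask='0x120089' }
    # remote admin reading a file from ADMIN$ (read only, must not be flagged)
    [pscustomobject]@{ Time=$t0.AddSeconds(10); Id=5145; User='helpdesk1'; Ip='10.0.0.30'; ShareName='\\*\ADMIN$';  RelativeTargetName='System32\drivers\etc\hosts'; AccessMask='0x120089' }
    # executable written to ADMIN$ from a workstation, then the service appears
    [pscustomobject]@{ Time=$t0.AddSeconds(30); Id=5145; User='jsmith';    Ip='10.0.0.44'; ShareName='\\*\ADMIN$';  RelativeTargetName='PSEXESVC.exe';               AccessMask='0x12019F' }
    # second executable dropped via C$ with no matching service (still a drop)
    [pscustomobject]@{ Time=$t0.AddSeconds(31); Id=5145; User='jsmith';    Ip='10.0.0.44'; ShareName='\\*\C$';      RelativeTargetName='Windows\Temp\beacon.exe';     AccessMask='0x2' }
)
$serviceEvents = @(
    [pscustomobject]@{ Time=$t0.AddSeconds(33); Id=7045; ServiceName='PSEXESVC';    ImagePath='%SystemRoot%\PSEXESVC.exe';        StartType='demand start'; Account='LocalSystem' }
    [pscustomobject]@{ Time=$t0.AddMinutes(30); Id=7045; ServiceName='VendorAgent'; ImagePath='"C:\Program Files\Vendor\agent.exe"'; StartType='auto start';   Account='LocalSystem' }
)

function Find-RemoteServiceDrop {
    param(
        [Parameter(Mandatory)] [object[]] $ShareEvents,
        [Parameter(Mandatory)] [object[]] $ServiceEvents,
        [int] $CorrelationSeconds = 120
    )
    $adminShares = '\\*\ADMIN$', '\\*\C$'
    foreach ($s in ($ShareEvents | Where-Object Id -eq 5145)) {
        if ($adminShares -notcontains $s.ShareName) { continue }
        if ($s.RelativeTargetName -notmatch '\.(exe|dll|sys|bat|ps1)$') { continue }
        # AccessMask bit 0x2 is WriteData/AddFile; reading an executable is not a drop
        $mask = [Convert]::ToInt32($s.AccessMask, 16)
        if (($mask -band 0x2) -eq 0) { continue }
        $file = ($s.RelativeTargetName -split '\\')[-1]
        $svc = $ServiceEvents | Where-Object {
            $_.Id -eq 7045 -and $_.ImagePath -match [regex]::Escape($file) -and
            ($_.Time - $s.Time).TotalSeconds -ge 0 -and
            ($_.Time - $s.Time).TotalSeconds -le $CorrelationSeconds
        } | Select-Object -First 1
        $service = if ($svc) { $svc.ServiceName } else { $null }
        $verdict = if ($svc) { 'remote service execution' } else { 'executable written to admin share' }
        [pscustomobject]@{
            Time     = $s.Time
            SourceIp = $s.Ip
            Account  = $s.User
            Share    = $s.ShareName
            Dropped  = $s.RelativeTargetName
            Service  = $service
            Verdict  = $verdict
        }
    }
}

Find-RemoteServiceDrop -ShareEvents $shareEvents -ServiceEvents $serviceEvents | Format-Table -AutoSize
```

With the sample data the PSEXESVC.exe write is tied to the PSEXESVC service installed three seconds later and reported as remote service execution, beacon.exe is reported as a bare executable drop, and the two read-only share accesses are ignored. The correlation window is deliberately short because the service install follows the file write almost immediately in real PsExec use; widen it if the two logs are collected with different delays.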