Uncovering Attacks That Evade Detection by Event Viewer
The document discusses using Windows event logs for threat detection. It explains that event logs record system actions and can be searched using event IDs to detect cyberattacks. The document demonstrates searching logs for brute force attempts, log removal, and account manipulation. It concludes that event logs provide valuable insight into threats when used with frameworks like MITRE ATT&CK and SIEM tools for correlation.
Threat Detection with Windows Event Logs
Uncovering attacks that evade detection by Event Viewer

• Threat detection is a constantly evolving and fast-paced sector of the cyber security industry. It relies on keeping on top of the latest threat trends and developing new methods to detect the latest tools, tactics and procedures used by cybercriminals.
• Manually staying up to date with every advance in attacker tradecraft is virtually impossible, which is where a systematic threat detection tool can help.
• There are a variety of tools available for threat detection and threat hunting at a range of prices, from free and open-source software to premium threat intelligence and detection suites.
• One option is not only free but already has most of its functionality built into the Windows operating system (OS): Windows event logs.
• This article aims to briefly introduce the needle in the haystack of Windows event logs: specifically the Event IDs (this article uses "ID" and "code" interchangeably) that every log record carries, how you can get the most out of them, and the key event codes you should look out for.

What are they?
• Windows event logging is an administrative facility built into Microsoft operating systems for log management.
• It generates and organises a comprehensive record of the actions and changes made on the system.
• The three classic logs are System, Security and Application (modern versions add Setup, Forwarded Events and the Applications and Services logs). Each record carries a level: Error, Warning or Information in most logs, and Audit Success or Audit Failure in the Security log.
• Crucially, every record carries a numeric Event ID that identifies the kind of action it describes, which is what makes particular actions searchable.

What's so great about event IDs?
• One of the best resources for discovering which attack techniques map to which event IDs is "The Windows ATT&CK Logging Cheat Sheet" by Malware Archaeology. It is a quick way to see how the logs you are probably already ingesting can be used to detect many techniques.
• In particular, according to the cheat sheet, Windows event IDs cover around 83% of the Windows-specific enterprise attack techniques (see top figure), which gives good spread across the tactics of the MITRE ATT&CK framework (excluding Impact).
• Green-coloured techniques have strong coverage and yellow have some. As the cheat sheet was last updated in Q3 2018, it is missing some techniques added to ATT&CK since then, most of which can most likely also be detected using event logs.
• This demonstrates the capability of event logs and shows why they are such a crucial source for threat detection.

Which IDs should I look out for?
• Clearly, this depends on what you are trying to find. Another useful resource is the "Windows Security Log Events Encyclopedia" by Ultimate IT Security, which comprehensively details event codes across OS versions.
• Additionally, many research papers and blog posts make suggestions (see Recommended Reading). Here are some of the most commonly recommended codes and why they are useful.
• So, you know which attack techniques you want to look for, but not which event codes match up? Refer to Malware Archaeology's cheat sheet from earlier to map techniques to the event codes that are relevant to your environment.
• They also include some example searches in another cheat sheet (Splunk logging), a useful starting guide if you use the Splunk SIEM as I do. There are also guides for Humio and LOG-MD.

4 Stages of Development
• Plan: for instance, I know that a recent report found brute force to be a commonly used attack technique, and we have had experience of it in the past.
• Identify: we look at the MITRE ATT&CK framework for a description of the technique and use the event ID cheat sheet to find the event codes for it.
• Test: next, we create a search for that event ID in our logs and test it (provided the log is being ingested).
• Alert: finally, an alert is created from the optimised search to automate detection of the potential threat.

Demonstration in Splunk
• The demonstration uses the Splunk SIEM, a powerful tool for getting the most value out of Windows event logs and much more. However, there are many other SIEM and log management tools available, and the same searches translate to any of them.

Demo 1: Successful brute force attempts
Searching for Successful Brute Force Attempts
• Tactic: Credential Access
• Technique: Brute Force (T1110)
• Objective: detecting a possible brute force attempt is an essential detection, and a successful brute force against a critical account in particular warrants a high-priority alert.
• Findings: this search looks for event ID 4625 (an account failed to log on) followed by event ID 4624 (an account was successfully logged on) for the same account, grouped with Splunk's transaction command. We find several instances of an administrator account being targeted on one of the computers. Grouping the events this way lets an analyst see the behaviour as a whole rather than as isolated failures, thanks to Windows event logs and Splunk.
• Caveat: 4625 is one of the noisiest Security events (mistyped passwords, expired service account credentials, scanners). Require a burst of failures within a short window before the success, key on the target account and host (or source IP), and filter on Logon Type (for example 3 for network and 10 for RDP) so that interactive typos do not drown the alert.

Demo 2: Event clearing
Searching for Log Removal
• Tactic: Defense Evasion
• Technique: Indicator Removal on Host (T1070)
• Objective: the purpose of this search was to identify instances of event log removal, including use of the log administration tool wevtutil, as used by the NotPetya malware.
• Findings: the search looks for event ID 1102 (the audit log was cleared) and for 4688 (a new process has been created) where the process is wevtutil. Alternatively it could be left open to return any process created within a few seconds before the 1102 event, in order to identify the culprit process. In this case we suspected wevtutil, and the search confirmed it had been used to clear each of the logs in turn across the OS.
• Caveat: 1102 is written to the Security log only when the Security log itself is cleared; clearing the System, Application or other logs produces event ID 104 in the System log instead, so search for both. Command lines only appear in 4688 if "Include command line in process creation events" is enabled in Group Policy; without it you see the image path but not the arguments (such as "wevtutil cl Security").

Demo 3: Account manipulation
• Tactic: Credential Access (ATT&CK listed T1098 under both Credential Access and Persistence at the time; current versions list it under Persistence only)
• Technique: Account Manipulation (T1098)
• Objective: adversaries modify accounts to gain administrator privileges, change passwords and keep their access. This search looks for accounts that alter attributes of other accounts without being one of the known admins.
• Findings: event ID 4738 (a user account was changed) is generated every time a user object is modified, including password changes, the userAccountControl flags (shown as "Old UAC Value" and "New UAC Value"), logon hours, allowed workstations and more. In this case we find that user Billy Tun has been altering the svcvnc account, including its logon hours and group permissions. An adversary may weaken account security in this way to gain access to other accounts for privilege escalation and persistence. Correlating other activity performed by the suspicious account around the same time would give a fuller picture.
• Caveat: group membership changes are not reported in 4738; they produce their own events (4728/4732/4756 for a member added to a global, local or universal security group, and 4729/4733/4757 for removal), and a password reset by an administrator also generates 4724. Include those IDs when the question is "who changed this account".

Conclusion
• As highlighted, Windows event logs are a useful and easily accessible method for troubleshooting system issues, monitoring account activity and threat detection. Searches on event IDs can be far more comprehensive than those in the demos, but equally simple searches can be highly effective because of the specificity of some event codes.
• Using event codes alone will not detect every threat in your organisation, and the logs are renowned for being noisy unless audit policy is carefully configured. Despite this, event IDs are a valuable and effective place to start, and are likely the single best source of insight for a Windows-based estate.
• Furthermore, used in conjunction with the MITRE ATT&CK framework, event IDs give defenders a clearer understanding of how to detect adversary techniques, and a solid foundation to build upon. Using a SIEM for log analysis and correlation further enriches event ID-based detection and response, and is what unlocks the full benefit of Windows event logs in defending against threats.
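The three demo searches above (brute force via 4625 then 4624, log clearing via 1102/104 and 4688, account manipulation via 4738) re-implemented as plain Python, as an added example that is not the author's Splunk SPL. It runs the same grouping and time-window logic over a constructed list of events so the "Test" stage can be exercised offline before the search is built in a SIEM. The field names follow the EventData names Windows writes into the event XML (TargetUserName, SubjectUserName, NewProcessName, IpAddress, LogonType); every event, host, account, timestamp and the KNOWN_ADMINS allow-list is made up for the example.

```python
"""Re-implementation of the three demo searches over constructed Windows events.

Added example for this page, not the author's Splunk searches. Field names
follow the EventData names Windows emits; all records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, eid, host, **fields):
    """Build one constructed event record (ISO timestamp, Event ID, host, EventData)."""
    return {"time": time, "id": eid, "host": host, **fields}


WEVTUTIL = r"C:\Windows\System32\wevtutil.exe"

# Constructed sample events (not real telemetry), assumed to be in UTC.
EVENTS = [
    # Demo 1: five failed logons for Administrator on WS01, then a success from the same IP.
    *[_ev(f"2019-05-01T10:00:0{i}", 4625, "WS01", TargetUserName="Administrator",
          LogonType="3", IpAddress="10.0.0.5") for i in range(1, 6)],
    _ev("2019-05-01T10:00:09", 4624, "WS01", TargetUserName="Administrator",
        LogonType="3", IpAddress="10.0.0.5"),
    # A single typo followed by a success: normal behaviour, must not alert.
    _ev("2019-05-01T10:05:00", 4625, "WS02", TargetUserName="jdoe", LogonType="2", IpAddress="-"),
    _ev("2019-05-01T10:05:07", 4624, "WS02", TargetUserName="jdoe", LogonType="2", IpAddress="-"),
    # Demo 2: wevtutil clears the Security log; the 1102 record follows two seconds later.
    _ev("2019-05-01T11:00:00", 4688, "WS01", SubjectUserName="Administrator",
        NewProcessName=WEVTUTIL, CommandLine="wevtutil cl Security"),
    _ev("2019-05-01T11:00:02", 1102, "WS01", SubjectUserName="Administrator"),
    # Demo 3: svcvnc modified once by a non-admin and once by a known admin.
    _ev("2019-05-01T12:00:00", 4738, "DC01", SubjectUserName="btun",
        TargetUserName="svcvnc", LogonHours="All"),
    _ev("2019-05-01T12:30:00", 4738, "DC01", SubjectUserName="adm_jsmith",
        TargetUserName="svcvnc", PasswordLastSet="5/1/2019 12:30:00 PM"),
]

KNOWN_ADMINS = {"adm_jsmith"}  # assumed allow-list of accounts expected to edit other accounts


def _ts(event):
    return datetime.fromisoformat(event["time"])


def successful_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """Demo 1: a burst of 4625 for one (host, account), then a 4624 inside the window.

    This is the Splunk 'transaction' grouping done by hand: failures accumulate
    per key and a success closes the transaction (and resets the counter).
    """
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=_ts):
        key = (e["host"], e.get("TargetUserName", "").lower())
        if e["id"] == 4625:
            failures[key].append(_ts(e))
        elif e["id"] == 4624:
            recent = [t for t in failures.pop(key, []) if _ts(e) - t <= window]
            if len(recent) >= min_failures:
                hits.append({"host": e["host"], "user": e["TargetUserName"],
                             "failures": len(recent), "source_ip": e.get("IpAddress"),
                             "success_time": e["time"]})
    return hits


def log_clearing(events, window=timedelta(seconds=10)):
    """Demo 2: 1102 (Security log cleared) or 104 (another log cleared) together with
    the processes created on that host shortly before it, flagging wevtutil."""
    ordered = sorted(events, key=_ts)
    hits = []
    for e in ordered:
        if e["id"] not in (1102, 104):
            continue
        procs = [p for p in ordered
                 if p["id"] == 4688 and p["host"] == e["host"]
                 and timedelta(0) <= _ts(e) - _ts(p) <= window]
        hits.append({"host": e["host"], "time": e["time"],
                     "cleared_by": e.get("SubjectUserName"),
                     "processes": [p["NewProcessName"] for p in procs],
                     "wevtutil": any(p["NewProcessName"].lower().endswith("wevtutil.exe")
                                     for p in procs)})
    return hits


def account_manipulation(events, known_admins):
    """Demo 3: 4738 where the subject is neither an approved admin nor the target itself."""
    admins = {a.lower() for a in known_admins}
    hits = []
    for e in events:
        if e["id"] != 4738:
            continue
        subject, target = e["SubjectUserName"], e["TargetUserName"]
        if subject.lower() in admins or subject.lower() == target.lower():
            continue
        changed = {k: v for k, v in e.items()
                   if k not in ("time", "id", "host", "SubjectUserName", "TargetUserName")}
        hits.append({"host": e["host"], "time": e["time"], "subject": subject,
                     "target": target, "changed": changed})
    return hits


if __name__ == "__main__":
    print("brute force:", successful_brute_force(EVENTS))
    print("log clearing:", log_clearing(EVENTS))
    print("account manipulation:", account_manipulation(EVENTS, KNOWN_ADMINS))
```

Each function returns the alert candidates as dictionaries so the result can be fed to whatever ticketing or SIEM pipeline sits downstream. The brute-force detector resets its counter on every success, matching the transaction semantics of the demo; the log-clearing detector deliberately returns every 1102/104 event, with the wevtutil flag as enrichment rather than a filter, because a cleared log is worth a look whatever process did it.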