Module 4 - Event IDs-Logging-SIEMs

4.1 Introduction
4.2 Windows Event Logs
4.3 Windows Event IDs
4.4 Windows Event Forwarding
4.5 Windows Log Rotation & Clearing
4.6 PowerShell Logging
4.7 Tools

Threat Hunting - © Caendra Inc 2017 - All Rights Reserved


In the days of Windows XP, we knew of event logs, but they were rarely referenced.

They were only consulted when there was a software or hardware problem, and users were intimidated by the type of information they had to sift through to figure out the cause of the problem.

As incident response gained popularity, so did event logs.

The incident response process proved that these artifacts within the operating system were an invaluable source of information for determining what actions took place on the machine.

So event logs were no longer looked at as merely a troubleshooting tool, but as what they are and what they were designed to be.

As hunters, if we’re not accustomed or trained to look at event log data, then that needs to change.

If we’re hunting for evil on the endpoints, the information we need to look at is in those logs.

The upcoming slides will help you determine which logs are more significant than others when we’re hunting for specific attack signatures.

Windows Event Logs are built into all versions of Windows. They allow us to audit and monitor software and hardware events on the machine.

These events come from various sources, such as applications or the operating system itself. All of these events are stored in a collection known as the event log.

All versions of Windows maintain 3 core event logs:

• Application

• System

• Security

Application
The Application event log contains events logged by various applications and/or user programs.

These events include any errors or information that an application is designed to report.

Host-based security tools, such as antivirus, often report to the Application event log.

System
The System event log contains events logged by various Windows system components.

These events can include driver loads and unloads, network configurations, Windows service events, etc.

Any events that are logged from Windows system components are predetermined.

Security
The Security event log contains events related to Windows authentication and security processes.

These events include valid and invalid logon attempts, account creations, changes to user privileges, etc.

Local or Group Policy settings can configure exactly which security events are logged.

On Windows XP, Windows 2003, and any prior versions of Windows, the default event log paths are as follows:

Event Log    Event Log Path
Application  %SYSTEMROOT%\System32\Config\AppEvent.evt
System       %SYSTEMROOT%\System32\Config\SysEvent.evt
Security     %SYSTEMROOT%\System32\Config\SecEvent.evt

With modern versions of Windows, beginning with Windows Vista and Windows Server 2008, Microsoft made significant changes to the event logging system.

The EVT format was eliminated in favour of an XML-based format using the EVTX extension.

The location of these event log files changed as well:

Event Log    Event Log Path
Application  %SYSTEMROOT%\System32\Winevt\Logs\Application.evtx
System       %SYSTEMROOT%\System32\Winevt\Logs\System.evtx
Security     %SYSTEMROOT%\System32\Winevt\Logs\Security.evtx

Under Windows Logs you will see 2 additional sets of logs:

• Setup: contains events related to application setup.

• Forwarded Events: used to store events collected from remote computers.

It’s also worth mentioning that Microsoft added a new category of event logs, a second set of logs, called Applications and Services.

These logs are used by individual applications or system components.

These logs are saved in the same location as the 3 core logs mentioned above.

A few examples of Windows components that maintain their own logs: UAC, Windows Firewall with Advanced Security, AppLocker, Sysmon, and PowerShell.

Why are event logs important?
• Monitor logons that failed or that were successful.
• Monitor system services that were created, started, or
stopped.
• Monitor specific application usage.
• Monitor changes to the audit policy.
• Monitor changes to user permissions.
• Monitor events generated by installed applications, such as
AV.

So by now you should know what event logs are, where they
are located, why they are important, but how do we access
and view them?

The answer to that is the Event Viewer.

You can access the Event Viewer by either double clicking the
evtx file directly, by typing “eventvwr” in the Search box, or
by navigating to Control Panel > Administrative Tools > Event
Viewer.

In the previous slide we saw an error recorded within the System event
log related to Group Policy.

This particular event had an ID value of 1129. In the properties for this
particular event we were fortunate enough to get some clear
information as to why this error occurred but what happens when the
information is not clear?

Lucky for us, Microsoft has a useful search engine called the Events and Errors Message Center.

So we see that the EID (event ID) value is indeed useful and
Microsoft provided a utility to get more information about a
specific EID.

Note: At this point I will mention that if you are familiar with
Windows Event Logs and Event IDs, that Microsoft changed
some, if not all, of the Event IDs that you might remember
from Windows XP systems.

Example: On Windows XP the EID for a successful network logon is 540, but in Windows 7 it’s 4624.

Note: Some EIDs remained the same between NT Kernel 5 & 6.

Now, let’s look at some Windows Event IDs that we should
monitor on our hunts.

Hunting Suspicious Accounts

When hunting for suspicious account creation, we can look for Event ID 4720 (Account Created).

It doesn’t hurt to look at what is returned for this Event ID and cross-reference it with other departments to see if these are legitimate accounts, especially service accounts.

Hunting Suspicious Accounts

Other Event IDs specific to accounts are:


• 4624 (successful logon)
• 4648 (logon using explicit credentials)
• 4625 (failed logon)
• 4634 (successful logoff)
• 4647 (user initiated logoff)

Hunting Suspicious Accounts

There are other Event IDs specific to accounts.

To learn more, you can review the documents on Microsoft here.

Hunting Suspicious Accounts

It’s worth mentioning Logon Types at this point.

In Event Logs we’ll see a numerical value referring to the Logon Type, which lets us know how the account logged into the system, such as an RDP session or interactively.

Hunting Suspicious Accounts

Logon Type 2 is an interactive logon (a user physically logged into the computer).
https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4624

Hunting Suspicious Accounts

Logon Type  Logon Title        Description
2           Interactive        A user physically logged onto this computer.
3           Network            A user or computer logged on from the network.
4           Batch              Used by batch servers where processes may be executing on behalf of a user, like scheduled tasks.
5           Service            A service started by the Service Control Manager.
7           Unlock             The workstation was unlocked.
8           NetworkCleartext   Network credentials sent in cleartext.
9           NewCredentials     A caller cloned its current token and specified new credentials (runas command).
10          RemoteInteractive  A user logged onto this computer using Terminal Services or RDP.
11          CachedInteractive  A user logged onto this computer using network credentials that were stored locally on the computer.

Hunting Suspicious Accounts

Another piece of information to note regarding Event IDs specific to accounts is the Logon ID.

The Logon ID will let us know which Event ID is part of which logon session.

Hunting Suspicious Accounts

The session starts with Event ID 4624 and ends with Event ID 4634 or 4647.

Hunting Suspicious Accounts

We will know the duration of the session from the timestamps at logon and at logoff, by looking at the Logged field.
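
The Logon ID correlation described above, as an added example that is not part of the course material: a few constructed Security-log records (account names, Logon IDs and timestamps are made up) are paired 4624-to-4634/4647 by Logon ID, the session duration is taken from the Logged timestamps, and the Logon Type is resolved to its title. Sessions that never see a logoff are reported separately, since an interactive session with no logoff deserves a second look while a service logon with none is normal.

```python
from datetime import datetime

# Logon Type codes as listed in the Event ID 4624 documentation.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample records (not real log data): the fields a hunter pulls
# out of each Security-log event. 4647 carries no Logon Type, hence None.
SAMPLE_EVENTS = [
    {"logged": "2017-05-01 08:02:10", "eid": 4624, "logon_id": "0x3E7A1",
     "account": "jdoe", "logon_type": 2},
    {"logged": "2017-05-01 08:05:42", "eid": 4624, "logon_id": "0x3F0C9",
     "account": "svc_backup", "logon_type": 5},
    {"logged": "2017-05-01 09:15:00", "eid": 4624, "logon_id": "0x41B22",
     "account": "admin2", "logon_type": 10},
    {"logged": "2017-05-01 09:47:33", "eid": 4647, "logon_id": "0x41B22",
     "account": "admin2", "logon_type": None},
    {"logged": "2017-05-01 17:30:05", "eid": 4634, "logon_id": "0x3E7A1",
     "account": "jdoe", "logon_type": 2},
]


def parse_logged(value):
    """Parse the Logged field as written in the sample records."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate_sessions(events):
    """Pair every 4624 (session start) with the 4634 or 4647 (session end)
    that carries the same Logon ID. Returns {logon_id: session dict}; a
    session with end=None had no logoff in the data."""
    sessions = {}
    for ev in sorted(events, key=lambda e: parse_logged(e["logged"])):
        logon_id = ev["logon_id"]
        if ev["eid"] == 4624:
            sessions[logon_id] = {
                "account": ev["account"],
                "logon_title": LOGON_TYPES.get(ev["logon_type"], "Unknown"),
                "start": parse_logged(ev["logged"]),
                "end": None,
                "duration": None,
            }
        elif ev["eid"] in (4634, 4647) and logon_id in sessions:
            session = sessions[logon_id]
            session["end"] = parse_logged(ev["logged"])
            session["duration"] = session["end"] - session["start"]
    return sessions


def open_sessions(sessions):
    """Logon IDs that started but never ended within the data."""
    return sorted(lid for lid, s in sessions.items() if s["end"] is None)


if __name__ == "__main__":
    found = correlate_sessions(SAMPLE_EVENTS)
    for logon_id, s in found.items():
        print(logon_id, s["account"], s["logon_title"], s["start"], s["end"], s["duration"])
    print("no logoff seen:", open_sessions(found))
```

The same pairing works on real exports once the records are reduced to these fields, with the one caveat the slides raise later: the 4624 and its matching 4634/4647 may sit on different machines, so the correlation is only complete against centrally collected logs.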

Hunting Suspicious Accounts

Another Event ID to hunt for is Event ID 4672 (Special privileges assigned to new logon).

We want to see if any unusual accounts are logged into machines with admin rights when they shouldn’t have admin rights, and to hunt for local accounts being used to log into other machines remotely instead of legitimate network accounts.

Hunting Suspicious Accounts
Keep in mind that we will have to look at different sources to determine logon/session information via event logs.

Some event logs might be local to the workstation, but some might be on the server, such as the domain controller, or whatever other machine was accessed.

This shows the importance of having a central logging server, which we discuss more in upcoming slides.

Hunting Password Attacks

We will be looking for Event ID 4625 (failed logon) with Logon Type 3 (network logon).

We will also be looking for a rapid succession of failed attempts against the same machine, or machines, with only a small space of time between each attempt.

Of course, we know the attacker can change the timing of each attempt.

Hunting Pass The Hash

In a blog posting by David Kennedy (ReL1K) he shares a technique to hunt for PTH attacks with a low false positive rate.

The Event ID to hunt for is Event ID 4624 with Logon Type 3. We should also look for the Logon Process to be NtLmSsP and the Key Length to be set to 0.

You can read more about this technique here.
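
An added example covering both the password-attack hunt (rapid 4625 / Logon Type 3 failures against one machine from one source) and the Pass the Hash filter just described; it is not code from the course or from David Kennedy's post. The records, hostnames, accounts and addresses are constructed, and the field names computer, src_ip, logon_process and key_length are this example's own shorthand for the Security-log fields Computer, Source Network Address, Logon Process and Key Length. The burst detector uses a sliding window so that failures spread over hours, which the slides note an attacker can arrange, are not counted unless the window is widened.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_logged(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def event(logged, eid, computer, account, logon_type, src_ip, logon_process, key_length):
    """Build one constructed Security-log record with the fields both hunts use."""
    return {"logged": logged, "eid": eid, "computer": computer, "account": account,
            "logon_type": logon_type, "src_ip": src_ip,
            "logon_process": logon_process, "key_length": key_length}


# Constructed sample data (hostnames, accounts and addresses are placeholders).
SAMPLE_EVENTS = [
    # six failed network logons against FS01 from one source inside 15 seconds
    event("2017-05-02 02:00:01", 4625, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    event("2017-05-02 02:00:04", 4625, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    event("2017-05-02 02:00:07", 4625, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    event("2017-05-02 02:00:10", 4625, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    event("2017-05-02 02:00:13", 4625, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    event("2017-05-02 02:00:16", 4625, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    # then a successful NTLM network logon with Key Length 0: the PTH pattern
    event("2017-05-02 02:00:20", 4624, "FS01", "administrator", 3, "10.0.0.50", "NtLmSsp ", 0),
    # background noise: a user mistyping a password twice, an hour apart
    event("2017-05-02 02:10:00", 4625, "FS01", "jdoe", 3, "10.0.0.77", "NtLmSsp ", 0),
    event("2017-05-02 03:10:00", 4625, "FS01", "jdoe", 3, "10.0.0.77", "NtLmSsp ", 0),
    # an ordinary Kerberos network logon and an NTLM logon with a session key
    event("2017-05-02 02:30:00", 4624, "FS01", "jdoe", 3, "10.0.0.77", "Kerberos", 0),
    event("2017-05-02 02:31:00", 4624, "FS01", "jdoe", 3, "10.0.0.77", "NtLmSsp ", 128),
]


def find_failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Hunting Password Attacks: group 4625 / Logon Type 3 events by target
    computer and source address and report any pair with at least `threshold`
    failures inside a sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4625 and ev["logon_type"] == 3:
            failures[(ev["computer"], ev["src_ip"])].append(parse_logged(ev["logged"]))
    alerts = []
    for (computer, src_ip), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"computer": computer, "src_ip": src_ip,
                           "max_in_window": best, "total_failures": len(times)})
    return alerts


def find_pth_indicators(events):
    """Hunting Pass The Hash: 4624, Logon Type 3, Logon Process NtLmSsp,
    Key Length 0. The Logon Process value is compared after stripping
    whitespace and case so the trailing-space rendering seen in the event
    text does not break the match."""
    return [ev for ev in events
            if ev["eid"] == 4624 and ev["logon_type"] == 3
            and ev["logon_process"].strip().lower() == "ntlmssp"
            and ev["key_length"] == 0]


if __name__ == "__main__":
    for alert in find_failed_logon_bursts(SAMPLE_EVENTS):
        print("failed-logon burst:", alert)
    for ev in find_pth_indicators(SAMPLE_EVENTS):
        print("PTH indicator:", ev["logged"], ev["account"], "from", ev["src_ip"])
```

Running it reports one burst (FS01 from 10.0.0.50, six failures in the window) and one PTH indicator, the successful logon that follows the burst; the two scattered jdoe failures and the Kerberos and keyed NTLM logons stay quiet. On a real data set the same two functions are fed the parsed 4624/4625 records from the central log server.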

Hunting Golden Tickets

Oftentimes attackers leverage native Kerberos functionality.

For example, this is the case when a golden ticket is created. A golden
ticket is a forged Ticket-Granting Ticket that provides the attacker with
access to every network asset. You should therefore be familiar with
Kerberos-related Event IDs like 4768.

More about detecting Golden Tickets can be found here.

Hunting RDP Sessions

If your network environment is accustomed to a lot of RDP connections into other machines, then this can be difficult to hunt for.

When hunting for RDP sessions we’re looking for Event IDs 4778 & 4779 with Logon Type 10 (Terminal Services or RDP). Also note the expected Event IDs after successful or failed authentication attempts.

You can also check out resources from the Threat Hunting Project here.

Hunting Psexec

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

You can read more about this tool from the Sysinternals website here.

You can check out resources from the Threat Hunting Project here.

Hunting WMI Usage

In regards to hunting WMI usage, we’ll refer to a posting from FireEye, where WMI is used to detect WMI.

You can read more about this technique here.

You can also refer to a Microsoft document titled Tracing WMI Activity, here.

Hunting Scheduled Tasks

Event ID 4698 (a scheduled task was created) is what we’ll hunt for. Event IDs 106, 200, and 201 also all relate to scheduled tasks.

Hunting Service Creations

Event ID 4697 (a service was installed in the system) is what we’ll be hunting for to find the creation of suspicious services.

Hunting Network Shares

Event ID 4776 is specific to the NTLM protocol and notifies us of successful or failed authentication attempts.

Under Keywords we should see either Audit Success or Audit Failure.

The Error Code will also give us information about the authentication attempt.

Reference the Microsoft documents for more information.

Hunting Network Shares

Other Event IDs specific to network shares are Event IDs 5140 and 5145.

In order to see these event logs, a policy setting must be enabled. This setting is within Advanced Audit Policy Configuration > Object Access > Audit File Share.

Hunting Lateral Movement

For hunting lateral movement, we’ll refer to a research paper created by the Japan Computer Emergency Response Team Coordination Center, here.

You can also check out resources from the Threat Hunting Project here, here, and here.

As we can see, event logs are extremely useful, but they’re only useful if we have them.

These logs shouldn’t stay on the endpoint but rather should be forwarded to a central server immediately.

If this capability is not currently enabled in your environment, enabling it is something you should consider immediately.

Please read these additional resources from Microsoft
regarding Windows Event Forwarding here and here.

If event logs are not forwarded, then they risk being cleared (deleted) or rotated off the endpoint device.

To clear event logs, admin rights are needed.

The equivalent of clearing the event logs without admin rights is to flood the endpoint with events, generating enough log entries to rotate the older logs out of view within tools such as Event Viewer.

Event IDs to hunt for in regards to log clearing are Event IDs
1102 and 104.

Note that Event Logs are extremely difficult, if not impossible, to tamper with.

Meaning an attacker can’t just modify an event log, which is good to know.

Again, to avoid the logs being cleared or rotated on the endpoint, they need to be forwarded to a central location.

Once these logs are at the central location, log retention needs to be discussed.

Do you keep 1 week of logs, 1 month, 6 months, etc.?

If you have been a long-time user of PowerShell, then you know that PowerShell has come a long way.

With version 5 we have logging features to track the usage of PowerShell in our environments.

PowerShell is often ignored, but as time has progressed it has been proven that PowerShell needs to be monitored for malicious usage.

Attackers love nothing more than the concept of ‘living off the land.’

Why go through the trouble of dropping tools onto a machine when they can use what is natively within the system?

To enable PowerShell Script Block Logging we need to enable a few settings within the Administrative Templates within Group Policy.

The event logs will be visible under Applications and Services Logs > Microsoft > Windows > PowerShell / Operational.

We can enable Turn On Module Logging & Turn on
PowerShell Transcription as well, along with Turn On
PowerShell Script Block Logging.

Event IDs to hunt for are 4104, 4105 & 4106. Refer to
PowerShell <3 the Blue Team blog post, here.

Besides this, we can also capture command line input in general. This can be accomplished by enabling Include command line in process creation events via Group Policy. We will then need to hunt for Event ID 4688.

This is useful because if PowerShell is called via CMD and PowerShell commands are executed, those events will be captured. Regular commands via CMD will also be captured.

Sysmon

A tool we’re going to look at from Sysinternals is called Sysmon.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.

Sysmon

“It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”

Sysmon

Sysmon has its own Event ID numbering system, ranging from Event ID 1 to Event ID 21, plus Event ID 255.

For more information, you can reference the Events section of the Sysmon page from Sysinternals here.

Sysmon

Reference the module videos below on how to install, configure, and use Sysmon to hunt.

Another invaluable item used within our hunts is a SIEM, a Security Information and Event Management platform.

This appliance will ingest various logs from various types of security equipment, such as firewalls, IPS systems, and even threat intelligence feeds.

We can then create alerts, dashboards, and perform queries to sift through thousands upon thousands of log entries.

There are various commercial SIEM products you can look at and invest in, such as LogRhythm, ArcSight, Splunk, QRadar, and USM, to name a few.

ELK Stack

In this course we’ll be looking at the ELK Stack to sift through Windows Event Logs and PowerShell Logs when hunting for evil.

It’s a good choice because we’re not looking at any other types of logs, such as firewall, proxy, etc., just Windows logs.

ELK Stack

The ELK Stack is comprised of 3 open source products: Elasticsearch, Logstash, and Kibana.

All 3 of these open source products are from Elastic.

You can read more about the ELK Stack, including tutorials on how to implement and use it, here.

ELK Stack

Should you use the ELK Stack or a traditional commercial SIEM for your environment?

You can read these articles, here & here, to look at the pros and cons of both.

ELK Stack

Reference the module videos below on how to configure and use ELK to sift through log data while hunting.

Module videos:

• Introduction to Sysmon
• Hunting Macros with Sysmon
• Hunting Code Injections with Sysmon
• Hunting Mimikatz with Sysmon
• Introduction to ELK
• Creating Visualizations in ELK
• Creating Dashboards in ELK
• ELK Hunting: Mimikatz
• ELK Hunting: Keylogger and remote threads
• ELK Hunting: Invoke-Mimikatz
• ELK Hunting: Macros
• Hunting Responder


This concludes the module on Event IDs, Logging, and SIEMs.

We have covered:
✓ What event logs are.
✓ Which event logs we need to focus on when hunting.
✓ The importance of log forwarding, log rotation, and retention.
✓ How to detect log clearing.
✓ How to enable PowerShell and command line logging.
✓ What a SIEM is and how to pick which is right for your organization.

References (links from the module slides):

• Event ID 4720
• Event ID 4624
• Event ID 4648
• Event ID 4625
• Event ID 4634
• Event ID 4647
• Audit User Accounts
• Event ID 4672
• Hunt PTH
• Event ID 4778
• Event ID 4779
• Hunt RDP
• Hunt Psexec
• Hunt WMI
• Tracing WMI Activity
• Event 4698
• Event ID 106
• Event ID 200
• Event ID 201
• Event ID 4697
• Event ID 4776
• Event ID 5140
• Event ID 5145
• Hunting Lateral Movement 1
• Hunting Lateral Movement 2
• Hunting Lateral Movement 3
• Hunting Lateral Movement 4
• Windows Event Forwarding
• Windows Event Collector
• Event ID 1102
• PowerShell <3 Blue Teams
• Event ID 104
• Event ID 4688
• Sysmon
• Sysmon Events
• Elastic.co
• Guide to ELK Stack
• ELK vs. SIEM
• Splunk vs. ELK
• Event ID 4768
• Kerberos Golden Ticket Protection