Windows Event Logs

This entry is part 12 of 22 in the series Threat Detection Engineering

Understanding Windows Event Logs

Each entry in the Windows Event Log is an “Event” and contains the following primary components:

  1. Log Name: The name of the event log (e.g., Application, System, Security, etc.).
  2. Source: The software that logged the event.
  3. Event ID: A unique identifier for the event.
  4. Task Category: This often contains a value or name that can help us understand the purpose or use of the event.
  5. Level: The severity of the event (Information, Warning, Error, Critical, and Verbose).
  6. Keywords: Keywords are flags that allow us to categorize events in ways beyond the other classification options. These are generally broad categories, such as “Audit Success” or “Audit Failure” in the Security log.
  7. User: The user account that was logged on when the event occurred.
  8. OpCode: This field can identify the specific operation that the event reports.
  9. Logged: The date and time when the event was logged.
  10. Computer: The name of the computer where the event occurred.
  11. XML Data: All the above information is also included in an XML format along with additional event data.

Windows logon types and logon codes

Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively. In Windows, a logon can occur in several ways, both locally and remotely.

Logon types, their numeric identifiers, descriptions, and the logon right each one requires:

  • Used only by the system (0): System startup.
  • Interactive (2): User logging in at the keyboard. Logon right: Log on locally.
  • Network (3): A very broad type that includes activity such as mapping network shares and running commands on remote systems. Logon right: Access this computer from the network.
  • Batch (4): Used by batch servers, where processes may execute on behalf of a user without their direct intervention. Logon right: Log on as a batch job.
  • Service (5): A service started by the Service Control Manager. Logon right: Log on as a service.
  • Unlock (7): This workstation was unlocked.
  • NetworkCleartext (8): A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network, so the credentials do not traverse the network in plain text. Note: NetworkCleartext logons are generated when IIS (Internet Information Services) is configured to use HTTP basic authentication.
  • NewCredentials (9): This logon type does not seem to show up in any events. Microsoft’s explanation: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity but uses different credentials for other network connections.
  • RemoteInteractive (10): User logon via RDP. Logon right: Log on through Terminal Services.
  • CachedInteractive (11): A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
  • CachedRemoteInteractive (12): Logon that occurs when the remote system is away from the network DC.
  • CachedUnlock (13): Unlock that occurs when the remote system is away from the network DC.

Critical Windows Event IDs To Monitor

Logon events

Microsoft’s basic security audit policy best practices suggest defining failure or success for account and general logon events.

Important Logon events to track

  • 4624: User successfully logged on to a computer
  • 4625: Logon attempt failed (unknown user name or bad password)
  • 4634: Logoff process completed for user
  • 4647: User-initiated logoff
  • 4648: User successfully logged on to a computer using explicit credentials while already logged on as a different user
  • 4779: User disconnected a terminal server or virtual host session without logging off
  • 4798: A user’s local group membership was enumerated
  • 4799: A security-enabled local group membership was enumerated
  • 4820: A Kerberos ticket-granting ticket (TGT) was denied
  • 4821: A Kerberos service ticket was denied because the user, device, or both do not meet the access control restrictions
  • 4822: NTLM authentication failed because the account was a member of the Protected Users group
  • 4823: NTLM authentication failed because access control restrictions are required
  • 4824: Kerberos pre-authentication using DES or RC4 failed because the account was a member of the Protected Users group

Privilege use

  • 4103: PowerShell Module Logging
  • 4104: PowerShell Script Block Logging
  • 4656: A handle to an object was requested
  • 4658: Handle to an object was closed
  • 4659: Handle to an object was requested with intent to delete
  • 4660: Object deleted
  • 4663: Attempt to access object was made
  • 4664: Attempt to create a hard link was made
  • 4670: Object permissions were changed
  • 4672: Special privileges assigned to new logon
  • 4673: A privileged service was called
  • 4674: Attempted operation on a privileged object
  • 4985: Transaction state change
  • 4691: Indirect access to an object was requested
  • 4698: A scheduled task was created
  • 4699: A scheduled task was deleted
  • 4700: A scheduled task was enabled
  • 4701: A scheduled task was disabled
  • 4702: A scheduled task was updated
  • 5051: File was virtualized

Important Events related to Windows Server

The following Event IDs can potentially indicate a high criticality event that applies to Windows Server 2022, Windows Server 2019, Windows Server:

  • 1100: The event logging service has shut down
  • 1101: Audit events have been dropped by the transport
  • 1102: Audit log cleared
  • 1104: The security log is now full
  • 4618: Monitored security event pattern occurred
  • 4649: Potential replay attack detected
  • 4719: Change to system audit policy
  • 4765: SID History added to an account
  • 4766: Failed attempt to add SID History to an account
  • 4794: Attempt at setting Directory Services Restore Mode
  • 4897: Role separation enabled
  • 4964: Special groups assigned new logon
  • 5124: Update to security setting on OCSP Responder Service
Events related to Microsoft Defender Antivirus

  • 1002: malware scan stopped before completing scan
  • 1003: malware scan paused
  • 1005: malware scan failed
  • 1006, 1116: malware or unwanted software detected
  • 1007, 1117: action to protect system performed
  • 1008, 1118: action to protect system failed
  • 1009: item restored from quarantine
  • 1012: unable to delete item in quarantine
  • 1015: suspicious behavior detected
  • 1119: critical error occurred when taking action

Common logon types and their attributes relative to credential theft:

  • Interactive (also known as Logon locally), type 2. Authenticators accepted: Password, Smartcard, other. Reusable credentials in LSA session: Yes. Examples: Console logon; RUNAS; hardware remote control solutions (such as Network KVM or Remote Access / Lights-Out Card in a server); IIS Basic Auth (before IIS 6.0).
  • Network, type 3. Authenticators accepted: Password, NT hash, Kerberos ticket. Reusable credentials in LSA session: No (except if delegation is enabled, then Kerberos tickets are present). Examples: NET USE; RPC calls; Remote registry; IIS integrated Windows auth; SQL Windows auth; Remote Desktop Gateway; PsExec without explicit creds (e.g. PsExec \\server cmd); PowerShell WinRM (e.g. Enter-PSSession server); vulnerability scanners.
  • Batch, type 4. Authenticators accepted: Password (stored as LSA secret). Reusable credentials in LSA session: Yes. Examples: Scheduled tasks.
  • Service, type 5. Authenticators accepted: Password (stored as LSA secret). Reusable credentials in LSA session: Yes. Examples: Windows services.
  • NetworkCleartext, type 8. Authenticators accepted: Password. Reusable credentials in LSA session: Yes. Examples: IIS Basic Auth (IIS 6.0 and newer); Windows PowerShell with CredSSP.
  • NewCredentials, type 9. Authenticators accepted: Password. Reusable credentials in LSA session: Yes. Examples: RUNAS /NETWORK.
  • RemoteInteractive, type 10. Authenticators accepted: Password, Smartcard, other. Reusable credentials in LSA session: Yes. Examples: Remote Desktop (formerly known as “Terminal Services”).
  • Authenticators accepted – Indicates which types of authenticators are able to initiate a logon of this type.
  • Reusable credentials in LSA session – Indicates whether the logon type results in the LSA session holding credentials, such as plaintext passwords, NT hashes, or Kerberos tickets that could be used to authenticate to other network resources.
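As an added example that is not part of the original post, the Python script below ties the pieces above together: it flattens the XML Data view of a Security event into its System and EventData fields, maps the LogonType of 4624 events to the logon type names and the reusable-credentials column, and counts 4625 failures per source address. The event XML samples are constructed, and the failure threshold of 5 is an assumed tuning value.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon type numbers and names from the logon types table above
LOGON_TYPES = {0: "System", 2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Whether the logon leaves reusable credentials in the LSA session (credential-theft table above)
REUSABLE_CREDS = {2: True, 3: False, 4: True, 5: True, 8: True, 9: True, 10: True}

def parse_event(xml_text):
    """Flatten one event's XML (the 'XML Data' view) into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {"EventID": int(system.find("e:EventID", NS).text),
          "Computer": system.find("e:Computer", NS).text}
    for d in root.iterfind("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text
    return ev

def triage_logons(events, failed_threshold=5):
    """Flag 4624 logons that leave reusable credentials on the host, and 4625 bursts per source IP."""
    findings, failed = [], Counter()
    for ev in events:
        if ev["EventID"] == 4624:
            lt = int(ev.get("LogonType", -1))
            if REUSABLE_CREDS.get(lt):
                findings.append(("reusable-creds", ev["Computer"], ev["TargetUserName"],
                                 LOGON_TYPES.get(lt, f"Unknown({lt})")))
        elif ev["EventID"] == 4625:
            failed[(ev["Computer"], ev.get("IpAddress"))] += 1
    findings += [("failed-burst", c, ip, n) for (c, ip), n in failed.items() if n >= failed_threshold]
    return findings

def sample_event(event_id, computer, user, logon_type, ip):
    """Constructed sample in the Windows event XML shape; not a captured log."""
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2024-05-01T08:00:00.000Z"/><Computer>{computer}</Computer>'
            f'</System><EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data><Data Name="IpAddress">{ip}</Data>'
            f'</EventData></Event>')

SAMPLE_EVENTS = [parse_event(sample_event(*a)) for a in
                 [(4624, "WS01", "alice", 10, "10.0.0.5"),      # RDP: reusable creds in LSA
                  (4624, "WS01", "svc-backup", 3, "10.0.0.9")]  # network logon: none left behind
                 + [(4625, "WS01", "admin", 3, "10.0.0.77")] * 6]  # repeated failures from one IP
```

Calling `triage_logons(SAMPLE_EVENTS)` yields one reusable-credentials finding for the RDP logon and one failed-logon burst for 10.0.0.77; the type 3 service logon is not flagged.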

Find below an indicative (non-exhaustive) list of useful Windows event logs.

  1. Windows System Logs
    • Event ID 1074 (System Shutdown/Restart): This event log indicates when and why the system was shut down or restarted. By monitoring these events, you can determine if there are unexpected shutdowns or restarts, potentially revealing malicious activity such as malware infection or unauthorized user access.
    • Event ID 6005 (The Event log service was started): This event log marks the time when the Event Log Service was started. This is an important record, as it can signify a system boot-up, providing a starting point for investigating system performance or potential security incidents around that period. It can also be used to detect unauthorized system reboots.
    • Event ID 6006 (The Event log service was stopped): This event log signifies the moment when the Event Log Service was stopped. It is typically seen when the system is shutting down. Abnormal or unexpected occurrences of this event could point to intentional service disruption for covering illicit activities.
    • Event ID 6013 (Windows uptime): This event occurs once a day and shows the uptime of the system in seconds. A shorter than expected uptime could mean the system has been rebooted, which could signify a potential intrusion or unauthorized activities on the system.
    • Event ID 7040 (Service status change): This event indicates a change in service startup type, which could be from manual to automatic or vice versa. If a crucial service’s startup type is changed, it could be a sign of system tampering.
  2. Windows Security Logs
    • Event ID 1102 (The audit log was cleared): Clearing the audit log is often a sign of an attempt to remove evidence of an intrusion or malicious activity.
    • Event ID 1116 (Antivirus malware detection): This event is particularly important because it logs when Defender detects malware. A surge in these events could indicate a targeted attack or widespread malware infection.
    • Event ID 1118 (Antivirus remediation activity has started): This event signifies that Defender has begun the process of removing or quarantining detected malware. It’s important to monitor these events to ensure that remediation activities are successful.
    • Event ID 1119 (Antivirus remediation activity has succeeded): This event signifies that the remediation process for detected malware has been successful. Regular monitoring of these events will help ensure that identified threats are effectively neutralized.
    • Event ID 1120 (Antivirus remediation activity has failed): This event is the counterpart to 1119 and indicates that the remediation process has failed. These events should be closely monitored and addressed immediately to ensure threats are effectively neutralized.
    • Event ID 4624 (Successful Logon): This event records successful logon events. This information is vital for establishing normal user behavior. Abnormal behavior, such as logon attempts at odd hours or from different locations, could signify a potential security threat.
    • Event ID 4625 (Failed Logon): This event logs failed logon attempts. Multiple failed logon attempts could signify a brute-force attack in progress.
    • Event ID 4648 (A logon was attempted using explicit credentials): This event is triggered when a user logs on with explicit credentials to run a program. Anomalies in these logon events could indicate lateral movement within a network, which is a common technique used by attackers.
    • Event ID 4656 (A handle to an object was requested): This event is triggered when a handle to an object (like a file, registry key, or process) is requested. This can be a useful event for detecting attempts to access sensitive resources.
    • Event ID 4672 (Special Privileges Assigned to a New Logon): This event is logged whenever an account logs on with super user privileges. Tracking these events helps to ensure that super user privileges are not being abused or used maliciously.
    • Event ID 4698 (A scheduled task was created): This event is triggered when a scheduled task is created. Monitoring this event can help you detect persistence mechanisms, as attackers often use scheduled tasks to maintain access and run malicious code.
    • Event ID 4700 & Event ID 4701 (A scheduled task was enabled/disabled): These record the enabling or disabling of a scheduled task. Scheduled tasks are often manipulated by attackers for persistence or to run malicious code, so these logs can provide valuable insight into suspicious activities.
    • Event ID 4702 (A scheduled task was updated): Similar to 4698, this event is triggered when a scheduled task is updated. Monitoring these updates can help detect changes that may signify malicious intent.
    • Event ID 4719 (System audit policy was changed): This event records changes to the audit policy on a computer. It could be a sign that someone is trying to cover their tracks by turning off auditing or changing what events get audited.
    • Event ID 4738 (A user account was changed): This event records any changes made to user accounts, including changes to privileges, group memberships, and account settings. Unexpected account changes can be a sign of account takeover or insider threats.
    • Event ID 4771 (Kerberos pre-authentication failed): This event is similar to 4625 (failed logon) but specifically for Kerberos authentication. An unusual number of these logs could indicate an attacker attempting to brute force your Kerberos service.
    • Event ID 4776 (The domain controller attempted to validate the credentials for an account): This event helps track both successful and failed attempts at credential validation by the domain controller. Multiple failures could suggest a brute-force attack.
    • Event ID 5001 (Antivirus real-time protection configuration has changed): This event indicates that the real-time protection settings of Defender have been modified. Unauthorized changes could indicate an attempt to disable or undermine the functionality of Defender.
    • Event ID 5140 (A network share object was accessed): This event is logged whenever a network share is accessed. This can be critical in identifying unauthorized access to network shares.
    • Event ID 5142 (A network share object was added): This event signifies the creation of a new network share. Unauthorized network shares could be used to exfiltrate data or spread malware across a network.
    • Event ID 5145 (A network share object was checked to see whether client can be granted desired access): This event indicates that someone attempted to access a network share. Frequent checks of this sort might indicate a user or malware trying to map out the network shares for future exploits.
    • Event ID 5157 (The Windows Filtering Platform has blocked a connection): This is logged when the Windows Filtering Platform blocks a connection attempt. This can be helpful for identifying malicious traffic on your network.
    • Event ID 7045 (A service was installed in the system): A sudden appearance of unknown services might suggest malware installation, as many types of malware install themselves as services.

References

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter3

https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types