Threat Hunting for Windows Event Logs
Firewall logs, Windows Event Logs, and Linux audit logs are the most basic sources we rely on when hunting threats in an organisation's infrastructure. The correlations we build in a SIEM become far more valuable when they are enriched with Sysmon, Linux auditd, and HIDS/NIDS logs. In this article, we will look at how to detect various attacks using Windows Event Logs.
Windows Event Logs allow us to analyze many attacker actions and detect attacks. All versions of Windows maintain three main event logs:
- Application
- System
- Security
Here are the activity categories you can choose to audit:
- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events
Now let's skip these basics, because there are already plenty of detailed articles about Windows logging.
Suspicious Windows Event IDs
Event IDs specific to account logon events:
- 4624 (successful logon)
- 4625 (failed logon)
- 4634 (successful logoff)
- 4647 (user-initiated logoff)
- 4648 (logon using explicit credentials)
- 4672 (special privileges assigned)
- 4768 (Kerberos ticket (TGT) requested)
- 4769 (Kerberos service ticket requested)
- 4771 (Kerberos pre-auth failed)
- 4776 (attempted to validate credentials)
- 4778 (session reconnected)
- 4779 (session disconnected)
In addition to the Event IDs, we should also pay attention to the Logon Type field: it tells us how the session in question was opened.
Forged Kerberos Tickets
The most commonly found kinds of forged tickets are:
- Golden Tickets
- Silver Tickets
Golden Tickets are fake Kerberos TGTs that can be used to request TGS tickets for any service on any computer in the domain.
To create a golden ticket, the following are needed:
- Domain SID
- Domain Name
- Domain KRBTGT Account NTLM password hash
- UserID for impersonation
Detection of Abnormal Golden Tickets
To detect Golden Tickets, we need to look for TGS requests (Event ID 4769) that are not preceded by a TGT request (Event ID 4768) for the same account. Also noteworthy is Event ID 4769 being logged with status code 0x1F. Finally, we can identify suspicious TGTs by comparing the ticket lifetime, the difference between StartTime and EndTime, against the expected lifetime.
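The three heuristics above, run over a handful of constructed 4768/4769 records. This is an added example and not code from the original article; the field names are my own normalised shorthand, start_time/end_time are not fields of the 4768 event itself (they are assumed to have been taken from the ticket and joined to the record), and the 10-hour lifetime is an assumed policy value.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Each dict is a normalised view of
# the fields a SIEM would extract from a DC's 4768 (TGT) and 4769 (TGS) events.
# start_time/end_time are NOT fields of 4768 itself; they are assumed to have been
# pulled from the ticket (e.g. klist output) and joined to the record.
SAMPLE_KERBEROS_EVENTS = [
    {"time": "2024-01-10T08:00:00", "event_id": 4768, "user": "alice", "status": "0x0"},
    {"time": "2024-01-10T08:00:05", "event_id": 4769, "user": "alice", "status": "0x0"},
    {"time": "2024-01-10T07:00:00", "event_id": 4768, "user": "bob", "status": "0x0"},
    # 0x1F (KRB_AP_ERR_BAD_INTEGRITY): integrity check on the decrypted field failed
    {"time": "2024-01-10T09:31:00", "event_id": 4769, "user": "bob", "status": "0x1F"},
    # TGS request for an account that never requested a TGT in the window
    {"time": "2024-01-10T09:30:00", "event_id": 4769, "user": "svc-backup", "status": "0x0"},
    # TGT whose lifetime is far beyond a 10-hour policy
    {"time": "2024-01-10T10:00:00", "event_id": 4768, "user": "carol", "status": "0x0",
     "start_time": "2024-01-10T10:00:00", "end_time": "2024-01-20T10:00:00"},
    # TGS request 15 hours after the last TGT: that TGT should already have expired
    {"time": "2024-01-09T20:00:00", "event_id": 4768, "user": "dave", "status": "0x0"},
    {"time": "2024-01-10T11:00:00", "event_id": 4769, "user": "dave", "status": "0x0"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def hunt_golden_ticket(events, tgt_lifetime=timedelta(hours=10)):
    """Apply the three heuristics from the text; returns (reason, event) pairs.

    tgt_lifetime is an assumed policy value: a TGS request with no TGT request
    by the same account within that span has no legitimately issued TGT behind
    it, as far as this DC's log can tell."""
    findings = []
    last_tgt = {}  # account -> time of its most recent 4768 seen
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        when = parse_ts(ev["time"])
        account = ev["user"].lower()
        if ev["event_id"] == 4768:
            last_tgt[account] = when
            start, end = ev.get("start_time"), ev.get("end_time")
            if start and end and parse_ts(end) - parse_ts(start) > tgt_lifetime:
                findings.append(("tgt_lifetime_exceeds_policy", ev))
        elif ev["event_id"] == 4769:
            if ev.get("status", "").lower() == "0x1f":
                findings.append(("tgs_status_0x1f", ev))
            seen = last_tgt.get(account)
            if seen is None or when - seen > tgt_lifetime:
                findings.append(("tgs_without_recent_tgt", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in hunt_golden_ticket(SAMPLE_KERBEROS_EVENTS):
        print(f"{reason:30} {ev['user']:12} {ev['time']}")
```

The "TGS without a recent TGT" check only works when the logs of every domain controller are collected centrally: the TGT may legitimately have been issued by a different DC than the one that served the TGS request.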
Detection of Abnormal Silver Tickets
To detect Silver Tickets, we have to check for invalid PrivSvr (KDC) signatures in the PAC of the Kerberos TGS ticket.
Detect Password Attacks
The anomaly here is the condition "EventID=4625 AND Logon_Type=3" occurring several times for the same user.
Splunk use case for detection:
index=WinEventLog EventID=4625 AND Logon_Type=3
| stats count as login_fail by user | search login_fail > 3
You can also exclude machine accounts from the detection by adding "user!=*$" to the search.
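The same logic as the Splunk search above, applied to constructed 4625 records, so the threshold and the machine-account exclusion can be tested offline. This is an added example, not code from the original article; the record fields are my own shorthand for the 4625 fields, and the second function goes one step beyond the text by counting distinct accounts per source address, which catches a password spray that stays under the per-user threshold.

```python
from collections import Counter, defaultdict


def _fail(user, source, logon_type=3, event_id=4625):
    """Build one constructed 4625-style record (not real log data)."""
    return {"event_id": event_id, "logon_type": logon_type, "user": user, "source_ip": source}


# Constructed sample: five network failures for jsmith, two for bob, six for a
# machine account, three interactive (type 2) failures, one source trying four
# different accounts once each (a spray pattern), and one successful logon.
SAMPLE_4625_EVENTS = (
    [_fail("jsmith", "10.0.0.5") for _ in range(5)]
    + [_fail("bob", "10.0.0.6") for _ in range(2)]
    + [_fail("WS01$", "10.0.0.7") for _ in range(6)]
    + [_fail("jsmith", "10.0.0.5", logon_type=2) for _ in range(3)]
    + [_fail(u, "10.0.0.9") for u in ("ann", "ben", "cat", "dan")]
    + [_fail("jsmith", "10.0.0.5", event_id=4624)]  # a success, must be ignored
)


def hunt_failed_network_logons(events, threshold=3, exclude_machine_accounts=True):
    """Python equivalent of the Splunk search in the text:
    EventID=4625 AND Logon_Type=3 | stats count as login_fail by user | search login_fail > 3
    With exclude_machine_accounts=True it also applies the user!=*$ filter."""
    login_fail = Counter()
    for ev in events:
        if ev.get("event_id") != 4625 or str(ev.get("logon_type")) != "3":
            continue
        user = ev.get("user", "")
        if exclude_machine_accounts and user.endswith("$"):
            continue
        login_fail[user] += 1
    return {user: n for user, n in login_fail.items() if n > threshold}


def hunt_spray_by_source(events, min_users=3):
    """Generalisation beyond the text: distinct accounts per source address.
    A spray of one attempt per account never trips the per-user count above."""
    users_by_source = defaultdict(set)
    for ev in events:
        if ev.get("event_id") != 4625 or str(ev.get("logon_type")) != "3":
            continue
        user = ev.get("user", "")
        if user.endswith("$"):
            continue
        users_by_source[ev.get("source_ip", "?")].add(user)
    return {src: len(users) for src, users in users_by_source.items() if len(users) >= min_users}


if __name__ == "__main__":
    print("per-user:", hunt_failed_network_logons(SAMPLE_4625_EVENTS))
    print("per-source:", hunt_spray_by_source(SAMPLE_4625_EVENTS))
```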
Detection of PowerView and BloodHound
We can track LDAP SearchRequests on the Domain Controller with Event ID 1644 to detect PowerView and BloodHound (this event is not logged by default; it requires Field Engineering diagnostic logging to be enabled on the DC).
Detection of Abnormal Scheduled Tasks
Event IDs 4698 (Security log) and 106, 200, and 201 (TaskScheduler Operational log) are all related to scheduled tasks.
Detection of Abnormal Pass The Hash
In detecting Pass The Hash attacks, we should check for Event ID 4624 with Logon Type 3. Additionally, we should check that the Logon Process is NtLmSsp and the Key Length is 0.
Detection of Abnormal Network Shares
Event ID 4776 is specific to NTLM authentication, so we should check whether it is logged as an Audit Success or an Audit Failure. The Error Code field will also tell us why the attempt failed.
Detection of Abnormal RDP Sessions
When looking for suspicious RDP sessions, we should look for Logon Type 10 in Event IDs 4624 and 4778. In addition, we should look for unexpected accesses following the 4624 and 4625 events.
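The Pass The Hash indicators and the RDP checks from the two sections above, applied to constructed 4624/4625/4778 records. This is an added example and not code from the original article; the field names are my own shorthand for LogonType, LogonProcessName, KeyLength, IpAddress and ClientAddress, and the allow-list of RDP source addresses is an assumption standing in for an organisation's known jump hosts.

```python
# Constructed sample of normalised Security log records (not real data).
# "logon_process" carries the raw LogonProcessName value, which has a trailing space.
SAMPLE_LOGON_EVENTS = [
    {"event_id": 4624, "logon_type": 3, "user": "admin", "logon_process": "NtLmSsp ",
     "key_length": 0, "source": "10.0.0.50"},
    # Kerberos network logons also show Key Length 0, so the NtLmSsp test matters
    {"event_id": 4624, "logon_type": 3, "user": "alice", "logon_process": "Kerberos",
     "key_length": 0, "source": "10.0.0.51"},
    {"event_id": 4624, "logon_type": 3, "user": "bob", "logon_process": "NtLmSsp ",
     "key_length": 128, "source": "10.0.0.52"},
    {"event_id": 4624, "logon_type": 10, "user": "helpdesk", "logon_process": "User32 ",
     "key_length": 0, "source": "10.0.0.20"},
    {"event_id": 4624, "logon_type": 10, "user": "admin", "logon_process": "User32 ",
     "key_length": 0, "source": "203.0.113.7"},
    {"event_id": 4778, "user": "admin", "source": "203.0.113.7"},
    {"event_id": 4625, "logon_type": 10, "user": "admin", "source": "203.0.113.7"},
]

# Assumed: the addresses from which RDP sessions are expected (jump hosts).
RDP_ALLOWED_SOURCES = {"10.0.0.20"}


def is_pass_the_hash_candidate(ev):
    """4624 + Logon Type 3 + Logon Process NtLmSsp + Key Length 0, as in the text.
    Legitimate NTLM network logons from non-domain or legacy hosts match as well,
    so the result is a candidate to baseline against, not a verdict."""
    return (ev.get("event_id") == 4624
            and str(ev.get("logon_type")) == "3"
            and ev.get("logon_process", "").strip().lower() == "ntlmssp"
            and str(ev.get("key_length")) == "0")


def hunt_logon_events(events, rdp_allowed_sources=RDP_ALLOWED_SOURCES):
    """Return (finding, user, source) triples for the checks in the text."""
    findings = []
    for ev in events:
        user, src = ev.get("user"), ev.get("source")
        event_id, logon_type = ev.get("event_id"), str(ev.get("logon_type"))
        if is_pass_the_hash_candidate(ev):
            findings.append(("pth_candidate", user, src))
        elif event_id == 4624 and logon_type == "10" and src not in rdp_allowed_sources:
            findings.append(("rdp_logon_unexpected_source", user, src))
        elif event_id == 4778 and src not in rdp_allowed_sources:
            findings.append(("rdp_reconnect_unexpected_source", user, src))
        elif event_id == 4625 and logon_type == "10":
            # With Network Level Authentication enabled, a failed RDP logon is usually
            # logged as 4625 with Logon Type 3 instead, so widen this filter if needed.
            findings.append(("rdp_failed_logon", user, src))
    return findings


if __name__ == "__main__":
    for finding in hunt_logon_events(SAMPLE_LOGON_EVENTS):
        print(*finding)
```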
Detection of Abnormal Service Creations
We should examine and track Event ID 4697.
We can also check the machine's registry at the keys below.
Windows Services Check
● SYSTEM\ControlSet00#\Services\
● SYSTEM\ControlSet00#\Services\<name>\Start
Detection of Remote Execution Through WinRM
It can be detected by correlating Event ID 4624 with Sysmon Event ID 1. Specifically, we will see a Sysmon Event ID 1 (process creation) whose ParentImage is C:\Windows\System32\winrshost.exe alongside the corresponding Event ID 4624 logon.
Detection of PsExec
To detect PsExec, we can look for 5145 and 5140 (share access), 4697 / 7045 (service installation), and 4688 / Sysmon EID 1 (process creation) being triggered in sequence on the same host.
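A per-host, time-windowed correlation for both the WinRM pattern (4624 followed by a Sysmon EID 1 whose parent is winrshost.exe) and the PsExec chain (share access, then service installation, then process creation) described in the two sections above. This is an added example, not code from the original article; the schema is my own normalisation of Security, System and Sysmon records, the two-minute window is an assumed tuning value, and the share, service and image names in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, host, event_id, channel, **fields):
    """Build one constructed, normalised log record (not real data)."""
    rec = {"time": time, "host": host, "event_id": event_id, "channel": channel}
    rec.update(fields)
    return rec


# Constructed sample: records from four hosts, normalised to one schema.
SAMPLE_REMOTE_EXEC_EVENTS = [
    # SRV01: network logon followed by a child of winrshost.exe -> WinRM remote command
    _ev("2024-01-10T10:00:00", "SRV01", 4624, "Security", user="admin", logon_type=3),
    _ev("2024-01-10T10:00:03", "SRV01", 1, "Sysmon", user="CORP\\admin",
        image="C:\\Windows\\System32\\cmd.exe",
        parent_image="C:\\Windows\\System32\\winrshost.exe"),
    # SRV02: winrshost.exe child, but the only 4624 is hours outside the window
    _ev("2024-01-10T08:00:00", "SRV02", 4624, "Security", user="alice", logon_type=3),
    _ev("2024-01-10T11:00:00", "SRV02", 1, "Sysmon", user="CORP\\alice",
        image="C:\\Windows\\System32\\whoami.exe",
        parent_image="C:\\Windows\\System32\\winrshost.exe"),
    # SRV03: share access -> service installed -> process created, within seconds
    _ev("2024-01-10T12:00:00", "SRV03", 5145, "Security", user="admin", share="\\\\*\\ADMIN$"),
    _ev("2024-01-10T12:00:01", "SRV03", 7045, "System", service_name="EXAMPLE-SVC"),
    _ev("2024-01-10T12:00:02", "SRV03", 4688, "Security", user="admin",
        image="C:\\Windows\\EXAMPLE-SVC.exe"),
    # SRV04: a service installation on its own is not enough
    _ev("2024-01-10T13:00:00", "SRV04", 7045, "System", service_name="LegitAgent"),
]


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def correlate_remote_execution(events, window=timedelta(minutes=2)):
    """Return (pattern, host, user) findings, ordered by host name."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host in sorted(by_host):
        evs = sorted(by_host[host], key=_t)
        for ev in evs:
            t = _t(ev)
            # WinRM: Sysmon EID 1 whose parent is winrshost.exe, with a 4624 on the
            # same host inside the window before it.
            if (ev["event_id"] == 1 and ev["channel"] == "Sysmon"
                    and ev.get("parent_image", "").lower().endswith("\\winrshost.exe")):
                logons = [e for e in evs if e["event_id"] == 4624 and t - window <= _t(e) <= t]
                if logons:
                    findings.append(("winrm_remote_exec", host, ev.get("user")))
            # PsExec-like: a service installation (4697 / 7045) preceded by share access
            # (5140 / 5145) and followed by process creation (4688 / Sysmon EID 1).
            if ev["event_id"] in (4697, 7045):
                shares = [e for e in evs
                          if e["event_id"] in (5140, 5145) and t - window <= _t(e) <= t]
                procs = [e for e in evs
                         if (e["event_id"] == 4688
                             or (e["event_id"] == 1 and e["channel"] == "Sysmon"))
                         and t <= _t(e) <= t + window]
                if shares and procs:
                    findings.append(("psexec_like_chain", host, shares[0].get("user")))
    return findings


if __name__ == "__main__":
    for finding in correlate_remote_execution(SAMPLE_REMOTE_EXEC_EVENTS):
        print(*finding)
```

The window is deliberately short: a WinRM command is spawned within seconds of the logon, and the PsExec chain completes within seconds as well, so a wide window mainly adds false pairings on busy servers.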
Thank you for reading. See you soon :)