Windows Event Log "If Google made $1 every time someone used them to find an answer to a tech support question, they would own Microsoft."


1 Windows Event Log "If Google made $1 every time someone used them to find an answer to a tech support question, they would own Microsoft."

2 Overview
- Operating Systems
- Log Files & Why We Care
- Windows Log File Format & Operations
- Configuration & Operation
- EVTX Format
- Windows Event Logging Framework
- Security Logs
- Records
- Protection of Security Logs
- Analysis and Events to Know
- Pulling it together

3 Welcome to the World of Operating Systems
- Most everything we have done up until this point has been OS agnostic.
- We explored low level concepts which live "beneath" the OS in a computer. The OS is contained within and interacts with these elements.
- Everything you have done so far could be done independent of the OS running on top of the disk and file system layers.
- Now we will move on up to examining the insides of an Operating System.
- The good news: this will be less technically challenging.
- The bad news: this will be less technically challenging.

4 What is an Operating System?
- System software that manages computer hardware and software resources and provides common services for computer programs.
- Intermediary between programs and the computer hardware.
- Manages access to CPU, memory, storage, networking, I/O...
- Coordinates resource access between all applications running on a computer.
- An OS is a huge, complex piece of software. At any given time a great many events take place within the OS.
- Event Logging is a standard, centralized method for the OS and applications to record important information coming from software and hardware.

5 Log Files - Why do we need them?
- Auditing & Compliance
- Disaster Recovery
- Forensic Reconstruction
- Ultimately we want to correlate many apparently disparate artifacts to "paint a picture" or "complete the story" of our examination.
- Recreate a sequence of events.
- Confirm or contradict our forensic hypothesis.
- Consider a user who repeatedly changes system time to frustrate timelining: this generates EventID 4616 (system time change).

6 Event Log Information
- What happened: EventID & event category
- When: Timestamps
- Who: User accounts involved
- Involved Systems: In networked environments, lots of events will reference accounts on remote systems
- Resources accessed: Almost any system resource can be considered an object subject to logging. Look for unauthorized access or access attempts to resources.

7 Windows Event Log
- Stored in %SystemRoot%\System32\Winevt\Logs\
- Files will have the ".evtx" extension.
- Log overwrites - three options:
  - Overwrite oldest events when the log runs out of space
  - Overwrite events older than $num days
  - Manual clearing

8 Windows Event Log
- Log thoroughness depends on audit policy.
- Audit policy is set by sysadmins based on what they think is relevant.
- Can be managed using group policies.
- Can have bad defaults: Win 7 defaulted to no auditing.
- Audit policy is stored in HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv

9 Windows Event Log History
- Older Windows versions used a logging system called "Event Logging."
  - NT, 2000, XP, 2003, and prior
  - This was a much more limited format holding far less information.
- Newer versions of Windows use the "Windows Event Log" mechanism.
  - Vista, Server 2008, and newer
  - Uses a modern, XML based format
  - Changed all the event ID numbers. Fortunately the new EventID numbers are just the old numbers += 4096.

10 EVTX Format
- New format introduced in Vista & Server 2008
- Replaced the deprecated Windows NT 4.0 EVT format
- See pages 4-7 for a complete, thorough listing: windows-event-logging-32949

11 EVTX Format - Event Properties (non-exhaustive)
- Source - Software that logged the event
- EventID - Number identifying the event type
- Level - Classification of event severity
- User - User on whose behalf the event occurred
- OpCode - Numeric value describing the activity the application was performing when it raised the event, e.g. closing
- Date & Time
- Process ID
- Thread ID

12 EVTX Event Levels
- Error - Significant problems such as loss of data or functionality
- Warning - Not a significant problem yet, e.g. low disk space
- Information - Successful operation of applications or services, e.g. services started
- Success Audit - Notification that an audited event completed successfully, e.g. successful user logon
- Failure Audit - Notification that an audited event did not complete, e.g. failed device access

13 EVTX Format - XML Document
- See page 10 for an example of XML formatting: windows-event-logging-32949
- [Google Slides decided that I'm not allowed to insert images into this presentation]
- For a nearly complete listing of EventID numbers see: a/Default.aspx
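Since the slides cannot show the XML itself, here is an added example (not from the slides) of what an EVTX event looks like in its XML rendering and how to pull the properties from slides 11 and 12 out of it. The event is constructed: the host name, record ID, timestamp, account and address are all made up. The parser flattens the System block plus the EventData Name/value pairs into one dict, and the level helper maps the record onto the slide's vocabulary, where Security-log audit outcomes are carried in the Keywords field rather than in Level.

```python
# Added example (not from the slides): flatten one EVTX event's XML rendering
# into a dict and decode its Level / audit Keywords into the slide's level names.
import xml.etree.ElementTree as ET

# XML namespace used by the Windows Event Log's XML rendering of every event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <Level> values used by the event log (numeric codes as written in the XML).
LEVELS = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Security-log events carry Level 0 and signal the audit outcome in <Keywords>:
# these two masks correspond to the slide's "Success Audit" and "Failure Audit".
AUDIT_SUCCESS = 0x8020000000000000
AUDIT_FAILURE = 0x8010000000000000

# Constructed sample: a successful RDP logon (EventID 4624). Every value is made up.
SAMPLE_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-15T08:31:02.123456700Z"/>
    <EventRecordID>1048576</EventRecordID>
    <Execution ProcessID="612" ThreadID="1604"/>
    <Channel>Security</Channel>
    <Computer>WKS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
  </EventData>
</Event>
"""


def parse_event(xml_text: str) -> dict:
    """Return the <System> properties and the <EventData> Name/value pairs as one flat dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    execution = system.find("e:Execution", NS)
    rec = {
        "Source": system.find("e:Provider", NS).get("Name"),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Level": int(system.findtext("e:Level", namespaces=NS)),
        "Opcode": int(system.findtext("e:Opcode", namespaces=NS)),
        "Keywords": int(system.findtext("e:Keywords", namespaces=NS), 16),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "EventRecordID": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "ProcessID": int(execution.get("ProcessID")),
        "ThreadID": int(execution.get("ThreadID")),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    data = root.find("e:EventData", NS)
    if data is not None:
        for item in data.findall("e:Data", NS):
            rec[item.get("Name")] = item.text or ""
    return rec


def level_name(rec: dict) -> str:
    """Map a record to the slide's level vocabulary; the audit outcome wins over <Level>."""
    kw = rec["Keywords"]
    if (kw & AUDIT_SUCCESS) == AUDIT_SUCCESS:
        return "Success Audit"
    if (kw & AUDIT_FAILURE) == AUDIT_FAILURE:
        return "Failure Audit"
    return LEVELS.get(rec["Level"], f"Level {rec['Level']}")


if __name__ == "__main__":
    event = parse_event(SAMPLE_XML)
    print(level_name(event), event["EventID"], event["TimeCreated"], event["TargetUserName"])
```

On a real system the same XML is what `wevtutil qe Security /f:xml` or PowerShell's `Get-WinEvent` (via `.ToXml()`) hands back, so the parser applies unchanged to exported events; only the Data names vary per EventID.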

14 EVTX Format - File Structure
- Small header
- 64Kb chunks loaded as needed
- Improves performance through reduced resource usage
- Less likely sysadmins will turn off logging to increase performance

15 Windows Event Logging Structure
- Two channel groups:
  - Windows Logs
  - Application and Services Logs

16 Windows Event Logging Categories
- Windows Event Log channels:
  - Application.evtx - Events logged by applications or programs
  - Security.evtx - Valid and invalid logon attempts; events relating to resource use (creating/opening/deleting a file/object)

17 Windows Event Logging Categories
- Windows Event Log channels:
  - System.evtx - Events logged by Windows system components, e.g. driver failure, failure of a system component to load
  - Setup.evtx - Application setup related events
  - ForwardedEvents.evtx - Stores events collected from remote computers

18 Windows Event Logging Categories
- Application and Services Logs
  - Many individual channels which publish events from a single application or component
  - Each channel has two subtypes, each with two further subtypes
  - Serviced - can be forwarded / collected remotely
    - Operational - Used to analyze and diagnose problems or occurrences, e.g. connecting to a wifi access point. Examiner can look up access point MAC geolocation data:

19 Windows Event Logging Categories
- Application and Services Logs
  - Serviced - can be forwarded / collected remotely
    - Admin - Indicates problems with well-defined solutions admins can act on

20 Windows Event Logging Categories
- Application and Services Logs
  - Direct - cannot be forwarded / collected remotely
    - Analytic - Published in high volume; describe program operations; indicate problems that cannot be handled by user intervention
    - Debug - Events used by developers to troubleshoot their programs

21 Windows Event Logging Categories
- Servers often have extra log files dedicated to server operations:
  - Directory Service - Records events from Active Directory and services based on it
  - File Replication Service - Records events about updates between Domain Controllers
  - DNS Server - Records zone management events and DNS server operations, e.g. start, stop

22 Security Logs
- These records hold audit events: user activity covered by local or group audit policies.
- Some information that can be logged:
  - Account Logon - Events which authorize the user; could be on a workstation or Domain Controller
  - Account Management - Account maintenance and modification
  - Logon Events - Every logon or logoff event on the local system
  - Directory Service - Attempts to access objects of the Active Directory

23 Security Logs
- Some information that can be logged:
  - Object Access - Access to objects which have their own access control list
  - Policy Change - Modifications of users' rights and audit policies
  - Privilege Use - Each case of an account exercising a user right
  - Process Tracking - Start, stop, and object access of processes
  - System Events - Startup & shutdown events

24 Security Logs - Examples of useful events
- EventID 4624: Successful logon
- EventID 4625: Failed logon
- EventID 4776: Successful / failed authentication
- EventID 4720: A user account was created
- EventID 4732: A member was added to a security-enabled local group
- EventID 4728: A member was added to a security-enabled global group

25 Security Logs - Table of Logon Codes for EventIDs 4624/4625
- 2 - Interactive (logon at the keyboard and screen of the system)
- 3 - Network (i.e. connection to a shared folder on this computer from elsewhere on the network)
- 4 - Batch (i.e. scheduled task)
- 5 - Service (service startup)
- 7 - Unlock (i.e. unattended workstation with a password protected screen saver)
- 8 - NetworkCleartext (logon with credentials sent in clear text; most often indicates a logon to IIS with "basic authentication")
- See this article for more information.

26 Security Logs - Table of Logon Codes for EventIDs 4624/4625
- 9 - NewCredentials (such as with RunAs or mapping a network drive with alternate credentials). This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see
- 10 - RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
- 11 - CachedInteractive (logon with cached domain credentials, such as when logging on to a laptop when away from the network)

27 Security Logs - Integrity Protections
- No general API for writing to the Security event log.
- The API is only available to the Local Security Authority Subsystem Service (LSASS).
- LSASS is responsible for applying security policies to the system.
- Administrator permissions are required to review, export, or clear the Security event log.

28 Security EventID 4688 - New Process Created
- Can look for system compromise by looking for unusual processes:
  - Close misspellings of common process names
  - Begins with a lowercase drive letter - suggests the process was started from the command line or from a script or batch file
  - Long string of empty spaces, e.g. "Employee Handbook.pdf exe"
  - Common Windows processes running from a nonstandard path

29 Security EventID 4688 - New Process Created
- Can look for system compromise by looking for unusual processes:
  - Process ID numbers - look at the parent process for suspicious relationships
  - cmd.exe should not be the parent of lsass.exe, nor the other way around
  - Most user processes have parent Explorer.exe
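The indicators on slides 28 and 29 are easy to turn into a first-pass triage over exported 4688 records. The following is an added example, not from the slides: the records, paths and the allow-list of expected directories are constructed for the demonstration, and the edit-distance threshold of 2 is an assumption you would tune against your own environment.

```python
# Added example (not from the slides): heuristic triage of EventID 4688 records
# using the indicators listed on the slides. Records and paths are constructed.
import ntpath
import re

# Where the common Windows processes named below are expected to live (lower-cased).
# This allow-list is an assumption for the example, not an authoritative reference.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "cmd.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Parent/child pairs that should never occur (from the slide: cmd.exe and lsass.exe).
FORBIDDEN_PARENT_CHILD = {("cmd.exe", "lsass.exe"), ("lsass.exe", "cmd.exe")}

# Constructed 4688 records: only the two fields the heuristics need.
SAMPLE_4688 = [
    {"NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"NewProcessName": r"c:\users\jdoe\downloads\Employee Handbook.pdf                .exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"NewProcessName": r"C:\Users\Public\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"NewProcessName": r"C:\Windows\System32\lsass.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch near-misspellings of known names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_4688(rec: dict) -> list:
    """Return the slide indicators that fire for one 4688 record (empty list = nothing odd)."""
    path = rec["NewProcessName"]
    directory, base = ntpath.split(path)
    dir_l, base_l = directory.lower(), base.lower()
    parent_l = ntpath.basename(rec.get("ParentProcessName", "")).lower()
    findings = []

    # A lowercase drive letter suggests a command-line, script or batch launch.
    if path[:1].islower() and path[1:3] == ":\\":
        findings.append("lowercase drive letter")

    # Runs of spaces hide the real extension at the end of a file-name column.
    if re.search(r" {4,}", base):
        findings.append("long run of spaces in file name")

    if base_l in EXPECTED_DIR:
        # Known name: it must run from its usual directory.
        if dir_l != EXPECTED_DIR[base_l]:
            findings.append(f"{base} running from nonstandard path {directory}")
    else:
        # Unknown name: is it within two edits of a well-known one?
        for known in EXPECTED_DIR:
            if levenshtein(base_l, known) <= 2:
                findings.append(f"{base} resembles {known}")
                break

    # Parent/child relationships that should not exist (slide 29).
    if (parent_l, base_l) in FORBIDDEN_PARENT_CHILD:
        findings.append(f"suspicious parent/child: {parent_l} -> {base_l}")
    return findings


def triage(records: list) -> list:
    """Return (index, findings) for every record with at least one indicator."""
    return [(i, f) for i, r in enumerate(records) if (f := assess_4688(r))]


if __name__ == "__main__":
    for idx, found in triage(SAMPLE_4688):
        print(idx, SAMPLE_4688[idx]["NewProcessName"], "->", "; ".join(found))
```

Each heuristic is deliberately independent, so one record can carry several findings (the padded-name sample trips both the lowercase-drive and the spaces checks); rank by the number of findings rather than treating any single one as proof.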

30 Security EventID 4097 - Application Crash
- Many legitimate reasons for an application to crash, but it could also be an attack such as a buffer overflow.
- Spear phishing can cause crashes in: Adobe Reader, Adobe Acrobat, Adobe Flash, Microsoft Office
- If the Windows Enhanced Mitigation Experience Toolkit (EMET) is running, it will crash an application if it detects a memory manipulation exploit.

31 Security EventID 64006 - Windows File Protection Warning
- Windows File Protection monitors critical system files and attempts to prevent unauthorized software from modifying or changing those files.
- Generates alerts when changes are attempted to these files.
- Alerts here may indicate malicious activity.

32 Security Logs - Detecting Persistence
- Create and install a new service (EventID 4697)
- Create a new scheduled task (EventID 4968)
- Modify registry keys to start a service at boot (EventID 4657)
- Disable virus protection:
  - The terminated unexpectedly.* (EventID 7034)
  - The was successfully sent a .* (EventID 7035)
  - The entered the stopped state.* (EventID 7036)
  - The service was changed from.* (EventID 7040)
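The four message patterns on this slide only become useful once the service name is pulled out of them and joined with the 4697 service-install records. The following added example (not from the slides) does that over constructed Security and System events: it flags a new service whose binary lives outside the Windows directory, and flags a protected service being sent a stop control, entering the stopped state, or having its start type changed to disabled. The regexes assume the standard English wording of the Service Control Manager messages, and the protected-service name is a constructed placeholder for whatever antivirus runs in your environment.

```python
# Added example (not from the slides): correlate the persistence indicators on the
# slide. 4697 records are checked for a service binary outside the Windows directory,
# and Service Control Manager messages (7034/7035/7036/7040) are parsed to see whether
# a protected (antivirus) service was stopped or disabled. Message wording in the
# patterns is an assumption based on the standard English SCM text; all events are constructed.
import re

SCM_PATTERNS = {
    7034: re.compile(r"^The (?P<svc>.+) service terminated unexpectedly"),
    7035: re.compile(r"^The (?P<svc>.+) service was successfully sent a (?P<control>\w+) control"),
    7036: re.compile(r"^The (?P<svc>.+) service entered the (?P<state>\w+) state"),
    7040: re.compile(r"^The start type of the (?P<svc>.+) service was changed from (?P<old>.+) to (?P<new>.+?)\.?$"),
}

# Services whose stopping or disabling deserves attention (constructed name for the example).
PROTECTED_SERVICES = {"Windows Defender Antivirus Service"}

# Constructed event stream, already flattened to dicts; times and names are made up.
EVENTS = [
    {"Channel": "Security", "EventID": 4697, "Time": "2024-01-15T09:10:00Z",
     "ServiceName": "WinUpdateSvc", "ServiceFileName": r"C:\Users\Public\upd.exe"},
    {"Channel": "System", "EventID": 7035, "Time": "2024-01-15T09:10:05Z",
     "Message": "The Windows Defender Antivirus Service service was successfully sent a stop control."},
    {"Channel": "System", "EventID": 7036, "Time": "2024-01-15T09:10:06Z",
     "Message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"Channel": "System", "EventID": 7040, "Time": "2024-01-15T09:10:07Z",
     "Message": "The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled."},
    {"Channel": "System", "EventID": 7036, "Time": "2024-01-15T09:12:00Z",
     "Message": "The Print Spooler service entered the running state."},
    {"Channel": "System", "EventID": 7034, "Time": "2024-01-15T09:15:00Z",
     "Message": "The WinUpdateSvc service terminated unexpectedly.  It has done this 1 time(s)."},
]


def parse_scm(event: dict):
    """Return the named groups of a modelled SCM message, or None for any other event."""
    pattern = SCM_PATTERNS.get(event["EventID"])
    if pattern is None:
        return None
    m = pattern.match(event.get("Message", ""))
    return m.groupdict() if m else None


def service_install_findings(events: list) -> list:
    """4697 records whose service binary lives outside C:\\Windows."""
    out = []
    for e in events:
        if e["EventID"] == 4697:
            path = e.get("ServiceFileName", "")
            if not path.lower().startswith("c:\\windows\\"):
                out.append(f'{e["Time"]} service {e["ServiceName"]} installed from {path}')
    return out


def protection_findings(events: list) -> list:
    """SCM events that stop, crash or disable a protected service."""
    out = []
    for e in events:
        fields = parse_scm(e)
        if not fields or fields["svc"] not in PROTECTED_SERVICES:
            continue
        eid = e["EventID"]
        if (eid == 7034
                or (eid == 7035 and fields["control"] == "stop")
                or (eid == 7036 and fields["state"] == "stopped")
                or (eid == 7040 and fields["new"] == "disabled")):
            out.append(f'{e["Time"]} {eid} {fields["svc"]}: {e["Message"]}')
    return out


def persistence_report(events: list) -> list:
    """All findings in time order (the timestamp prefix sorts chronologically)."""
    return sorted(service_install_findings(events) + protection_findings(events))


if __name__ == "__main__":
    for line in persistence_report(EVENTS):
        print(line)
```

Reading the report in time order is the point: a service install from a user-writable path followed within seconds by the antivirus service being stopped and set to disabled is the sequence this slide is describing, whereas any one of those events on its own is routine.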

33 Security Logs - Detecting Lateral Movement
- Once an attacker is in one computer they often try to pivot to other machines in the network.
- If they have harvested valid credentials this can be difficult to detect.
- Need to look for unusual host-to-host network based logins.
- Triggers a Network Login event - EventID 4625
- Usually a type 3 login. RDP will be a type 10.

34 Examining Security.evtx for suspicious logins
- Load the Security log into your preferred tool.
- Display all users who logged in: EventID 4624.
- Look for unusual accounts. Suppose we find "SYSADMIN" accounts.

35 Examining Security.evtx for suspicious logins
- Filter events where "SYSADMIN" is in the Description field. This will display every event related to this user.
  - Ex: EventID 4720 Account Creation
  - Ex: EventID 4624 Successful Logon
- Next, maybe review types of logins: filter Logon Type equals 10. Now we can see every RDP logon made by this user.
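The walk-through on slides 34 and 35, and the fan-out check slide 33 asks for, can be done with a few filters over flattened records. The following added example (not from the slides) runs them over a constructed set of Security-log events; every host name, address, account and time is made up. The logon-type table is the one from slides 25 and 26, and "Description contains" is approximated as any field value containing the text.

```python
# Added example (not from the slides): the slide's walk-through over constructed
# Security-log records: list logged-on accounts (4624), pull every event mentioning
# an account, filter by logon type, and flag network/RDP logon fan-out (slide 33).
# Hosts, addresses, accounts and times are all made up.
from collections import defaultdict

# Logon type numbers as listed on the slides.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service", "7": "Unlock",
    "8": "NetworkCleartext", "9": "NewCredentials", "10": "RemoteInteractive", "11": "CachedInteractive",
}
NETWORK_TYPES = {"3", "10"}  # host-to-host logon types relevant to lateral movement

EVENTS = [
    {"Time": "2024-01-15T08:31:02Z", "EventID": 4624, "Computer": "WKS01", "TargetUserName": "jdoe",
     "LogonType": "2", "IpAddress": "-", "WorkstationName": "WKS01"},
    {"Time": "2024-01-15T09:02:11Z", "EventID": 4720, "Computer": "DC01", "TargetUserName": "SYSADMIN",
     "SubjectUserName": "jdoe"},
    {"Time": "2024-01-15T09:05:40Z", "EventID": 4624, "Computer": "WKS01", "TargetUserName": "SYSADMIN",
     "LogonType": "10", "IpAddress": "10.0.0.25", "WorkstationName": "WKS07"},
    {"Time": "2024-01-15T09:08:13Z", "EventID": 4624, "Computer": "FS01", "TargetUserName": "SYSADMIN",
     "LogonType": "3", "IpAddress": "10.0.0.25", "WorkstationName": "WKS07"},
    {"Time": "2024-01-15T09:11:57Z", "EventID": 4625, "Computer": "DC01", "TargetUserName": "SYSADMIN",
     "LogonType": "3", "IpAddress": "10.0.0.25", "WorkstationName": "WKS07"},
    {"Time": "2024-01-15T09:14:30Z", "EventID": 4624, "Computer": "WKS02", "TargetUserName": "SYSADMIN",
     "LogonType": "10", "IpAddress": "10.0.0.25", "WorkstationName": "WKS07"},
    {"Time": "2024-01-15T10:00:00Z", "EventID": 4624, "Computer": "FS01", "TargetUserName": "backup_svc",
     "LogonType": "5", "IpAddress": "-", "WorkstationName": "-"},
    {"Time": "2024-01-15T10:20:45Z", "EventID": 4624, "Computer": "WKS01", "TargetUserName": "jdoe",
     "LogonType": "3", "IpAddress": "10.0.0.5", "WorkstationName": "FS01"},
]


def logged_on_accounts(events: list) -> list:
    """Slide 34: every account with a successful logon (4624)."""
    return sorted({e["TargetUserName"] for e in events if e["EventID"] == 4624})


def events_mentioning(events: list, needle: str) -> list:
    """Slide 35, step 1: 'Description contains', approximated as any field containing the text."""
    needle = needle.lower()
    return [e for e in events if any(needle in str(v).lower() for v in e.values())]


def logons_of_type(events: list, account: str, logon_type: str) -> list:
    """Slide 35, step 2: successful logons of one account with one logon type (e.g. 10 = RDP)."""
    return [e for e in events if e["EventID"] == 4624 and e["TargetUserName"] == account
            and e.get("LogonType") == logon_type]


def describe(e: dict) -> str:
    """One-line rendering of a record with the logon type spelled out."""
    parts = [e["Time"], str(e["EventID"]), e["TargetUserName"]]
    t = e.get("LogonType")
    if t:
        parts.append(f"{LOGON_TYPES.get(t, 'unknown')}({t})")
    parts.append(f'from {e.get("IpAddress", "-")} on {e["Computer"]}')
    return " ".join(parts)


def network_fan_out(events: list) -> dict:
    """(account, source ip) -> set of target computers reached by a successful type 3/10 logon."""
    edges = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") in NETWORK_TYPES:
            edges[(e["TargetUserName"], e["IpAddress"])].add(e["Computer"])
    return edges


def lateral_movement_candidates(events: list, min_targets: int = 2) -> list:
    """Slide 33: one source reaching several hosts over the network with the same account."""
    return sorted((acct, ip, sorted(hosts))
                  for (acct, ip), hosts in network_fan_out(events).items()
                  if len(hosts) >= min_targets)


if __name__ == "__main__":
    print("accounts:", logged_on_accounts(EVENTS))
    for e in events_mentioning(EVENTS, "SYSADMIN"):
        print(describe(e))
    print("RDP logons:", len(logons_of_type(EVENTS, "SYSADMIN", "10")))
    print("fan-out:", lateral_movement_candidates(EVENTS))
```

The fan-out function counts only successful logons, so the failed 4625 against DC01 does not add a target; keep the 4625 records visible alongside them, though, since a burst of failures from the same source immediately before the successes is part of the same story.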

36 Questions?

37 Other useful tools
- Fred ( - A Java based GUI tool for parsing Windows event logs.

