
Uncover Malicious Activity with Windows Event Log Analysis


Last updated 4 months ago

Windows Event Logs Overview

Uncovering malicious activity with Windows Event Log Analysis involves examining specific logs to identify abnormal behaviors, trace attackers' activities, and understand the scope of an incident.

Path: C:\Windows\System32\winevt\logs

The target system logs are located at: C:\Cases\E\Windows\System32\winevt\logs

We can see our logs using Event Viewer.

Analyzing Windows Event Logs with Event Log Explorer and EvtxECmd

Let's open the Application.evtx log file in Event Log Explorer.

Let’s explore what can be achieved with this tool.

We can filter logs by Event ID, description text, time frame, and other criteria.

We can also use the EvtxECmd tool to parse all event logs from the target system into a single CSV file:

```shell
EvtxECmd.exe -d C:\Cases\E\Windows\System32\winevt\logs --csv C:\Cases\Analysis\EventLogs
```

Let's open the resulting CSV file in Timeline Explorer.

We can sort or filter using any of these columns.

Windows Defender Event Log Analysis

Windows Defender, part of the built-in security suite in Windows, generates logs that provide detailed information about security-related activities on the system. These logs can be critical for detecting malicious behavior, monitoring threats, and troubleshooting security issues. Windows Defender logs events related to malware detection, scan results, real-time protection, and updates.

| Source | Event ID | Description |
|---|---|---|
| Microsoft-Windows-Windows-Defender | 5000 | Defender Enabled |
| Microsoft-Windows-Windows-Defender | 5001 | Defender Disabled |

Analyzing Service Installs

When a new service is installed or modified on a Windows system, it generates event logs that can provide valuable information about the service's installation, configuration, and any changes made. By analyzing these event logs, you can detect malicious activities, unauthorized service installations, or changes to legitimate services.

Event ID: 7045 (A new service was installed)

Let's open the System.evtx log file in Event Log Explorer.

Let's filter by Event ID 7045.

Security Event Log and Authentication Events

The Security Event Log on Windows systems records significant security-related events, including user logons, logoff activities, authentication attempts, and account management actions. Analyzing these events helps to detect potential security incidents such as unauthorized access, privilege escalation, or lateral movement within a network.

Event ID: 4624 (Successful Logon)

Let's open the Security.evtx log file in Event Log Explorer and filter by Event ID 4624.

The Security ID (SID) is a unique identifier assigned to a user, group, or computer account in Windows. It is used internally by the operating system to manage access to resources and track actions performed by specific accounts.

  • S-1-5-18: Local System account.

  • S-1-5-19: Local Service account.

  • S-1-5-20: Network Service account.

Logon types describe how a user accessed the system. They are crucial for identifying the nature of an authentication event.

| Logon Type | Name | Description |
|---|---|---|
| 2 | Interactive | Physical logon at a system (e.g., console). |
| 3 | Network | Access via network (e.g., SMB, web access). |
| 10 | RemoteInteractive | RDP or Terminal Services logon. |

Let's filter by Account Name Sec504.

Authentication Events and Logon IDs

Logon ID is a unique hexadecimal identifier that correlates logon sessions across multiple event logs.

When you log in to a Windows system, it is common to see two hexadecimal Logon IDs generated: one for a low-privilege session and another for a higher-privilege session. This happens because Windows uses User Account Control (UAC) to manage privilege levels for interactive logons.

  • Low-Privilege Logon ID:

    • When you log in interactively, Windows first creates a standard user session by default, even if you are an administrator.

    • This session operates under a low-privilege token to reduce the risk of accidental or malicious changes to the system.

    • It is associated with a Logon Type 2 (Interactive Logon).

  • High-Privilege Logon ID:

    • If you perform an action that requires administrative rights (e.g., running a program as an administrator), UAC creates a second session with a high-privilege token.

    • This session is linked to your account but is treated as a separate process requiring explicit elevation.

    • This elevated session will have its own Logon ID.

Logon IDs play a crucial role in forensic investigations by enabling analysts to correlate different activities and actions performed during a specific session.

Let's review the actions associated with Logon ID 0xe64e2.

Let's review the actions associated with Logon ID 0xe64b4.

We can see that a new user has been added to the Administrators group.
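To show how Logon IDs tie a 4624 logon to the actions performed under that session, here is an added example (not code from the original page) that correlates constructed, simplified Security log records: it recovers the UAC split-token pair for an interactive logon and flags the session that added a member to the Administrators group. The field names, Logon IDs and the svc_backup account are assumptions built for the sample.

```python
"""Correlate Security log events by Logon ID (added example, not from the page).
Records are constructed, simplified forms of 4624 (logon), 4672 (special
privileges), 4720 (user created) and 4732 (member added to a local group)."""
from collections import defaultdict

EVENTS = [  # constructed sample: a UAC split logon for Sec504 plus a network logon
    {"EventID": 4624, "TargetUserName": "Sec504", "TargetLogonId": "0xe64b4",
     "LogonType": 2, "ElevatedToken": "Yes"},
    {"EventID": 4624, "TargetUserName": "Sec504", "TargetLogonId": "0xe64e2",
     "LogonType": 2, "ElevatedToken": "No"},
    {"EventID": 4672, "SubjectUserName": "Sec504", "SubjectLogonId": "0xe64b4"},
    {"EventID": 4720, "SubjectUserName": "Sec504", "SubjectLogonId": "0xe64b4",
     "TargetUserName": "svc_backup"},
    {"EventID": 4732, "SubjectUserName": "Sec504", "SubjectLogonId": "0xe64b4",
     "TargetUserName": "Administrators", "MemberName": "svc_backup"},
    {"EventID": 4624, "TargetUserName": "ANALYST$", "TargetLogonId": "0x1a2b3c",
     "LogonType": 3, "ElevatedToken": "No"},
]
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


def build_sessions(events):
    """Map each Logon ID from a 4624 to its session and the event IDs run under it."""
    sessions = {}
    for e in events:
        if e["EventID"] == 4624:
            sessions[e["TargetLogonId"]] = {
                "user": e["TargetUserName"],
                "logon_type": LOGON_TYPES.get(e["LogonType"], str(e["LogonType"])),
                "elevated": e["ElevatedToken"] == "Yes", "actions": []}
    for e in events:  # later events reference the session via SubjectLogonId
        lid = e.get("SubjectLogonId")
        if lid in sessions:
            sessions[lid]["actions"].append(e["EventID"])
    return sessions


def uac_pairs(sessions):
    """Users whose interactive logon produced more than one Logon ID (UAC split token)."""
    by_user = defaultdict(list)
    for lid, s in sessions.items():
        if s["logon_type"] == "Interactive":
            by_user[s["user"]].append(lid)
    return {u: sorted(ids) for u, ids in by_user.items() if len(ids) > 1}


def admin_group_changes(events, sessions):
    """Flag 4732 additions to Administrators, joined to the session that performed them."""
    hits = []
    for e in events:
        if e["EventID"] == 4732 and e["TargetUserName"] == "Administrators":
            s = sessions.get(e["SubjectLogonId"], {})
            hits.append((e["SubjectLogonId"], s.get("user"), s.get("logon_type"), e["MemberName"]))
    return hits
```

Run it against EvtxECmd output by mapping the CSV rows into the same dictionaries; the join key is always the Logon ID.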

PowerShell Event Logs Overview

PowerShell provides detailed logging of its activities, which can be very useful in forensic investigations, especially when analyzing the execution of malicious scripts or tracking administrative activities. The logs capture events related to PowerShell script executions, command usage, and PowerShell module activities. These logs are particularly valuable for detecting malicious activity, lateral movement, or misuse of PowerShell for post-exploitation activities.

Event ID: 400 (Engine state is changed from none to available)

  • This event logs the start of a PowerShell script execution. It includes:

    • CommandLine: The PowerShell command or script that was run.

    • User: The user who initiated the command.

    • ScriptPath: The location of the script, if applicable.

  • Use Case: You can use this event to track the start of potentially malicious PowerShell scripts on the system.

Event ID: 403 (PowerShell script ended)

  • This event logs the completion of a PowerShell script execution. It records:

    • Exit Code: The exit status of the script (successful or error).

    • Duration: The time taken for the script to execute.

  • Use Case: Investigating the completion of PowerShell scripts, especially if the exit code indicates a failure or error during execution.

Two files are available. Let's load them into Event Log Explorer.

The HostApplication field in PowerShell event logs refers to the application that is running the PowerShell script or command. It helps identify which process is executing the PowerShell command. In the example shown:

  • HostApplication: powershell.exe

    • This indicates that the PowerShell command is being executed from the PowerShell executable, meaning that a standard PowerShell process is running the command.

  • Command: {Remove-Item -path $env:TEMP\deleteme_T1551.004}

    • This is the PowerShell command being executed. In this case, the command is attempting to remove a file named deleteme_T1551.004 located in the TEMP directory.

Regularly monitor Event ID 4104 to detect potentially malicious commands being executed in your environment, especially from non-administrative users or unexpected processes. If a system is compromised, Event ID 4104 will show what scripts or commands were executed by the attacker, helping you trace their activity.

This command runs a PowerShell script that:

  1. Sets the variable $url to the location of a malicious Excel file (PhishingAttachment.xlsm) hosted on GitHub.

  2. Configures the PowerShell session to use TLS 1.2 for secure communication ([Net.ServicePointManager]::SecurityProtocol).

  3. Uses Invoke-WebRequest to download the malicious Excel file from the URL and saves it to the system's TEMP directory with the name PhishingAttachment.xlsm.

This type of command is typically used in phishing attacks, where a malicious file is downloaded and potentially executed to compromise the system.

The next script block establishes persistence. Here's a brief explanation of what it does:

  1. Copying the Batch File:

    • It copies the file batstartup.bat from the source directory (C:\AtomicRedTeam\atomics\T1547.001\src\batstartup.bat) to two startup locations:

      • $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat (for the current user).

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat (for all users).

  2. Executing the Batch File:

    • It uses Start-Process to run the batch file from both startup locations. This ensures that the batch file is executed every time the system starts, maintaining persistence.

Detecting Malicious Events in Sysmon Event Logs

Detecting malicious activity in Sysmon logs involves analyzing specific event IDs and correlating patterns of suspicious behavior. Sysmon, or System Monitor, provides detailed information about system activity that can be used to detect anomalies and threats.

  • Event ID 1: Process Creation

    • Logs every process start, including command-line arguments.

  • Event ID 3: Network Connection

    • Logs TCP/UDP connections made by processes.

  • Event ID 7: Image Load

    • Detects DLL injection or unusual libraries loaded into processes.

  • Event ID 8: CreateRemoteThread

    • Tracks threads created in the address space of another process.

  • Event ID 11: File Creation

    • Monitors file creation activities.

  • Event ID 12 & 13: Registry Key and Value Changes

    • Tracks changes to the registry.

  • Event ID 22: DNS Query

    • Logs DNS requests made by processes.

Let's open the "Microsoft-Windows-Sysmon" file and filter by Event ID 1 and the keyword "mavinject".

Let's filter for Event ID 3 to analyze network connections.
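The two filters above (Event ID 1 by keyword, then Event ID 3 for the resulting process) can be chained on the ProcessGuid that Sysmon stamps on both events. Here is an added example (not code from the original page) that does this over constructed Sysmon-style records; it generalizes the keyword step to any list of keywords. The GUIDs, paths and addresses are assumptions built for the sample.

```python
"""Pivot from Sysmon Event ID 1 hits to Event ID 3 connections by ProcessGuid
(added example, not from the page). Records are constructed; field names
follow Sysmon's EventData names."""

SYSMON = [  # constructed sample: one suspicious process creation and two connections
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\mavinject.exe",
     "CommandLine": "mavinject.exe 4321 C:\\Users\\Public\\inj.dll",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\mavinject.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "192.0.2.5", "DestinationPort": 445, "Protocol": "tcp"},
]


def find_process_creations(records, keywords):
    """ProcessGuids of Event ID 1 records whose Image or CommandLine contains a keyword."""
    if isinstance(keywords, str):
        keywords = [keywords]
    wanted = [k.lower() for k in keywords]
    hits = []
    for r in records:
        if r["EventID"] != 1:
            continue
        haystack = (r["Image"] + " " + r["CommandLine"]).lower()
        if any(k in haystack for k in wanted):
            hits.append(r["ProcessGuid"])
    return hits


def network_connections_for(records, guids):
    """Event ID 3 connections made by the given ProcessGuids, as (ip, port, protocol)."""
    return [(r["DestinationIp"], r["DestinationPort"], r["Protocol"])
            for r in records if r["EventID"] == 3 and r["ProcessGuid"] in guids]


def hunt(records, keywords):
    """Chain both steps: each matching process with its parent and its connections."""
    guids = find_process_creations(records, keywords)
    result = {}
    for r in records:
        if r["EventID"] == 1 and r["ProcessGuid"] in guids:
            result[r["ProcessGuid"]] = {"image": r["Image"], "parent": r["ParentImage"],
                                        "connections": network_connections_for(records, {r["ProcessGuid"]})}
    return result
```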