
Analyzing Windows event logs for malicious activity





What is the Windows event log?
The Windows event log is the record Windows keeps of what happens on a computer: errors, warnings and informational messages from the system and applications, and, in the Security log, audit records such as logons, privilege use and object access. Event Viewer is the built-in tool for reading it.

There are many Security Information and Event Management (SIEM) tools that collect and analyze logs and monitor for security threats; these products offer many advanced features, but you do not need one to get started.

In this article, we are going to use the Windows Event Viewer to perform a simple security analysis and create a simple custom view for monitoring.

We are going to use event ID 4672, Special privileges assigned to new logon.
This event is logged whenever an account that holds any "administrator-equivalent" user right (such as SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege or SeTcbPrivilege) logs on; the event records the account, its logon ID and the privileges granted. There are good reasons to monitor it: we usually give employees standard user rights, and an attacker who gets a foothold on such an account will try privilege escalation (e.g. Metasploit's Meterpreter getsystem command, which tries several techniques to obtain SYSTEM-level privileges). Keep in mind that 4672 is also logged at every logon of SYSTEM and the built-in service accounts, so the signal is not the event itself but an unexpected account, time or privilege set.
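As an added example (not part of the original post), the PowerShell script below pulls the last 24 hours of 4672 events from the local Security log and reports which accounts received which privileges and when. The set of "expected" accounts it drops (SYSTEM, LOCAL SERVICE, NETWORK SERVICE, and the DWM-n / UMFD-n virtual accounts under S-1-5-90 and S-1-5-96) is an assumption about what counts as noise on a typical workstation; adjust it for your environment. Run it from an elevated prompt.

```powershell
# Added example: list who received special privileges in the last 24 hours, from the local
# Security log. Run from an elevated prompt (standard users cannot read the Security log).
$since = (Get-Date).AddHours(-24)

# Assumed noise: built-in service accounts (S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE,
# S-1-5-20 NETWORK SERVICE) and the Window Manager / Font Driver Host virtual accounts
# (DWM-n under S-1-5-90, UMFD-n under S-1-5-96) log 4672 constantly and are dropped here.
function Test-ExpectedSid {
    param([string]$Sid)
    return ($Sid -in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') -or $Sid -like 'S-1-5-90-*' -or $Sid -like 'S-1-5-96-*'
}

try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction Stop
} catch {
    # Get-WinEvent reports "no events" as an error; treat it as an empty result.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

$report = foreach ($e in $events) {
    # 4672 stores its fields in <EventData>; pull them into a hashtable keyed by field name.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if (Test-ExpectedSid $data['SubjectUserSid']) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId    = $data['SubjectLogonId']
        # PrivilegeList is whitespace-separated in the event; normalise it to a comma list.
        Privileges = (($data['PrivilegeList'] -split '\s+') | Where-Object { $_ }) -join ','
    }
}

# Summary per account: how many privileged logons and when the last one happened. An account
# that should only ever hold standard rights, or a logon at an odd hour, is what to chase.
$report |
    Group-Object Account |
    Select-Object Name, Count, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize

# Full timeline, including which privileges came with each logon (SeDebugPrivilege or
# SeTcbPrivilege on an ordinary user account deserves a closer look).
$report | Sort-Object Time | Format-Table Time, Account, LogonId, Privileges -Wrap
```

The LogonId column is the value to carry into other events from the same session (4624, 5140 and so on), which is how you move from "this account got admin rights" to "and here is what it did with them".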

Sample list of event IDs:

  ID     Message
  4672   Special privileges assigned to new logon.
  4673   A privileged service was called.
  4674   An operation was attempted on a privileged object.
  5140   A network share object was accessed.
  5142   A network share object was added.
  5145   A network share object was checked to see whether the client can be granted desired access.

A list of event IDs can be found here:



Open Event Viewer as an administrator: click the Start button, search for Event Viewer, right-click it and choose Run as administrator. The Security log, where 4672 is written, is not readable by a standard user.


We are going to filter the Security log (Windows Logs > Security) to show only special-privilege logons: open Filter Current Log from the Actions pane and enter 4672 in the event ID field.



Now you can go through each special logon and decide, from the account and the time it happened, whether it was authorized.



Next, we are going to create a custom view (Action > Create Custom View...) to monitor special logons, using the same Security log and event ID 4672 filter.



Here we name it Custom Special Logon.



Now it appears under Custom Views, and we can click it whenever we want to check for special logons.



There are a lot of configuration options available (event levels, sources, keywords, users and time range); make a custom view that suits your needs.
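A custom view is stored as an XPath query over the event XML, and the same query language works from PowerShell. The block below is an added example (not from the original post): it shows the Custom Special Logon filter in the form Event Viewer accepts on the XML tab of the Create Custom View dialog when "Edit query manually" is ticked, extended with a 24-hour window and an exclusion for the SYSTEM account (S-1-5-18), and then runs the identical query with Get-WinEvent -FilterXml, so the view and the script return the same events. The SYSTEM exclusion is a noise-reduction choice, not something the article prescribes.

```powershell
# Added example: the "Custom Special Logon" view as an XML query.
# This is the query language Event Viewer uses; paste the <QueryList> into the XML tab of
# Create Custom View (tick "Edit query manually"), or run it with Get-WinEvent as below.
$customView = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4672 in the last 24 h (86400000 ms), ignoring the SYSTEM account (S-1-5-18). -->
    <Select Path="Security">*[System[(EventID=4672) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]] and *[EventData[Data[@Name='SubjectUserSid'] != 'S-1-5-18']]</Select>
  </Query>
</QueryList>
'@

# Run from an elevated prompt; the Security log is not readable by standard users.
# For 4672 the rendered properties are, in order: SubjectUserSid, SubjectUserName,
# SubjectDomainName, SubjectLogonId, PrivilegeList.
Get-WinEvent -FilterXml ([xml]$customView) -MaxEvents 100 |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[2].Value + '\' + $_.Properties[1].Value } },
        @{ n = 'LogonId'; e = { '0x{0:x}' -f $_.Properties[3].Value } } |
    Format-Table -AutoSize
```

Keeping the query in a file next to your runbooks means the view can be recreated on any machine in seconds, and the same text can be dropped into a scheduled task or a log forwarder subscription later.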

Now that you have basic event analysis skills, think about this situation. Malware infects a computer in your network, escalates its privileges, maps the network and copies itself to network shares.
You would want to investigate a series of event IDs, including 4672 and 5140 (refer to the table above). Two caveats: 5140 is only written when file share auditing (Advanced Audit Policy, Object Access, Audit File Share) is enabled, and it is logged on the machine that serves the share, not on the infected client, so look on the targets as well as the source. The logon ID that both events carry ties a share access back to the logon session that received the privileges.

Security tools such as the Metasploit Framework include, in Meterpreter, a command called clearev that clears the Application, System and Security event logs. This capability is not unique to Metasploit; skilled attackers craft their own tools. A cleared event log should ring your loudest bell: when the Security log is cleared, Windows writes event ID 1102, The audit log was cleared, into the fresh log together with the account that cleared it, so a Security log that is suspiciously short and starts with 1102 is itself evidence. Forwarding logs to a central collector means a local clear does not erase your only copy.
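For the two situations just described, an added example (not from the original post): this PowerShell script runs on the host whose Security log you are examining and reports (a) any 1102 "audit log was cleared" events and (b) every 5140 share access whose logon session (SubjectLogonId) earlier received special privileges in a 4672 event. Assumptions: an elevated prompt, a 24-hour window, and file-share auditing enabled (without it 5140 is never written); since 5140 is logged on the machine serving the share, run it on the target, not the infected client. The list of excluded service-account SIDs is a noise filter, not a requirement.

```powershell
# Added example: correlate 4672 (special privileges) with 5140 (share access) by logon session,
# and flag 1102 (audit log cleared). Assumes an elevated prompt and file-share auditing enabled.
$since = (Get-Date).AddHours(-24)

function Get-SecurityEvents {
    param([int[]]$Id, [datetime]$Start)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Start } -ErrorAction Stop
    } catch {
        # "No events were found" is a normal outcome; anything else is a real error.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# Flatten an event's <EventData> into a hashtable keyed by field name (SubjectLogonId, ShareName, ...).
function ConvertTo-EventData {
    param($Event)
    $d = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $d
}

# 1) A cleared Security log. 1102 keeps its subject under <UserData>, not <EventData>, so read
#    it by position: Properties[1] = SubjectUserName, Properties[2] = SubjectDomainName.
foreach ($e in (Get-SecurityEvents -Id 1102 -Start $since)) {
    Write-Warning ('{0}  SECURITY LOG CLEARED by {1}\{2}' -f $e.TimeCreated, $e.Properties[2].Value, $e.Properties[1].Value)
}

# 2) Index privileged logon sessions: LogonId -> first 4672 seen for that session.
#    Assumed noise filter: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
$serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
$privileged  = @{}
foreach ($e in (Get-SecurityEvents -Id 4672 -Start $since)) {
    $d = ConvertTo-EventData $e
    if ($serviceSids -contains $d['SubjectUserSid']) { continue }
    if (-not $privileged.ContainsKey($d['SubjectLogonId'])) { $privileged[$d['SubjectLogonId']] = $d }
}

# 3) Share access from one of those sessions. Same SubjectLogonId means same logon session,
#    i.e. the share was touched with admin-equivalent rights in hand.
$hits = foreach ($e in (Get-SecurityEvents -Id 5140 -Start $since)) {
    $d = ConvertTo-EventData $e
    $p = $privileged[$d['SubjectLogonId']]
    if ($null -eq $p) { continue }
    [pscustomobject]@{
        PrivilegeTime = $p.TimeCreated
        ShareTime     = $d.TimeCreated
        Account       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Client        = $d['IpAddress']
        Share         = $d['ShareName']
        AccessMask    = $d['AccessMask']
        LogonId       = $d['SubjectLogonId']
    }
}

if ($hits) {
    $hits | Sort-Object ShareTime | Format-Table -AutoSize
} else {
    "No share access from privileged sessions since $since."
}
```

Administrative shares (ShareName ending in C$ or ADMIN$) reached from a client IP that is not an admin workstation, shortly after a 4672 for a user who is supposed to be a standard user, is the pattern the scenario above would leave behind; an empty result with a 1102 warning means the evidence was removed, which is a finding in its own right.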