Orbwalk
4 min read · Mar 20, 2024

WINDOWS EVENT LOGS & FINDING EVIL

Windows Event Logs are an invaluable part of the Windows operating system. They store records from many parts of the system: the OS itself, the applications running on it, ETW providers, services, and more. Windows event logging offers comprehensive coverage of application errors, security events, and diagnostic information, and knowing how to handle these logs is essential for security professionals who need to protect, analyze, and optimize their systems.

Detecting DLL Hijacking in Event Viewer

This image shows a Sysmon image load event (Event ID 7) with a legitimate signature in Event Viewer. Note the signature status (Valid) and that "MMC.exe" loaded "psapi.dll", which is also Microsoft-signed.

I was tasked with being able to identify hijacked DLLs. To detect a hijacked DLL there has to be a hijacked DLL, so I started by identifying a hijackable executable. Using the reflective DLL shown in the blog post, renaming it to WININET, and moving both this file and calc.exe to a writable location such as the Desktop produced these results when I ran calc.exe.

Now when we inspect these actions in Event Viewer, the event details in XML view look like this.

Note that the loaded image is unsigned (Signed is false) and the signature status is now Unavailable. We have successfully detected a hijacked DLL! On its own, an unsigned image load is only a lead; what makes this one suspicious is the combination: a Microsoft-signed binary loading a DLL that carries a system DLL name from a user-writable directory instead of C:\Windows\System32.

Get-WinEvent

Get-WinEvent is a PowerShell cmdlet that allows us to view, filter, and analyze Windows event logs. Because it runs from the command line, we can automate tasks and write scripts, such as parsing through thousands of events to pinpoint the ones with properties relevant to our task. Some use cases where I find Get-WinEvent thrives follow.

Viewing Event logs with Excessive Failed Logins:

With this simple command, you can use -FilterHashtable to pass the filter as key-value pairs. Event ID 4625 represents a failed logon attempt in the 'Security' log, and the output gives us information (target account, logon type, source address, failure sub-status) that can be important for an investigation.

Searching for Unsigned DLLs by Analyzing Event Logs:

Inspecting the loading of unsigned DLLs can help us identify a DLL-related attack such as the DLL hijacking demonstrated via the GUI above. This command searches the saved event log file for Sysmon Event ID 7 (ImageLoad) and keeps events whose 12th property equals false. Properties is the array of Data elements from the EventData section shown above, so that position corresponds to the Signed field, which records whether the loaded DLL is signed. Note that the array is zero-based and that the position shifts between Sysmon schema versions, so matching the Data element by its Name attribute (Signed) is more robust than a fixed index.

Searching for Credential Dumping Attack by Analyzing Event Logs:

lsass.exe (the Local Security Authority Subsystem Service) manages user credentials and holds them in memory, which makes it a primary target for credential dumping attacks. When hunting for credential dumping, search your Sysmon logs for Event ID 10 (ProcessAccess), which records one process opening a handle to another. After filtering on the event ID, look further along the command: we are filtering on properties once again, this time for events whose 8th line (TargetImage) contains the string "lsass.exe". When reviewing these events, your IOC is an uncommon process accessing lsass.exe. Expect some benign noise from system processes and security products; the real indicators are source images you do not recognize, especially ones running from user-writable paths, together with GrantedAccess masks that include memory-read rights (0x1010, 0x1410 and 0x1FFFFF are the values common dumping tools request).
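As an added example (not part of the original post), here are the three hunts above, failed logons, unsigned image loads and lsass access, written as reusable Get-WinEvent functions. Instead of indexing Properties[n], a small helper converts each event's XML into an object keyed by the Data elements' Name attributes, so the filters survive Sysmon schema changes. The log names are the Windows and Sysmon defaults; the time window, threshold, the allowlist of expected lsass accessors and the -Path option for a saved .evtx are assumptions to tune for your environment.

```powershell
# Added example: Get-WinEvent hunts for failed logons, unsigned DLL loads and
# lsass access. Requires an elevated PowerShell (Security and Sysmon channels
# need admin rights) and, for hunts 2 and 3, a Sysmon config that logs
# Event IDs 7 and 10.

# Turn one EventLogRecord into an object whose properties are the EventData
# <Data Name="..."> elements. Avoids hard-coded Properties[n] positions.
function ConvertTo-EventData {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$data
    }
}

# 1. Excessive failed logons: Security 4625 in the last $Hours, grouped by
#    target account, source address and logon type so a spray or brute force
#    stands out. $Threshold is an assumed cut-off.
function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertTo-EventData |
        Group-Object TargetUserName, IpAddress, LogonType |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account';   e = { $_.Group[0].TargetUserName } },
            @{ n = 'Source';    e = { $_.Group[0].IpAddress } },
            @{ n = 'LogonType'; e = { $_.Group[0].LogonType } },
            @{ n = 'SubStatus'; e = { $_.Group[0].SubStatus } }
}

# 2. Unsigned DLL loads: Sysmon Event ID 7 where Signed is false and the DLL
#    was loaded from outside C:\Windows, i.e. the hijacking pattern shown above.
#    -Path reads a saved .evtx; otherwise the live Sysmon channel is used.
function Get-UnsignedImageLoad {
    param([string]$Path)
    $filter = @{ Id = 7 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Microsoft-Windows-Sysmon/Operational' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertTo-EventData |
        Where-Object { $_.Signed -eq 'false' -and $_.ImageLoaded -notlike 'C:\Windows\*' } |
        Select-Object TimeCreated, Image, ImageLoaded, SignatureStatus, Hashes
}

# 3. Credential dumping: Sysmon Event ID 10 with lsass.exe as the TargetImage.
#    GrantedAccess is the handle's access mask (0x1010, 0x1410, 0x1FFFFF are the
#    masks common dumping tools request). The allowlist of expected system
#    accessors is an assumption; extend it with your own known-good processes.
function Get-LsassAccess {
    param([string]$Path)
    $filter = @{ Id = 10 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Microsoft-Windows-Sysmon/Operational' }
    $expected = @(
        'C:\Windows\System32\csrss.exe',
        'C:\Windows\System32\wininit.exe',
        'C:\Windows\System32\svchost.exe'
    )
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertTo-EventData |
        Where-Object { $_.TargetImage -like '*\lsass.exe' -and $_.SourceImage -notin $expected } |
        Select-Object TimeCreated, SourceImage, SourceProcessId, GrantedAccess, CallTrace
}

# Usage
Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
Get-UnsignedImageLoad | Format-Table -AutoSize          # or: -Path .\Sysmon.evtx
Get-LsassAccess       | Format-Table -AutoSize
```

Pass the same -Path argument to Get-UnsignedImageLoad and Get-LsassAccess when working from an exported .evtx, as in the examples above; against a live host, drop it and the functions read the Sysmon operational channel directly. Get-WinEvent reports "No events were found" as a non-terminating error when a filter matches nothing, which is why each call uses -ErrorAction SilentlyContinue.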

This certification has been an eye-opening experience for me personally in how much I enjoy working with and learning about computers. I sit down to study, and the first time I look at the clock, 4 hours have flown by; this course has engaging material, and I learn so much every time I sit down with it. If anyone reading this has a hunger to get their hands dirty in some labs, break things, and get frustrated before finally triumphing some time later, I highly recommend this course.