What are the top EventLog IDs and ID Groups to watch out for indicators of compromise or indicators of attack?
Here’s a list below.
EventID 1102 — The audit log was cleared
This EventID is generated when Windows Security audit log was cleared.
Example: There should be no need to manually clear the Security event log in most cases, but the audit log can be cleared as part of a cleanup post incident.
EventID 1104 — The security log is now full.
This EventID is generated when the Windows security log becomes full, if the max size of the log file was reached and event log retention method is “Do not overwrite events (Clear logs manually)”.
Example: Attackers first changing the max retention size of a log, then flooding the log with events to reach its maximum log size. To mitigate, centralize logs to a log collection server or SIEM and look for gaps and stoppage.
EventID 4657 — A registry value was modified
This EventID is generated when there are changes — creation, modification and deletion — are made to the registry key value.
Example: Such modifications create holes or payloads to be used by malware.
EventID 4663 — An attempt was made to access an object
This EventID is logged when one or more requested permissions are exercised for the first time on an object.
Example: Can be invoked when, for example, Registry changes are made to hide malware payload in the Registry or to change Registry settings for further actions.
EventID 4688 — New process has been created
This EventID contains information as to how a program was executed, what started the process and under which account the program runs as.
Example: Use this ID for tracking of new processes created by rogue executables.
EventID 5140 — A network share object was accessed.
This event generates every time network share object was accessed and generates once per session when the first access attempt was made.
Example: Suspicious C shares or file share accessed, for example, by malware crawling shares.
EventID 5156 — The Windows Filtering Platform has allowed a connection
As the name states, the EventID is logged when Windows Firewall Network Connection has all allowed a connection to a host.
Example: Malware is conducting a reconnaissance from within the infected host, or malware process communication to an IP.
Group of IDs: Windows Domain Controller Events
Consider monitoring for groups of EventIDs associated with Windows Domain Controller like 617, 632, 636, 643, 660. Enhance logging on these to reduce attack surface.
Example: An attacker compromises a domain controller, which in turn provides them a path to wide scale propagation for additional damage to member services, workstations and Active Directory.
Group of IDs: Windows Defender Operational logs
Consider monitoring for groups of EventIDs associated with Windows Defender — after virus detection (1006–1009, 1116–1119) and also for the EventID emitted after an antivirus database update (2000) for Windows Defender logs.
Example: As the name suggests, log these IDs to monitor and respond against AV threats.
Group of IDs: EventID Group around account activities
When it is required to monitor account activities, there is no one single EventID. Consider new account log on (4624), log off events (4634 and 4647), failed log on event (4625). Also consider other EventIDs associated with failed logons such as 4776 and 4777. Changes to user accounts involve EventIDs 4725, 4726, 4724, 4732, new account creations 4720 and new accounts enabled 4722.
Example: Create a baseline of normal login events and monitoring for changes deviating from the baseline.