Threat Detection with Windows Event Logs

Philip Robinson
Adarma Tech Blog


Threat detection is a constantly evolving and fast-paced sector of the cyber security industry. It relies on keeping on top of the latest threat trends and developing new methods to detect the latest tools, tactics and procedures used by cybercriminals. Manually staying up to date with every threat advancement is virtually impossible, which is where a systematic threat detection tool can aid the process. There are a variety of tools available for threat detection and threat hunting at a range of prices, from free and open source software to premium threat intelligence and detection suites. One option is not only free but already has (the majority of) its functionality built into your Windows operating system (OS): Windows event logs.

This article aims to briefly introduce the needle in the haystack of Windows event logs. Specifically, the Event IDs/codes (this article will use ID/code interchangeably) from the logs, how you can get the most out of them, and the key event codes you should look out for.

What are they?

The Windows event log is an administrative tool included in Microsoft operating systems for log management. It is responsible for generating and organising a comprehensive record of the actions and changes made on the system. Logs fall into 3 categories (system, security and application) and events carry one of 4 classifications: error, warning, information and audit success. Crucially, each log entry carries an event ID/code specific to the action that produced it, which can be used to detect particular activity.

What’s so great about event IDs?

Figure: MITRE ATT&CK Matrix coverage of Windows event IDs from Malware Archaeology's Event ID cheat sheet [Q3 2018]: 220/266, ~83% (excluding Impact)

One of the best resources available for discovering which attack techniques map to which event IDs is “The Windows ATT&CK Logging Cheat Sheet” by Malware Archaeology. It’s a great way to quickly see how the logs you’re probably already ingesting can be used to detect many techniques.

In particular, according to the cheat sheet, Windows event IDs have around 83% coverage of Windows-specific enterprise attack techniques (see top figure), which gives great spread across the tactics of the MITRE ATT&CK framework (excluding Impact). Green-coloured techniques have strong coverage and yellow ones have some. As the cheat sheet was last updated in Q3 2018, it is missing some newer attack techniques that have since been added to ATT&CK, most of which can most likely also be detected using event logs. This really demonstrates their capabilities and shows why event logs are such a crucial source for threat detection.

If they’re so great, surely one of the first things an adversary would do once they’ve gained access to a system is to clear the event logs to hide their activity? There’s an event code for that! Specifically 1102, which is created when the security audit log is cleared and records the offending account name, security ID and logon ID. Furthermore, it can be correlated with other information, such as event ID 4624 to identify the user’s session, or event ID 4688 to identify the guilty process (see Demo 2 for an example). Side note: sophisticated malware, such as DanderSpritz, has been known to avoid leaving traces of log removal.

Which IDs should I look out for?

Clearly, this will depend on what you’re trying to find — another useful resource is the “Windows Security Log Events Encyclopedia” by Ultimate IT Security, which comprehensively details event codes across OS versions. Additionally, there are many research papers and blog posts that make suggestions (see Recommended Reading). Here are some of the most commonly recommended codes and why they’re useful.

Table of Key Event IDs

So, you know which attack techniques you want to look for, but don’t know which event codes match up? Refer to Malware Archaeology’s handy cheat sheet from earlier to map techniques to the potential event codes relevant to your environment. They even include some examples in another cheat sheet (Splunk logging), a useful starting guide if you’re using the Splunk SIEM like I do. There are also guides for Humio & LOG-MD.

Here is my current process in brief for the steps involved in using event IDs:

4 Stages of Development

· Plan: For instance, I know that a recent report found that brute force is a commonly used attack technique and we’ve had experience of it in the past.

· Identify: We look at the MITRE ATT&CK framework for a description on the technique and use the event ID cheat sheet to find event codes for that technique.

· Test: Next, we create a search for that event ID in our logs and test it (provided the logs are being ingested).

· Alert: Finally, an alert is created from an optimised search to automate detection of the potential threat.

Demonstration in Splunk

The demonstration will be in the SIEM Splunk, a powerful tool for getting the most value out of Windows event logs and much more. However, there are many other SIEM and log management tools available.

Demo 1: Successful brute force attempts

Screenshot: searching for successful brute force attempts in Splunk

Tactic: Credential Access

Technique: Brute Force (T1110)

Objective: Detecting a possible brute force attempt is an essential detection; in particular, a successful brute force against a critical account should be a high-priority alert.

Findings: This search uses event ID 4625 (failed logon) followed by event ID 4624 (successful logon), grouped by user with the transaction command. We find several attempts to access an administrator account on one of the computers. By grouping these events an analyst can gain greater insight into the behaviour — all thanks to the power of Windows event logs and Splunk.
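The 4625-then-4624 grouping this demo describes (and the “Test” step of the four-stage process above), written out as an added Python example rather than the Splunk transaction search in the screenshot. It runs over a constructed set of Security log records reduced to the fields the detection needs; the field names follow the Windows Security log as ingested by Splunk (EventCode, TargetUserName, Computer, IpAddress), but the events, the failure threshold and the time window are assumptions chosen for illustration, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records, reduced to the fields the
# detection needs. Field names follow the Windows Security log / Splunk
# Windows add-on (EventCode, TargetUserName, Computer, IpAddress); all
# values are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2019-06-10T09:00:01", "EventCode": 4625, "TargetUserName": "Administrator", "Computer": "WS01", "IpAddress": "10.0.0.5"},
    {"time": "2019-06-10T09:00:03", "EventCode": 4625, "TargetUserName": "Administrator", "Computer": "WS01", "IpAddress": "10.0.0.5"},
    {"time": "2019-06-10T09:00:05", "EventCode": 4625, "TargetUserName": "Administrator", "Computer": "WS01", "IpAddress": "10.0.0.5"},
    {"time": "2019-06-10T09:00:06", "EventCode": 4625, "TargetUserName": "Administrator", "Computer": "WS01", "IpAddress": "10.0.0.5"},
    {"time": "2019-06-10T09:00:08", "EventCode": 4624, "TargetUserName": "Administrator", "Computer": "WS01", "IpAddress": "10.0.0.5"},
    # A single typo'd password followed by a success: normal user behaviour.
    {"time": "2019-06-10T09:15:00", "EventCode": 4625, "TargetUserName": "jsmith", "Computer": "WS02", "IpAddress": "10.0.0.9"},
    {"time": "2019-06-10T09:15:20", "EventCode": 4624, "TargetUserName": "jsmith", "Computer": "WS02", "IpAddress": "10.0.0.9"},
    # A clean logon with no preceding failures.
    {"time": "2019-06-10T11:00:00", "EventCode": 4624, "TargetUserName": "svc_backup", "Computer": "SRV01", "IpAddress": "10.0.0.20"},
]


def find_successful_brute_force(events, min_failures=3, window=timedelta(minutes=10)):
    """Return one finding per (user, host) where at least `min_failures` 4625
    events inside `window` are followed by a 4624 for the same user on the
    same host. This is the same 4625 -> 4624 sequence the Splunk transaction
    search groups; the threshold and window are assumed tuning values."""
    failures = defaultdict(list)  # (user, host) -> timestamps of recent 4625s
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["TargetUserName"].lower(), e["Computer"])
        ts = datetime.fromisoformat(e["time"])
        if e["EventCode"] == 4625:
            failures[key].append(ts)
        elif e["EventCode"] == 4624:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "user": key[0],
                    "computer": key[1],
                    "failed_attempts": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success": ts.isoformat(),
                    "source_ip": e.get("IpAddress"),
                })
            failures[key].clear()  # a success closes the transaction for this user/host
    return findings


if __name__ == "__main__":
    for f in find_successful_brute_force(SAMPLE_EVENTS):
        print(f"ALERT {f['computer']}: {f['failed_attempts']} failures then success for "
              f"{f['user']} from {f['source_ip']} ({f['first_failure']} -> {f['success']})")
```

The threshold is what keeps the jsmith record (one mistyped password, then success) out of the alert while the administrator sequence on WS01 is reported; in practice the window and threshold are the knobs you tune against your own logon noise before turning the search into an alert.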

Demo 2: Event clearing

Screenshot: searching for log removal in Splunk

Tactic: Defense Evasion

Technique: Indicator Removal on Host (T1070)

Objective: The purpose of this search was to identify instances of event log removal, including use of the log administration tool Wevtutil, as used by the NotPetya malware.

Findings: The search looks for event ID 1102, the log written when the audit log has been cleared, and for 4688 to find instances of wevtutil being launched. Alternatively, it could search for any new process created within a few seconds of event ID 1102 to find the culprit process. In this case we suspected Wevtutil was being used, and sure enough the search confirmed it had been used for recursive removal of logs across the OS.
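The 1102-to-4688 correlation from this demo as an added Python example (not the article's Splunk search): for every 1102 it collects the process creations on the same host within a few seconds either side, so it both confirms the wevtutil case and covers the more general “any new process near the clear” variant the findings mention. The records are constructed; field names follow the Security log (SubjectUserName, SubjectLogonId, NewProcessName), but the host names, accounts and the five-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: a 4688 (process creation) for wevtutil, the 1102
# (audit log cleared) it produces a second later, an unrelated 4688 on the
# same host shortly after, and background noise on another host.
# Field names follow the Security log; all values are invented.
SAMPLE_EVENTS = [
    {"time": "2019-06-11T14:02:10", "EventCode": 4688, "Computer": "SRV01",
     "SubjectUserName": "btun", "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe"},
    {"time": "2019-06-11T14:02:11", "EventCode": 1102, "Computer": "SRV01",
     "SubjectUserName": "btun", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1"},
    {"time": "2019-06-11T14:02:12", "EventCode": 4688, "Computer": "SRV01",
     "SubjectUserName": "btun", "NewProcessName": "C:\\Windows\\System32\\conhost.exe"},
    {"time": "2019-06-11T15:30:00", "EventCode": 4688, "Computer": "WS02",
     "SubjectUserName": "jsmith", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]


def correlate_log_clear(events, window=timedelta(seconds=5)):
    """For each 1102, gather the 4688 process creations on the same host within
    +/- `window` (the clearing process is created just before the 1102, so the
    window looks both ways) and flag whether wevtutil is among them. The
    account and logon ID come straight from the 1102 record."""
    clears = [e for e in events if e["EventCode"] == 1102]
    procs = [e for e in events if e["EventCode"] == 4688]
    results = []
    for c in clears:
        c_ts = datetime.fromisoformat(c["time"])
        nearby = sorted(
            (p for p in procs
             if p["Computer"] == c["Computer"]
             and abs(datetime.fromisoformat(p["time"]) - c_ts) <= window),
            key=lambda p: p["time"],
        )
        results.append({
            "computer": c["Computer"],
            "cleared_by": f"{c['SubjectDomainName']}\\{c['SubjectUserName']}",
            "logon_id": c["SubjectLogonId"],
            "candidate_processes": [p["NewProcessName"] for p in nearby],
            "wevtutil_seen": any(p["NewProcessName"].lower().endswith("\\wevtutil.exe")
                                 for p in nearby),
        })
    return results


if __name__ == "__main__":
    for r in correlate_log_clear(SAMPLE_EVENTS):
        print(f"ALERT {r['computer']}: audit log cleared by {r['cleared_by']} "
              f"(logon {r['logon_id']}); processes nearby: {r['candidate_processes']}; "
              f"wevtutil: {r['wevtutil_seen']}")
```

The logon ID returned here is the value you would then pivot on against event ID 4624 to find the session the clear was performed from, as the article suggests earlier.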

Demo 3: Account manipulation

Screenshot: searching for account manipulation in Splunk

Tactic: Credential Access

Technique: Account Manipulation (T1098)

Objective: Account manipulation is performed by adversaries attempting to gain administrator privileges or change account passwords. This search looks for suspicious accounts altering attributes of other accounts, where the changes aren’t made by known admins.

Findings: Event ID 4738 is generated every time a user object is modified, such as changes to account passwords, UAC settings, privileges and more. In this case, we find that user Billy Tun has been altering the account svcvnc, including its logon hours and group permissions. An adversary may weaken account security to gain access to other accounts for privilege escalation and persistence. We could correlate other activity performed by the suspicious account around that time to gain better context.
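The allowlist-style check from this demo as an added Python example (not the article's search): it keeps the 4738 records whose subject is not a known admin, reports which attributes actually changed, and rolls the results up per subject so a user repeatedly editing one target account stands out. The attribute fields follow the 4738 message layout, in which an attribute that did not change is logged as “-”; the admin allowlist, the account names and the attribute values are constructed for illustration.

```python
# Constructed 4738 (user account changed) records. The attribute fields follow
# the 4738 message layout, where an attribute that did not change is logged as
# "-". The admin allowlist, names and values are invented for this example.
KNOWN_ADMINS = {"corp\\admin.jdoe", "corp\\admin.ops"}

# Subset of the attribute fields present in a 4738 record.
ATTRIBUTE_FIELDS = ["PasswordLastSet", "LogonHours", "UserAccountControl",
                    "AllowedToDelegateTo", "SidHistory", "PrimaryGroupId"]

SAMPLE_EVENTS = [
    {"time": "2019-06-12T10:05:00", "EventCode": 4738, "Computer": "DC01",
     "SubjectDomainName": "CORP", "SubjectUserName": "btun", "TargetUserName": "svcvnc",
     "PasswordLastSet": "-", "LogonHours": "All", "UserAccountControl": "-",
     "AllowedToDelegateTo": "-", "SidHistory": "-", "PrimaryGroupId": "-"},
    {"time": "2019-06-12T10:06:30", "EventCode": 4738, "Computer": "DC01",
     "SubjectDomainName": "CORP", "SubjectUserName": "btun", "TargetUserName": "svcvnc",
     "PasswordLastSet": "-", "LogonHours": "-", "UserAccountControl": "-",
     "AllowedToDelegateTo": "-", "SidHistory": "-", "PrimaryGroupId": "512"},
    # A known admin resetting a user's password: expected, so not reported.
    {"time": "2019-06-12T11:00:00", "EventCode": 4738, "Computer": "DC01",
     "SubjectDomainName": "CORP", "SubjectUserName": "admin.jdoe", "TargetUserName": "jsmith",
     "PasswordLastSet": "6/12/2019 11:00:00 AM", "LogonHours": "-", "UserAccountControl": "-",
     "AllowedToDelegateTo": "-", "SidHistory": "-", "PrimaryGroupId": "-"},
    # Unrelated event type, ignored by the search.
    {"time": "2019-06-12T11:01:00", "EventCode": 4624, "Computer": "DC01",
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith", "TargetUserName": "jsmith"},
]


def find_unexpected_account_changes(events, known_admins=KNOWN_ADMINS):
    """Return the 4738 records whose subject is not an allowlisted admin,
    together with the attributes that actually changed (anything not "-")."""
    findings = []
    for e in events:
        if e.get("EventCode") != 4738:
            continue
        subject = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}".lower()
        if subject in known_admins:
            continue
        changed = {f: e[f] for f in ATTRIBUTE_FIELDS if e.get(f, "-") != "-"}
        findings.append({"time": e["time"], "subject": subject,
                         "target": e["TargetUserName"], "changed": changed})
    return findings


def summarise_by_subject(findings):
    """Roll findings up per subject account, so one user making many changes
    to the same target (the pattern in the demo) is visible at a glance."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["subject"], {"targets": set(), "attributes": set()})
        s["targets"].add(f["target"])
        s["attributes"].update(f["changed"])
    return summary


if __name__ == "__main__":
    found = find_unexpected_account_changes(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['subject']} changed {f['target']}: {f['changed']}")
    for subject, s in summarise_by_subject(found).items():
        print(f"SUMMARY {subject}: targets={sorted(s['targets'])} attributes={sorted(s['attributes'])}")
```

The allowlist is the part that needs care: it should hold the accounts that are genuinely expected to manage users, and the search is only as good as that list is current.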

Conclusion

As highlighted, Windows event logs are a useful and easy-to-access method for troubleshooting system issues, monitoring account activity and detecting threats. Searches built on event IDs can be far more comprehensive than those in the demos, but equally, simple searches can be highly effective because of how specific some event codes are. Event codes alone won’t detect every threat in your organisation, and they are renowned for being noisy unless carefully configured. Despite this, event IDs are a valuable and effective place to start, and are likely the single best source of insight for a Windows-based estate.

Furthermore, used in conjunction with the MITRE ATT&CK framework, they give defenders a greater understanding of how to use event IDs to detect adversary techniques, providing a solid foundation to build upon. Additionally, using a SIEM for log analysis and correlation further enriches threat detection and response based on event IDs, unlocking the full benefit of Windows event logs in the fight against threats to your cybersecurity.

Thank you very much for reading!

What are your top codes to look for?

Use Splunk? Here are the Splunk docs on how to configure Windows event log ingestion.

References & Suggested Reading:

· (A more detailed) definition of Windows event logs:

· Malware Archaeology’s cheat sheets:

· Ultimate IT Security’s Windows Event ID Encyclopedia:

· MITRE ATT&CK framework:

· Presentation by Eric Conrad on using event IDs for threat hunting, with advanced examples including NotPetya: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1524493093.pdf

· Article by Eduard Kovacs on potentially leaked NSA tools, including the log removal tool DanderSpritz:

· A great couple of blog posts by Splunk on key event IDs to look for:

· Splunk documentation for using Windows event logs in Splunk:


Cybersecurity Engineer with a keen interest in Threat Detection.