Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

Windows 7 ID Level Event Log Event Source Account Lockouts 4740 Informational Security Microsoft-Windows-Security-Auditing User Added to 4728, Informational Security Microsoft-Windows-Security-Auditing Privileged Group 4732, 4756 Successful User 4624 Informational Security Microsoft-Windows-Security-Auditing Account Login Failed User 4625 Informational Security Microsoft-Windows-Security-Auditing Account Login Account Login with Explicit Credentials 4648 Informational Security Microsoft-Windows-Security-Auditing Windows XP Table 16: Windows 7 Account Activity Events ID Type Event Log Event Source Account Lockouts 644 Success Audit Security Security Failed Login 529 Failure Audit Security Security Successful Login 528 Success Audit Security Security User Initiated Logoff 551 Success Audit Security Security Account Login with Explicit 552 Success Audit Security Security Credentials Successful Network Login 540 Success Audit Security Security User Account Created 624 Success Audit Security Security Change Password Attempt 627 Success Audit Security Security User Added to Privileged Group 632, 636, 660 Success Audit Security Security Table 17: Windows XP Account Activity Events 4.8 Kernel Driver Signing Introduction of kernel driver signing in the 64-bit version of Windows Vista significantly improves defenses against malicious drivers or activities in the kernel. Any indication of a protected driver being altered may indicate malicious activity or a disk error and should warrant investigation. Windows 7 33
Detected an invalid image hash of a file Detected an invalid page hash of an image file Code Integrity Check Failed Kernel Driver Loading ID Level Event Log Event Source 5038 Informational Security Microsoft-Windows- Security-Auditing 6281 Informational Security Microsoft-Windows- Security-Auditing 3001, 3002, 3003, 3004, 3023 Warning, Error Microsoft-Windows- CodeIntegrity/Operational Microsoft-Windows- CodeIntegrity 219 Warning System Microsoft-Windows- Kernel-PnP Table 18: Windows 7 Kernel Driver Signing Events 4.9 Pass the Hash Detection Tracking user accounts for detecting Pass the Hash (PtH) requires creating a custom view with XML to configure more advanced filtering options. The event query language is based on XPath. The recommended QueryList below is limited in detecting PTH attacks. These queries focus on discovering lateral movement by an attacker using local accounts that are not part of the domain. The QueryList captures events that show a local account attempting to connect remotely to another machine not part of the domain. This event is a rarity so any occurrence should be treated as suspicious. These XPath queries below are used for the Event Viewer’s Custom Views. Windows 7 The successful use of PtH for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. To clearly summarize the event that is being collected: EventID Log Level LogonType Authentication Package Name 4624 Security Information 3 NTLM In the QueryList below, substitute the section with the desired domain name. *[System[(Level=4 or Level=0) and (EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data='3')]] and *[EventData[Data[@Name='AuthenticationPackageName'] = 'NTLM']] and *[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']] and *[EventData[Data[@Name='TargetDomainName'] != '']] A failed logon attempt when trying to move laterally using PtH would trigger an event ID 4625. This 34
Page 1 and 2: National Security Agency/Central Se
Page 3 and 4: List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37: ID Level Event Log Event Source Eve
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on

Spotting the Adversary with Windows Event Log Monitoring

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?