Spotting the Adversary with Windows Event Log Monitoring
Spotting the Adversary with Windows Event Log Monitoring
Spotting the Adversary with Windows Event Log Monitoring
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
would have a <strong>Log</strong>onType of 3 using NTLM au<strong>the</strong>ntication where it is not a domain logon and not <strong>the</strong><br />
ANONYMOUS LOGON account. To clearly summarize <strong>the</strong> event that is being collected:<br />
<strong>Event</strong>ID <strong>Log</strong> Level <strong>Log</strong>onType Au<strong>the</strong>ntication Package Name<br />
4625 Security Information 3 NTLM<br />
<br />
<br />
<br />
*[System[(Level=4 or Level=0) and (<strong>Event</strong>ID=4625)]]<br />
and<br />
*[<strong>Event</strong>Data[Data[@Name='<strong>Log</strong>onType'] and (Data='3')]]<br />
and<br />
*[<strong>Event</strong>Data[Data[@Name='Au<strong>the</strong>nticationPackageName'] = 'NTLM']]<br />
and<br />
*[<strong>Event</strong>Data[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]<br />
and<br />
*[<strong>Event</strong>Data[Data[@Name='TargetDomainName'] != '']]<br />
<br />
<br />
<br />
<strong>Windows</strong> XP<br />
The QueryList for <strong>Windows</strong> 7 cannot be directly applied for <strong>Windows</strong> XP <strong>with</strong>out certain significant<br />
changes. Successful login and failed login event IDs are different along <strong>with</strong> <strong>the</strong> amount of detailed<br />
information regarding <strong>the</strong> login event. In <strong>Windows</strong> XP a successful network login and failed login will<br />
generate events 540 and 529, respectively.<br />
<strong>Event</strong>ID <strong>Log</strong> Level <strong>Log</strong>onType Au<strong>the</strong>ntication Package Name<br />
540 Security Success Audit 3 NTLM<br />
529 Security Failure Audit 3 NTLM<br />
<br />
<br />
<br />
*[System[(Level=4 or Level=0) and (<strong>Event</strong>ID=540) and Security[@UserID!='S-1-5-7']]]<br />
and<br />
*[<strong>Event</strong>Data[Data[2]!='' and Data[4]=3 and Data[6]='NTLM']]<br />
<br />
<br />
<br />
<br />
<br />
<br />
*[System[(Level=4 or Level=0) and <strong>Event</strong>ID=529 and Security[@UserID!='S-1-5-7']]<br />
and<br />
*[<strong>Event</strong>Data[Data[2]!='' and Data[4]=3 and Data[6]='NTLM']]<br />
<br />
<br />
<br />
4.10 Remote Desktop <strong>Log</strong>on Detection<br />
Remote account activity events are not easily identifiable using <strong>the</strong> GUI. When an account remotely<br />
connects to a client, a generic successful logon event is created. A custom Query Filter can aid in<br />
clarifying <strong>the</strong> type of logon that was performed. The query below shows logins using Remote Desktop.<br />
Remote Desktop activity should be monitored since only certain administrators should be using it, and<br />
<strong>the</strong>y should be from a limited set of management workstations. Any Remote Desktop logins outside of<br />
expected activity should be investigated.<br />
35