Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Windows Events log for IR/Forensics ,Part 1 - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Windows Events log for IR/Forensics ,Part 1

In the time of incidents, Windows Event logs provide a plenty of useful information for the Incident responder.As you know Windows can generate thousands of events in few minutes ,in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them .

Here is of the most useful events for Forensics/Incident response:

Event ID

Description

Log Name

4624

Successful Logon

Security

4625

Failed Login

Security

4776

Successful /Failed Account Authentication

Security

4720

A user account was created

Security

4732

A member was added to a

security-enabled local group

Security

4728

A member was added to a security-enabled global group

Security

7030

Service Creation Errors

System

7045

Service Creation

System

 

 

One of the useful information that Successful/Failed Logon event provide is how the user/process tried to logon  (Logon Type ) but Windows display this information as a number and here is a list of the logon type and their explanation

Logon Type

Explanation

2

Logon via console

3

Network Logon, A user or computer logged on to this computer from the network.

4

Batch logon

5

Windows Service Logon

7

Credentials used to unlock screen

8

Network logon sending credentials (cleartext)

9

Different credentials used than logged on user

10

Remote interactive logon (RDP)

11

Cached credentials used to logon

12

Cached remote interactive

13

Cached unlock (Similar to logon type 7)

 

In the next diary I would show some examples how to use PowerShell  to search Windows Events of a compromised system 

 

 

Basil

49 Posts
ISC Handler
Good one - would like to add more

Logon failure events

0xC0000064 User name does not exist
0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC000006F User tried to logon outside his day of week or time of day restrictions
0xC0000070 Workstation restriction
0xC00000193 Account expiration
0xC0000071 Expired password
0xC0000133 Clocks between DC and other computer too far out of sync
0xC0000224 User is required to change password at next logon
0xC0000225 Evidently a bug in Windows and not a risk
0xC000015b "The user has not been granted the requested logon"

Logon sessions

4647 user initiated logon
4800 Workstation Locked
4801 Workstation unlocked
4802 Screen saver loaded
4803 Screen saver dismissed
4778 RDP reconnected
4779 RDP disconnected

User account changes

4720 Created
4722 Enabled
4723 User changed own password
4724 Privileged User changed this user’s password
4725 Disabled
4726 Deleted
4738 Changed
4740 Locked out
4767 Unlocked
4781 Name change
makflwana

17 Posts Posts
Should probably also include 4756 - user added to security enabled universal group
Jaybone

27 Posts Posts
I keep this one in Onenote... very relevant when troubleshooting Windows event logs:

Logon Types
Type 2 - Interactive (console login)
Type 3 - Network
Type 4 - Batch (scheduled tasks)
Type 5 - Services
Type 7 - Unlock
Type 8 - Network (cleartext)
Type 9 - NewCredentials (RunAs)
Type 10 - RemoteInteractive (RDP connections)
Type 11 - CachedInteractive (not connected to domain)
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!