WINDOWS EVENT LOGS AND USING SYSMON
Event logs record events that occur while the system is running in order to understand the events taking place in the system and diagnose problems. As a blue team member it is very important to understand these. It can also be useful to combine event logs from multiple sources. This is where SIEM solutions come into play. SIEM tools such as Splunk and Elastic collect records from multiple sources and generate alarms for anomalies that occur. Threat detection and incident response are also among the many capabilities of SIEM solutions.
Event logs are not simple "txt" files that can be viewed with notepad, but can be converted to XML file type using the Windows API. Events are usually stored under the “C:\Windows\System32\winevt\Logs” folder with the “.evt” or “.evtx” extensions.
There are three main ways to access these event logs from within the Windows system.
- Event Viewer (Graphic Application)
- Wevtutil.exe (Command Prompt Tool)
- Get-WinEvent (Powershell cmdlet)
EVENT VIEWER
Event Viewer can be opened easily by right-clicking on the Windows logo in the lower left and selecting it. Or if you want to use Command Prompt for this, you can open it with the command “eventvwr.msc”.
Event Viewer consists of three panes as seen. The left pane gives us the event logs in a hierarchical fashion. The middle pane gives general information or specific information about the event we have chosen. On the right is the Actions pane for the actions that can be taken.
There are five event types. These:
Mistake: The type of event that indicates a significant problem.
Warning: It's not a big deal, but a problem that could happen in the future.
Information: The type of event that describes the situation when a successful event occurs.
Audit Success: The type of event that records successful security accesses.
Check Error: The type of event that records failed security accesses.
Right click on Windows Logs > Security and open the Properties tab.
Here, there is information such as the path of the log, its size, when it was created. You can also clear the log by clicking the "Clear Log" button. Let's select an event from any event log.
At the top are the level of the event, the date and time it occurred, its source, the event ID and category.
The middle part is divided into General and Details. The General pane provides information about the event that took place, and the Details pane includes the Easy and XML view.
Using the Actions tab on the far right, we can do things like filtering.
We examined the Event Viewer. Imagine having to sit down and manually review thousands of events. That doesn't sound very fun, does it? It would be great if we could write an automation for this. A tool with which we can query event logs via CMD. wevtutil.exeWe can meet these needs by using .
We can reach using Powershell Get-WinEvent Let's continue by examining the cmdlet. Example Syntax:
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
We can filter about events using the command line, but instead, we can use the more efficient FilterHashtable We will use the parameter.
You can assign variables using the table below.
Event ID's
While there are many Event IDs in use, we may need to learn about some. Knowing these speeds us up and helps us know where to look first.
Let's take a look at the IDs related to Windows Firewall.
A few IDs related to the Event Logs:
1100: Event log service turned off
1102: Audit log cleared
1104: Security log is full
1105: Event log automatic backup
And finally, a few useful IDs:
4782 : The password hash of an account has been accessed
4625 : Login failed
106 : The task is scheduled
4672 : Admin account logged in
SYSMON
SysMon is a tool within SysInternals that records system activities. It collects detailed and optimized event logs as well as identifying anomalies in the system. It has capabilities such as command line logging, logging DNS records, tracking network connections, tracking files created with ADS, getting file hashes of transactions (can be used as IOC), recording GUID values of transactions. It is widely used with SIEM tools. Events in SysMon content are stored in the Windows Event Viewer under Application and Service Logs > Microsoft > Windows > Sysmon > Operational.
SysMon needs a Config file to decide how to analyze the events it receives. This config file must be in XML format. You can create your own Config file or use commonly used SwiftOnSecurity Sysmon ConfigYou can download .
SysMon contains 24 types of event IDs. Let's examine a few of them.
Event ID 1 : Create a Transaction
Event ID 3 : Network connection
Event ID 7 : Image Uploaded
Event ID 8 : CreateRemoteThread : Registers other processes that inject code into other processes.
Event ID 11: File Creation Record
Event ID 12/13/14: Registry Registration
Event ID 15 : FileCreateStreamHash : Examines files created using Alternate Data Stream
Event ID 22 : DNS Record: Examines DNS queries and events.
USING SYSMON WITH EXAMPLES
Detecting Metasploit Framework Usage
Metasploit Framework generally uses ports such as 4444 , 5555 , 8888 . By default it is 4444. At this point, we can detect this if we add the following command to our Sysmon-Config file.
<RuleGroup name=”” groupRelation=”or”>
<NetworkConnect onmatch=”include”>
4444
5555
8888
</NetworkConnect>
</RuleGroup>
Detecting Mimikatz Usage
The Mimikatz tool is generally known for LSASS dumping. Normally, LSASS.exe should not be accessed other than svchost.exe. The command we will use to detect this is:
<RuleGroup name=”” groupRelation=”or”>
<ProcessAccess onmatch=”exclude”>
svchost.exe
</ProcessAccess>
<ProcessAccess onmatch=”include”>
lsass.exe
</ProcessAccess>
</RuleGroup>
When we filter the SourceImage as svchost.exe with onmatch=”exclude”, an alarm will be generated if there is another process accessing lsass.exe other than svchost.exe.
Resources:
Recommended Windows Event IDs to Have at Hand During Cyber Incident Response
https://tryhackme.com/room/windowseventlogs
https://tryhackme.com/room/sysmon
https://docs.microsoft.com/en-us/windows/win32/eventlog/event-types
https://docs.microsoft.com/en-us/windows/win32/eventlog/eventlog-key