Hey folks, Today i will talk about How Windows Logging Work
Let’s Dive in!!
First of all we should know the Importance of Understanding Log Collection.
we know that log collection is SIEM’s duty but as an analyst that want to improve his capability you should know how your windows store these logs and how to see it real-time and how to read it…etc
1- improve your capability as an analyst not just an analyst who uses some tools without know the root about these tools.
2- Understanding logs is understanding the available tools.
so let’s get back to answer the question:
Logs are records of events that happen in your computer, either by a person or by a running process. They help you track what happened and troubleshoot problems.
Event Viewer
The Windows Event Logs are not text files that can be viewed using a text editor. However, the data are XML-formatted .evtx
files and they stored in C:\Windows\System32\winevt\Logs
- Note: File must be interpreted with tool
- Cannot read directly like linux log text files
There are 3 main ways of accessing these event logs within a Windows system:
- Event Viewer (GUI-based application)
- Wevtutil.exe (command-line tool)
- Get-WinEvent (PowerShell cmdlet)
i will explain Event Viewer and Get-WinEvent, let’s talk about event viewer first
we can open it using windows search and type event viewer or you can right-click on windows icon and select event viewer or we can use CLI and type eventvwr.msc
so after open event viewer we will see the following:
Event Viewer has an intuitive user interface. The main screen is divided into three sections:
- The pane on the left provides a hierarchical tree listing of the event log providers and they called ( channels ).
- The pane in the middle will either display a general overview and summary or the events specific to a selected channel.
- The pane on the right is the actions pane.
1- Channels Pane
The Channels pane is where you choose the event log to view. By default, there are five channels of Windows logs More info Microsoft :
Application – Information logged by applications hosted on the local machine.
Security – Information related to login attempts (success and failure), elevated privileges, and other audited events.
Setup – Messages generated when installing and upgrading the Windows operating system. If the Windows system is a domain controller, those messages are also logged here.
System – Messages generated by the Windows operating system.
Forwarded Events – Events forwarded by other computers when the local machine is functioning as a central subscriber.
There is also a section for Applications and Services Logs, including channels for Hardware Events, Internet Explorer and Windows PowerShell events, windows defender events..etc, you better take a look by yourself.
actually these channels are files they are .evtx
files stored in your system you can try to read them by right-clicking on any channel then choose properties you will see all the details about the channel
One other thing you should know before dive into next pane, What is the Windows Log Path?
From prev photo we noticed that there is something in the middle called Windows Event Log Service, this the service that allowed the windows to record all your logs so if you want to know if it enabled or no you can check it by typing Services in windows search and navigate to windows event log and you should see the following
if you noticed it is enabled by default and in the left the description of the service and what it does,
after gets the data will filter the data based on their channels and we have discussed the channels… for example: found a logon attempt so it will put the log in the security
channel because this channel is holding the logon attempts success and failure and so on… Let’s Continue
2- Detail pane
There are 5 types of events that can be logged. Below is a table from docs.microsoft.com providing a brief description for each.
Each event has a type Level:
Focus your attention on the middle pane. Remember from earlier that this pane will display the events specific to a selected provider
In this case, Security Channel.
select security channel.
This section has 2 tabs: General and Details.
- General is the default view, and the rendered data is displayed.
- The Details view has 2 options: Friendly view and XML view.
in XML view this what the log actually looks like, and if you want to see the real fields that your SIEM agent will picking up and dealing with they are inside XML view
Now Let’s Dive into Practical Example.
as an analyst i want to see the logon attempts that will happen on my PC either success and failure
First thing i have to know what Information Gets Written, to know if it configured or not, these are the sources the logs getting written from
as I said I want to know the logon attempts so from prev photo i should go to Local Security Policy and search for logon service to configure it to audit the logon attempts:
it is not configured so i have to configure it: right-click on it then properties
first let’s navigate to explain section to see what is does
it allows me to audit all events that are belong to logon attempts on the computer…
that what we’re looking for, next thing is to configure it on success and failure attempts from policy section.
mark this 2 options to audit success and failure and now let’s try to login
there are no logs yet now i will lock my pc and try to login but i will type wrong password 1 time to see the both success and failure logs.
now i got a lot of logs
Note: success and failure each of them has a unique EventID that you can use it to get all the events related to them
this a list of Microsoft Event IDS Microsoft
Event ID | Potential Criticality | Event Summary |
4624 | Low | An account was successfully logged on. |
4625 | Low | An account failed to log on. |
now i can use 4625 to see the failure login attempts.
i got 1 log after filtering the logs which includes these details
Failure Reason: is reason that happened to make the process failed like in login i typed wrong password, take a look at all the highlighted texts and understand it well.
now time to see the success log details using this event id: 4624
i got many more logs but we will depend on the time
If you noticed i highlighted common thing between them something called: Logon Type: 5 or 2
what is the logon type then: the type of logon which was performed. The table below contains the list of possible values for this field.
I Will Leave to You the Last pane discover it by yourself and now let’s move to something else
New Scheduled Task Event ID: 4698
Event ID | Potential Criticality | Event Summary |
4698 | Low | A scheduled task was created. |
4699 | Low | A scheduled task was deleted. |
4700 | Low | A scheduled task was enabled. |
4701 | Low | A scheduled task was disabled. |
4702 | Low | A scheduled task was updated. |
Service Creation: Windows Event ID 7045
Actually this Event ID is not listed in Microsoft Events ID but Service Creation is another way the attackers use for persistence or use the computer resources for mining cryptocurrency
USB Plug & Play: Event ID 6416
In order to track if there is any devices that plugged in into your PC follow those steps:
1- Enable the USB Logging option by accessing the Event Viewer:
By going to Local Security Policy
read the explain first to know what is does and then enable success and failure
now back to event viewr and use the Event ID
Windows Defender: Event IDs 1006 / 1116
This an example for windows defender when i ran a malicious file on my pc and i was enable real-time protection windows defender made an alert and log this event you can see windows defender logs from
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
PowerShell Logs: Windows Event ID 4104
So First we need to turn audit policy on by follow those steps:
1- go to edit group policy > Administrative Templates > Windows Components > Windows PowerShell
2- we will pick Turn on PowerShell Script Block Logging
then turn it on like this
after this back to event viewer and navigate to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational
to see the logs, once you opened the powershell and filter the logs by its event id yo’ll notice that there is a log has fade in it tells you powershell opened
then write any command in my case i will use whoami
BONUS
if you arrived here, i want to tell you good job you made a big progress 😃
Last thing in this topic about Get-WinEvent
PowerShell Command
If you want to get Details For Specific Event ID you can use the following commands:
$logs = Get-WinEvent -ListProvider Microsoft-Windows-Security-Auditing
then:
$logs.events | where-object {$_.id -eq EVENT_ID} | fl *
– Don’t Forget to Replace EVENT_ID with the event id that you want to get data about.
Channels of Interest for the analyst
Mapping ATT&CK to Windows Event IDs
Indicators of attack (IOA) uses security operations to identify risks and map them to the most appropriate attack. In order to address different security scenarios with your SIEM, the link below maps Windows Event ID by tactic and technique.
©️ Author/Credits: @mdecrevoisier
EVTX-to-MITRE-Attack
Summary
—
– Resources i used for this topic
– Thanks For Reading..