WEBVTT

0:00:03.880000 --> 0:00:06.280000
 Windows Event Logging.

0:00:06.280000 --> 0:00:12.840000
 So now that we have gotten an understanding
 of the types of log sources,

0:00:12.840000 --> 0:00:19.040000
 we can start diving into the first category
 or first type of log source,

0:00:19.040000 --> 0:00:24.940000
 which is endpoint logs, more specifically
 Windows Event Logs.

0:00:24.940000 --> 0:00:33.860000
 In this case, we're looking at not just
 the logs themselves, which will

0:00:33.860000 --> 0:00:39.540000
 actually take a closer look at as
 and when they become relevant.

0:00:39.540000 --> 0:00:44.020000
 There's no point me just going through
 all the various types of important

0:00:44.020000 --> 0:00:51.220000
 Windows Event Logs will be applying
 and adapting them when necessary.

0:00:51.220000 --> 0:00:57.040000
 So when we get to a video, Owen will
 be going through a practical example

0:00:57.040000 --> 0:01:02.640000
 of detecting and analyzing, let's say
 a malware attack that involves the

0:01:02.640000 --> 0:01:08.800000
 execution of a PowerShell script and
 techniques like process, hollowing,

0:01:08.800000 --> 0:01:10.520000
 so on and so forth.

0:01:10.520000 --> 0:01:17.660000
 We'll then cover the Windows Event
 Logs, Event Log IDs, I should say,

0:01:17.660000 --> 0:01:20.220000
 that are relevant to that
 type of activity.

0:01:20.220000 --> 0:01:24.500000
 But with this video, the idea is to
 understand Windows Event Logging,

0:01:24.500000 --> 0:01:25.760000
 which is quite important.

0:01:25.760000 --> 0:01:34.680000
 And really, I would say most individuals
 or professionals within the information

0:01:34.680000 --> 0:01:39.360000
 technology industry would be familiar.

0:01:39.360000 --> 0:01:45.620000
 If you've used Windows, you probably
 know what Windows events are or the

0:01:45.620000 --> 0:01:55.560000
 Windows Event Viewer is, but that is
 really not enough for an incident

0:01:55.560000 --> 0:02:01.140000
 responder. So let's get started by
 understanding what exactly Windows

0:02:01.140000 --> 0:02:03.220000
 Event Logging is.

0:02:03.220000 --> 0:02:08.540000
 So Windows Event Logging is a built-in,
 keyword, built-in mechanism that

0:02:08.540000 --> 0:02:13.800000
 is used by the Microsoft Windows operating
 system to record and store

0:02:13.800000 --> 0:02:19.180000
 information about system activity, application
 behavior, system events,

0:02:19.180000 --> 0:02:22.340000
 and other operating system operations.

0:02:22.340000 --> 0:02:27.120000
 So it's not just recording and storing
 information just about the operating

0:02:27.120000 --> 0:02:32.580000
 system itself. You also have application
 behavior security events, which

0:02:32.580000 --> 0:02:37.740000
 is sort of a category, a subcategory
 of Windows events, and pretty much

0:02:37.740000 --> 0:02:41.760000
 any other operating system operations
 to do with drivers, the kernel,

0:02:41.760000 --> 0:02:46.920000
 et cetera. So Windows Event Logging,
 by this point, as of me recording

0:02:46.920000 --> 0:02:53.040000
 this video with Windows 11 being the
 latest release, is arguably the best,

0:02:53.040000 --> 0:02:58.180000
 you know, is arguably the best when
 it comes to, you know, the operating

0:02:58.180000 --> 0:03:02.980000
 systems out there, not just in terms
 of the organization and the fact

0:03:02.980000 --> 0:03:09.140000
 that it's, by this point, already
 well known and understood.

0:03:09.140000 --> 0:03:13.260000
 But the granularity of the
 event logs themselves.

0:03:13.260000 --> 0:03:18.020000
 In any case, the key point is that
 these logs are a critical component

0:03:18.020000 --> 0:03:22.360000
 for system auditing, troubleshooting,
 and security monitoring.

0:03:22.360000 --> 0:03:26.640000
 And of course, we're primarily focused
 with security monitoring, right?

0:03:26.640000 --> 0:03:32.240000
 But as I said, we'll start diving deeper
 into that aspect in relation

0:03:32.240000 --> 0:03:41.040000
 to Windows Event Logs, specific, no pun
 intended, specific types of Windows

0:03:41.040000 --> 0:03:47.520000
 Event IDs that are, let's say, important
 or relevant to us as incident

0:03:47.520000 --> 0:03:53.000000
 responders. So that begs the question,
 you know, before we even start

0:03:53.000000 --> 0:04:01.160000
 exploring or memorizing Windows Event
 IDs, we need to understand how logging

0:04:01.160000 --> 0:04:02.180000
 works on Windows.

0:04:02.180000 --> 0:04:06.180000
 Now, that may seem relatively
 simple or straightforward.

0:04:06.180000 --> 0:04:10.000000
 You know, you do something like install
 software, and Windows somehow

0:04:10.000000 --> 0:04:19.340000
 logs that activity within the appropriate
 categories of events.

0:04:19.340000 --> 0:04:21.660000
 But that's not enough, really.

0:04:21.660000 --> 0:04:26.000000
 We also need to know where the event
 logs are stored, so on and so forth,

0:04:26.000000 --> 0:04:32.020000
 and what an event log, a Windows Event
 Log comprises of in terms of the

0:04:32.020000 --> 0:04:34.900000
 information contained therein.

0:04:34.900000 --> 0:04:38.320000
 So how logging works on Windows?

0:04:38.320000 --> 0:04:41.600000
 Well, it all starts with
 event generation, right?

0:04:41.600000 --> 0:04:47.660000
 So whenever an action occurs on the
 system, for example, a user logs in,

0:04:47.660000 --> 0:04:53.300000
 a service starts, or a file is modified,
 Windows generates an event or

0:04:53.300000 --> 0:04:58.840000
 an event log. Okay, now this event
 log or event includes the following

0:04:58.840000 --> 0:05:05.400000
 information. A unique event ID that
 is unique to Windows, right?

0:05:05.400000 --> 0:05:11.020000
 And it's the same for all Windows systems,
 so that means, you know, event

0:05:11.020000 --> 0:05:17.640000
 log 517 means an event log with the
 ID of 517 will mean the same thing

0:05:17.640000 --> 0:05:18.700000
 across different systems.

0:05:18.700000 --> 0:05:25.280000
 Of course, within a reasonable range
 in terms of date of release, which

0:05:25.280000 --> 0:05:26.440000
 is very important.

0:05:26.440000 --> 0:05:27.820000
 It also has a timestamp.

0:05:27.820000 --> 0:05:29.860000
 You can't have a log without a timestamp.


0:05:29.860000 --> 0:05:34.540000
 You need to know when the action was performed
 or when the action occurred.

0:05:34.540000 --> 0:05:41.300000
 So a full timestamp, you know, day,
 you know, pretty much the date, the

0:05:41.300000 --> 0:05:45.880000
 hour down to the second, right?

0:05:45.880000 --> 0:05:51.100000
 And we'll explore this when it becomes
 relevant with the actual time zone,

0:05:51.100000 --> 0:05:56.000000
 which, you know, is a very interesting
 thing when it comes down to, or

0:05:56.000000 --> 0:06:01.320000
 when you get to correlation and sort of
 trying to, you know, there's various

0:06:01.320000 --> 0:06:05.120000
 things to unpack there, but not to
 confuse you, that you then have the

0:06:05.120000 --> 0:06:08.780000
 source. An example would be, you know,
 Microsoft Windows security auditing

0:06:08.780000 --> 0:06:13.140000
 that tells you the source, right,
 where it's coming from.

0:06:13.140000 --> 0:06:16.140000
 And we will actually break
 that down shortly.

0:06:16.140000 --> 0:06:21.180000
 More importantly, you have a severity
 level, which actually in the case

0:06:21.180000 --> 0:06:27.380000
 of Windows, you know, takes, makes this
 very easy for a SIEM system to,

0:06:27.380000 --> 0:06:33.200000
 you know, make that, make
 that determination.

0:06:33.200000 --> 0:06:38.600000
 In other words, Windows does a very
 good job to begin with of assigning

0:06:38.600000 --> 0:06:42.640000
 or performing triage, you know,
 by setting a security level.

0:06:42.640000 --> 0:06:48.380000
 In this case, the labels you typically
 see are information, warning, error,

0:06:48.380000 --> 0:06:52.420000
 critical. They're pretty much self-explanatory.
 Information is what you'd

0:06:52.420000 --> 0:06:57.020000
 call. And, you know, it's just a standard
 event, right, as I described

0:06:57.020000 --> 0:07:01.180000
 it. So, you know, just normal activity.

0:07:01.180000 --> 0:07:05.340000
 And then you have warning, error, and
 critical, which, as said, we will

0:07:05.340000 --> 0:07:11.120000
 get to you then the Windows event log
 also contains, or I should say,

0:07:11.120000 --> 0:07:18.800000
 obviously contains the event data associated
 with, you know, it pretty

0:07:18.800000 --> 0:07:24.680000
 much contains information that
 led to the event being created.

0:07:24.680000 --> 0:07:26.980000
 So, the action occurs on the system.

0:07:26.980000 --> 0:07:30.980000
 Let's say file is modified, then it
 would create the data relevant to

0:07:30.980000 --> 0:07:35.900000
 the actual action, right, that triggered
 the creation of the event log.

0:07:35.900000 --> 0:07:39.900000
 So, in the case of a file being modified,
 it will contain information

0:07:39.900000 --> 0:07:44.700000
 like a user account, the process, the
 file that was modified, the file

0:07:44.700000 --> 0:07:49.400000
 path, when it was done, you know, in
 this case, there's also IP address,

0:07:49.400000 --> 0:07:55.020000
 etc. But that really applies to different
 types of actions that triggered

0:07:55.020000 --> 0:07:57.780000
 the creation of different
 types of event logs.

0:07:57.780000 --> 0:08:01.120000
 In other words, to simplify what I
 said, because I know that probably

0:08:01.120000 --> 0:08:07.020000
 confused you. The event data is going
 to be specific to the action that

0:08:07.020000 --> 0:08:09.740000
 led to the creation of said event log.

0:08:09.740000 --> 0:08:19.000000
 So, if the event log is, you know, one
 that is representative of a login,

0:08:19.000000 --> 0:08:24.880000
 then it's going to contain information
 or the event data that is critical

0:08:24.880000 --> 0:08:27.640000
 or relevant to that type
 of action or activity.

0:08:27.640000 --> 0:08:30.040000
 I.e. logging in.

0:08:30.040000 --> 0:08:32.680000
 You then have the event logging service.

0:08:32.680000 --> 0:08:35.380000
 So, you have step one event generation.

0:08:35.380000 --> 0:08:36.860000
 So, event log is generated.

0:08:36.860000 --> 0:08:39.240000
 You then have the logging service, right?


0:08:39.240000 --> 0:08:44.620000
 So, the Windows event log service, which
 is known as EventLog on Windows,

0:08:44.620000 --> 0:08:49.660000
 captures these events, because remember,
 you don't just want the event

0:08:49.660000 --> 0:08:50.440000
 to be generated.

0:08:50.440000 --> 0:08:52.840000
 You need them to be stored in Windows.

0:08:52.840000 --> 0:08:58.960000
 Again, stores these events quite well,
 at least in my opinion, right?

0:08:58.960000 --> 0:09:02.900000
 So, the Windows event log service, EventLog,
 as it's known, captures these

0:09:02.900000 --> 0:09:08.640000
 events and writes them to structured
 log files stored in the, is very

0:09:08.640000 --> 0:09:13.240000
 important, .evtx format of,
 you know, file extension.

0:09:13.240000 --> 0:09:20.480000
 In the, the computer's system
 directory or system root.

0:09:20.480000 --> 0:09:25.020000
 So, you know, you don't need necessarily
 need to have Windows installed

0:09:25.020000 --> 0:09:30.260000
 on the C drive. But in the case of
 this path here, it's assuming that

0:09:30.260000 --> 0:09:32.960000
 you have indeed installed
 Windows on the C drive.

0:09:32.960000 --> 0:09:36.720000
 So, under the C drive, you have the
 Windows directory under that.

0:09:36.720000 --> 0:09:38.520000
 You have System32.

0:09:38.520000 --> 0:09:42.460000
 The folder you're looking
 for is winevt.

0:09:42.460000 --> 0:09:45.400000
 So, win event, just an abbreviation.

0:09:45.400000 --> 0:09:47.400000
 And under that, you're
 going to have Logs.

0:09:47.400000 --> 0:09:52.420000
 And in there, you'll find different types
 of log files that have or stored

0:09:52.420000 --> 0:09:56.540000
 using the .evtx format.

0:09:56.540000 --> 0:10:00.780000
 You'll be able to easily identify them,
 you know, just through the, the

0:10:00.780000 --> 0:10:02.380000
 actual extension, right?

0:10:02.380000 --> 0:10:05.680000
 Fairly simple. You can actually try this
 out yourself on your own Windows

0:10:05.680000 --> 0:10:12.420000
 system. And that's the
 event logging service.

0:10:12.420000 --> 0:10:17.940000
 So, event is generated,
 is then logged or saved.

0:10:17.940000 --> 0:10:22.560000
 And then you have the, you know,
 storage and retention.

0:10:22.560000 --> 0:10:28.380000
 And this is sort of a further or
 an augmentation of the logging.

0:10:28.380000 --> 0:10:33.960000
 It's an augmentation
 of the previous step.

0:10:33.960000 --> 0:10:37.900000
 So, you know, once it's logged, which
 for all intents and purposes is,

0:10:37.900000 --> 0:10:40.740000
 you know, infers that it's being saved.

0:10:40.740000 --> 0:10:44.780000
 You then have the storage and retention
 aspect of it, which is very, very

0:10:44.780000 --> 0:10:49.640000
 important. So, you know, each log type,
 whether it be system security

0:10:49.640000 --> 0:10:54.300000
 system, application, etc, is stored
 in a separate .evtx file.

0:10:54.300000 --> 0:10:56.520000
 So, this is very, very important.

0:10:56.520000 --> 0:11:03.220000
 And this is where Microsoft or Windows,
 you know, introduces these categories

0:11:03.220000 --> 0:11:09.420000
 to, you know, sort of organize or distinguish
 different types of event

0:11:09.420000 --> 0:11:10.220000
 logs from the other event.

0:11:10.220000 --> 0:11:13.700000
 And each other, because you don't want
 them to, you know, all be in a

0:11:13.700000 --> 0:11:18.320000
 single file, in a single .evtx file
 called Windows event logs.

0:11:18.320000 --> 0:11:23.040000
 This way you're able to, and the reason
 this is done is obviously for

0:11:23.040000 --> 0:11:30.660000
 logic, logical distinction, but also
 it allows you the use of the computer

0:11:30.660000 --> 0:11:36.780000
 or incident responder or analyst to
 easily navigate to the category of

0:11:36.780000 --> 0:11:40.220000
 event logs that you want to analyze.

0:11:40.220000 --> 0:11:46.440000
 So, if you know that you're looking
 for system event logs, you just need

0:11:46.440000 --> 0:11:52.620000
 to navigate to that or just limit
 your analysis to that category.

0:11:52.620000 --> 0:11:56.560000
 And you may be asking yourself, well,
 how do I view Windows event logs?

0:11:56.560000 --> 0:11:59.520000
 Can I even view them on the system
 in which they're generated?

0:11:59.520000 --> 0:12:02.500000
 Well, yes. Most of you are probably
 familiar with the tool.

0:12:02.500000 --> 0:12:05.420000
 It's called the event viewer.

0:12:05.420000 --> 0:12:10.760000
 Right. And the key point here is that
 these logs can be rotated, archived,

0:12:10.760000 --> 0:12:18.380000
 or overwritten based on configured
 and custom configuration settings.

0:12:18.380000 --> 0:12:24.440000
 This configuration allows for customers
 customization of size, size limits.

0:12:24.440000 --> 0:12:30.400000
 So, you can say when the Windows event
 logs reach, you know, a particular

0:12:30.400000 --> 0:12:33.680000
 storage or actually consume a
 particular quota of storage.

0:12:33.680000 --> 0:12:37.900000
 That you configure, then
 they should be rotated.

0:12:37.900000 --> 0:12:42.120000
 You can also configure them to be
 archived, deleted or overwritten.

0:12:42.120000 --> 0:12:45.820000
 You can then utilize a retention
 policy to do this.

0:12:45.820000 --> 0:12:50.500000
 And this is very, very important for
 you to understand, you know, really

0:12:50.500000 --> 0:12:55.240000
 for any SOC analyst or if you're in
 the blue team to understand this,

0:12:55.240000 --> 0:12:59.760000
 that, you know, it's something that
 you need to factor in when you're

0:12:59.760000 --> 0:13:04.880000
 performing or when you're building out
 your security solutions and, you

0:13:04.880000 --> 0:13:08.920000
 know, your security monitoring solutions
 like your SIEM, you're actually

0:13:08.920000 --> 0:13:10.860000
 performing your log shipping.

0:13:10.860000 --> 0:13:16.660000
 You need to make a decision as to, you
 know, how far back you want, you

0:13:16.660000 --> 0:13:21.560000
 want systems to maintain their logs for.

0:13:21.560000 --> 0:13:27.680000
 You then have the process of
 accessing the logs, right.

0:13:27.680000 --> 0:13:31.440000
 And as I mentioned a few seconds ago,
 logs can be viewed and analyzed

0:13:31.440000 --> 0:13:37.980000
 to a certain extent, of course, with
 the Windows event viewer GUI.

0:13:37.980000 --> 0:13:43.200000
 And this is accessible using, you can
 just easily search for it on Windows

0:13:43.200000 --> 0:13:51.700000
 using search or you can use the run
 applet to execute it directly.

0:13:51.700000 --> 0:13:54.500000
 And you just type in eventvwr.msc.

0:13:54.500000 --> 0:13:57.640000
 And at the end of this video, I'll
 actually give you a practical demo

0:13:57.640000 --> 0:14:02.640000
 of this. You can also utilize
 PowerShell commands.

0:14:02.640000 --> 0:14:08.920000
 I should say cmdlets like Get-WinEvent,
 Get-EventLog, command line

0:14:08.920000 --> 0:14:16.940000
 tools like wevtutil, Windows event, you know,
 then of course, SIEM solutions.

0:14:16.940000 --> 0:14:20.360000
 This is something that comes later because
 you need to actually ship them

0:14:20.360000 --> 0:14:23.020000
 and we'll get to shipping because
 that's really exciting.

0:14:23.020000 --> 0:14:24.600000
 That's the good stuff.

0:14:24.600000 --> 0:14:29.360000
 That's when you actually get your operating
 system to send over this critical

0:14:29.360000 --> 0:14:32.000000
 information to your Seam.

0:14:32.000000 --> 0:14:39.260000
 And hopefully in a secure format in,
 you know, in a readable or, let's

0:14:39.260000 --> 0:14:42.260000
 say, analyzable format, but
 also securely, right.

0:14:42.260000 --> 0:14:45.160000
 You don't want those logs
 to be intercepted.

0:14:45.160000 --> 0:14:47.640000
 So very, very important there.

0:14:47.640000 --> 0:14:51.460000
 And now that brings us to the
 types of Windows event logs.

0:14:51.460000 --> 0:14:55.280000
 And here I'm referring to the
 categorization of them, right.

0:14:55.280000 --> 0:14:59.020000
 We'll not go too deep into the specifics
 and, you know, Windows event

0:14:59.020000 --> 0:15:03.540000
 IDs and what they mean for you as an
 incident responder because as I said,

0:15:03.540000 --> 0:15:08.280000
 it's not really wouldn't make that much
 sense if we did that right now.

0:15:08.280000 --> 0:15:12.940000
 And, you know, I am really not
 a fan of rote memorization.

0:15:12.940000 --> 0:15:18.340000
 I found from my experience that I actually
 was able to easily remember,

0:15:18.340000 --> 0:15:22.300000
 you know, specific Windows event IDs
 and, you know, correlate them to

0:15:22.300000 --> 0:15:27.560000
 specific activity by actually, you
 know, when I was actually doing the

0:15:27.560000 --> 0:15:32.840000
 analysis. And through time, you know,
 that, you know, for example, you

0:15:32.840000 --> 0:15:37.220000
 know, this Windows event ID means that
 this was performed and so on and

0:15:37.220000 --> 0:15:41.040000
 so forth. So the point is you don't
 need to know all of them.

0:15:41.040000 --> 0:15:45.260000
 You just need to know, you know, the
 key ones or the ones that are, you

0:15:45.260000 --> 0:15:50.800000
 know, likely indicators of
 something fishy going on.

0:15:50.800000 --> 0:15:52.840000
 So types of Windows event logs.

0:15:52.840000 --> 0:15:55.580000
 The first is, you know,
 security logs, right.

0:15:55.580000 --> 0:16:01.940000
 If you use the Windows event viewer,
 which will go through shortly, I'll,

0:16:01.940000 --> 0:16:05.580000
 you know, show you this
 in a virtual machine.

0:16:05.580000 --> 0:16:09.400000
 You'll actually see that you have,
 they're categorized in or organized

0:16:09.400000 --> 0:16:11.400000
 in folders. You have
 security logs, right.

0:16:11.400000 --> 0:16:16.120000
 So these are related, these logs are
 related to system access, log in,

0:16:16.120000 --> 0:16:18.780000
 log out activity or authentication
 activity.

0:16:18.780000 --> 0:16:19.620000
 Very, very important.

0:16:19.620000 --> 0:16:24.000000
 If you're, you can actually test this
 out, you know, when a Windows system

0:16:24.000000 --> 0:16:30.460000
 is undergoing a brute force attack, that's
 the first place to look, right,

0:16:30.460000 --> 0:16:35.940000
 for log in, log out activity or broadly
 speaking authentication related

0:16:35.940000 --> 0:16:39.060000
 activity. Also, very important.

0:16:39.060000 --> 0:16:43.140000
 A lot of people don't really, they
 always think account management act

0:16:43.140000 --> 0:16:48.620000
 logs would be under the system logs
 category, but they're under security

0:16:48.620000 --> 0:16:51.660000
 logs. So account management
 and privilege use.

0:16:51.660000 --> 0:16:57.100000
 So privilege use is very important because
 this is where you find, this

0:16:57.100000 --> 0:17:03.280000
 is where you find logs relating to activity
 of elevation of privileges,

0:17:03.280000 --> 0:17:05.700000
 changes of a working privilege set.

0:17:05.700000 --> 0:17:07.100000
 Don't worry what that means.

0:17:07.100000 --> 0:17:09.760000
 If you're not familiar with
 that, we'll get to that.

0:17:09.760000 --> 0:17:11.360000
 So very, very important.

0:17:11.360000 --> 0:17:15.060000
 And then you have a, you know, it
 is controlled via audit policy.

0:17:15.060000 --> 0:17:19.260000
 So again, on Windows, depending on whether,
 you know, you're working on

0:17:19.260000 --> 0:17:23.160000
 a, you're using a Windows system that's
 just, you know, independent, it's

0:17:23.160000 --> 0:17:26.760000
 not connected to an active directory
 domain or anything like this.

0:17:26.760000 --> 0:17:31.720000
 Local policy group policy regardless
 of that within, you know, your local

0:17:31.720000 --> 0:17:35.980000
 policy or the group policy in AD, you're
 going to have your audit account

0:17:35.980000 --> 0:17:37.460000
 audit policies, right?

0:17:37.460000 --> 0:17:42.420000
 And this, you can actually
 control that from there.

0:17:42.420000 --> 0:17:48.400000
 So controlled by audit policies managed
 by the security auditing subsystem,

0:17:48.400000 --> 0:17:55.520000
 right, in Windows or, you know,
 SAS security auditing subsystem.

0:17:55.520000 --> 0:17:59.820000
 And then I've listed here some common
 event, some common event IDs like

0:17:59.820000 --> 0:18:04.860000
 4624. That's a successful logon
 on most Windows systems.

0:18:04.860000 --> 0:18:09.000000
 And I'm saying most because I'm not
 sure if there was a change from the

0:18:09.000000 --> 0:18:13.960000
 earlier versions, like I'm talking,
 you know, XP and prior or older.

0:18:13.960000 --> 0:18:18.720000
 But XP onwards, I believe these
 are have remained the same.

0:18:18.720000 --> 0:18:22.380000
 So that means this is the really cool
 thing about Windows event logging

0:18:22.380000 --> 0:18:26.440000
 is that I, you know, I'm currently
 on one Windows system right now.

0:18:26.440000 --> 0:18:31.560000
 And if I go into a VM or onto my laptop,
 successful log on will always

0:18:31.560000 --> 0:18:38.160000
 have the event ID of 4624,
 failed one 4625, 4670.

0:18:38.160000 --> 0:18:41.600000
 That means, you know, permissions
 on object changed.

0:18:41.600000 --> 0:18:46.600000
 We'll get into what object means because
 Microsoft has their own language

0:18:46.600000 --> 0:18:52.180000
 or parlance to describe various aspects
 or components of the operating

0:18:52.180000 --> 0:18:55.040000
 system, a file system,
 so on and so forth.

0:18:55.040000 --> 0:19:00.100000
 And then, you know, another example
 is 4688 process created.

0:19:00.100000 --> 0:19:02.360000
 That may not be that important.

0:19:02.360000 --> 0:19:05.180000
 What you're looking for specific
 processes, right?

0:19:05.180000 --> 0:19:13.020000
 So that's where you typically see PowerShell
 is usually the type of the

0:19:13.020000 --> 0:19:17.360000
 the PowerShell logs are usually the
 most important because again, a lot

0:19:17.360000 --> 0:19:23.640000
 of malicious activity on Windows is facilitated
 through or via PowerShell.

0:19:23.640000 --> 0:19:27.020000
 Not always. Of course,
 I'm generalizing here.

0:19:27.020000 --> 0:19:29.200000
 You then have system logs, right?

0:19:29.200000 --> 0:19:32.780000
 So the second folder and not
 sequentially second folder.

0:19:32.780000 --> 0:19:34.900000
 This is your system logs.

0:19:34.900000 --> 0:19:40.860000
 So these are events logged by Windows
 system components and drivers example,

0:19:40.860000 --> 0:19:42.780000
 you know, kernel drivers services.

0:19:42.780000 --> 0:19:48.520000
 So this is where you know, if you have
 an unexpected shutdown, that's,

0:19:48.520000 --> 0:19:50.020000
 that's where you want to look.

0:19:50.020000 --> 0:19:55.300000
 If you're monitoring Windows startup,
 that's where you want to look.

0:19:55.300000 --> 0:19:59.920000
 So as it says, they're useful for troubleshooting
 hardware or operating

0:19:59.920000 --> 0:20:03.380000
 system level issues.

0:20:03.380000 --> 0:20:06.760000
 And, you know, the common event sources,
 you know, service control manager,

0:20:06.760000 --> 0:20:11.040000
 NTFS, the kernel general, essentially the
 components of the Windows operating

0:20:11.040000 --> 0:20:15.700000
 system that are relevant here
 or in this particular case.

0:20:15.700000 --> 0:20:21.720000
 So as I said, the common event sources
 would be the S the service control

0:20:21.720000 --> 0:20:30.440000
 manager, NTFS system, kernel general,
 there's a couple of others, so on

0:20:30.440000 --> 0:20:34.020000
 and so forth. And then you
 have your application logs.

0:20:34.020000 --> 0:20:40.820000
 So these are events written by user
 mode or user space applications, not

0:20:40.820000 --> 0:20:41.720000
 really user mode.

0:20:41.720000 --> 0:20:44.980000
 That's an outdated user
 space application.

0:20:44.980000 --> 0:20:49.660000
 So think of any of the programs you
 have on your taskbar, any programs

0:20:49.660000 --> 0:20:54.400000
 you've installed on your Windows system
 that operate in user, user space,

0:20:54.400000 --> 0:21:03.660000
 right? You know, like your browser, like
 Microsoft Office one and so forth,

0:21:03.660000 --> 0:21:08.700000
 right? So the application logs folder
 within Event Viewer, I'm using that

0:21:08.700000 --> 0:21:12.560000
 so I can give you sort
 of a visual aid there.

0:21:12.560000 --> 0:21:17.320000
 You know, that particular folder you
 typically find, you know, logs or

0:21:17.320000 --> 0:21:22.180000
 events related to, you know,
 applications, programs, etc.

0:21:22.180000 --> 0:21:27.260000
 So in here you may find event logs that
 contain error messages, failures,

0:21:27.260000 --> 0:21:31.140000
 warnings or custom application
 logs or logging, right?

0:21:31.140000 --> 0:21:38.000000
 An example sources here would be like
 Microsoft Exchange logs from the

0:21:38.000000 --> 0:21:44.420000
 .NET runtime, SQL Server on, you
 know, a Windows Server system.

0:21:44.420000 --> 0:21:45.540000
 Very, very important SQL.

0:21:45.540000 --> 0:21:49.360000
 So there's a reason I put that there
 because a lot of people forget about

0:21:49.360000 --> 0:21:52.280000
 forget about the application logs.

0:21:52.280000 --> 0:21:58.420000
 And that's kind of hilarious because
 applications are really the only

0:21:58.420000 --> 0:22:01.380000
 reason many people use their computer.

0:22:01.380000 --> 0:22:05.420000
 I mean, what's the point of Windows if
 you know, you can't install programs

0:22:05.420000 --> 0:22:11.100000
 on it? So, you know, you need to sort
 of shift it from now looking at

0:22:11.100000 --> 0:22:15.100000
 Windows from, you know, a single user
 perspective to let's say Windows

0:22:15.100000 --> 0:22:18.740000
 server where it's actually being
 used to host different services.

0:22:18.740000 --> 0:22:22.660000
 Regardless as to who the vendor is, you
 know, whether it's Microsoft, Oracle,

0:22:22.660000 --> 0:22:27.820000
 Apache, you know, MySQL, etc.

0:22:27.820000 --> 0:22:31.960000
 As long as that system is serving a purpose
 and is serving a purpose through

0:22:31.960000 --> 0:22:36.540000
 applications, those applications
 need to be monitored.

0:22:36.540000 --> 0:22:39.580000
 And the only way they can be monitored,
 not the only way, but the primary

0:22:39.580000 --> 0:22:43.040000
 way they can be monitored is through
 their logs because their logs will

0:22:43.040000 --> 0:22:47.500000
 tell you about how they're operating,
 whether there's been any errors,

0:22:47.500000 --> 0:22:52.780000
 who's done what, you know, when
 it was done, so on and so forth.

0:22:52.780000 --> 0:22:56.100000
 Then you have another type of Windows
 event log and that's your setup

0:22:56.100000 --> 0:23:01.380000
 logs. And as the name suggests, these
 are your installation related logs.

0:23:01.380000 --> 0:23:05.220000
 So this is where you find, you know,
 logs pertinent to Windows updates

0:23:05.220000 --> 0:23:07.180000
 or systems setup components.

0:23:07.180000 --> 0:23:11.040000
 Of course, you know, we've sort of spent
 a lot of time in this video going

0:23:11.040000 --> 0:23:13.920000
 over them theoretically.

0:23:13.920000 --> 0:23:17.060000
 Of course, a lot of detail and hopefully
 this has helped you understand

0:23:17.060000 --> 0:23:20.820000
 the differences between the
 types of Windows event logs.

0:23:20.820000 --> 0:23:26.140000
 But I probably in the next video will
 really will have a short demo of

0:23:26.140000 --> 0:23:31.280000
 what this looks like on Windows so you
 can actually contextualize whatever

0:23:31.280000 --> 0:23:33.920000
 we've covered here.

0:23:33.920000 --> 0:23:39.620000
 And then last but not least, the one
 that a lot of people don't understand

0:23:39.620000 --> 0:23:44.500000
 to begin with or when they're, you know,
 getting into Windows event logging

0:23:44.500000 --> 0:23:46.720000
 is the four dead events.

0:23:46.720000 --> 0:23:48.720000
 What on earth does this mean?

0:23:48.720000 --> 0:23:50.260000
 What is all of this about?

0:23:50.260000 --> 0:23:56.400000
 Well, this can be very hard to understand
 if, as I said, you're using,

0:23:56.400000 --> 0:24:00.340000
 you only usage of Windows is restricted
 to your own computer that's not

0:24:00.340000 --> 0:24:02.480000
 connected to another Windows event.

0:24:02.480000 --> 0:24:03.340000
 So you can use a Windows computer

0:24:03.340000 --> 0:24:04.740000
 or anything like that.

0:24:04.740000 --> 0:24:08.540000
 But if you're in an office or an enterprise
 environment, this becomes

0:24:08.540000 --> 0:24:13.840000
 relevant. So forwarded events are sort of
 a centralized collection of events

0:24:13.840000 --> 0:24:15.720000
 from remote Windows systems.

0:24:15.720000 --> 0:24:17.940000
 So other Windows systems are.

0:24:17.940000 --> 0:24:22.460000
 So you may be asking, well, why on earth
 would other Windows systems be

0:24:22.460000 --> 0:24:25.620000
 sending their logs to me
 or to this computer?

0:24:25.620000 --> 0:24:28.740000
 Well, we, this is not really
 important right now.

0:24:28.740000 --> 0:24:34.100000
 There are many reasons for doing that,
 which as I said, will become apparent

0:24:34.100000 --> 0:24:38.380000
 when we get to log shipping or
 that section of the course.

0:24:38.380000 --> 0:24:46.280000
 In any case, this requires Windows event
 forwarding, or WEF as it is abbreviated,

0:24:46.280000 --> 0:24:50.180000
 and a configured subscription manager.


0:24:50.180000 --> 0:24:53.780000
 Okay, I'll not dive too deep
 into Forwarded Events, right?

0:24:53.780000 --> 0:24:57.860000
 Because again, it's not really
 the ideal starting point.

0:24:57.860000 --> 0:24:59.420000
 Just think of it.

0:24:59.420000 --> 0:25:01.000000
 You'll see the folder in Event Viewer.

0:25:01.000000 --> 0:25:04.080000
 If you actually open up, if you open
 it up in your Windows system right

0:25:04.080000 --> 0:25:09.140000
 now, you'll see that category or that
 folder for Forwarded Events, right?

0:25:09.140000 --> 0:25:14.140000
 And it's not really an ideal starting
 point to understand Windows event

0:25:14.140000 --> 0:25:18.740000
 logging. Remember, I'm referring
 to the whole process here.

0:25:18.740000 --> 0:25:24.140000
 All right, so as said last but not least,
 we also have additional logs,

0:25:24.140000 --> 0:25:28.200000
 right? So these are by Microsoft
 or third party tools.

0:25:28.200000 --> 0:25:29.320000
 This is very important.

0:25:29.320000 --> 0:25:34.500000
 This isn't really a lot of the stuff
 we'll be exploring with regards to

0:25:34.500000 --> 0:25:38.760000
 security monitoring and detection engineering
 have a lot to do with this.

0:25:38.760000 --> 0:25:41.720000
 So firstly, you have Sysmon logs.

0:25:41.720000 --> 0:25:44.880000
 So Sysmon don't need to
 introduce it right now.

0:25:44.880000 --> 0:25:47.140000
 I will. So don't worry about that.

0:25:47.140000 --> 0:25:53.200000
 Sysmon is a utility that allows you
 to augment or take a Windows event

0:25:53.200000 --> 0:25:55.980000
 logging to the next level.

0:25:55.980000 --> 0:26:01.560000
 Okay, so as the description here states,
 deep process network and driver

0:26:01.560000 --> 0:26:06.320000
 monitoring, and this is facilitated
 by the Sysinternals suite of tools.

0:26:06.320000 --> 0:26:10.620000
 The tool in particular is Sysmon.

0:26:10.620000 --> 0:26:15.800000
 In addition to that, you also have
 some extremely valuable event logs

0:26:15.800000 --> 0:26:19.820000
 here, regardless as to whether you're
 looking at them from the perspective

0:26:19.820000 --> 0:26:25.820000
 of a security monitoring, and those
 are the Windows Defender logs.

0:26:25.820000 --> 0:26:28.260000
 Right, so you may have been asking
 yourself in the previous video when

0:26:28.260000 --> 0:26:30.700000
 I introduced log sources.

0:26:30.700000 --> 0:26:34.820000
 Where does my antivirus save its logs?

0:26:34.820000 --> 0:26:37.060000
 Let's use Windows Defender as an example.


0:26:37.060000 --> 0:26:40.180000
 Well, they're stored in
 the additional logs.

0:26:40.180000 --> 0:26:43.400000
 That's not what it's called, but
 you'll find them in there.

0:26:43.400000 --> 0:26:45.180000
 So Windows Defender logs.

0:26:45.180000 --> 0:26:50.520000
 You also have your PowerShell operational
 logs and terminal services logs.

0:26:50.520000 --> 0:26:54.320000
 You don't really need to understand
 the importance of terminal services

0:26:54.320000 --> 0:26:56.700000
 logs right now, but you do.

0:26:56.700000 --> 0:27:02.180000
 And as a result, we will give these
 logs their due respect by covering

0:27:02.180000 --> 0:27:07.000000
 them in their own video as and when
 they become applicable, because if

0:27:07.000000 --> 0:27:11.020000
 I give you, if I dump everything into
 one video and we try and cover Windows

0:27:11.020000 --> 0:27:16.440000
 event logs and event log event IDs, you
 know, it'll end up confusing you.

0:27:16.440000 --> 0:27:19.920000
 So let's take this one bit,
 one step at a time.

0:27:19.920000 --> 0:27:24.160000
 To end this video, let's take a look
 at some of the use cases in Incident

0:27:24.160000 --> 0:27:28.300000
 Response. Or what are the use cases
 if they're not obvious already off

0:27:28.300000 --> 0:27:33.100000
 Windows event logging or Windows
 event logs in Incident Response?

0:27:33.100000 --> 0:27:38.100000
 Well, obviously, based on the categories
 I have described, I have hitherto

0:27:38.100000 --> 0:27:40.600000
 described, you have user
 behavior monitoring.

0:27:40.600000 --> 0:27:46.340000
 So you can monitor login patterns,
 login authentication attempts as a

0:27:46.340000 --> 0:27:50.560000
 result of that, you know, detect unauthorized
 access or brute force attacks,

0:27:50.560000 --> 0:27:52.200000
 stuff like this.

0:27:52.200000 --> 0:27:54.060000
 Process tracking or monitoring.

0:27:54.060000 --> 0:27:57.820000
 So you can monitor suspicious or
 unexpected program execution.

0:27:57.820000 --> 0:28:05.320000
 In this case, referring to heuristic
 or behavioral analysis or, you know,

0:28:05.320000 --> 0:28:10.280000
 comparison to a predefined
 baseline of activity.

0:28:10.280000 --> 0:28:15.540000
 So bottom line is if, you know, you've
 sort of got an idea of what is

0:28:15.540000 --> 0:28:20.020000
 the typical, you know, what the typical
 programs are that are executed

0:28:20.020000 --> 0:28:21.360000
 on a particular system.

0:28:21.360000 --> 0:28:25.780000
 And all of a sudden one day someone
 is installing a very, you know, a

0:28:25.780000 --> 0:28:28.920000
 piece of software, they're running
 a PowerShell script.

0:28:28.920000 --> 0:28:33.180000
 That's something that
 needs investigation.

0:28:33.180000 --> 0:28:38.500000
 You then you can also monitor for privilege
 abuse, you know, privilege

0:28:38.500000 --> 0:28:39.720000
 abuse detection.

0:28:39.720000 --> 0:28:43.780000
 So monitor admin group changes, token
 abuse, there's, you know, a lot

0:28:43.780000 --> 0:28:47.880000
 in there that I'm not sort of expounding
 or expanding on right now.

0:28:47.880000 --> 0:28:49.080000
 But it will become apparent.

0:28:49.080000 --> 0:28:53.300000
 You also have the ability
 to trace lateral movement.

0:28:53.300000 --> 0:28:59.600000
 So you can monitor remote access via
 the authentication mechanisms or

0:28:59.600000 --> 0:29:02.300000
 protocols that you have exposed
 on the Windows system.

0:29:02.300000 --> 0:29:08.080000
 So if you have RDP enabled, then you can
 monitor RDP authentication attempts,

0:29:08.080000 --> 0:29:11.260000
 both successful and failed.

0:29:11.260000 --> 0:29:15.820000
 Likewise, the same for the Windows
 Remote Management protocol, WinRM,

0:29:15.820000 --> 0:29:19.700000
 very, very important, very, very common
 in enterprise environments for

0:29:19.700000 --> 0:29:20.440000
 various reasons.

0:29:20.440000 --> 0:29:25.800000
 And then of course you can also
 discover persistence mechanisms.

0:29:25.800000 --> 0:29:32.420000
 For example, by monitoring the creation
 of and/or execution of scheduled

0:29:32.420000 --> 0:29:37.640000
 tasks, service installation, service
 starts, service stops.

0:29:37.640000 --> 0:29:44.100000
 Very, very important because a lot
 of the malicious behavior

0:29:44.100000 --> 0:29:47.540000
 and activities and binaries
 or executables.

0:29:47.540000 --> 0:29:56.160000
 In some cases, you know, will rely on
 the service manager for execution.

0:29:56.160000 --> 0:30:00.200000
 And of course, I'm just giving
 a very basic example there.

0:30:00.200000 --> 0:30:02.520000
 But with that being said, that's
 going to be it for this video.

0:30:02.520000 --> 0:30:06.680000
 I don't want to go through the demo right
 now because you know, this video

0:30:06.680000 --> 0:30:10.700000
 is long enough. So we'll I will go.

0:30:10.700000 --> 0:30:15.200000
 I'll give you a demo of, you know, Windows
 event logging in the next video.

0:30:15.200000 --> 0:30:18.640000
 So with that being said, that's going
 to be it for this video and I will

0:30:18.640000 --> 0:30:20.500000
 be seeing you in the next video.

