WEBVTT

0:00:03.980000 --> 0:00:07.340000
 Windows Event Logging, a practical demo.

0:00:07.340000 --> 0:00:14.540000
 So building on the previous video where
 we took a theoretical look at

0:00:14.540000 --> 0:00:21.800000
 Windows Event Logging, as a process,
 not focusing on specific types of

0:00:21.800000 --> 0:00:29.540000
 Windows Event Logs or Windows Event IDs,
 we're now going to contextualize

0:00:29.540000 --> 0:00:34.040000
 what we covered in that video by taking
 a look at the Windows Event Logging

0:00:34.040000 --> 0:00:37.120000
 process as a whole practically.

0:00:37.120000 --> 0:00:41.220000
 So I'm going to be using a Windows
 Virtual Machine to run through this

0:00:41.220000 --> 0:00:50.120000
 demo. And the idea is again just to
 put a face to a name as it were and

0:00:50.120000 --> 0:00:53.760000
 sort of tie together what we covered
 in the previous video in a more

0:00:53.760000 --> 0:00:54.660000
 practical sense.

0:00:54.660000 --> 0:00:59.440000
 So you can follow along if you want
 to on your own Windows system.

0:00:59.440000 --> 0:01:04.120000
 Again, we're not going to do anything
 malicious here, but just understand

0:01:04.120000 --> 0:01:09.680000
 how everything works, where everything
 is, and sort of show you how it

0:01:09.680000 --> 0:01:11.160000
 works in real time.

0:01:11.160000 --> 0:01:15.980000
 So I'm going to switch over to the Windows
 system and we can get started.

0:01:15.980000 --> 0:01:22.240000
 All right, so I'm currently on my
 Windows Virtual Machine here.

0:01:22.240000 --> 0:01:30.040000
 And first things first, as I mentioned
 in the previous video, to me, the

0:01:30.040000 --> 0:01:35.280000
 most important, or the correct starting
 point is to give you an idea as

0:01:35.280000 --> 0:01:38.680000
 to where the Windows Event
 Logs are stored.

0:01:38.680000 --> 0:01:43.580000
 So if you remember in the slides in
 the previous video, I mentioned that

0:01:43.580000 --> 0:01:48.980000
 you can find them typically under Windows,
 so your system root as it were.

0:01:48.980000 --> 0:01:51.320000
 Let me just correct that,
 your system root.

0:01:51.320000 --> 0:01:56.400000
 So the root of your C drive, or the drive
 where you've installed Windows, on

0:01:56.400000 --> 0:02:00.260000
 that drive you're going to have a
 Windows folder. Under this folder,

0:02:00.260000 --> 0:02:05.740000
 you want to look for the infamous
 System32 folder, like so.

0:02:05.740000 --> 0:02:11.100000
 And in here, you're looking for another
 folder called winevt, or Windows

0:02:11.100000 --> 0:02:15.680000
 Event. As it were, it's of course
 in abbreviated format.

0:02:15.680000 --> 0:02:18.400000
 So we can actually scroll
 to the bottom here.

0:02:18.400000 --> 0:02:20.340000
 There we are. There it is.

0:02:20.340000 --> 0:02:24.320000
 And in here, you're going
 to have your logs folder.

0:02:24.320000 --> 0:02:26.640000
 So that's where the Windows
 Event Logs are stored.

0:02:26.640000 --> 0:02:29.640000
 And I want you to pay
 very close attention.

0:02:29.640000 --> 0:02:35.260000
 What I'll do here is I'll go into the
 options and let me go into view

0:02:35.260000 --> 0:02:38.960000
 and I'm going to show the extensions.

0:02:38.960000 --> 0:02:41.520000
 We want to disable hide extensions.

0:02:41.520000 --> 0:02:43.920000
 There we are. You can actually
 see it for yourself.

0:02:43.920000 --> 0:02:45.580000
 You can see it right here.

0:02:45.580000 --> 0:02:52.520000
 .evtx. Okay. And what this means, really,
 you can see that it has an application

0:02:52.520000 --> 0:02:56.320000
 thumbnail and that application is the
 Windows Event Viewer, which means

0:02:56.320000 --> 0:03:02.060000
 you can directly open up the, you know,
 pretty much any and all of these

0:03:02.060000 --> 0:03:06.740000
 Windows Event Log files using the
 Windows Event Viewer, which means,

0:03:06.740000 --> 0:03:10.260000
 and this is very important because
 a lot of people don't realize this

0:03:10.260000 --> 0:03:12.880000
 or don't understand the
 implication of this.

0:03:12.880000 --> 0:03:20.180000
 is I can copy over, you know, all
 or a specific Windows Event Log

0:03:20.180000 --> 0:03:22.500000
 file here or Evtx file.

0:03:22.500000 --> 0:03:26.060000
 I can copy it from this system onto
 another Windows system and then use

0:03:26.060000 --> 0:03:30.020000
 the Windows Event Viewer on that system
 to view the Windows Event Logs of

0:03:30.020000 --> 0:03:35.400000
 this system. And that's really cool,
 at least in my opinion, right?

0:03:35.400000 --> 0:03:39.640000
 So now that we've sort of, you know,
 brought it up, the Windows Event

0:03:39.640000 --> 0:03:44.660000
 Viewer, as I said, you can search for it
 by typing "event" and it'll bring

0:03:44.660000 --> 0:03:46.180000
 it up. There it is.

0:03:46.180000 --> 0:03:55.100000
 Or alternatively, you can use the run
 applet here and just type in, in

0:03:55.100000 --> 0:04:05.440000
 this particular case, you know, you
 can just say eventvwr.msc, like

0:04:05.440000 --> 0:04:07.700000
 so, and it'll bring it up just the same.

0:04:07.700000 --> 0:04:11.400000
 Of course, you don't need to go through
 that convoluted process like I

0:04:11.400000 --> 0:04:14.880000
 did. There we are, took a few seconds
 and I'm just going to expand it

0:04:14.880000 --> 0:04:18.080000
 and this is your Windows Event Viewer.

0:04:18.080000 --> 0:04:22.380000
 Okay, so we'll give it a few seconds
 to load the, you know, data and logs,

0:04:22.380000 --> 0:04:33.900000
 etc. And I want to go over the types
 of logs or categories as I described

0:04:33.900000 --> 0:04:37.600000
 them, which are found
 on the sidebar here.

0:04:37.600000 --> 0:04:40.920000
 Okay, so you have your
 custom views, right?

0:04:40.920000 --> 0:04:43.460000
 So not really important, but under
 Windows Logs, you're going to have

0:04:43.460000 --> 0:04:45.400000
 the categories here as I mentioned.

0:04:45.400000 --> 0:04:52.820000
 So you have your application logs, you
 have your security logs, and you

0:04:52.820000 --> 0:04:57.200000
 And Setup logs, System, and Forwarded Events,
 where you're not going to find

0:04:57.200000 --> 0:05:00.620000
 anything here because no other Windows
 system is forwarding the event logs

0:05:00.620000 --> 0:05:05.420000
 to this system. So self-explanatory,
 very, very simple, very easy.

0:05:05.420000 --> 0:05:10.660000
 So application logs, you know, pretty
 much all application related logs.

0:05:10.660000 --> 0:05:13.620000
 And you can see the level
 in this summary table.

0:05:13.620000 --> 0:05:18.400000
 You have the columns level, date and
 time or the timestamp, the source.

0:05:18.400000 --> 0:05:23.040000
 So what originated this log and then
 the event ID, the infamous event

0:05:23.040000 --> 0:05:27.940000
 ID. You can also right-click on
 any of the columns here

0:05:27.940000 --> 0:05:33.660000
 and you can modify, you know,
 the columns that are visible.

0:05:33.660000 --> 0:05:38.560000
 So you can include the process
 ID, the thread ID.

0:05:38.560000 --> 0:05:44.280000
 Some important ones here would be the
 event source name, the correlation

0:05:44.280000 --> 0:05:46.540000
 ID, so on and so forth.

0:05:46.540000 --> 0:05:51.320000
 So if I add, let's say, the process
 ID that's going to be added in here,

0:05:51.320000 --> 0:05:57.640000
 I can also add, let's see, we
 can add that log in here.

0:05:57.640000 --> 0:06:01.860000
 So you can see that just confirms to
 you what we already know, which is

0:06:01.860000 --> 0:06:05.420000
 that this isn't, you know,
 these are application logs.

0:06:05.420000 --> 0:06:09.520000
 The thread ID, which actually might be
 a little bit more relevant in this

0:06:09.520000 --> 0:06:15.160000
 case, and you can obviously refresh
 by hitting F5 to get the latest and

0:06:15.160000 --> 0:06:18.180000
 they're sorted by, you
 know, newest first.

0:06:18.180000 --> 0:06:22.240000
 So, you know, you can actually go to
 some of the oldest here and, you

0:06:22.240000 --> 0:06:26.640000
 know, scroll all the way back to the
 top and then go to the most recent

0:06:26.640000 --> 0:06:28.020000
 ones in the level.

0:06:28.020000 --> 0:06:32.640000
 You know, these are the severity level
 labels that I was referring to.

0:06:32.640000 --> 0:06:41.100000
 Now, one key thing that you need to
 keep in mind is the actions tab on

0:06:41.100000 --> 0:06:47.900000
 the right here. Here you have the first
 pane here that is separated by

0:06:47.900000 --> 0:06:53.000000
 this blue label refers
 to the type of logs.

0:06:53.000000 --> 0:06:56.760000
 So in this case, application logs,
 so you can open save log, create a

0:06:56.760000 --> 0:06:59.920000
 custom view, clear the log (very,
 very dangerous), properties.

0:06:59.920000 --> 0:07:04.060000
 You can save all events
 in a particular format.

0:07:04.060000 --> 0:07:07.840000
 You can also play around with the view
 options here and then, of course,

0:07:07.840000 --> 0:07:12.880000
 refresh them like so if you don't
 want to use F5, sorry.

0:07:12.880000 --> 0:07:17.120000
 And then when you select a particular
 event log, you can actually, you

0:07:17.120000 --> 0:07:21.920000
 know, interact a little bit more with
 it by, you know, taking a look at

0:07:21.920000 --> 0:07:25.380000
 the second pane below the
 primary one under actions.

0:07:25.380000 --> 0:07:29.540000
 So event properties that will, you know,
 open up the properties associated

0:07:29.540000 --> 0:07:32.920000
 with the event log that
 you have selected here.

0:07:32.920000 --> 0:07:37.680000
 So if I open that up, you can see event
 properties for the event, you

0:07:37.680000 --> 0:07:39.560000
 know, which are, which
 is actually numbered.

0:07:39.560000 --> 0:07:40.680000
 This is the number.

0:07:40.680000 --> 0:07:45.040000
 So you can see "Offline downlevel
 migration succeeded".

0:07:45.040000 --> 0:07:46.660000
 The log name is application.

0:07:46.660000 --> 0:07:49.620000
 The source is Security-SPP, event ID.

0:07:49.620000 --> 0:07:56.860000
 The level is Information; user, opcode,
 computer, keywords, task category, when

0:07:56.860000 --> 0:07:58.000000
 it was logged.

0:07:58.000000 --> 0:08:01.600000
 And then you have the details,
 which is a bit more specific.

0:08:01.600000 --> 0:08:03.980000
 This is in XML format.

0:08:03.980000 --> 0:08:06.840000
 So you can expand that here.

0:08:06.840000 --> 0:08:09.900000
 And now you have, you know,
 the raw information.

0:08:09.900000 --> 0:08:13.480000
 You can also switch to the XML view here.

0:08:13.480000 --> 0:08:17.660000
 This is the, you know, the format that
 the logs are ingested into a security

0:08:17.660000 --> 0:08:20.620000
 monitoring solution like a, like a SIEM.

0:08:20.620000 --> 0:08:27.500000
 That's why it's not really so much this
 format being sent to the SIEM,

0:08:27.500000 --> 0:08:33.620000
 but how your SIEM processes this and
 how it, you know, pretty much uses

0:08:33.620000 --> 0:08:39.780000
 the data in here, you know, to essentially
 arrive at conclusions as to

0:08:39.780000 --> 0:08:44.020000
 whether it's, you know, just a standard
 event or an alert, etc.

0:08:44.020000 --> 0:08:46.000000
 Of course, that's a very basic example.

0:08:46.000000 --> 0:08:50.580000
 In any case, so you have your
 application logs here.

0:08:50.580000 --> 0:08:54.380000
 You have your security logs, which,
 as I mentioned, you know, tracks,

0:08:54.380000 --> 0:08:57.100000
 authentication, so on and so forth.

0:08:57.100000 --> 0:09:02.500000
 And if you remember, 4624 means,
 you know, that's a logon

0:09:02.500000 --> 0:09:06.100000
 event. And you can see we have one
 here and that I think was me logging

0:09:06.100000 --> 0:09:08.680000
 in. Let's click on it
 and let's learn more.

0:09:08.680000 --> 0:09:14.000000
 Okay, so here, you know, there's
 a lot more information.

0:09:14.000000 --> 0:09:16.780000
 And this is what I was pointing out in
 the previous video and I mentioned

0:09:16.780000 --> 0:09:25.960000
 the data associated or attached to an
 event log is specific to the action

0:09:25.960000 --> 0:09:29.080000
 that triggered the creation of the event.

0:09:29.080000 --> 0:09:36.480000
 So because this is, you know, a login,
 a logon event, as it were, it's

0:09:36.480000 --> 0:09:40.280000
 going to have information that's relevant
 to, you know, logging in.

0:09:40.280000 --> 0:09:44.680000
 So all the information that you think is important
 or relevant to an authentication

0:09:44.680000 --> 0:09:49.900000
 attempt or a logon would be contained
 in here, like the subject.

0:09:49.900000 --> 0:09:55.500000
 So the security ID, the account name,
 account domain, the logon ID.

0:09:55.500000 --> 0:09:59.160000
 This is in hex here. Logon information.

0:09:59.160000 --> 0:10:03.800000
 So the logon type, restricted admin
 mode, all that good stuff.

0:10:03.800000 --> 0:10:07.780000
 The impersonation level is
 just impersonation here.

0:10:07.780000 --> 0:10:11.060000
 And you can see the process name.

0:10:11.060000 --> 0:10:12.900000
 This was services.exe.

0:10:12.900000 --> 0:10:18.020000
 So what this tells me is this wasn't me.

0:10:18.020000 --> 0:10:23.540000
 I logged on, you know, as you would on
 a Windows system, you know, physically,

0:10:23.540000 --> 0:10:25.160000
 which means we're looking for.

0:10:25.160000 --> 0:10:32.880000
 A logon that was instantiated or initiated
 by the winlogon process

0:10:32.880000 --> 0:10:38.600000
 that handles, you know, physical or standard
 logons onto a Windows system.

0:10:38.600000 --> 0:10:44.540000
 So if I look for 4624 here
 and that's those services.

0:10:44.540000 --> 0:10:47.700000
 Okay. 4624 here.

0:10:47.700000 --> 0:10:51.260000
 I can't remember when I logged in,
 which might make this a little bit

0:10:51.260000 --> 0:10:53.520000
 simpler for me to demonstrate.

0:10:53.520000 --> 0:10:57.480000
 But this way you can start
 to use filters, right?

0:10:57.480000 --> 0:11:00.920000
 And let's see. No, that's 4627.

0:11:00.920000 --> 0:11:06.700000
 That's not me. All right.

0:11:06.700000 --> 0:11:11.460000
 Let's look for this here.

0:11:11.460000 --> 0:11:15.760000
 Hmm. Why did I actually log in?

0:11:15.760000 --> 0:11:17.520000
 It's very strange.

0:11:17.520000 --> 0:11:20.440000
 I'm pretty sure I did.

0:11:20.440000 --> 0:11:23.000000
 User Account Management.

0:11:23.000000 --> 0:11:25.960000
 Logon. Interesting.

0:11:25.960000 --> 0:11:28.760000
 Let me find it. Okay.

0:11:28.760000 --> 0:11:37.180000
 I managed to actually use a filter here
 and the filter I had used or created

0:11:37.180000 --> 0:11:45.620000
 was just 4624. So the event ID and
 keywords were audit success, which

0:11:45.620000 --> 0:11:46.480000
 is what I wanted.

0:11:46.480000 --> 0:11:50.400000
 And over here, I found it when I just
 logged onto the system, winlogon.

0:11:50.400000 --> 0:11:52.560000
 There we are.

0:11:52.560000 --> 0:11:54.480000
 So that was me logging in.

0:11:54.480000 --> 0:11:57.540000
 And again, don't worry if this
 confuses you a little bit.

0:11:57.540000 --> 0:12:03.660000
 You know, the actual process name associated,
 which in this case, you

0:12:03.660000 --> 0:12:09.040000
 know, a logon. It's not really important,
 but this way I can distinguish,

0:12:09.040000 --> 0:12:15.140000
 you know, a legitimate user logging
 in from, let's say, I'm not saying

0:12:15.140000 --> 0:12:16.560000
 that a user can log in.

0:12:16.560000 --> 0:12:20.660000
 Remotely, but a remote log on,
 so on and so forth, right?

0:12:20.660000 --> 0:12:27.740000
 As well as a logon audit success,
 you know, related to impersonation

0:12:27.740000 --> 0:12:30.400000
 of privileges or so on and so forth.

0:12:30.400000 --> 0:12:32.420000
 So that's one example, right?

0:12:32.420000 --> 0:12:37.980000
 Now, the logon type, which is something
 I just wanted to point out really

0:12:37.980000 --> 0:12:44.260000
 quickly. Over here, you can see
 that the logon type is two.

0:12:44.260000 --> 0:12:45.940000
 That's another way of identifying it.

0:12:45.940000 --> 0:12:48.800000
 So if it's two on Windows, that
 means it's interactive.

0:12:48.800000 --> 0:12:53.220000
 Interactive means when you log onto
 your laptop or computer and you type

0:12:53.220000 --> 0:12:56.740000
 in your password or your PIN on the
 login screen, that's an interactive

0:12:56.740000 --> 0:12:59.260000
 logon. Now, if this was 10,

0:12:59.260000 --> 0:13:01.920000
 that would be RDP.

0:13:01.920000 --> 0:13:04.960000
 And you'd obviously have additional
 information in the case of an RDP

0:13:04.960000 --> 0:13:07.360000
 logon like the source IP.

0:13:07.360000 --> 0:13:11.140000
 You know, and you can take a look
 at the logon process, etc.

0:13:11.140000 --> 0:13:18.200000
 Now, failed logons can actually
 be the event ID 4625.

0:13:18.200000 --> 0:13:22.260000
 And I know I told you we're not going
 to look into these right now, but

0:13:22.260000 --> 0:13:23.940000
 you can see there are none.

0:13:23.940000 --> 0:13:28.140000
 And of course, let me just, you know,
 we want to get rid of this.

0:13:28.140000 --> 0:13:31.560000
 We can actually look for
 audit failure there.

0:13:31.560000 --> 0:13:33.820000
 There we are. It looks
 like there's just one.

0:13:33.820000 --> 0:13:36.360000
 Okay. Logon type two here.

0:13:36.360000 --> 0:13:39.280000
 Oh, looks like, you know,
 this is svchost.

0:13:39.280000 --> 0:13:43.260000
 Interesting. Very interesting here.

0:13:43.260000 --> 0:13:47.660000
 This was done. Oh, this is when I initially
 installed or set up this VM.

0:13:47.660000 --> 0:13:49.880000
 In any case, that's how you can look for

0:13:49.880000 --> 0:13:56.820000
 a failed, a failed logon
 attempt, right?

0:13:56.820000 --> 0:14:02.540000
 And if we can actually try this out,
 I believe, let me lock it right.

0:14:02.540000 --> 0:14:06.060000
 And let me just put in
 an incorrect pin here.

0:14:06.060000 --> 0:14:08.100000
 Okay. Let's do it one more time.

0:14:08.100000 --> 0:14:11.360000
 Actually, no, but I don't want
 to get locked out right now.

0:14:11.360000 --> 0:14:14.940000
 Let me refresh. There we are.

0:14:14.940000 --> 0:14:16.440000
 We can see it here now.

0:14:16.440000 --> 0:14:21.700000
 And you can actually see the
 account name in this case.

0:14:21.700000 --> 0:14:23.260000
 And service host.

0:14:23.260000 --> 0:14:25.580000
 There we are. So failed logon there.

0:14:25.580000 --> 0:14:28.720000
 And you can see the logon type is still
 two, which means it's an interactive

0:14:28.720000 --> 0:14:32.080000
 logon. So that's one example.

0:14:32.080000 --> 0:14:40.100000
 And then, of course, you know,
 we can go into, let's see.

0:14:40.100000 --> 0:14:45.400000
 We have any, no, we don't have any
 filter, but let's say I open up.

0:14:45.400000 --> 0:14:49.220000
 Okay. So open up notepad.

0:14:49.220000 --> 0:14:52.480000
 So we're executing a process, right?

0:14:52.480000 --> 0:14:54.400000
 So nothing in here.

0:14:54.400000 --> 0:14:57.160000
 Okay. So we go to system.

0:14:57.160000 --> 0:14:59.760000
 Nothing in here.

0:14:59.760000 --> 0:15:04.340000
 Let's see if we go application.

0:15:04.340000 --> 0:15:09.280000
 Nothing in here.

0:15:09.280000 --> 0:15:11.000000
 App model state.

0:15:11.000000 --> 0:15:14.260000
 Let us try PowerShell.

0:15:14.260000 --> 0:15:19.660000
 Let's just run it normally, like so.

0:15:19.660000 --> 0:15:26.320000
 Okay. And the only reason I'm doing
 this is to just give you an idea.

0:15:26.320000 --> 0:15:31.580000
 If we take a look at system
 here, let us refresh that.

0:15:31.580000 --> 0:15:36.400000
 Okay. Then we go to Setup here.

0:15:36.400000 --> 0:15:40.960000
 Looks like there's some stuff
 that's being corrupted.

0:15:40.960000 --> 0:15:44.080000
 Let me just clear this out in here.

0:15:44.080000 --> 0:15:52.400000
 Okay. Let's go back to application.

0:15:52.400000 --> 0:15:58.380000
 Let's see if, let me run
 this as administrator.

0:15:58.380000 --> 0:16:02.340000
 Okay. Let's refresh that.

0:16:02.340000 --> 0:16:06.280000
 That should show up under
 security, most likely.

0:16:06.280000 --> 0:16:10.040000
 Let's see. Yeah.

0:16:10.040000 --> 0:16:13.840000
 We can see there's an elevation of
 privilege or the privilege set.

0:16:13.840000 --> 0:16:19.780000
 And if we take a look at the details
 here, doesn't really give us the

0:16:19.780000 --> 0:16:23.020000
 actual process associated there.

0:16:23.020000 --> 0:16:24.980000
 Let's take a look at this.

0:16:24.980000 --> 0:16:28.560000
 Yeah. So services, but if we go to
 application, that's weird that that

0:16:28.560000 --> 0:16:30.820000
 isn't showing up here.

0:16:30.820000 --> 0:16:34.100000
 That should be showing up.

0:16:34.100000 --> 0:16:36.240000
 Let me wait for this.

0:16:36.240000 --> 0:16:42.260000
 Oh, yes. I forgot to mention the Applications
 and Services Logs, which is

0:16:42.260000 --> 0:16:47.800000
 where you can find the Windows PowerShell-related
 event logs, which is what

0:16:47.800000 --> 0:16:50.500000
 I was interested in showing you here.

0:16:50.500000 --> 0:16:54.920000
 We take a look at this
 one right over here.

0:16:54.920000 --> 0:16:59.700000
 Yeah. So that's execution there.

0:16:59.700000 --> 0:17:03.640000
 Applications and Services
 Logs, Microsoft, System.

0:17:03.640000 --> 0:17:05.260000
 You have that in there.

0:17:05.260000 --> 0:17:06.880000
 You then have Windows.

0:17:06.880000 --> 0:17:13.020000
 So all specific to Windows
 components right over here.

0:17:13.020000 --> 0:17:19.020000
 And we can actually check system in this.

0:17:19.020000 --> 0:17:23.260000
 Yeah. So you can actually go
 through them all like so.

0:17:23.260000 --> 0:17:28.000000
 And then of course, Windows
 in here and so forth.

0:17:28.000000 --> 0:17:43.320000
 In any case, we should be able to find,
 let's see, 4688, process creation.

0:17:43.320000 --> 0:17:46.820000
 That's very strange that
 it hasn't shown up here.

0:17:46.820000 --> 0:17:53.040000
 It should be under the security.

0:17:53.040000 --> 0:17:55.100000
 Let's filter this.

0:17:55.100000 --> 0:17:58.720000
 Let's try it. So 4688.

0:17:58.720000 --> 0:17:59.620000
 Oh, there we are.

0:17:59.620000 --> 0:18:01.700000
 Very nice. Don't think I saw it.

0:18:01.700000 --> 0:18:06.360000
 So no, I don't think that's the one.

0:18:06.360000 --> 0:18:10.340000
 Let's see. We opened up Notepad
 and so wininit.

0:18:10.340000 --> 0:18:14.080000
 That's fine. And PowerShell.

0:18:14.080000 --> 0:18:18.120000
 Okay. Let's see.

0:18:18.120000 --> 0:18:23.380000
 Let us. So that's process creation.

0:18:23.380000 --> 0:18:29.740000
 Let's see if we can let the process
 ID, event source name.

0:18:29.740000 --> 0:18:33.860000
 We move this a little bit in here.

0:18:33.860000 --> 0:18:36.520000
 Okay. Nothing interesting there.

0:18:36.520000 --> 0:18:44.880000
 4688. Okay. We executed PowerShell and

0:18:44.880000 --> 0:18:53.840000
 Notepad. Let me just open
 up notepad again.

0:18:53.840000 --> 0:18:56.640000
 So open it up here again.

0:18:56.640000 --> 0:19:02.200000
 Okay. Refresh. wininit.

0:19:02.200000 --> 0:19:06.120000
 Yeah, that's the process
 name, but it should.

0:19:06.120000 --> 0:19:16.620000
 Event data. New process name.

0:19:16.620000 --> 0:19:23.740000
 Yes, one second.

0:19:23.740000 --> 0:19:30.840000
 So I just realized that this is one of
 the things that needs to be customized.

0:19:30.840000 --> 0:19:37.160000
 So in order for me to track,
 you know, creation.

0:19:37.160000 --> 0:19:42.120000
 In order for me to enable, you know,
 logging of process creation, I need

0:19:42.120000 --> 0:19:48.280000
 to modify the local security policy
 or enable process creation auditing

0:19:48.280000 --> 0:19:51.420000
 within the local security
 policy on the system.

0:19:51.420000 --> 0:19:54.540000
 So I can just use secpol.msc.

0:19:54.540000 --> 0:19:58.480000
 And this is a very, actually, I'm glad
 that this came up because this

0:19:58.480000 --> 0:20:01.200000
 is one of those things that's very
 important in detection engineering

0:20:01.200000 --> 0:20:05.260000
 because if you're, you know, you can imagine
 if I would have just forwarded

0:20:05.260000 --> 0:20:10.000000
 or shipped the logs from this system without
 performing this customization.

0:20:10.000000 --> 0:20:16.440000
 So if I go into, I believe it's under
 Advanced Audit Policy Configuration,

0:20:16.440000 --> 0:20:19.860000
 System Audit Policies, Detailed Tracking.

0:20:19.860000 --> 0:20:24.600000
 Detailed Tracking, Audit.

0:20:24.600000 --> 0:20:26.640000
 There we are: Not Configured.

0:20:26.640000 --> 0:20:29.960000
 You can see we need to.

0:20:29.960000 --> 0:20:32.860000
 Enable both termination, do it for both.

0:20:32.860000 --> 0:20:36.900000
 So now I can see creation and, you
 know, termination of processes.

0:20:36.900000 --> 0:20:39.260000
 So let me close that up.

0:20:39.260000 --> 0:20:44.100000
 Let me go ahead, get rid of this and
 we'll execute a few programs here

0:20:44.100000 --> 0:20:46.880000
 like this calculator.

0:20:46.880000 --> 0:20:50.480000
 It's something that I believe
 was enabled previously.

0:20:50.480000 --> 0:20:54.440000
 That's very strange that you now need
 to enforce that manually in the

0:20:54.440000 --> 0:20:56.160000
 form of the local policy.

0:20:56.160000 --> 0:20:59.200000
 But again, still very important
 to demonstrate.

0:20:59.200000 --> 0:21:01.260000
 So we'll look for 4688.

0:21:01.260000 --> 0:21:04.960000
 There we are. You can now see it.

0:21:04.960000 --> 0:21:09.040000
 So what we want to pay attention
 to is the new process name.

0:21:09.040000 --> 0:21:12.000000
 Let's see. Wait a minute.

0:21:12.000000 --> 0:21:16.420000
 Wait a minute. That's explorer,
 Windows Notepad.

0:21:16.420000 --> 0:21:18.260000
 There we are, process name.

0:21:18.260000 --> 0:21:21.360000
 Calculator app. And you
 can see that there.

0:21:21.360000 --> 0:21:27.080000
 So that's 4688 and 4689.

0:21:27.080000 --> 0:21:27.600000
 So, let's see what we can do with this.

0:21:27.600000 --> 0:21:30.180000
 There we are. We have the
 new process name here.

0:21:30.180000 --> 0:21:31.660000
 Calculator app, etc.

0:21:31.660000 --> 0:21:35.820000
 Let's open one that's not a Windows
 app, a native Windows app.

0:21:35.820000 --> 0:21:39.440000
 The crazy thing is I
 don't think I installed any.

0:21:39.440000 --> 0:21:41.680000
 These are all the standard
 that would come up.

0:21:41.680000 --> 0:21:42.920000
 We have 7-Zip here.

0:21:42.920000 --> 0:21:44.760000
 Beautiful. Okay.

0:21:44.760000 --> 0:21:48.160000
 So now let me refresh this.

0:21:48.160000 --> 0:21:50.140000
 There we are. So, process name.

0:21:50.140000 --> 0:21:51.000000
 You can see that here.

0:21:51.000000 --> 0:21:55.560000
 And this is very important because you
 need to know what people are doing.

0:21:55.560000 --> 0:21:59.580000
 You know, you can just be monitoring.

0:21:59.580000 --> 0:22:05.880000
 You can not be monitoring process creation
 and termination really process

0:22:05.880000 --> 0:22:08.480000
 creation. I shouldn't have enabled.

0:22:08.480000 --> 0:22:11.700000
 Termination is not really important,
 but it could be.

0:22:11.700000 --> 0:22:14.380000
 So we check that now here.

0:22:14.380000 --> 0:22:17.020000
 Windows Terminal.

0:22:17.020000 --> 0:22:20.100000
 Let's see. Wait a minute.

0:22:20.100000 --> 0:22:25.800000
 Oh, yes. PowerShell, forgot that
 Terminal is different.

0:22:25.800000 --> 0:22:30.140000
 So let's open that up native,
 which I believe I did.

0:22:30.140000 --> 0:22:32.480000
 Sorry, that's my bad.

0:22:32.480000 --> 0:22:33.940000
 Let's go ahead and.

0:22:33.940000 --> 0:22:41.180000
 One second. Let me go
 back to the top here.

0:22:41.180000 --> 0:22:50.480000
 You just do one note of messed
 up my filters here.

0:22:50.480000 --> 0:22:53.180000
 Okay. No, that should have done it now.

0:22:53.180000 --> 0:22:54.180000
 Okay. There we are.

0:22:54.180000 --> 0:22:58.880000
 Very nice. So Windows Terminal and
 then PowerShell right over here.

0:22:58.880000 --> 0:23:00.360000
 So you have the process name.

0:23:00.360000 --> 0:23:02.660000
 That's the termination, 4689.

0:23:02.660000 --> 0:23:08.380000
 4688. 4688. 4688.

0:23:08.380000 --> 0:23:10.400000
 There we are. PowerShell.

0:23:10.400000 --> 0:23:11.340000
 You can see it there.

0:23:11.340000 --> 0:23:17.340000
 So hopefully this gives you
 an idea or understanding of

0:23:17.340000 --> 0:23:22.400000
 the Windows Event Logging process as a whole,
 you know, where they're stored.

0:23:22.400000 --> 0:23:24.560000
 How to use the event viewer.

0:23:24.560000 --> 0:23:29.360000
 And of course, the types of Windows logs
 here and a little bit of filtering.

0:23:29.360000 --> 0:23:33.820000
 And we obviously, you know, got a very
 good example of why you need to

0:23:33.820000 --> 0:23:39.340000
 ensure that, you know, you specify what
 you want your Windows system to

0:23:39.340000 --> 0:23:43.240000
 be logging in, you know, from
 the perspective of event logs.

0:23:43.240000 --> 0:23:48.680000
 In this particular case, you know,
 my system, I hadn't configured that

0:23:48.680000 --> 0:23:50.580000
 within the local policy.

0:23:50.580000 --> 0:23:54.660000
 I hadn't configured a detailed tracking
 of, you know, things like process

0:23:54.660000 --> 0:23:56.780000
 creation, which is very important.

0:23:56.780000 --> 0:24:02.120000
 You know, you can see why I need to
 know or you need to know when stuff

0:24:02.120000 --> 0:24:03.880000
 like this is being executed.

0:24:03.880000 --> 0:24:07.300000
 In any case, that brings us to the
 end of the practical demonstration

0:24:07.300000 --> 0:24:09.640000
 section of this video.

0:24:09.640000 --> 0:24:15.920000
 All right. So that was a practical demonstration
 of Windows event logging.

0:24:15.920000 --> 0:24:18.400000
 And hopefully you found that useful.

0:24:18.400000 --> 0:24:21.900000
 And that being said, that's going
 to be it for this video.

0:24:21.900000 --> 0:24:24.200000
 And I will be seeing you
 in the next video.

