WEBVTT

0:00:03.540000 --> 0:00:08.700000
 High-value Windows Event IDs that
 every responder should know.

0:00:08.700000 --> 0:00:16.200000
 So now that we've explored log analysis
 in multiple facets and we've taken

0:00:16.200000 --> 0:00:22.620000
 a look at SIEM-based log analysis,
 we've taken a look at how to analyze

0:00:22.620000 --> 0:00:29.940000
 logs on Linux or using Linux utilities
 and we've taken a look at the Windows

0:00:29.940000 --> 0:00:36.300000
 logging, Windows logging, in quite a bit
 of detail, as well as Sysmon, in the

0:00:36.300000 --> 0:00:40.900000
 previous video. We're going to turn
 our attention to something that's

0:00:40.900000 --> 0:00:45.820000
 very important before we actually begin
 the core of what I wanted to cover

0:00:45.820000 --> 0:00:50.940000
 with regard to Windows log analysis
 where we'll be exploring the full

0:00:50.940000 --> 0:00:57.760000
 process or life cycle from collection
 to parsing all the way to analyzing

0:00:57.760000 --> 0:01:04.420000
 and then timeline, building a timeline.

0:01:04.420000 --> 0:01:09.040000
 So as I said before, before we do that, just
 like we did with Sysmon, it's quite

0:01:09.040000 --> 0:01:14.500000
 important that we go through some of
 the key high-value Windows Event

0:01:14.500000 --> 0:01:20.760000
 IDs that again as the title suggests,
 every responder should know.

0:01:20.760000 --> 0:01:25.980000
 So just to introduce you to this and
 sort of give you an understanding

0:01:25.980000 --> 0:01:28.300000
 as to why this is important.

0:01:28.300000 --> 0:01:33.240000
 In the ever-evolving landscape of cyber
 threats, Windows Event Logs serve

0:01:33.240000 --> 0:01:38.200000
 as one of the most powerful tools in
 an incident responder's arsenal and

0:01:38.200000 --> 0:01:43.240000
 these logs provide granular visibility
 into everything from user logins

0:01:43.240000 --> 0:01:48.140000
 and privilege changes to process
 execution and network access.

0:01:48.140000 --> 0:01:53.180000
 But the vast volume of logs generated
 by a typical Windows environment

0:01:53.180000 --> 0:01:57.580000
 can be overwhelming as you've
 seen up to this point, right?

0:01:57.580000 --> 0:02:02.520000
 And as a result, knowing which Event
 IDs matter the most is key to cutting

0:02:02.520000 --> 0:02:03.460000
 through the noise.

0:02:03.460000 --> 0:02:10.780000
 Now, of course, not all Windows Event
 IDs are equal, as it were, especially

0:02:10.780000 --> 0:02:12.780000
 for you as an incident responder.

0:02:12.780000 --> 0:02:20.580000
 Now, what I'm going to highlight in this
 list is every Windows Event

0:02:20.580000 --> 0:02:23.280000
 ID that every responder should know.

0:02:23.280000 --> 0:02:27.680000
 It is, I would say, 80 to 90% of everything
 that you should know specific

0:02:27.680000 --> 0:02:30.000000
 to Windows Event IDs.

0:02:30.000000 --> 0:02:32.480000
 I'm not including Sysmon in this.

0:02:32.480000 --> 0:02:38.100000
 And as a result, at the end of these
 slides, I've provided you with some

0:02:38.100000 --> 0:02:43.140000
 references that'll provide, that essentially
 give you access to pretty

0:02:43.140000 --> 0:02:47.740000
 much all of the Windows Event
 IDs or a directory of them.

0:02:47.740000 --> 0:02:50.940000
 But let's not waste too
 much time on that.

0:02:50.940000 --> 0:02:54.960000
 Let's start off with authentication
 and log on events.

0:02:54.960000 --> 0:02:57.520000
 So there's going to be this
 table has three columns.

0:02:57.520000 --> 0:03:01.980000
 You have your Event ID, the description
 and why it matters to you specifically.

0:03:01.980000 --> 0:03:07.060000
 So starting off with Event ID 4624, whenever
 you see that, just know you're

0:03:07.060000 --> 0:03:08.880000
 dealing with a successful log on.

0:03:08.880000 --> 0:03:15.940000
 But more specifically, as we explored
 early on in this course, in terms

0:03:15.940000 --> 0:03:21.280000
 of why it matters, it allows you to know
 who logged in and more importantly,

0:03:21.280000 --> 0:03:28.140000
 how. So within Windows Event log with
 the Event ID of 4624, you're going

0:03:28.140000 --> 0:03:32.960000
 to see authentication types,
 denoted by the type field.

0:03:32.960000 --> 0:03:41.560000
 So when you see a type two,
 that means it's RDP.

0:03:41.560000 --> 0:03:45.660000
 So hopefully that makes it
 simpler for you to analyze.

0:03:45.660000 --> 0:03:49.140000
 You then have 4625, which
 is a failed log on.

0:03:49.140000 --> 0:03:52.880000
 So this is very useful for detecting
 brute force or credential stuffing

0:03:52.880000 --> 0:03:55.780000
 attempts, password spraying, etc.

0:03:55.780000 --> 0:03:57.460000
 You then have 4648.

0:03:57.460000 --> 0:04:01.640000
 This is a log on using
 explicit credentials.

0:04:01.640000 --> 0:04:08.600000
 So this is often the
 case when there is a pass-the-hash

0:04:08.600000 --> 0:04:11.140000
 or pass-the-ticket attack.

0:04:11.140000 --> 0:04:13.960000
 And then you have 4675.

0:04:13.960000 --> 0:04:16.900000
 In this case, the SIDs were filtered.

0:04:16.900000 --> 0:04:22.540000
 So this is one that's quite, I wouldn't
 say rare, but it's quite nuanced

0:04:22.540000 --> 0:04:27.820000
 in that it can indicate a user
 log on attempt with added SIDs.

0:04:27.820000 --> 0:04:32.540000
 So the indicator here or the type of
 malicious activity that this would

0:04:32.540000 --> 0:04:36.020000
 correlate to would be privilege abuse.

0:04:36.020000 --> 0:04:38.240000
 You then have user account
 and privilege management.

0:04:38.240000 --> 0:04:43.320000
 These are very important as you
 can, as I'm sure you've guessed.

0:04:43.320000 --> 0:04:45.740000
 So again, you're using the same column.

0:04:45.740000 --> 0:04:53.160000
 So Event ID 4720, this is, this indicates
 a user account was created.

0:04:53.160000 --> 0:04:54.380000
 Why does it matter?

0:04:54.380000 --> 0:04:59.700000
 Unusual new accounts can indicate persistence
 as we saw when we were performing

0:04:59.700000 --> 0:05:03.160000
 our SIEM-based log analysis,
 if you remember.

0:05:03.160000 --> 0:05:05.400000
 And then we have 4722.

0:05:05.400000 --> 0:05:08.580000
 This indicates a user account
 has been enabled.

0:05:08.580000 --> 0:05:12.620000
 And you know, why this matters is it
 can show reactivation of dormant

0:05:12.620000 --> 0:05:18.120000
 accounts. You know, for example, the
 built in guest or stuff like this.

0:05:18.120000 --> 0:05:22.000000
 And then you have 4723, 4724.

0:05:22.000000 --> 0:05:25.760000
 These are indicators of password
 changes or reset.

0:05:25.760000 --> 0:05:29.140000
 So, you know, it may indicate account
 compromise or lateral movement,

0:05:29.140000 --> 0:05:33.680000
 not always the case, but it's always
 important to keep your eye out or

0:05:33.680000 --> 0:05:37.880000
 to keep your eyes open
 for those event IDs.

0:05:37.880000 --> 0:05:41.620000
 You then have 4732, 4756.

0:05:41.620000 --> 0:05:44.840000
 This indicates that a user account
 was added to a security group.

0:05:44.840000 --> 0:05:48.640000
 This is extremely critical for
 spotting privilege escalation.

0:05:48.640000 --> 0:05:53.880000
 And that is, you know, fairly obvious
 based on the description.

0:05:53.880000 --> 0:05:59.160000
 You then have 4670, which indicates permissions
 on an object were changed.

0:05:59.160000 --> 0:06:02.500000
 So this is very, or the reason this
 matters is because it allows you to

0:06:02.500000 --> 0:06:05.100000
 watch for changes to high value objects.

0:06:05.100000 --> 0:06:09.740000
 For example, the admin groups, all
 specific files, you know, so on and

0:06:09.740000 --> 0:06:13.840000
 so forth. And then you have service
 and task scheduling.

0:06:13.840000 --> 0:06:18.560000
 This is very good, generally speaking,
 for persistence, right?

0:06:18.560000 --> 0:06:22.820000
 And or, you know, detecting
 and analyzing persistence.

0:06:22.820000 --> 0:06:28.540000
 So event ID 7045, this indicates
 that a new service was installed.

0:06:28.540000 --> 0:06:31.980000
 The reason it matters is because this
 is a common persistence method,

0:06:31.980000 --> 0:06:34.420000
 you know, persistence via services.

0:06:34.420000 --> 0:06:37.460000
 And then you have 4697.

0:06:37.460000 --> 0:06:41.600000
 This indicates that, you know, service
 was installed or service installation,

0:06:41.600000 --> 0:06:43.560000
 generally speaking.

0:06:43.560000 --> 0:06:47.640000
 Why this matters is because another,
 it's another service related event

0:06:47.640000 --> 0:06:52.660000
 for detection. And then you have one
 that's, you may not have figured

0:06:52.660000 --> 0:06:57.360000
 is common, but that is 106 specific
 to the task scheduler.

0:06:57.360000 --> 0:07:04.300000
 So the description or this is, you know,
 this allows you to identify tasks

0:07:04.300000 --> 0:07:05.300000
 that have been created.

0:07:05.300000 --> 0:07:12.040000
 So the reason it matters is it's used
 for persistence or executing payloads.

0:07:12.040000 --> 0:07:15.840000
 You then have object access
 and file changes.

0:07:15.840000 --> 0:07:19.160000
 So we have event ID 4663.

0:07:19.160000 --> 0:07:22.040000
 This indicates that an object
 has been accessed.

0:07:22.040000 --> 0:07:25.880000
 Okay. So the reason it matters because
 it can be used to track access

0:07:25.880000 --> 0:07:28.500000
 to sensitive files or registry keys.

0:07:28.500000 --> 0:07:31.940000
 However, it needs proper auditing set up.

0:07:31.940000 --> 0:07:37.560000
 And then you have 4656, which indicates
 a handle to an object was requested.

0:07:37.560000 --> 0:07:44.960000
 So it precedes 4663 object access and is
 useful for detecting access attempts.

0:07:44.960000 --> 0:07:48.580000
 You then have log off
 and session tracking.

0:07:48.580000 --> 0:07:51.300000
 So 4634, that's a log off.

0:07:51.300000 --> 0:07:54.760000
 And the reason it matters, or how this
 can be leveraged, is that you correlate

0:07:54.760000 --> 0:07:58.500000
 it with 4624, or session duration.

0:07:58.500000 --> 0:08:01.120000
 So 4624 remember was log on.

0:08:01.120000 --> 0:08:04.360000
 Let me go back here.

0:08:04.360000 --> 0:08:05.180000
 Right over here.

0:08:05.180000 --> 0:08:07.740000
 So 4624, you have your log on.

0:08:07.740000 --> 0:08:11.260000
 And the reason you correlate it is to
 see the duration of the activity,

0:08:11.260000 --> 0:08:15.640000
 or you know, specific to a
 particular user account.

0:08:15.640000 --> 0:08:19.760000
 So 4624, let me just take a step back.

0:08:19.760000 --> 0:08:22.140000
 You correlate it with 4634.

0:08:22.140000 --> 0:08:29.340000
 So 4624, 4634, 4624 log on 4634 log off.

0:08:29.340000 --> 0:08:31.600000
 And then you have 4647.

0:08:31.600000 --> 0:08:35.060000
 This is used to indicate
 a user initiated log off.

0:08:35.060000 --> 0:08:38.620000
 This is very useful because it can help
 you distinguish a user from system

0:08:38.620000 --> 0:08:43.140000
 actions. And then you have 4778, 4779.

0:08:43.140000 --> 0:08:46.860000
 This is an RDP session reconnect
 or disconnect.

0:08:46.860000 --> 0:08:55.680000
 Again, that is, you know, I would say.

0:08:55.680000 --> 0:09:00.500000
 And that is because it's useful in
 tracing remote access session.

0:09:00.500000 --> 0:09:04.040000
 So these are sort of the key
 ones that I like bringing up.

0:09:04.040000 --> 0:09:07.200000
 Or I like mentioning, there's
 a lot more than this.

0:09:07.200000 --> 0:09:11.840000
 And as part of that, I've added some
 of the key resources or references

0:09:11.840000 --> 0:09:14.420000
 that I usually point students to.

0:09:14.420000 --> 0:09:18.200000
 The first is, you know, arguably the
 most important, which is Microsoft's

0:09:18.200000 --> 0:09:21.200000
 official appendix L events to monitor.

0:09:21.200000 --> 0:09:26.220000
 So this is a high priority catalog of
 Windows event IDs, including critical

0:09:26.220000 --> 0:09:30.020000
 high and medium critical events directly
 from Microsoft guidance.

0:09:30.020000 --> 0:09:32.160000
 And then you have the link there.

0:09:32.160000 --> 0:09:33.940000
 There's also another great link here.

0:09:33.940000 --> 0:09:38.280000
 That's the ultimate Windows security,
 security log encyclopedia.

0:09:38.280000 --> 0:09:48.480000
 As the name suggests, it's a comprehensive,
 browsable encyclopedia covering

0:09:48.480000 --> 0:09:51.860000
 these. To show you this, I'm just going to switch over
 into my browser tab and just walk

0:09:51.860000 --> 0:09:55.580000
 you through one or even
 both of these resources.

0:09:55.580000 --> 0:09:57.220000
 So just give me a second.

0:09:57.220000 --> 0:09:59.340000
 All right, so I'm currently
 in my browser.

0:09:59.340000 --> 0:10:04.320000
 And you can see I'm currently on the Microsoft
 appendix L events to monitor.

0:10:04.320000 --> 0:10:08.540000
 So you can see, as it says here, the
 following table lists events that

0:10:08.540000 --> 0:10:11.060000
 you should monitor in your environment,
 according to the recommendations

0:10:11.060000 --> 0:10:14.880000
 provided in Monitoring Active Directory
 for Signs of Compromise.

0:10:14.880000 --> 0:10:18.160000
 Another great resource that's
 hyperlinked here.

0:10:18.160000 --> 0:10:22.180000
 All organizations should test these
 recommendations in the environments

0:10:22.180000 --> 0:10:26.840000
 before creating alerts that require
 mandatory investigative responses.

0:10:26.840000 --> 0:10:30.060000
 Each environment is different, and some
 of the events ranked with a potential

0:10:30.060000 --> 0:10:34.580000
 criticality of high might occur
 due to other harmless events.

0:10:34.580000 --> 0:10:37.820000
 So they're telling you to, you know,
 be aware of false positives.

0:10:37.820000 --> 0:10:39.840000
 So this is the table here.

0:10:39.840000 --> 0:10:43.580000
 You have the current Windows event ID
 and then more importantly, the legacy

0:10:43.580000 --> 0:10:48.100000
 Windows event ID and the potential criticality
 and then the event summary.

0:10:48.100000 --> 0:10:53.960000
 So you can expand the table and go through
 it in a much, much better format.

0:10:53.960000 --> 0:10:59.760000
 And yeah, so you know, if I just to verify,
 let's do 4624, I'll just search

0:10:59.760000 --> 0:11:05.220000
 for that here. No, that's 4634, 4624.

0:11:05.220000 --> 0:11:10.680000
 You can see that's a log on here, 4634,
 which is one you'd correlate it

0:11:10.680000 --> 0:11:14.300000
 with, you know, is used
 to track log offs.

0:11:14.300000 --> 0:11:16.980000
 So 4634 account was logged off there.

0:11:16.980000 --> 0:11:22.940000
 So this is a great reference to have
 at hand, not just for incident

0:11:22.940000 --> 0:11:27.740000
 response, or for the purpose of incident
 response, but also, you know, just

0:11:27.740000 --> 0:11:28.840000
 as a general reference.

0:11:28.840000 --> 0:11:32.780000
 And this is one of the links
 that I keep bookmarked.

0:11:32.780000 --> 0:11:36.420000
 So yeah, that's really all that I wanted
 to showcase. As I said, it's fairly

0:11:36.420000 --> 0:11:40.600000
 straightforward with regards to this
 being a resource or a reference.

0:11:40.600000 --> 0:11:45.160000
 So definitely make use of it
 as it is quite important.

0:11:45.160000 --> 0:11:54.120000
 All right, so that is it with regard
 to the key or high value Windows

0:11:54.120000 --> 0:11:57.220000
 event IDs that every responder
 should know.

0:11:57.220000 --> 0:11:59.980000
 And with that being said, that's
 going to be it for this video.

0:11:59.980000 --> 0:12:03.320000
 And I will be seeing you
 in the next video.

