Introduction to Event Log
During an investigation, Event Logs are examined because they hold a comprehensive record of system activity. The “Event Viewer” tool can be used to examine the logs easily.
It is often possible to obtain the following evidence with event log analysis:
-Service start and stop
-Changes to user privileges
-Failed login activities
These actions are among the most basic actions seen in any cyber attack, so event log analysis is essential to finding the root cause of an attack.
In Windows systems, there are three main event log titles: Application, System and Security.
Application: This log holds records related to the applications on the system. For example, you can find errors reported by an antivirus application running on the system.
Another example is the log generated by edgeupdate:
System: This is where the logs created by the basic components of the operating system are located. For example, logs for driver load and unload operations can be found here.
Security: Records regarding authentication and security are kept here. This is the part we will focus on most during the training.
Analysis of Successful Logon Events
Quick Start to Event Logs
Each type of event log record has its own Event ID value. Filtering, analyzing and searching by the log title is harder, so it is easier to work with the ID value.
You can find the details of what each Event ID value means at the URL address below.
Investigation of Login Records
Considering the general situation, a login activity appears in almost every cyberattack, successful or not. An attacker usually wants to log into the server in order to take over the system. For this purpose, they can perform a brute force attack or log in directly with a password already in hand. In both cases (successful login / unsuccessful login attempt) a log record will be created.
Let’s consider an attacker who logged into the server after a brute force attack. To analyze what the attacker did after entering the system, we first need to find the login date and time. For this, we need “Event ID 4624 – An account was successfully logged on”.
Log file for lesson:
To reach the result, we open the “Event Viewer” and select “Security” logs.
Then we create a filter for the “4624” Event ID.
Now we see that the number of logs has decreased significantly and only logs for successful login activities are listed. Looking at the log details, we see that the user “LetsDefendTest” first logged in at 23/02/2021 10:17 PM.
When we look at the “Logon Type” field, we see the value 10 (RemoteInteractive). This indicates that the logon was made through “Remote Desktop Services”, that is, over “Remote Desktop Protocol” (RDP).
You can find the meaning of the logon type values on Microsoft’s page.
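The same investigation can be scripted instead of clicked through in Event Viewer. The PowerShell below is an added example, not part of the original lesson or its log file: it filters an exported Security log for Event ID 4624, extracts the account, Logon Type and source from each record, and reports the earliest successful logon of the account under investigation. The log path is an assumption; the account name is the one used in the lesson.

```powershell
# Added example (not from the original lesson): successful logons (Event ID 4624)
# from an exported Security log, with Logon Type decoded and the earliest logon of
# one account. $LogPath is an assumed location; adjust it to your exported file.
$LogPath = 'C:\Cases\Security.evtx'   # assumption: exported log from the lesson
$Account = 'LetsDefendTest'            # account named in the lesson

# Names for the Logon Type values documented by Microsoft (subset used in practice).
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

# Filter by Event ID rather than by the event title, as the lesson recommends.
$events = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 4624 } -ErrorAction Stop

# Pull the relevant fields out of each event's EventData XML.
$logons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $type
        TypeName    = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { 'Other' }
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Overview: which accounts logged on and how. RDP logons stand out as type 10.
$logons | Group-Object User, TypeName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Earliest successful logon of the account under investigation: the starting point
# for reconstructing what the attacker did on the system afterwards.
$first = $logons | Where-Object User -eq $Account | Sort-Object Time | Select-Object -First 1
if ($first) { $first | Format-List } else { "No 4624 events for $Account in $LogPath" }
```

Replace the `Path` key with `LogName = 'Security'` to run the same query against the live log of the machine you are on.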
In the next section, we will detect the Brute force attack the attacker made before logging in.