
Introduction to Event Log Analysis

Introduction to Event Log

Event Log

During an investigation, Event Logs are examined because they keep a comprehensive record of activities on the system. The “Event Viewer” tool can be used to examine the logs easily.

It is often possible to obtain the following evidence with event log analysis:
- Service start, stop
- RDP activity
- Changing user privileges
- Failed login activities

These actions are among the most basic actions seen in any cyber attack. Therefore, event log analysis is very important for finding the root cause of a cyber attack.

In Windows systems, there are three main event log categories: Application, System and Security.

Application

It provides log records related to the applications on the system. For example, you can find errors reported by an antivirus application running on the system.

Another example is the log generated by edgeupdate:

System

This is where the logs created by the basic components of the operating system are located. For example, logs for driver load and unload operations can be found here.

Security

Records regarding authentication and security are kept here. This is the part we will focus on most during the training.

Analysis of Successful Logon Events

Quick Start to Event Logs

Each event log has its own ID value. Filtering, analyzing and searching by the log title is more difficult, so it is easier to work with the ID value.

You can find the details of which Event ID value means what from the URL address below.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Investigation of Login Records

Considering the general situation, a login activity appears in all successful or unsuccessful cyberattacks. An attacker often wants to log into the server to take over the system. For this purpose, they may perform a brute force attack or log in directly with a password already in hand. In both cases (successful login / unsuccessful login attempt) a log will be created.

Let’s consider an attacker logged into the server after a brute force attack. To better analyze what the attacker did after entering the system, we need to find the login date. For this, we need “Event ID 4624 – An account was successfully logged on”.

Log file for lesson:

Log_File.zip Pass=321

To reach the result, we open the “Event Viewer” and select “Security” logs.

Then we create a filter for the “4624” Event ID.

Now we see that the number of logs has decreased significantly and only logs for successful login activities are listed. Looking at the log details, we see that the user “LetsDefendTest” first logged in at 23/02/2021 10:17 PM.

When we look at the “Logon Type” field, we see the value 10. This indicates that the logon was made through “Remote Desktop Services” or “Remote Desktop Protocol”.

You can find the meaning of the logon type values on Microsoft’s page.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
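The Event Viewer filtering described above can also be scripted. The following PowerShell is an added example, not code from the original lesson; it reads Event ID 4624 from the live Security log or from an exported .evtx file (the file path is a placeholder), decodes the Logon Type, and reports the earliest successful logon per account and all RDP logons.

```powershell
# Added example (not from the original lesson): Event ID 4624 analysis in PowerShell.
param(
    [string]$Path = ""   # e.g. 'C:\Cases\Security.evtx' (assumed location of the exported log)
)

# Common Logon Type values, as documented on Microsoft's Event 4624 page
$LogonTypes = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

# Same filter as the Event Viewer: Security log, Event ID 4624
$filter = @{ Id = 4624 }
if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Read named EventData fields from the event XML instead of relying on positional indexes
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = [int]$data['LogonType']
        Type      = $LogonTypes[[int]$data['LogonType']]
        SourceIP  = $data['IpAddress']
    }
}

# Drop machine accounts (names ending in $) and the SYSTEM pseudo-logon to reduce noise
$rows = $rows | Where-Object { $_.User -notmatch '\$$' -and $_.User -ne 'SYSTEM' }

# Earliest successful logon per account: when did each account first get in?
$rows | Sort-Object Time | Group-Object User | ForEach-Object { $_.Group | Select-Object -First 1 } |
    Format-Table Time, User, Domain, LogonType, Type, SourceIP -AutoSize

# Remote Desktop logons only (Logon Type 10), as examined in the lesson
$rows | Where-Object { $_.LogonType -eq 10 } | Sort-Object Time |
    Format-Table Time, User, SourceIP -AutoSize
```

Reading the live Security log requires an elevated PowerShell session; an exported .evtx file can be analyzed on any Windows host without elevation.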

In the next section, we will detect the brute force attack the attacker carried out before logging in.
