Windows Event Logs & Finding Evil
Last updated
Event logs can be accessed using the Event Viewer application or programmatically using APIs such as the Windows Event Log API. The "Forwarded Events" section is unique: it shows event log data forwarded from other machines.
Log Name: The name of the event log (e.g., Application, System, Security, etc.).
Source: The software that logged the event.
Event ID: A unique identifier for the event.
Task Category: This often contains a value or name that can help us understand the purpose or use of the event.
Level: The severity of the event (Information, Warning, Error, Critical, and Verbose).
Keywords: Keywords are flags that allow us to categorize events in ways beyond the other classification options. These are generally broad categories, such as "Audit Success" or "Audit Failure" in the Security log.
User: The user account that was logged on when the event occurred.
OpCode: This field can identify the specific operation that the event reports.
Logged: The date and time when the event was logged.
Computer: The name of the computer where the event occurred.
XML Data: All the above information is also included in an XML format along with additional event data.
To write a custom XML filter: "Filter Current Log" -> "XML" -> "Edit Query Manually".
Useful Windows event logs:
Windows System Logs
Windows Security Logs
Event ID 4624 provides insights into new logon events.
Event ID 4688 furnishes information about newly created processes.
System Monitor (Sysmon) is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. Sysmon provides detailed information about process creation, network connections, changes to file creation time, and more.
Event ID 1 corresponds to "Process Creation" events.
Event ID 3 refers to "Network Connection" events.
Sysmon uses an XML-based configuration file. To detect a DLL hijack, we need to focus on Event ID 7 (image loaded), so we modify sysmonconfig-export.xml. In the configuration, the "include" setting signifies events that should be included; for DLL hijacks, change "include" to "exclude" so that nothing is excluded and the necessary data is captured. Then reload the configuration:
C:\Tools\Sysmon> sysmon.exe -c sysmonconfig-export.xml
Afterwards, open Event Viewer and access "Applications and Services" -> "Microsoft" -> "Windows" -> "Sysmon".
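An added check, not code from the page or from Sysmon: with an ImageLoad section that has onmatch="include" and no rules, Sysmon logs no Event ID 7 records at all, while onmatch="exclude" with no rules logs every image load. This Python script audits a config for that condition and flips an empty "include" to "exclude" before the config is reloaded with sysmon.exe -c. The config excerpt is constructed to mirror the shape of a sysmonconfig-export.xml-style file and is an assumption, not the page's actual file.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt (assumption) in the shape of a typical exported Sysmon config:
# ProcessCreate already logs broadly, but ImageLoad is an empty "include" section.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <!-- Using "include" with no rules means nothing in this section will be logged -->
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def image_load_coverage(config_xml):
    """Return (onmatch, rule_count, logs_anything) for the ImageLoad (Event ID 7) section,
    or None when the config has no ImageLoad section at all (also logs nothing)."""
    root = ET.fromstring(config_xml)  # comments are dropped by the default parser
    node = root.find("./EventFiltering/RuleGroup/ImageLoad")
    if node is None:
        node = root.find("./EventFiltering/ImageLoad")  # older configs without RuleGroup
    if node is None:
        return None
    onmatch = node.get("onmatch", "")
    rule_count = len(list(node))
    # include + no rules => nothing logged; exclude + no rules => everything logged
    logs_anything = onmatch == "exclude" or rule_count > 0
    return onmatch, rule_count, logs_anything


def enable_full_image_load(config_xml):
    """Rewrite every empty ImageLoad include section to exclude, leaving other sections alone."""
    root = ET.fromstring(config_xml)
    for node in root.iter("ImageLoad"):
        if len(list(node)) == 0 and node.get("onmatch") == "include":
            node.set("onmatch", "exclude")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", image_load_coverage(SAMPLE_CONFIG))
    fixed = enable_full_image_load(SAMPLE_CONFIG)
    print("after: ", image_load_coverage(fixed))
```

Logging every image load is verbose; on a production sensor you would follow this with exclusions for known-noisy Microsoft-signed loaders rather than leave the section wide open.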
Download reflective_dll.x64.dll and rename it to WININET.dll.
Move calc.exe from C:\Windows\System32 to a writable directory, and move WININET.dll to the same writable directory.
Execute calc.exe and analyze the impact of the hijack.
Filter the event logs to focus on Event ID 7 ("Filter Current Log"), then search for instances of "calc.exe" (click "Find"). Identify the DLL load associated with the hijack and compare it to an authentic load of "wininet.dll" by "calc.exe".
Compare the following fields: Image, ImageLoaded, FileVersion, Description, Product, Company, OriginalFileName, Hashes, Signed, Signature, SignatureStatus.
IOC: "calc.exe", originally located in System32, should not be found in a writable directory; it should always reside in System32 (potentially SysWOW64). "WININET.dll", originally located in System32, should not be loaded from outside System32 by calc.exe. A "WININET.dll" load occurring outside of System32 with "calc.exe" as the loading process indicates a DLL hijack within calc.exe. The original "WININET.dll" is Microsoft-signed, while our injected DLL remains unsigned.
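The IOC logic above, as an added example that is not part of the original page: a Python triage script that parses Sysmon Event ID 7 records in their XML form (the same XML shown in Event Viewer's "XML Data" view) and applies the three checks, whether a binary expected in System32 runs from elsewhere, whether such a DLL is loaded from outside System32/SysWOW64, and whether it lacks a Microsoft signature. The two event records are constructed for the example (one legitimate load, one hijack) and the set of "expected in System32" names is an assumption you would extend for your own environment.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Files the page says should only ever reside in System32 (or SysWOW64). Assumption: extend as needed.
EXPECTED_IN_SYSTEM = {"calc.exe", "wininet.dll"}

# Constructed Sysmon Event ID 7 records (not real captured data): a legitimate load and a hijack.
LEGIT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\calc.exe</Data>
    <Data Name="ImageLoaded">C:\\Windows\\System32\\WININET.dll</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""

HIJACK = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="Image">C:\\Temp\\calc.exe</Data>
    <Data Name="ImageLoaded">C:\\Temp\\WININET.dll</Data>
    <Data Name="Signed">false</Data>
    <Data Name="Signature">-</Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Event XML record into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def in_system_dir(path):
    # ntpath handles Windows paths correctly even when this runs on Linux
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def assess_image_load(ev):
    """Return a list of IOC findings for a single Event ID 7 record (empty if clean)."""
    if ev.get("EventID") != 7:
        return []
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    proc, dll = ntpath.basename(image).lower(), ntpath.basename(loaded).lower()
    findings = []
    if proc in EXPECTED_IN_SYSTEM and not in_system_dir(image):
        findings.append(f"{proc} running from non-system directory {ntpath.dirname(image)}")
    if dll in EXPECTED_IN_SYSTEM:
        if not in_system_dir(loaded):
            findings.append(f"{dll} loaded from non-system directory {ntpath.dirname(loaded)} by {proc}")
        signed = ev.get("Signed", "").lower() == "true"
        if not signed or not ev.get("Signature", "").startswith("Microsoft"):
            findings.append(f"{dll} is not Microsoft-signed (Signed={ev.get('Signed')}, Signature={ev.get('Signature')})")
    return findings


def triage(xml_records):
    """Run the checks over many records; return (computer, image, findings) for the suspicious ones."""
    results = []
    for xml_text in xml_records:
        ev = parse_event(xml_text)
        findings = assess_image_load(ev)
        if findings:
            results.append((ev["Computer"], ev.get("Image"), findings))
    return results


if __name__ == "__main__":
    for computer, image, findings in triage([LEGIT, HIJACK]):
        print(computer, image)
        for f in findings:
            print("  -", f)
```

The signature check is deliberately limited to DLLs that ship with Windows; flagging every non-Microsoft DLL would drown the hijack finding in third-party noise.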
C# requires a backend runtime to execute its code.
System Shutdown/Restart: This event log indicates when and why the system was shut down or restarted. By monitoring these events, you can determine if there are unexpected shutdowns or restarts, potentially revealing malicious activity such as malware infection or unauthorized user access.
The Event log service was started: This event log marks the time when the Event Log Service was started. This is an important record, as it can signify a system boot-up, providing a starting point for investigating system performance or potential security incidents around that period. It can also be used to detect unauthorized system reboots.
The Event log service was stopped: This event log signifies the moment when the Event Log Service was stopped. It is typically seen when the system is shutting down. Abnormal or unexpected occurrences of this event could point to intentional service disruption for covering illicit activities.
Windows uptime: This event occurs once a day and shows the uptime of the system in seconds. A shorter than expected uptime could mean the system has been rebooted, which could signify a potential intrusion or unauthorized activities on the system.
Service status change: This event indicates a change in service startup type, which could be from manual to automatic or vice versa. If a crucial service's startup type is changed, it could be a sign of system tampering.
The audit log was cleared: Clearing the audit log is often a sign of an attempt to remove evidence of an intrusion or malicious activity.
Antivirus malware detection: This event is particularly important because it logs when Defender detects malware. A surge in these events could indicate a targeted attack or widespread malware infection.
Antivirus remediation activity has started: This event signifies that Defender has begun the process of removing or quarantining detected malware. It's important to monitor these events to ensure that remediation activities are successful.
Antivirus remediation activity has succeeded: This event signifies that the remediation process for detected malware has been successful. Regular monitoring of these events will help ensure that identified threats are effectively neutralized.
Antivirus remediation activity has failed: This event is the counterpart to 1119 and indicates that the remediation process has failed. These events should be closely monitored and addressed immediately to ensure threats are effectively neutralized.
Successful Logon: This event records successful logon events. This information is vital for establishing normal user behavior. Abnormal behavior, such as logon attempts at odd hours or from different locations, could signify a potential security threat.
Failed Logon: This event logs failed logon attempts. Multiple failed logon attempts could signify a brute-force attack in progress.
A logon was attempted using explicit credentials: This event is triggered when a user logs on with explicit credentials to run a program. Anomalies in these logon events could indicate lateral movement within a network, which is a common technique used by attackers.
A handle to an object was requested: This event is triggered when a handle to an object (like a file, registry key, or process) is requested. This can be a useful event for detecting attempts to access sensitive resources.
Special Privileges Assigned to a New Logon: This event is logged whenever an account logs on with super user privileges. Tracking these events helps to ensure that super user privileges are not being abused or used maliciously.
A scheduled task was created: This event is triggered when a scheduled task is created. Monitoring this event can help you detect persistence mechanisms, as attackers often use scheduled tasks to maintain access and run malicious code.
A scheduled task was enabled/disabled: This records the enabling or disabling of a scheduled task. Scheduled tasks are often manipulated by attackers for persistence or to run malicious code, thus these logs can provide valuable insight into suspicious activities.
A scheduled task was updated: Similar to 4698, this event is triggered when a scheduled task is updated. Monitoring these updates can help detect changes that may signify malicious intent.
System audit policy was changed: This event records changes to the audit policy on a computer. It could be a sign that someone is trying to cover their tracks by turning off auditing or changing what events get audited.
A user account was changed: This event records any changes made to user accounts, including changes to privileges, group memberships, and account settings. Unexpected account changes can be a sign of account takeover or insider threats.
Kerberos pre-authentication failed: This event is similar to 4625 (failed logon) but specifically for Kerberos authentication. An unusual amount of these logs could indicate an attacker attempting to brute force your Kerberos service.
The domain controller attempted to validate the credentials for an account: This event helps track both successful and failed attempts at credential validation by the domain controller. Multiple failures could suggest a brute-force attack.
Antivirus real-time protection configuration has changed: This event indicates that the real-time protection settings of Defender have been modified. Unauthorized changes could indicate an attempt to disable or undermine the functionality of Defender.
A network share object was accessed: This event is logged whenever a network share is accessed. This can be critical in identifying unauthorized access to network shares.
A network share object was added: This event signifies the creation of a new network share. Unauthorized network shares could be used to exfiltrate data or spread malware across a network.
A network share object was checked to see whether client can be granted desired access: This event indicates that someone attempted to access a network share. Frequent checks of this sort might indicate a user or malware trying to map out the network shares for future exploits.
The Windows Filtering Platform has blocked a connection: This is logged when the Windows Filtering Platform blocks a connection attempt. This can be helpful for identifying malicious traffic on your network.
A service was installed in the system: A sudden appearance of unknown services might suggest malware installation, as many types of malware install themselves as services.
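The "multiple failed logons could signify a brute-force attack" point from the Failed Logon entry, as an added example that is not part of the original page: a sliding-window detector over Security-log records using the two event IDs the page names for logons, 4625 (failed) and 4624 (successful). It raises one alert when a single source IP accumulates a threshold of failures inside the window, and a second, higher-priority alert if a successful logon from that same IP follows, which is the pattern of a password-guessing attempt that worked. The records are constructed for the example (the field names and thresholds are assumptions; real collection would pull TimeCreated, EventID, TargetUserName and IpAddress from the event XML).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in the shape of the Security-log
# fields a collector would extract: TimeCreated, EventID, TargetUserName, IpAddress.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:00:00", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-05-01T02:00:05", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-05-01T02:00:10", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-05-01T02:00:15", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-05-01T02:00:20", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-05-01T02:00:25", "id": 4625, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2024-05-01T02:00:40", "id": 4624, "user": "jdoe", "ip": "10.0.0.5"},
    # a single mistyped password from another host: normal behaviour, must not alert
    {"time": "2024-05-01T02:01:00", "id": 4625, "user": "asmith", "ip": "10.0.0.9"},
    {"time": "2024-05-01T02:01:30", "id": 4624, "user": "asmith", "ip": "10.0.0.9"},
]


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logons (4625) inside a sliding window,
    and any subsequent successful logon (4624) from an IP that was flagged."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # ip -> timestamps of 4625 events still inside the window
    flagged = set()                # ips already reported as a burst (report once)
    alerts = []
    for e in sorted(events, key=lambda r: r["time"]):  # logs are not guaranteed to be ordered
        t = datetime.fromisoformat(e["time"])
        ip = e["ip"]
        if e["id"] == 4625:
            q = failures[ip]
            q.append(t)
            while t - q[0] > window:  # drop failures that have aged out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "failed-logon-burst", "ip": ip,
                               "count": len(q), "at": e["time"]})
        elif e["id"] == 4624 and ip in flagged:
            alerts.append({"type": "success-after-burst", "ip": ip,
                           "user": e["user"], "at": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Keying on the source IP rather than the target user catches password spraying (one IP, many users) as well as classic brute force (one user, many attempts); tune the threshold against your own baseline of lockout and help-desk noise.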
Download
Instead of the Calculator application, a is displayed.
For powershell.exe: by right-clicking on powershell.exe, clicking "Properties", and navigating to "Modules", we can find relevant information. The presence of "Microsoft .NET Runtime...", clr.dll, and clrjit.dll should attract our attention.