Chapter 18 - 02 - Discuss Log Monitoring and Analysis on Windows Systems - 01_ocred_fax_ocred.pdf

Certified Cybersecurity Technician Exam 212-82 Network Logs Monitoring and Analysis

Module Flow
- Understand Logging Concepts
- Discuss Various Log Management Tools
- Discuss Log Monitoring and Analysis on Linux Systems
- Discuss Log Monitoring and Analysis on Windows Systems

Discuss Log Monitoring and Analysis on Windows Systems

The objective of this section is to explain the monitoring and analysis of logs on Windows systems. It describes Windows event logs, their types, and how to monitor and analyze them.

Module 18 Page 2077 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Windows Logs
- The Windows OS tracks various events, activities, and functions through logs.
- Windows event logs, consisting of a header and a series of event records, provide a standard, centralized way for applications (and the OS) to record important software and hardware events.
- Windows event log audit configurations (i.e., log retention, log size, etc.) are recorded under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

[Slide figure: Registry Editor open at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog; the same screenshot is reproduced as Figure 18.2 below.]

The Windows event logging service collects events from multiple sources and keeps them in a single location known as the Windows event log. These logs act as the primary source of evidence for all important actions/activities on a Windows system. The Windows event log contains logs of system, security, and application notifications that are monitored and analyzed by security professionals to detect issues in the system. It provides a standard, centralized way for applications (and the OS) to record important software and hardware events. It uses a structured data format that simplifies searching and filtering for a particular type of log. Windows event log files can be viewed through Event Viewer, which is the programming interface that facilitates analysis of these logs.

Each event is a log entry that includes information such as the event time, the event source that caused the event, the event type (Information, Warning, Error, Success Audit, or Failure Audit), and the event ID for the event type. Windows event log audit configurations, that is, log retention, log size, etc., are recorded under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

This key comprises various subkeys, which are known as logs. Each log includes registry values such as CustomSD, DisplayNameFile, DisplayNameID, File, MaxSize, etc., which can be configured as required.

[Figure 18.2: Screenshot of Registry Editor at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. The left pane lists the log subkeys Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, System, TechSmith and Windows PowerShell. The right pane shows the EventLog service values: Description (REG_SZ, @%SystemRoot%\system32\wevtsvc.dll,-201), DisplayName (REG_SZ, @%SystemRoot%\system32\wevtsvc.dll,-200), ErrorControl (REG_DWORD, 0x00000001), FailureActions (REG_BINARY), FailureActionsOnNonCrashFailures (REG_DWORD, 0x00000001), Group (REG_SZ, Event Log), ImagePath (REG_EXPAND_SZ, %SystemRoot%\System32\svchost.exe -k LocalSer...), ObjectName (REG_SZ, NT AUTHORITY\LocalService), PlugPlayServiceType (REG_DWORD, 0x00000003) and RequiredPrivileges (REG_MULTI_SZ, SeChangeNotifyPrivilege, SeImpersonatePrivilege).]

Windows Event Log File Internals

In simple terms, Windows event log files are databases with records related to the system, security, and applications. The databases related to the system are stored in a file named System.evtx, the databases related to security are stored in a file named Security.evtx, and the databases related to applications are stored in a file named Application.evtx. These Windows event log files are stored in the C:\Windows\System32\winevt\Logs folder, as shown in the figure below.

[Figure 18.3: Screenshot of Windows event log files. File Explorer open at System32 > winevt > Logs (369 items), listing files of type Event Log, among them AMSI%4Operational.evtx, Application.evtx, HardwareEvents.evtx, Internet Explorer.evtx, Key Management Service.evtx, Microsoft-AppV-Client%4Admin.evtx, Microsoft-AppV-Client%4Operational.evtx, Microsoft-AppV-Client%4Virtual Applications.evtx, Microsoft-Client-Licensing-Platform%4Admin.evtx, Microsoft-User Experience Virtualization-Agent Drive..., Microsoft-User Experience Virtualization-App Agent..., Microsoft-User Experience Virtualization-IPC%4Oper... and Microsoft-User Experience Virtualization-SQM Uploa..., with modification dates in 2018.]

All .evtx files can be opened and read with Event Viewer.

Windows Event Log Types and Entries
- Event Viewer provides a quick overview of when, where, and how an event occurred.
- Check Windows Event Log for various types of logs:
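The following PowerShell script is an added example, not part of the EC-Council module text or its figures. It puts the two passages above into practice from the command line: it walks the per-log subkeys under the EventLog registry key and reports the File, MaxSize, Retention and CustomSD values the text names, lists the .evtx files in C:\Windows\System32\winevt\Logs, and then reads the newest records straight out of System.evtx and Security.evtx to show the per-event fields (time, source, type, event ID). Get-WinEvent is used as the scriptable counterpart of Event Viewer; the 20 MB review threshold and the "Review:" wording are this example's own choices, not values from the module.

```powershell
# Added example (not from the EC-Council module): inventory the Windows event log
# subsystem described above. Run in an elevated session, because Security.evtx
# cannot be opened by a standard user.

# ---- 1. Per-log configuration under the registry key named in the module ----
$eventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Each subkey is one log; its values (File, MaxSize, Retention, CustomSD, ...)
# hold that log's size and retention settings. Values a log lacks come back $null.
$logConfig = Get-ChildItem -Path $eventLogKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Log       = $_.PSChildName
        File      = $p.File                          # backing .evtx (REG_EXPAND_SZ, expanded on read)
        MaxSizeMB = if ($null -ne $p.MaxSize) { [math]::Round($p.MaxSize / 1MB, 2) } else { $null }
        Retention = $p.Retention                     # 0 = overwrite as needed; 0xFFFFFFFF (shown as -1) = never overwrite
        CustomSD  = if ($p.CustomSD) { 'custom' } else { 'default' }   # SDDL string governing who may read/write the log
    }
}
$logConfig | Sort-Object Log | Format-Table -AutoSize

# Logs capped at or below 20 MB wrap quickly and lose evidence; 20 MB is this example's
# threshold, not a value from the module.
$logConfig | Where-Object { $_.MaxSizeMB -and $_.MaxSizeMB -le 20 } |
    ForEach-Object { "Review: {0} capped at {1} MB with Retention={2}" -f $_.Log, $_.MaxSizeMB, $_.Retention }

# ---- 2. The .evtx files in C:\Windows\System32\winevt\Logs ----
$logDir    = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$evtxFiles = Get-ChildItem -Path $logDir -Filter '*.evtx' -File

# Channel names such as Microsoft-AppV-Client/Admin are stored with '/' encoded as
# '%4' (the '%4' visible in the module's file listing), since '/' is not legal in a file name.
"{0} .evtx files in {1}" -f $evtxFiles.Count, $logDir
$evtxFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 10 |
    Select-Object Name, LastWriteTime, @{ n = 'SizeKB'; e = { [int]($_.Length / 1KB) } } |
    Format-Table -AutoSize

# ---- 3. Per-event fields: time, source, type, event ID ----
function Get-EventType {
    # Maps a record onto Event Viewer's five types. Security events report the
    # audit outcome in Keywords (Audit Success / Audit Failure) rather than in Level.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $k = [long]$Record.Keywords
    if ($k -band 0x0020000000000000) { return 'Success Audit' }
    if ($k -band 0x0010000000000000) { return 'Failure Audit' }
    return $Record.LevelDisplayName        # Information, Warning, Error (or Critical/Verbose)
}

function Get-RecentEventSummary {
    # Reads the newest $Count records directly from an .evtx file and returns the
    # fields the module lists for each event.
    param([string]$Path, [int]$Count = 25)
    Get-WinEvent -Path $Path -MaxEvents $Count -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Source  = $_.ProviderName
            Type    = Get-EventType $_
            EventId = $_.Id
            Log     = $_.LogName
        }
    }
}

foreach ($name in 'System.evtx', 'Security.evtx') {
    $path = Join-Path $logDir $name
    try {
        $recent = Get-RecentEventSummary -Path $path
        "`n== {0}: newest {1} records ==" -f $name, $recent.Count
        $recent | Format-Table Time, Source, Type, EventId -AutoSize
        # The structured record format is what makes filtering by type cheap:
        $recent | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize
    } catch {
        "Could not read {0}: {1}" -f $path, $_.Exception.Message
    }
}
```

Section 1 reads the same key Figure 18.2 shows, but one level down, where the per-log values live; the EventLog key itself only holds the service's own settings (ImagePath, ObjectName and so on). Section 3 reads from the files rather than the live channels so the same code works against .evtx files copied off a machine during an investigation.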
