Chapter 18 - 02 - Discuss Log Monitoring and Analysis on Windows Systems - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Event Types
W]Bl Event Viewer
Event Type
File Action View
File View Help
Milp
| m m
An event indicates a significant problem such as loss of data or «=|am
e am @ m
@
1 W 1) Applic. %
Error loss of functionality. For example, if aa service fails to load during ulb &,;':Lf,,,,'lfif
Corntiom :
startup, an Error event is |ossed «v [(& Windows Logs Level Date and Time
Dete Source Event 1D
Evert Task Categon,
Tosk Categony *
[+] Applcation
[+ (1) Information
(D) nformation 9222018 12060 PM ESENT
22018120600 916 General
An event that is not necessarily significant but may indicate a o] Secunty r‘o;.nno.m.hon | /202018
(Dinformation 120014PMPM Wind..
$/23/2018 1200:14 Wind.. 1001 None
e future probil [[ ]] Sevp
Seavp W fnor
o V012120002 P
97232018 120012 PV Apph.,
Apph.. 1000
1000 (100)
(100}
”,u*
- fl‘“lf.
re Pr '.m' For
For examp'e’
exampie‘ when disk
diSk Space is
|5 IO“I'
|OVV, a Iv] System
[+] | D(1) information
information WNR0ENMNWBN
W0 NN A Secur,
Secur.. 15 None
Warning Warning event is logged. If an application can recover from an [(] ] Formarded
Forwarded bvents
tvents |§ (D(D information
information || - 923201
9232018 12011
11281144 Secur.
Secur, 15 None
event without loss of functionality or data, it can generally classify ' ;: :W';:'*’"‘
:W':\"*‘"' and Sara
Sera | § (Dinformation
(D intormation | 9202018
9232018 112748
1N204A A Secur..
Secur.. 16084
16384 None
)> ) Sevedlogs
deved Loy (1D) Information 232018
W20 N2TNT
N2TT A Secur...
Secur,.. 16394
16394 None
the event as a Warning event 1.5. Subscriptions (Dinformation
(Dintormation | 9232002
9232018 1105004
11050 A ESENT 516
916 General
An event successfu operation D iatomaton | 2220021004004 FSENT 96 General
that describes successful operation of an application, f:;:":m‘:'o" ::,g:: ;im;::‘ :::: ::: g'm:
An event that describes A ofan app"catlon' (DU information
information A9
/2372 3 AM ESENT §16 General
enersl
driver,
driver, or service. For
or service. For example,
example, when
when aa network
network driver
driver loads
loads D intormation || 9232018
(Dinformation 523201290300
90000 AMAM ESENT
ESENT 916
516 Genens
General
Information successfully,
successfully, it may be appropriate to log an Information event. (Dintormation | - 9/21/2012
(Dinformation 92372018 80200
80200 AM ESENT 916 Genenl
Note that it is generally inappropriate for a desktop application to
l’:)ogt:nt';:lte::tl:g::::::levl:n:t:rpfiopflate fol' a deSktop appltafion to
j:;::::::m
(D informaton
(D intormation
:’:,’g::bf“)zffi
S/232018 TOL00AM
2018 60000 AN
:fi:}
ESENT
ESENT
::2 General
§16
G916
2‘:‘":
General
log an event each time it starts (D information |
(Dinformation /202018
AN 54238ANM
SBL ESENT
ESENT 916 General
G916Genenl
() information
(D) information SN0
W20 5416 AN
54126 AM Secur..
Secur.. 16384
16304 None
S
Success An event
An event that
that records
records anan audited
audited security
security access
access attempt that isis
attempt that Diotormation
(Dintormation || 92372018 54102 AM
9/23/2018 54102 AM Resta...
Resta... 10008 Neme
10005 None
Audit successful. For example, a user's successful attempt to log on to 1A Warning 9232018
V22018 SAL2AM
S0 AM Resta.., 12010 None
16010
the system
the system isis logged
logged asas aa Success
Success Audit
Audit event
event [ itchmaton | RGVAPIBSHNREAM'AM
(D nformation | 9232018 54102 Resta...
Wasits:—— 1000 None
10808 ona
(B
(D Intormation
information VA0
VA28 400 AM
54100 AM Resta...
Resta.., 10000 None

An event that records an audited security access
An event that records an audited m access attempt that
attempt that R
(D) Information NANEIRAAN.
$23/2018 54053 AM Secs
Secur.. bl e
16393 None v
v
< >
Failure Audit fails. For example, if a user tries to access a network drive and.= 2 = IR - 2
fails, the attempt is logged as a Failure Audit event
https//docs. micrasoft.com
hitps.//docs.microsoft.com

Copyright © by E All Rights Reserved. Reproduction Isis Strictly Prohibited

Event Types
Events are categorized into five types, based on their severity levels.
= Error: This type of event describes a significant problem such as loss of data or
functionality. For example, an error event is recorded when a service is unable to load at
startup.
= Warning: This type of event is of less importance but may describe a possible future
problem. For example, a warning event is recorded when there is low space on the disk.
Events are also classified as a warning event when an application can recover from an
event without any loss.
= Information: This type of event indicates the successful operation of an application,
driver, or service. For example, an information event is recorded when an application
driver loads successfully.
= Success audit: This type of event is recorded when any successfully audited security
access attempt is detected. For example, a success audit event is recorded when a user
successfully logs on to the system.
= Failure Audit: This type of event is recorded when any unsuccessful audited security
access attempt is detected. For example, a Failure Audit event is recorded when a user
fails in accessing a network drive.

Module 18 Page 2083 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

{d] Event Viewer
Viewer - O X
File Action View Help

|2/m
2@ @Emm
Event Viewer (Local) Application Number of events: 9,744 '
[§ Custom Views
> (4
vv [
r.'. Windows
Windows Logs
Logs Level Date and Time Source Event ID Task Category
Categon, ®
lfl
m Application @lnformation
@Information 9/23/2018 12:06:00 PM ESENT 916 General
[+] Security (i) Information
@Information 9/23/2018 12:00:14 PM Wind... 1001 None
[] Setup @@ Error 9/23/2018 12:00:12 PM Appli... 1000 (100)
[+]
[¢] System @Information
®Information 9/23/2018 11:28:11 A
9/23/201811:28:11 Secur... 15 None
[[]| Forwarded
Forwarded Events
Events ||| (D
() Information | 9/23/201811:28:11A
9/23/2018 11:2&:11 A Secur...
Secur... 15 None
>> [
[ Applications and Servi|
Applications and Servi (i)
@ Information
Information | 9/23/201811:27:48A
9/23/2018 11:27:48 A Secur...
Secur... 16384
16384 None
None
>> [f)
L) Saved Logs
Saved Logs ()
@ Information
Information | 9/23/201811:27:17
9/23/2018 11:2717 AA Secur...
Secur... 16394
16394 None
None
[}
[y Subscriptions
Subscriptions ()
@ Information
Information | 9/23/201811:05:00
9/23/2018 11:05:00 AA ESENT
ESENT 916
916 General
General
@ Information 9/23/2018 10:04:00 A ESENT 916 General
@ Information 9/23/2018 9:42:34 AM ESENT 916 General
@ Information 9/23/2018 9:03:00 AM ESENT 916 General
(i) Information
@ 9/23/2018 8:02:00 AM ESENT 916 General
(i) Information
@ 9/23/2018 7:01:00 AM ESENT 916 General
(D
@ Information 9/23/2018 6:00:00 AM ESENT 916 General
() Information 9/23/2018 5:42:34 AM ESENT 916 General
(i) Information
(D 9/23/2018 5:41:26 AM Secur... 16384 None
@
® Information 9/23/2018 5:41:02 AM Resta... 10005 None
A\ Warning
/A, 9/23/2018 5:41:02 AM Resta... 10010 None
@ Information
® 9/23/2018 5:41:02 AM Resta... 10000 None
(i) Information
@ Information | 9/23/2018 5:41:00
9/23/2018 5:41:00AM
AM Resta...
Resta... 10000
10000 None
None
(i) Information
(D 9/23/2018 5:40:53 AM Secur... 16394 None v
< > [IL€ >

Figure 18.5: Various Windows Event Types

Module 18 Page 2084 Certified
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Monitoring and Analysis of Windows Logs
Q Open Event Viewer, click the required log you want to view
Q In the details pane, click the event that you want to view.
- Wl Event Viewer - [s] x|
Description and header information is displayed in the fle Adien Vies Hep
Preview Pane e amdms
Q The information displayed in the Preview Pane about the || bto e - —
o o Levet Date and Tume Sewce [ Catageey *
event is as follows: "@ (Dinformanen SAUDIODW0AM (SINT 916 Geners. I.O‘ Name: The type of Windows 'og L] Setup Informeten SN I0ISBAM Securey-
9P 100) Neee v
= Source: Source is the cause that is responsible for the event fl i :_.w,“_"_,, ,n
raised by either an individual, or a system, or a program : =s..-n..‘ b
» B S —
= EventID: The type of event that occurred
;Mumwmmmumnlunmmm
= Level: Event level type is divided into five types: Error,
Warning, Information, Success Audit, and Failure Audit Log Meme Apptcstion
= User: User responsible and who logged on the computer at s i L
the instance of the event Lo infermstion Keymords Classic
= Logged: The timestamp of the event :,:... x
= Task Category: Primarily used in case of security log, which. —.
classifies an event based on the event source : 21
= Computer: The name assigned to the computer where the
‘ ' event occurred

Monitoring and Analysis of Windows Logs (Cont’d)
| Filtering/Finding Events in Event Viewer
The feature in Event Viewer allows the removal of clutter from the
event log display Ay time
Each log can be independently configured with different filter properties O Crtcal ] Waming [ Verbose
O tmoe [ infermation
Use and features in Event Viewer, under the pane
Bventloge [ipphcaton -
After applying the filter, the Event Viewer shows the log with matching
Event sources: [ =
properties
Includes/Excludes Event IDx: Enter ID numbers and/cr ID ranges separated by commas. To
exclude critena, type 3 minus sign first. For example 1,3,5-55,-78
M Event Viewer - (=] *
Fle Adka View Help [ ]
s am@m Task category: | =]
[ Evert Viewer (Lacel) Actions.
» g Custaen Views Appcrtion al~ Keyweoeds: | v
v [ Windows
Logs ey
[o] Agplicaen 2
] Securty ¥ Creste Cuntem V.- = [« Users> J
u:‘m Impert Custom Vie.. Computertsy [ ]
[ ] Formarded fvents Claw Loy r
£ Aoghcumans
and Semn B
> "‘:;‘mm 0 Properties

== L EE— = o |

Module 18 Page 2085 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Monitoring and Analysis of Windows Logs (Cont’d)

Examining Event Ve F
System Log
Log Entries Log Entries
Application Log
i J. Log Entries
O The system log contains events logged OQ The application log contains events
by Windows system components logged by applications or programs
O System log includes:. O Application log includes:
»
” Changes to the 0S.» Changes to the hardware configuration \~» Installation and removal of a particular
» Device driver installation software package
» Service pack update/installation
» Confirmation/refutation of virus
» Software and hardware installations
installations infection
infection
»» Starting and stopping of services
”~

> System shutdown/restart » Startup and shutdown of firewall

Y
»r Log-on failures
» Detection of hacking attempts

v
» Alteration of machine information
V¥

» Printing jobs
v

cll. All Rights Reserved. Reproduction is Strictly Prohibited

Monitoring and Analysis of Windows Logs (Cont’d)
QO The security log is the mother of all logs in forensic terms

O Log-ons, log-offs, attempted connections, and policy changes are all reflected
Security Log in the event contained therein
Entries
O Unfortunately, security logging is turned off by default

O It needs to be enabled by the group or local policy to be useful

To support later investigations, enabling local (or group) policy for audit policy is
recommended with some of the following actions at the minimum:

[ Q Audit account log-on events Success, Failure

\ Audit account management Success, Failure
2
@ Audit log-on events Success, Failure

Audit policy change Success, Failure

Audit privilege use Success, Failure

Copyright © by EC cll. All Rights Reserved. Reproduction is Strictly Prohibited

Monitoring and Analysis of Windows Logs
Windows event logs include critical information such as log-on failures, log tampering, failed
attempts to access files, etc. They also warn regarding upcoming system issues and protect the
system from unexpected disasters. In addition to this, these event logs may also describe an
attempt made by a user to compromise the system or an unsanctioned configuration change.
Thus, these event logs need to be monitored and analyzed to identify network vulnerabilities,
security breaches, and threat intruders. These event logs enable security professionals to

Module 18 Page 2086 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

protect the network against internal threats and vulnerabilities. The most common way to
monitor and analyze Windows event logs is to use the Windows Event Viewer.

Viewing Events in Event Viewer

= Open Windows Event Viewer by clicking the Start icon and then typing "Event Viewer" in
the search box.

B 0O i) Filters v/

Best match

Event Viewer
Desktop app

Search suggestions

L event viewer
- See web result

L event viewer

Figure 18.6: Screenshot of the Search Box

= Once Event Viewer opens, click on the required log file from the console tree. A list of
events can be seen in the details pane.

= In the details pane, clicking on any specific event will reveal its description and header
information in the Preview pane.

The information displayed in the Preview pane about the event is described below.
o Log name: The type of Windows log

o Source: Source is the cause that is responsible for the event raised by either an
individual or a system or a program

o Event ID: The type of event that occurred
o Level: Event level type is divided into five types: Error, Warning, Information,
Success Audit, and Failure Audit

o User: User responsible and who logged on the computer at the instance of the event

o Logged: The timestamp of the event

o Task category: Primarily used in case of a security log that classifies an event based
on the event source

o Computer: The name assigned to the computer where the event occurred

Module 18 Page 2087 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

Event Viewer - [m] X

File Action View Help

|2 m @
Event Viewer (Local) Application Number of events: 9,735 (I) New events available
> [ Custom Views
v [ Windows Logs Level Date and Time Source EventID Task Category #
o] Applkationl (@) Information 9/24/2018 10:27:00 AM ESENT 916 General
rmatior 10:26:34 AM ecurity-SPF 16384 None. Securrty L;
[] Setup (i) Information 9/24/2018 10:25:56 AM Security-SPP 1003 None v
[+] System < >
(5] Forwarded Events (e
> L Applications and Servi
e Security-SPP x
> [§) Saved Logs General Details
-
(7% Subscriptions
Successfully scheduled Software Protection service for re-start at 2118-08-31T04:56:34Z. Reas:
RulesEngine.

Log Name: Application
Source: Security-SPP Logged: 9/24/2018 10:26:34 AM
Event ID: 16384 Task Category: None
Level: Information Keywords: Classic
User: N/A Computer: DESKTOP-QH#w
OpCode: Info
More Information: Event
OnlineLog Help v
< >

Figure 18.7: Screenshot of Event Viewer

Filtering/Finding Events in Event Viewer

The Filter feature in Event Viewer helps in targeting the information that may be required for
investigation. To save time and effort, Event Viewer provides the option to save specific filters
for future use through the Create Custom View feature.
Filter feature can allow the removal of clutter from the event log display and limit the data
displayed in a single log. Each log can be independently configured with different filter
properties.

The following steps are used to create a filter:
Select the log that needs to be filtered.
After that, click on "Filter Current Log" option available under the Action pane.
The "Filter Current Log” dialog box will appear.

Specify a time period, if the approximate time when the events occurred is known.

The event levels can be specified from the available options (Critical, Warning, Verbose,
Error, and Information). If no option is specified, all event levels will be returned.
Specific event IDs can be mentioned in the defined format.
Specific event sources can be selected; similarly, specific keywords, users, or computers
can be searched.

Module 18 Page 2088 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

= Click OK to close the "Filter Current log" dialog box.
= After applying the filter, the Event Viewer will show the log with matching properties.

Event Viewer - [m] X
File Action View Help

| 2@ E
Event Viewer (Local) Application Number of events: 9,750
> [ Custom Views - =
o fii Windows Logs Level Date and Time ;

[+] Application (@ Information 9/24/2018 12:55: (> OpenSavedLeg...
[+] Security (@) Information 9/24/2018 12:42: W Create Custom Vie...
] Setup (i) Information 9/24/2018 12:29: Import Custom Vie
(] System (D Information 9/24/2018 12:18:
(] Forwarded Events || (i)Information 9/24/2018 12:00: Clear Log...
> |5 Applications and Servi| | (i) Information ~ 9/24/201812:00: | [ Filter Current Log...|
> [§) Saved '.-°?5 (i) Information 9/24/2018 11:42: [] Properties
fi Subscriptions (i) Information 9/24/2018 11:42: ¥ -
< > < > ‘im Find... I v

Figure 18.8: Screenshot of Event Viewer

Filter Current Log X

Filter XML

Logged: ‘ Any time e
Event level: [] Critical [[] Warning [] Verbose

[ Error ] Information

By log Event logs: ,.Appli(ation v

By source Event sources: I v

Includes/Excludes Event IDs: Enter ID numbers and/or ID ranges separated by commas, To
exclude criteria, type a minus sign first. For example 1,3,5-99,-76

l

Task category: | -

Keywords: | vl

User: l l

Computer(s): | ]

Clear

o
Figure 18.9: Screenshot of “Filter Current Log” Dialog Box

Module 18 Page 2089 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

To find an event, follow the steps below:

= (Click on "Find" option available under the Action pane
= Type the information that needs to be found and then click Find Next
= (Click Close, when search is complete

Find X

Find what: application| Find Next

Figure 18.10: Screenshot of Find dialog box

Examining Event Log Entries
Event Viewer displays three types of event log entries, as described below.

= System log entries
The system log contains events logged by Windows system components. It contains
information about system changes such as device driver installations, etc. To view
system log entries in Event Viewer:

o Open Event Viewer and then select System log from Windows logs section in the
console tree
o Alist of system events appears in the details pane
o Select the specific event whose details needs to be viewed
Examples of system log records:
o Changes to the OS
o Changes to the hardware configuration
o Device driver installation

o Service pack update/installation
o Software and hardware installations
o Start/stop of services
o System shutdown/restart
o Log-on failures
o Alteration of machine information
o Printing jobs

Module 18 Page 2090 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Logs Monitoring and Analysis

= Application log entries

The application log contains events logged by applications or programs. To view
application log entries in Event Viewer:

o Open Event Viewer and then select Application log from Windows logs section in the
console tree
o Alist of application events will appear in the details pane

o Select the specific event whose details need to be viewed
Examples of application log records:

o Installation and removal of a particular software package

o Confirmation/refutation of virus infection

o Startup and shutdown of firewall

o Detection of hacking attempts

= Security log entries
The security log is the mother of all logs in forensic terms. Unfortunately, security
logging is turned off by default. To view security log entries in Event Viewer,
o Open Event Viewer and then select Security log from Windows logs section in the
console tree

o Alist of security events appear in the details pane

o Select the specific event whose details need to be viewed

Examples of security log records:

o Log-ons
o Log-offs
o Attempted connections
o Policy changes

To support later investigations, enabling local (or group) policy for audit policy is recommended
with some of the following actions at the minimum:

Audit account log-on events Success, Failure

Audit account management Success, Failure

Audit log-on events Success, Failure

Audit policy change Success, Failure
Audit privilege use Success, Failure

Table 18.1: Actions to Enable Local (or Group) Policy for an Audit Policy

Module 18 Page 2091 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.