Chapter 18 - 02 - Discuss Log Monitoring and Analysis on Windows Systems PDF

Summary

This chapter discusses log monitoring and analysis on Windows systems, including different types of events (Error, Warning, Information, Success Audit, Failure Audit), and how to use tools like Event Viewer to examine and filter these logs. Information about the usefulness of logs in forensic scenarios is also included.

Full Transcript

Certified Cybersecurity Technician Exam 212-82: Network Logs Monitoring and Analysis

[Slide: Event Types, with an embedded Event Viewer screenshot of the Application log. The readable text of the slide is reproduced below.]

Event Types

Events are categorized into five types, based on their severity levels:

- Error: An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
- Warning: An event that is not necessarily significant but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
- Information: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
- Success Audit: An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
- Failure Audit: An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.

Source: https://docs.microsoft.com

One caveat when applying this table to the Event Viewer shipped with Windows Vista and later: its Level column shows Critical, Error, Warning, Information, and Verbose, and the two audit types are not levels at all. Security-log audit events are displayed with the level Information and carry the keyword Audit Success or Audit Failure. Filtering the Security log by level therefore does not separate successful from failed access attempts; the keyword does.

Module 18 Page 2083 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
[Figure 18.5: Various Windows Event Types. Screenshot of Event Viewer (Local) > Windows Logs > Application ("Number of events: 9,744") with the columns Level, Date and Time, Source, Event ID, and Task Category. The visible rows, all dated 9/23/2018, are Information events from ESENT (Event ID 916, General), Secur... (15, 16384, 16394), Wind... (1001), and Resta... (10000, 10005); one Error from Appli... (1000, task category (100)); and one Warning from Resta... (10010).]

Monitoring and Analysis of Windows Logs

Windows event logs include critical information such as log-on failures, log tampering (for example, the audit log being cleared), failed attempts to access files, etc. They also give early warning of upcoming system issues, so that problems can be addressed before they cause an outage. In addition, these event logs may describe an attempt made by a user to compromise the system or an unsanctioned configuration change. Thus, event logs need to be monitored and analyzed to identify vulnerabilities, security breaches, and intruders. They enable security professionals to protect the network against internal threats and vulnerabilities. The most common way to monitor and analyze Windows event logs is to use the Windows Event Viewer.

Viewing Events in Event Viewer

- Open Windows Event Viewer by clicking the Start icon and then typing "Event Viewer" in the search box (the same console can be started with eventvwr.msc).

[Figure 18.6: Screenshot of the Search Box, showing "Event Viewer, Desktop app" as the best match.]

- Once Event Viewer opens, click the required log in the console tree. A list of events appears in the details pane.
- In the details pane, clicking a specific event reveals its description and header information in the Preview pane. The fields displayed in the Preview pane are:
  - Log Name: The Windows log the event was written to (Application, Security, Setup, System, or Forwarded Events, or one of the Applications and Services logs)
  - Source: The provider that raised the event, which can be an application, a service, a driver, or a Windows component
  - Event ID: A number identifying the type of event that occurred. It is meaningful only together with the Source, because different providers reuse the same numbers
  - Level: The severity type of the event. The five classic types are Error, Warning, Information, Success Audit, and Failure Audit; the current viewer also shows Critical and Verbose, and presents the two audit types as keywords on Information-level events
  - User: The account under whose security context the event was logged. Many system events and all Security audit events show N/A here; the account actually involved in a logon or access attempt appears in the event description instead
  - Logged: The timestamp of the event
  - Task Category: A sub-classification defined by the event source. It is used primarily in the Security log, where it corresponds to the audit subcategory (Logon, Logoff, User Account Management, Audit Policy Change, and so on)
  - Computer: The name of the computer where the event occurred
[Figure 18.7: Screenshot of Event Viewer with the Application log selected ("Number of events: 9,735 (!) New events available") and a Security-SPP event open in the Preview pane. General tab: "Successfully scheduled Software Protection service for re-start at 2118-08-31T04:56:34Z. Reason: RulesEngine." Header fields: Log Name: Application; Source: Security-SPP; Logged: 9/24/2018 10:26:34 AM; Event ID: 16384; Task Category: None; Level: Information; Keywords: Classic; User: N/A; Computer: DESKTOP-QH (truncated in the screenshot); OpCode: Info; More Information: Event Log Online Help.]

Filtering/Finding Events in Event Viewer

The Filter feature in Event Viewer helps in targeting the information that may be required for an investigation. It removes clutter from the event log display and limits the data shown for a single log; each log can be independently configured with its own filter properties. To save time and effort on repeat work, Event Viewer can store a filter for future use through the Create Custom View feature. The following steps create a filter:

- Select the log that needs to be filtered, then click "Filter Current Log" in the Action pane. The "Filter Current Log" dialog box appears.
- Logged: specify a time period if the approximate time when the events occurred is known.
- Event level: select from Critical, Warning, Verbose, Error, and Information. If no level is checked, all levels are returned. Note that Security-log audits all carry the level Information; to separate successful from failed attempts, use the Keywords field (Audit Success or Audit Failure) instead.
- Event IDs: enter ID numbers and/or ID ranges separated by commas. To exclude criteria, type a minus sign first; for example 1,3,5-99,-76 includes 1, 3, and 5 through 99 but excludes 76.
- Event sources, Task category, Keywords, User, and Computer(s) can be specified in the same way.
- Click OK to close the "Filter Current Log" dialog box.
- After applying the filter, Event Viewer shows only the events with matching properties. The XML tab of the same dialog shows the XPath query the filter generates, which is what a saved Custom View stores and what the command-line tools accept.

[Figure 18.8: Screenshot of Event Viewer with the Application log selected ("Number of events: 9,750") and the Action pane listing Open Saved Log..., Create Custom View..., Import Custom View..., Clear Log..., Filter Current Log..., Properties, and Find...]

[Figure 18.9: Screenshot of the "Filter Current Log" dialog box, Filter tab: Logged (Any time); Event level check boxes Critical, Warning, Verbose, Error, Information; By log / By source; Event logs (Application); Event sources; Includes/Excludes Event IDs with the hint "Enter ID numbers and/or ID ranges separated by commas. To exclude criteria, type a minus sign first. For example 1,3,5-99,-76"; Task category; Keywords; User; Computer(s); Clear button.]
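The same filter, expressed from the command line. This is an added example and not part of the EC-Council module: it maps the "Filter Current Log" fields (Logged, Event level, Event sources, Event IDs, Keywords) onto Get-WinEvent -FilterHashtable and then projects each event into the columns the Preview pane shows, including the audit keyword that the Event Types table above calls Success Audit and Failure Audit. The function name Get-FilteredEvents and its parameters are this example's own choices; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and an elevated prompt for the Security log.

```powershell
# Added example (not from the EC-Council module). Assumes Windows PowerShell 5.1 or PowerShell 7 on
# Windows; reading the Security log requires an elevated prompt.

function Get-FilteredEvents {
    param(
        [string]   $LogName   = 'System',
        [int[]]    $Level     = @(1, 2),   # 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose
        [int[]]    $Id        = $null,
        [string]   $Provider  = $null,
        [datetime] $StartTime = (Get-Date).AddDays(-7),
        [int]      $Max       = 50
    )
    # Hashtable keys map one-to-one onto the dialog: Logged -> StartTime,
    # Event level -> Level, Event sources -> ProviderName, Event IDs -> Id.
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($Level)    { $filter.Level        = $Level }
    if ($Id)       { $filter.Id           = $Id }
    if ($Provider) { $filter.ProviderName = $Provider }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Same columns as the Preview pane. UserId is a SID; resolve it to an account where possible.
            $user = 'N/A'
            if ($_.UserId) {
                try   { $user = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $_.UserId.Value }
            }
            [pscustomobject]@{
                'Log Name'      = $_.LogName
                'Source'        = $_.ProviderName
                'Event ID'      = $_.Id
                'Level'         = $_.LevelDisplayName
                'User'          = $user
                'Logged'        = $_.TimeCreated
                'Task Category' = $_.TaskDisplayName
                'Computer'      = $_.MachineName
                'Keywords'      = ($_.KeywordsDisplayNames -join ', ')   # 'Audit Success' / 'Audit Failure' on Security events
                'Message'       = $_.Message
            }
        }
}

# Critical and Error events in the System log from the last week (the "Error" type in the table above).
Get-FilteredEvents -LogName System -Level 1, 2 |
    Format-Table 'Logged', 'Source', 'Event ID', 'Level', 'Task Category' -AutoSize

# The Event ID box accepts lists and ranges such as 1,3,5-99,-76; in PowerShell build the list explicitly.
Get-FilteredEvents -LogName Application -Level 2, 3 -Id (1000..1002 + 1026) -Max 20 |
    Format-Table 'Logged', 'Source', 'Event ID', 'Level' -AutoSize

# Security audits all have the level Information (raw level 0), so filter them by keyword, not by level.
# These are the StandardEventKeywords values; Get-WinEvent matches any event whose keyword mask has the bit set.
$AuditSuccess = 0x20000000000000
$AuditFailure = 0x10000000000000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = $AuditFailure; StartTime = (Get-Date).AddDays(-1) } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, TaskDisplayName, @{ n = 'Keywords'; e = { $_.KeywordsDisplayNames -join ', ' } }
```

When a filter built in the dialog is needed repeatedly, copy the query from its XML tab and pass it to Get-WinEvent -FilterXml instead of rebuilding the hashtable; the two forms select the same events, and the XML form is what a Custom View stores.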
To find an event, follow the steps below:

- Click the "Find" option available under the Action pane
- Type the text that needs to be found and then click Find Next
- Click Close when the search is complete

[Figure 18.10: Screenshot of the Find dialog box, with "application" entered in the Find what box and a Find Next button.]

Find is a plain text search over the events currently displayed; it is a quick way to jump to a known string in a description, not a substitute for a filter.

Examining Event Log Entries

Event Viewer displays three main types of Windows log entries, as described below. (The console tree in the figures also shows the Setup and Forwarded Events logs and the Applications and Services logs; the three below are the ones that matter most for monitoring.)

- System log entries

  The system log contains events logged by Windows system components, such as device driver installations and service start and stop. To view system log entries in Event Viewer:
  - Open Event Viewer and then select the System log under Windows Logs in the console tree
  - A list of system events appears in the details pane
  - Select the specific event whose details need to be viewed

  Examples of system log records:
  - Changes to the OS
  - Changes to the hardware configuration
  - Device driver installation
  - Service pack update/installation
  - Software and hardware installations
  - Start/stop of services
  - System shutdown/restart
  - Log-on failures reported by system components, for example a service that could not start because its account failed to log on. Failed user log-ons themselves are recorded in the Security log, not here
  - Alteration of machine information
  - Printing jobs

- Application log entries

  The application log contains events logged by applications or programs. To view application log entries in Event Viewer:
  - Open Event Viewer and then select the Application log under Windows Logs in the console tree
  - A list of application events appears in the details pane
  - Select the specific event whose details need to be viewed

  Examples of application log records (the security-related ones come from antivirus, firewall, or other security products that write their events here, so their presence depends on what is installed):
  - Installation and removal of a particular software package
  - Confirmation/refutation of virus infection
  - Startup and shutdown of firewall
  - Detection of hacking attempts

- Security log entries

  The security log is the mother of all logs in forensic terms. Unfortunately, much of it is unavailable unless audit policy asks for it: a default installation records only a baseline of audit subcategories, and the categories listed in Table 18.1 need to be enabled through local or group policy for the log to be useful in an investigation. To view security log entries in Event Viewer:
  - Open Event Viewer and then select the Security log under Windows Logs in the console tree (this requires administrative rights)
  - A list of security events appears in the details pane
  - Select the specific event whose details need to be viewed

  Examples of security log records:
  - Log-ons
  - Log-offs
  - Attempted connections
  - Policy changes

To support later investigations, enabling local (or group) policy for audit policy is recommended with at least the following settings:

  Action                        Setting
  Audit account log-on events   Success, Failure
  Audit account management      Success, Failure
  Audit log-on events           Success, Failure
  Audit policy change           Success, Failure
  Audit privilege use           Success, Failure

Table 18.1: Actions to Enable Local (or Group) Policy for an Audit Policy

These are the legacy nine-category settings. Windows Vista and later also offer Advanced Audit Policy Configuration with finer subcategories; when both layers are configured, the subcategory settings take precedence (controlled by the security option "Audit: Force audit policy subcategory settings to override audit policy category settings"), so an investigator checking what a machine actually audits should look at the subcategory level.
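The recommended audit settings of Table 18.1 applied and verified from the command line, followed by a first use of the resulting Security log. This is an added example, not part of the EC-Council module: auditpol.exe is the built-in tool that sets and reports audit policy, and the function names Enable-BaselineAuditPolicy, Get-AuditPolicyState, and Get-FailedLogonSummary are this example's own. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 prompt on Windows; in a domain the same categories should be set through Group Policy so the local change is not overwritten.

```powershell
# Added example (not from the EC-Council module). Assumes an elevated Windows PowerShell 5.1
# or PowerShell 7 prompt on Windows. auditpol.exe is built in; the function names are ours.

# Legacy audit categories as auditpol.exe names them, one per row of Table 18.1.
$Categories = @(
    'Account Logon',        # Audit account log-on events
    'Account Management',   # Audit account management
    'Logon/Logoff',         # Audit log-on events
    'Policy Change',        # Audit policy change
    'Privilege Use'         # Audit privilege use
)

function Enable-BaselineAuditPolicy {
    foreach ($c in $Categories) {
        # Setting a whole category enables every subcategory under it for the given outcomes.
        & auditpol.exe /set /category:"$c" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$c'" }
    }
}

function Get-AuditPolicyState {
    # /r emits CSV. 'Inclusion Setting' reads "Success and Failure", "Success", "Failure", or "No Auditing".
    & auditpol.exe /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-FailedLogonSummary {
    param([int] $Hours = 24)
    # 4625 = "An account failed to log on" (Failure Audit). The who/where is not in the header
    # fields the Preview pane lists; it sits in the EventData section of the event XML.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml] $_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = $d['LogonType']   # 2 interactive, 3 network, 10 remote desktop
            Status    = $d['Status']      # NTSTATUS, e.g. 0xC000006D = bad user name or password
            SourceIP  = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    } |
    Group-Object User, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';     e = { $_.Group[0].User } },
        @{ n = 'SourceIP'; e = { $_.Group[0].SourceIP } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } }
}

Enable-BaselineAuditPolicy

# Verify what the machine now audits, at subcategory level.
Get-AuditPolicyState | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } | Format-Table -AutoSize

# Failed log-ons over the last day, grouped by account and source address; a long tail of
# different accounts from one address, or many failures against one account, is the pattern to chase.
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Get-AuditPolicyState reports at the subcategory level, which is the level that actually governs what is written once advanced audit policy is in effect, so it is the check to run before trusting a Security log in an investigation: an empty set of 4625 events means nothing if "Logon" shows "No Auditing".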
