It’s possible to use Windows 10 event logs to detect intrusions and malicious activity, but some knowledge of critical IDs is mandatory to avoid over-collection and other issues. This article will highlight the most important event IDs that you should monitor. As a side note, you can use these event logs to generate indicators of compromise that you can regularly assess to improve computer forensics and incident response.
Here are the event IDs to track.
Windows security event log ID 4688
Event 4688 (A new process has been created) records every program the system starts, together with the process that started it (the creator, or parent, process). It logs any process creation, whether a user launched the program or it was spawned by another, possibly hidden, process. For example, if malware is running on a Windows system, searching event 4688 reveals every process the malicious program spawned. Red flags include unexpected parent/child relationships (an Office application or script host spawning cmd.exe or powershell.exe) and executables running from user-writable locations such as %TEMP% or %APPDATA% rather than C:\Program Files or C:\Windows\System32. Note that 4688 is only generated when the Audit Process Creation subcategory is enabled, and the command line is only included if "Include command line in process creation events" is turned on as well.
Additionally, the Token Elevation Type field tells you what kind of token the new process received, which reflects the user's administrative standing. Type 1 (TokenElevationTypeDefault) is a full token with no privileges removed and no groups disabled; it is used when UAC (User Account Control) is disabled, or when the user is the built-in Administrator account or a service account. Type 2 (TokenElevationTypeFull) is an elevated token with no privileges removed; it is used when UAC is enabled and the user chose "Run as administrator", or when the application is configured to always require administrative privilege and the user is a member of the Administrators group. Type 3 (TokenElevationTypeLimited) is a limited token with administrative privileges removed and administrative groups disabled; it is issued when UAC is enabled, the application does not require administrative privilege, and the user did not start the program with "Run as administrator".
While event 4688 can tell you a lot, it should be used in conjunction with other event logs to get a full picture of an intrusion.
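The checks described above, as an added example that is not part of the original article: a PowerShell script that pulls 4688 events from the Security log, unpacks the event data, and flags processes that run outside the usual program directories, suspicious parent/child pairs, and processes created with a full (elevated) token. The trusted directories, the parent/child lists and the sample records are assumptions made for this example and should be tuned to your environment.

```powershell
# Added example (not from the original article): hunt over Security event 4688.
# Requires "Audit Process Creation" to be enabled; CommandLine is empty unless
# "Include command line in process creation events" is also on.

# Assumption: installed software is expected to run from these roots.
$TrustedRoots = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')

# Assumption: these parent -> child pairs are rare in benign activity; tune per environment.
$SuspiciousParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'mshta.exe', 'wscript.exe')
$ShellChildren     = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe', 'rundll32.exe')

# TokenElevationType as it appears in the raw event XML.
$TokenTypes = @{ '%%1936' = 'Default (1)'; '%%1937' = 'Full (2)'; '%%1938' = 'Limited (3)' }

function Get-Process4688 {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                Parent      = $d.ParentProcessName   # present on Windows 10 1511 and later
                Token       = $d.TokenElevationType
                CommandLine = $d.CommandLine
            }
        }
}

function Test-SuspiciousProcess {
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $reasons    = @()
        $proc       = [string]$Event.Process
        $procLeaf   = (Split-Path -Leaf $proc).ToLower()
        $parentLeaf = if ($Event.Parent) { (Split-Path -Leaf $Event.Parent).ToLower() } else { '' }

        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($proc.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += "runs outside trusted directories" }
        if ($SuspiciousParents -contains $parentLeaf -and $ShellChildren -contains $procLeaf) {
            $reasons += "$parentLeaf spawned $procLeaf"
        }
        if ($Event.Token -eq '%%1937') { $reasons += 'full (elevated) token' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $Event.Time
                User    = $Event.User
                Process = $proc
                Parent  = $Event.Parent
                Token   = $TokenTypes[$Event.Token]
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real telemetry) so the logic runs without a live log.
$Sample = @(
    [pscustomobject]@{ Time='2024-01-01 09:00'; User='CORP\alice'; Process='C:\Windows\System32\notepad.exe'; Parent='C:\Windows\explorer.exe'; Token='%%1938'; CommandLine='notepad.exe' },
    [pscustomobject]@{ Time='2024-01-01 09:01'; User='CORP\alice'; Process='C:\Windows\System32\cmd.exe'; Parent='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Token='%%1938'; CommandLine='cmd.exe /c whoami' },
    [pscustomobject]@{ Time='2024-01-01 09:02'; User='CORP\alice'; Process='C:\Users\alice\AppData\Local\Temp\update.exe'; Parent='C:\Windows\System32\cmd.exe'; Token='%%1937'; CommandLine='update.exe' }
)
$Sample | Test-SuspiciousProcess | Format-Table -AutoSize

# Against the live log (run from an elevated prompt):
# Get-Process4688 -MaxEvents 2000 | Test-SuspiciousProcess | Format-Table -AutoSize
```

The first sample record (Notepad started by Explorer with a limited token) is the benign baseline; the Word-to-cmd pair and the executable running from a Temp directory with a full token are the patterns the article calls out.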
Windows security event log ID 4670
One of the best ways to catch unauthorized access (and ultimately data leakage) is to track permission changes on file servers. That is where event 4670 (Permissions on an object were changed) comes in: it is generated when a user modifies an object's discretionary access control list. Attackers change permissions when moving laterally or staging ransomware, so knowing who changed the permissions on which object, and from which process, is a critical step in tracing the source of an attack. The event carries the old and new security descriptors in SDDL form, so advanced users can compare them to see exactly which access control entries were added or removed.
Besides intrusion detection, event 4670 also gives you insight into user activity: which users touch permissions on which shares, and when. (Figures such as peak logon times and user attendance come from the logon and logoff events, 4624 and 4634, rather than from 4670.) Pro tip: 4670 is only written when object-access auditing is on. Enable the Audit File System subcategory (and Audit Registry for registry keys) and set a SACL on the folders or keys you care about; without that, nothing will show up in Event Viewer or your SIEM.
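The SDDL comparison mentioned above, as an added example that is not part of the original article: the Old SD and New SD values from a 4670 event are parsed with the .NET RawSecurityDescriptor class, each ACE is rendered as a readable "who gets what" line, and the two lists are diffed. It assumes the object is a file-system object (access masks are decoded as FileSystemRights); the sample descriptors are constructed for the example.

```powershell
# Added example (not from the original article): decode Old SD / New SD from event 4670
# and report which ACEs were added or removed. Assumption: file-system objects, so the
# access mask is shown as FileSystemRights (registry keys would use RegistryRights).

function ConvertTo-AceList {
    param([string]$Sddl)
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $list = @()
    if ($null -ne $sd.DiscretionaryAcl) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            $sid = $ace.SecurityIdentifier
            try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid.Value }   # unresolvable SID (deleted account, other domain)
            $rights = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
            $list += '{0}: {1} -> {2}' -f $ace.AceType, $who, $rights
        }
    }
    # Owner changes are a common lateral-movement tell, so include the owner in the diff.
    try   { $owner = $sd.Owner.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $owner = "$($sd.Owner)" }
    $list += "Owner: $owner"
    $list
}

function Compare-ObjectSd {
    param([string]$OldSd, [string]$NewSd)
    $old = ConvertTo-AceList $OldSd
    $new = ConvertTo-AceList $NewSd
    Compare-Object -ReferenceObject $old -DifferenceObject $new | ForEach-Object {
        [pscustomobject]@{
            Change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Ace    = $_.InputObject
        }
    }
}

function Get-PermissionChange {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Process = $d.ProcessName
                Changes = @(Compare-ObjectSd -OldSd $d.OldSd -NewSd $d.NewSd)
            }
        }
}

# Constructed sample (not a real event): a folder that was Administrators/SYSTEM full control
# and Users read-and-execute gets an extra ACE granting Everyone full control.
$oldSd = 'O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)'
$newSd = 'O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICI;FA;;;WD)'
Compare-ObjectSd -OldSd $oldSd -NewSd $newSd | Format-Table -AutoSize

# Live (run elevated, with Audit File System enabled and a SACL on the objects of interest):
# Get-PermissionChange | Where-Object { $_.Changes.Count -gt 0 } | Format-List
```

Diffing rendered ACEs rather than the raw SDDL strings means a re-ordered but unchanged ACL produces no noise, and the SID-to-name translation makes a grant to Everyone or Authenticated Users stand out immediately.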
Windows security event log ID 4672
This event (Special privileges assigned to new logon) is written when a new logon session is granted sensitive privileges such as SeDebugPrivilege, SeTcbPrivilege or SeBackupPrivilege, which in practice means an administrator-equivalent account has logged on. It is a useful input when hunting for a Pass-the-Hash (PtH) attack. Baseline it first: LocalSystem, NetworkService and LocalService generate 4672 constantly and are noise. A 4672 whose Subject\Security ID is any other account is an admin-equivalent logon by a user or domain account and requires careful analysis, especially on hosts where that account has no business logging on.
But event 4672 isn't the only Windows security event log ID relevant to a pass-the-hash attack, and on its own it proves nothing. Correlate it with 4624 (an account was successfully logged on; a PtH logon typically appears as logon type 3 with authentication package NTLM, logon process NtLmSsp and key length 0), 4648 (a logon was attempted with explicit credentials, which exposes tools that supply a stolen credential) and 4776 (the computer attempted to validate the credentials for an account, recorded on the machine that performed the NTLM validation). Taken together, these events can indicate that a system is being breached.
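The correlation described above, as an added example that is not part of the original article: a PowerShell function that joins 4624 network logons carrying the NTLM/NtLmSsp/key-length-0 signature to the 4672 event for the same logon session (4624 TargetLogonId equals 4672 SubjectLogonId). The time window, the machine-account exclusion and the sample events are assumptions for this example; in an NTLM-heavy environment the result is a triage list, not a verdict, and needs an allow-list of known workstation/account pairs.

```powershell
# Added example (not from the original article): flag the classic pass-the-hash pattern
# by joining 4624 (logon) to 4672 (special privileges) on the logon session ID.
# Assumption: the host normally authenticates with Kerberos, so NTLM network logons that
# immediately receive admin privileges are unusual enough to review.

function ConvertTo-EventData {
    # Flatten an EventLogRecord's XML <Data Name="..."> elements into one object.
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{ Time = $Event.TimeCreated; Id = $Event.Id }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

function Find-PthCandidate {
    param([object[]]$Events, [int]$WindowSeconds = 5)
    $logons = $Events | Where-Object {
        $_.Id -eq 4624 -and
        $_.LogonType -eq '3' -and
        $_.AuthenticationPackageName -eq 'NTLM' -and
        $_.LogonProcessName.Trim() -eq 'NtLmSsp' -and      # field carries a trailing space
        $_.KeyLength -eq '0' -and
        -not $_.TargetUserName.EndsWith('$') -and            # skip machine accounts
        $_.TargetUserName -ne 'ANONYMOUS LOGON'
    }
    $privs = $Events | Where-Object { $_.Id -eq 4672 }
    foreach ($l in $logons) {
        $match = $privs | Where-Object {
            $_.SubjectLogonId -eq $l.TargetLogonId -and
            [math]::Abs(($_.Time - $l.Time).TotalSeconds) -le $WindowSeconds
        } | Select-Object -First 1
        if ($match) {
            [pscustomobject]@{
                Time        = $l.Time
                Account     = "$($l.TargetDomainName)\$($l.TargetUserName)"
                Source      = "$($l.IpAddress):$($l.IpPort)"
                Workstation = $l.WorkstationName
                LogonId     = $l.TargetLogonId
                Privileges  = $match.PrivilegeList
            }
        }
    }
}

# Constructed sample events (not real telemetry); Time is a [datetime] so the window check works.
$t = Get-Date '2024-03-01 10:15:00'
$Sample = @(
    [pscustomobject]@{ Id=4624; Time=$t; LogonType='3'; AuthenticationPackageName='NTLM'; LogonProcessName='NtLmSsp '; KeyLength='0'; TargetUserName='svc_backup'; TargetDomainName='CORP'; TargetLogonId='0x3e7a91'; IpAddress='10.0.0.23'; IpPort='49811'; WorkstationName='WS-23' },
    [pscustomobject]@{ Id=4672; Time=$t.AddSeconds(1); SubjectLogonId='0x3e7a91'; PrivilegeList='SeDebugPrivilege SeImpersonatePrivilege' },
    [pscustomobject]@{ Id=4624; Time=$t.AddMinutes(1); LogonType='3'; AuthenticationPackageName='Kerberos'; LogonProcessName='Kerberos'; KeyLength='0'; TargetUserName='alice'; TargetDomainName='CORP'; TargetLogonId='0x3e7b00'; IpAddress='10.0.0.5'; IpPort='50000'; WorkstationName='WS-05' },
    [pscustomobject]@{ Id=4672; Time=$t.AddMinutes(1).AddSeconds(1); SubjectLogonId='0x3e7b00'; PrivilegeList='SeDebugPrivilege' }
)
Find-PthCandidate -Events $Sample | Format-Table -AutoSize

# Against the live Security log, e.g. the last 24 hours (run elevated):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4672; StartTime=(Get-Date).AddDays(-1) } |
#             ForEach-Object { ConvertTo-EventData $_ }
# Find-PthCandidate -Events $live | Format-Table -AutoSize
```

In the sample, the Kerberos logon for alice receives the same privilege but is not reported; only the NTLM network logon for svc_backup, whose session is granted SeDebugPrivilege a second later, surfaces for review.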
Windows Group Policy event log ID 1125 (Error)
Windows typically manages configuration settings on servers and workstations through Active Directory Group Policy. Error event 1125, written by the Microsoft-Windows-GroupPolicy provider (look in the System log and in the Microsoft-Windows-GroupPolicy/Operational log), reports that Group Policy processing failed. Monitoring it helps you identify failures in policy application, whether caused by connectivity problems or by tampering with the policy objects themselves, rather than user error. If a policy cannot be applied, the security settings it carries (audit policy, firewall rules, restrictions) are not being enforced on that machine, so treat a persistent 1125 as a potential security issue rather than as noise.
Besides Group Policy, it's also beneficial to keep tabs on firewall rules. Because Windows Defender Firewall is a critical line of defense, a malicious actor may modify or disable its rules to open a path into (or out of) your system. Turn on firewall logging for dropped packets (and, for a baseline, successful connections) in each profile, then check for unexpected port openings and analyze the dropped packets on the outbound (SEND) path.
If you suspect malicious activity, open the log file (by default %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log) in Notepad and filter for entries with DROP in the action field, looking at destination IP addresses that do not end in 255. On a typical /24 network, addresses ending in 255 are broadcast traffic and account for most routine drops; many dropped packets to other destinations, especially outbound, suggest something on the host is trying to reach places it shouldn't. Take note of those destination IP addresses for further investigation.
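The Notepad procedure above, automated as an added example that is not part of the original article: a PowerShell parser for the pfirewall.log format that keeps DROP entries, discards broadcast and multicast noise, and summarises the remaining drops by direction, destination and port. The default log path, the standard #Fields header and the sample log lines are assumptions for this example.

```powershell
# Added example (not from the original article): parse the Windows Defender Firewall log,
# keep DROP entries, discard broadcast/multicast noise and summarise what is left.
# Assumption: default log location and the standard "#Fields:" header line.

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so a changed field order still parses.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or $null -eq $fields) { continue }
        $parts = $line -split '\s+'
        $o = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) { $o[$fields[$i]] = $parts[$i] }
        [pscustomobject]$o
    }
}

function Test-NoiseDestination {
    param([string]$Ip)
    if ($Ip -match '\.255$')               { return $true }   # broadcast (the article's "ends in 255" rule)
    if ($Ip -match '^2(2[4-9]|3[0-9])\.')  { return $true }   # IPv4 multicast 224.0.0.0/4 (mDNS, SSDP)
    if ($Ip -match '^ff[0-9a-f]{2}:')      { return $true }   # IPv6 multicast
    return $false
}

function Get-SuspiciousDrop {
    param([object[]]$Records)
    $Records |
        Where-Object { $_.action -eq 'DROP' -and -not (Test-NoiseDestination $_.'dst-ip') } |
        Group-Object path, 'dst-ip', 'dst-port', protocol |
        ForEach-Object {
            $f = $_.Group[0]
            [pscustomobject]@{
                Path      = $f.path          # SEND = outbound, RECEIVE = inbound
                DstIp     = $f.'dst-ip'
                DstPort   = $f.'dst-port'
                Protocol  = $f.protocol
                Count     = $_.Count
                FirstSeen = $f.date + ' ' + $f.time
            }
        } | Sort-Object Path, Count -Descending
}

# Constructed log excerpt (not real traffic) in the pfirewall.log layout.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:01 DROP UDP 10.0.0.23 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2024-03-01 10:15:02 DROP UDP 10.0.0.23 224.0.0.251 5353 5353 120 - - - - - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 10.0.0.23 198.51.100.17 49812 4444 52 S 1234 0 8192 - - - SEND
2024-03-01 10:15:04 DROP TCP 10.0.0.23 198.51.100.17 49813 4444 52 S 1235 0 8192 - - - SEND
2024-03-01 10:15:05 ALLOW TCP 10.0.0.23 10.0.0.5 49814 445 52 - - - - - - - SEND
'@ -split "`r?`n"

Get-SuspiciousDrop (ConvertFrom-FirewallLog $SampleLog) | Format-Table -AutoSize

# Against the real log (dropped-packet logging must be enabled in the firewall profile):
# Get-SuspiciousDrop (ConvertFrom-FirewallLog (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"))
```

The NetBIOS broadcast and the mDNS multicast drops in the sample are filtered as noise; the repeated outbound SYNs to a single external host on a non-standard port are what remains, which is exactly the kind of entry the manual Notepad search is meant to find.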
Windows Defender event 1006 and event 1007
Consider investigating the notifications Windows Defender generates when it identifies, prevents and removes malware. Yes, even the built-in antivirus can be used to detect malicious activity. Start by reviewing event ID 1006, which is logged when Defender detects malware or other potentially unwanted software. Then review event 1007, which records that Defender took action to protect the system from the threat; a 1006 with no 1007 following it means something was found but not dealt with. These events live in a dedicated log, Microsoft-Windows-Windows Defender/Operational, rather than in the Security log.
You can use the Event Viewer to monitor these events. Open the Viewer, then expand Applications and Services Logs in the console tree. Now click Microsoft → Windows → Windows Defender. The last step is to double-click Operational, after which you're able to see the events in the Details pane.
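The same review done from PowerShell, as an added example that is not part of the original article: it reads 1006 and 1007 from the Defender Operational log and reports each detection together with whether a protective action followed within a grace period. Correlating by time order only, pulling the threat name from the "Name:" line of the rendered message, and the sample events are assumptions for this example.

```powershell
# Added example (not from the original article): pair Defender detections (1006) with
# protective actions (1007) and surface detections that were never acted on.
# Assumptions: 1006 and 1007 are matched by time order within a grace window (the events
# do not share a key that this example relies on), and the threat name is taken from the
# "Name:" line of the rendered message text.

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Get-DefenderEvent {
    Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1006, 1007 } -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Message = $_.Message }
        }
}

function Find-UnhandledDetection {
    param([object[]]$Events, [int]$GraceMinutes = 5)
    $sorted  = $Events | Sort-Object Time
    $actions = $sorted | Where-Object Id -eq 1007
    foreach ($det in ($sorted | Where-Object Id -eq 1006)) {
        $name  = if ($det.Message -match '(?m)^\s*Name:\s*(.+?)\s*$') { $Matches[1] } else { '(unknown)' }
        $acted = $actions | Where-Object {
            $_.Time -ge $det.Time -and ($_.Time - $det.Time).TotalMinutes -le $GraceMinutes
        } | Select-Object -First 1
        [pscustomobject]@{
            Detected = $det.Time
            Threat   = $name
            Actioned = [bool]$acted
            ActionAt = if ($acted) { $acted.Time } else { $null }
        }
    }
}

# Constructed events (not real Defender output) in the shape the function expects.
$t = Get-Date '2024-03-01 11:00:00'
$Sample = @(
    [pscustomobject]@{ Time=$t;                Id=1006; Message="Windows Defender Antivirus has detected malware.`n Name: Virus:DOS/EICAR_Test_File`n Path: C:\Users\alice\Downloads\eicar.com" },
    [pscustomobject]@{ Time=$t.AddSeconds(20); Id=1007; Message="Windows Defender Antivirus has taken action to protect this machine.`n Action: Quarantine" },
    [pscustomobject]@{ Time=$t.AddMinutes(30); Id=1006; Message="Windows Defender Antivirus has detected malware.`n Name: Trojan:Win32/ConstructedSample`n Path: C:\Users\alice\AppData\Local\Temp\update.exe" }
)
Find-UnhandledDetection -Events $Sample | Format-Table -AutoSize

# Live (run elevated); keep only detections with no follow-up action:
# Find-UnhandledDetection -Events (Get-DefenderEvent) | Where-Object { -not $_.Actioned }
```

In the sample, the EICAR detection is followed by a quarantine action twenty seconds later, while the second detection has no 1007 within the grace period and is the one to chase.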
Windows event logs are an indispensable tool for detecting Group Policy errors and malicious activity. Keeping a watchful eye on them can alert you to intrusions before they grow in presence and scale. Given that the first step in responding to malware is often to track the infiltration source, event IDs are a valuable piece of information available to Windows 10 users. Listen to what they're telling you and you'll detect illicit software early in the attack life cycle.