Digital forensics

Relevance of Windows EventIDs in investigation

May 31, 2016 by Security Ninja

In this article, we will take a look at important Windows Event IDs, what we normally see in logs, and how different EventIDs can be used to reconstruct the lateral movement of malware.

First of all, let us look at the important Windows Event IDs that can be useful during an investigation. The EventIDs below are aligned with Windows 7/2008 etc.

Windows important EventIDs

The table below shows important Windows EventIDs:

| Event ID | Description |
|---|---|
| 4624 | Successful Login |
| 4625 | Failed Login |
| 4672 | Admin Account Login |
| 4634, 4647 | Successful Logoff |
| 4771 | Pre-authentication failed across Domain |
| 4768 | Domain Controller issued TGT |
| 4776 | Successful or failed login across Domain |
| 7034 | Service Crashed unexpectedly |
| 7035 | Service sent a Start, Stop signal |
| 7036 | Service is stopped or started |
| 7040 | Service Start Type Changed i.e. changes to Boot, On Request, Boot |
| 5140 | Network Share is Mapped |
| 4778 | RDP session initiation |
| 4779 | RDP session termination |

You might be confused by now about how 4624 and 4625 differ from 4776, since both indicate a successful or failed login. EventIDs 4624 and 4625 are generated when credentials are stored on the local machine or when the system cannot reach the Domain Controller. When the machine is connected to the Domain, it is the duty of the Domain Controller to authenticate the user using Kerberos. In this case, EventIDs like 4771, 4768 and 4776 will be generated.

Some of you might have already realized how relating different EventIDs can be useful. For example, relating 4624 with 4634/4647 gives us a complete session. Too many EventID 4625 entries can give us an indication of a brute force/password guessing attack. If you have already thought of this, then you are on the right track; however, there is much more to it, which we will be discussing in this article.

Windows gives the option to login to a machine locally, over the network, as a batch job, etc., and each of these has a different Login Type Code, which helps us build more context during the investigation.

Windows login type

| Login Type Code | Description |
|---|---|
| 2 | Login locally i.e. with keyboard |
| 3 | Network Login |
| 4 | Batch Login - used for scheduled tasks |
| 5 | Windows service login - will be non-interactive |
| 7 | Credentials supplied to lock/unlock screen |
| 8 | Network Login sending credentials in clear text |
| 9 | New credentials are used other than current login user like run as command |
| 10 | Used for RDP |
| 11 | Cached credentials to login |
| 12 | Cached RDP |
| 13 | Cached unlock |

As we have seen, Windows has multiple login types which help to build context. Login Type 2 indicates that someone logged in to the machine locally, whereas Type 3 indicates a network login. Other important ones are when credentials are used to unlock the screen (Type 7) and when cached credentials are used to login (Type 11). Type 11 is used when the machine is not able to contact the DC, so Windows stores the hashes of the last ten successful authentications (Pass the hash attack, anyone?), which can then be used to login to the system. Another important one, which we will also see later, is Login Type 10, which is for Remote Desktop Protocol.

Below are some screenshots which show how these EventIDs and Login Types work together.

  • This screenshot shows that an account failed to login (EventID 4625) and the Login Type is 7, which means that unlocking the screen was not successful.

  • The screenshot below shows that an account logged in successfully (EventID 4624) and the Login Type is 7, which means that unlocking the screen was successful.

  • This screenshot shows that an account logged in successfully (EventID 4624) and the Login Type is 11, which means that cached credentials were used to login since my machine cannot contact my company's DC.

We also have important EventIDs for scheduled tasks, which are very useful in identifying when a malicious file has been executed, deleted, etc. on the target system.

| Event ID | Description |
|---|---|
| 106 | Task Scheduled |
| 200 | Task Executed |
| 201 | Task Completed |
| 141 | Task Removed |

Building context

Now that we know what all these Login Types mean, let us examine a series of events for malware which, once downloaded onto a system, infects it and then spreads across the network. The following sequence of events can be useful to track the lateral movement of such malware.

  • First, the malware will try to login to another system on the network, which means that we can get Event ID 4624 with Login Type 3. Also note the timestamp of that Event ID.
  • Around that same timestamp, look for EventID 4672, i.e., elevating to admin login.
  • After login, the infected system will copy the file onto the target system, so look out for the EventID that has the context of network share mapping: EventID 5140. Remember? In EventID 5140 you can see the share which is mounted and the IP address which is requesting it. Useful information, isn't it?
  • At this point, the malicious executable has been transferred to the target system.
  • On the target system, scheduled tasks (usually) can give a hint as to when the task is scheduled, executed, completed and deleted. Yes, after the work is done, owners of the malicious file usually remove all the traces. Remember that in EventID 200 we can see the malicious filename under the attribute 'Action Name.'
  • At this point, since the target system is infected, it can be used to infect other systems, in which case the above points hold true for this system as well; otherwise you will see a Logoff Event ID, i.e., 4634.
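The correlation described in the steps above can be automated once the events are exported. The following is an added example, not code from the original article: it groups the follow-on events (4672, 5140, task events 106/200/201/141) under each Type 3 logon on a target host. The event records are constructed, and the field names (`user`, `ip`, `share`, `task`, `action`) are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample: Security and Task Scheduler events from one target host,
# merged into one list. Field names are assumptions made for this example.
EVENTS = [
    {"time": "2016-05-30 10:00:01", "id": 4624, "logon_type": 3, "user": "svc_admin", "ip": "10.0.0.5"},
    {"time": "2016-05-30 10:00:01", "id": 4672, "user": "svc_admin"},
    {"time": "2016-05-30 10:00:03", "id": 5140, "user": "svc_admin", "ip": "10.0.0.5", "share": r"\\*\ADMIN$"},
    {"time": "2016-05-30 10:00:10", "id": 106, "task": r"\updater"},
    {"time": "2016-05-30 10:00:12", "id": 200, "task": r"\updater", "action": r"C:\Windows\Temp\u.exe"},
    {"time": "2016-05-30 10:00:20", "id": 201, "task": r"\updater"},
    {"time": "2016-05-30 10:00:25", "id": 141, "task": r"\updater"},
    {"time": "2016-05-30 10:00:30", "id": 4634, "user": "svc_admin"},
    # Ordinary network logon: no admin privileges, no share, no task.
    {"time": "2016-05-30 11:15:00", "id": 4624, "logon_type": 3, "user": "alice", "ip": "10.0.0.9"},
    {"time": "2016-05-30 11:15:40", "id": 4634, "user": "alice"},
]

def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def find_chains(events, window=timedelta(minutes=5)):
    """Group the follow-on events the article lists under each Type 3 logon."""
    events = sorted(events, key=ts)
    chains = []
    for logon in (e for e in events if e["id"] == 4624 and e.get("logon_type") == 3):
        # The chain ends at the user's logoff, or after `window`, whichever is first.
        logoffs = [ts(e) for e in events if e["id"] in (4634, 4647)
                   and e["user"] == logon["user"] and ts(e) >= ts(logon)]
        end = min(logoffs + [ts(logon) + window])
        near = [e for e in events if ts(logon) <= ts(e) <= end]
        tasks = {}  # task name -> ordered lifecycle of event IDs
        for e in near:
            if e["id"] in (106, 200, 201, 141):
                tasks.setdefault(e["task"], []).append(e["id"])
        chain = {
            "user": logon["user"], "source_ip": logon["ip"],
            "admin": any(e["id"] == 4672 and e["user"] == logon["user"] for e in near),
            "shares": [e["share"] for e in near if e["id"] == 5140 and e["ip"] == logon["ip"]],
            "tasks": tasks,
            "actions": [e["action"] for e in near if e["id"] == 200],  # 'Action Name'
        }
        chain["suspicious"] = bool(chain["admin"] and chain["shares"] and chain["actions"])
        chains.append(chain)
    return chains

for c in find_chains(EVENTS):
    print(c["user"], c["source_ip"], "suspicious" if c["suspicious"] else "ok", c["actions"])
```

A chain is flagged only when the admin logon, the share mapping from the same source IP and a task execution all fall between the logon and the logoff; the five-minute cap is an arbitrary choice that should be tuned to the environment.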

Now that we have seen the scenario with a network login (Type 3), let's discuss how we can relate the EventIDs around an RDP session. Once the user is authenticated, all other steps can be similar to what we have seen above, so here we will see how to tell from the EventIDs that a remote system was infected through an RDP session.

  • The presence of EventID 4778 indicates an RDP session initiation. Note that this is just initiation; the user has not been authenticated yet. This EventID can show us the IP address and hostname from which the RDP request was initiated.
  • After EventID 4778, look out for EventID 4624, which will mean that the authentication has been accepted. What login type will this EventID 4624 have? Any guesses? Yes, you got it right, it will be Login Type 10.
  • Once the system is authenticated, all the steps mentioned in the previous section, like network share mapping and scheduled tasks, can be seen to build the security context.
  • For logoff, we will see similar 4634/4647 events followed by the RDP session termination event 4779.

Important point: Do not assume from 4778 and 4779 alone that it is an RDP session, as Windows uses these events for the Fast User Switching feature as well. Drawing the context by relating 4778, 4624, …, 4634, 4779 is important to make sure that it is, in fact, an RDP session. Looking at the details of 4778 and 4779 will also help.
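The check described in the important point above can be written as code. This is an added example, not code from the original article: it labels each 4778 by how much of the 4778, 4624 (Type 10), 4634/4647, 4779 chain is present for the same user. The events are constructed, and the field names and the 30-second matching window are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names are assumptions made for this example.
EVENTS = [
    {"time": "2016-05-30 09:00:00", "id": 4778, "user": "bob", "client": "WS-17", "ip": "10.0.0.17"},
    {"time": "2016-05-30 09:00:02", "id": 4624, "user": "bob", "logon_type": 10},
    {"time": "2016-05-30 09:40:00", "id": 4634, "user": "bob"},
    {"time": "2016-05-30 09:40:01", "id": 4779, "user": "bob", "client": "WS-17", "ip": "10.0.0.17"},
    # 4778/4779 pair with no Type 10 logon and no logoff between them.
    {"time": "2016-05-30 12:00:00", "id": 4778, "user": "carol"},
    {"time": "2016-05-30 12:30:00", "id": 4779, "user": "carol"},
]

def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def classify_sessions(events, window=timedelta(seconds=30)):
    """Label each 4778 by how much of the RDP event chain exists for that user."""
    events = sorted(events, key=ts)
    results = []
    for start in (e for e in events if e["id"] == 4778):
        mine = [e for e in events if e["user"] == start["user"]]
        # Type 10 logon close to the 4778 (either side, to tolerate log ordering).
        logon = next((e for e in mine if e["id"] == 4624 and e.get("logon_type") == 10
                      and abs(ts(e) - ts(start)) <= window), None)
        end = next((e for e in mine if e["id"] == 4779 and ts(e) > ts(start)), None)
        stop = ts(end) if end else datetime.max
        logoff = next((e for e in mine if e["id"] in (4634, 4647)
                       and ts(start) < ts(e) <= stop), None)
        if logon and logoff and end:
            verdict = "rdp-session"
        elif logon:
            verdict = "rdp-logon-incomplete"  # authenticated, chain not closed
        else:
            verdict = "unconfirmed"  # 4778/4779 alone, e.g. Fast User Switching
        results.append({"user": start["user"], "client": start.get("client"),
                        "ip": start.get("ip"), "verdict": verdict,
                        "seconds": int((ts(end) - ts(start)).total_seconds()) if end else None})
    return results

for r in classify_sessions(EVENTS):
    print(r["user"], r["verdict"], r["client"], r["ip"], r["seconds"])
```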

Conclusion

As we have seen, these are just two ways in which we can reconstruct the complete lateral movement of malware being transferred across the domain. There can be multiple use cases, but these are some common ones. In this article, we have seen how EventIDs can be useful in building context around an investigation.
