7 THINGS YOU HAVE TO MONITOR IN YOUR WINDOWS SECURITY EVENT LOGS
Microsoft Windows is the most popular OS in the world, and is therefore regularly targeted by threat actors. Let's discuss the most important things you need to detect using Windows Security Event Logs and a SIEM.
Before we go further, a few things are worth noting. I advise reading my article on detecting malicious Active Directory activity before this one, as in most cases the two tie together.
Also, the detections below use only Windows Security Event Logs; I am not using Sysmon, PowerShell logging or anything else, because many people don't have those logs available to them. For each of these rules, apply Log Type = Windows Security Event Log.
1. AUDIT POLICY BEING CHANGED
This event triggers any time a system-level audit policy is changed, whether via Local Security Policy, Group Policy in AD or the auditpol command.
The rule logic is simply this:
- Event ID 4719
- Exclusions for any legitimate audit changes that occur regularly
Once this triggers, you will want to look into the category, subcategory and changes being made. You can see every possibility here – https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4719
Any audit policy change should be validated. An attacker, for example, may disable auditing to hide their activity and make it more difficult to remediate issues. They may also simply lower the auditing level to hide certain actions they take.
2. SERVICES BEING INSTALLED, STOPPED AND DISABLED
Another thing we want to be alerted on is any time a service is installed, stopped or disabled on a system. You may want to break these into 3 separate rules; the logic stays the same.
First off, Service Installed. For this, look at the service being installed and the start type it has been given. Create a whitelist for the legitimate service installs that happen in your environment (e.g. Windows updates, antivirus) and alert on everything else.
- EventID 7045 Service Installed
- EventID 7036 Service Stopped
- EventID 7040 Service Changed (look for service type = disabled)
For services being disabled and stopped, you may also encounter legitimate things on your network which disable or stop and then restart services. Whitelist these and then look for anything else.
Adversaries commonly install services once they are into an environment. They also commonly disable services which may aid in auditing or security. This makes monitoring services very worthwhile and important.
3. AUDIT LOG BEING CLEARED OR FULL
Ensuring auditing is working properly on your servers and workstations is vital. Audit logs are important for ensuring policies are being adhered to, as well as for security monitoring and forensics.
To do this, it is important to monitor for the audit log being cleared and for the security log being full.
If either of these triggers, it is important to investigate why quickly. Audit logs should not be cleared on a regular basis, even by admins. Security logs being full should not happen either if the system is set up with the correct resources.
If this does happen, it could indicate a malicious actor covering their tracks.
4. LOCAL ACCOUNTS BEING CREATED
Attackers create local accounts to avoid normal security monitoring and to move laterally. Local accounts are created directly on systems and do not relate to Active Directory. To detect the start of this, we can look for local accounts being created.
- Event ID is 4720
- Event was not logged by a Domain Controller (either say log source is not the DCs, or log source type is not DC)
This will then show any accounts being created locally. Validate each of these to detect attackers trying to gain footholds in your network.
You may also want to look at a local account being created and then added to a local admin group, as this is a common behaviour of threat actors escalating privileges. Take this rule and then look at EventID 4732, as I discussed in my previous article. You can make a rule which looks at the account being created and then a user being added to a local admin group with the same username.
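The correlation described above, written as an added example that is not part of the original article: the 4720 filter that excludes domain controllers, followed by a join to a later 4732 on the same host for the same username. The event dictionaries and field names are constructed for this example and are not any SIEM's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalised to a small dict shape (assumed, not a real SIEM schema).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "DC01", "event_id": 4720,
     "target_user": "svc_backup"},                       # 4720 on a DC: not a local account
    {"time": "2024-03-01T10:15:00", "host": "WS-042", "event_id": 4720,
     "target_user": "helpdesk2"},                        # local account created on a workstation
    {"time": "2024-03-01T10:16:30", "host": "WS-042", "event_id": 4732,
     "member": "helpdesk2", "group": "Administrators"},  # same user added to local admins
    {"time": "2024-03-01T11:00:00", "host": "SRV-FILE01", "event_id": 4720,
     "target_user": "auditsvc"},                         # local account, never made admin
    {"time": "2024-03-02T08:00:00", "host": "WS-042", "event_id": 4732,
     "member": "helpdesk2", "group": "Administrators"},  # outside the correlation window
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_GROUPS = {"administrators"}


def local_account_creations(events, dcs):
    """Rule 4: Event ID 4720 logged by any host that is not a domain controller."""
    return [e for e in events if e["event_id"] == 4720 and e["host"] not in dcs]


def created_then_admin(events, dcs, window=timedelta(hours=1)):
    """Correlate each local 4720 with a later 4732 on the same host that adds the
    same username to a local admin group within `window`."""
    hits = []
    for created in local_account_creations(events, dcs):
        t0 = datetime.fromisoformat(created["time"])
        for e in events:
            if e["event_id"] != 4732 or e["host"] != created["host"]:
                continue
            t1 = datetime.fromisoformat(e["time"])
            same_user = e.get("member") == created["target_user"]
            admin = (e.get("group") or "").lower() in ADMIN_GROUPS
            if same_user and admin and t0 <= t1 <= t0 + window:
                hits.append((created["host"], created["target_user"], e["group"]))
    return hits


if __name__ == "__main__":
    for h in created_then_admin(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print("local account created and made admin:", h)
```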
5. TIME CHANGED
Event ID 4616 records system time changes within Windows environments. It is important to monitor this event, as unauthorized applications or users may modify the time to evade detection or for other purposes.
Simply monitor for instances of 4616 and investigate. You will have to whitelist some processes that do this as part of daily activity, such as svchost.exe. Once this is done, investigate any other instances. Small time changes may happen due to system errors; however, anything larger should be a worry. Within EventID 4616 you can see the original time and the new time.
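The 4616 logic above as an added example (not from the original article): whitelist the routine process, compute the size of the change from the previous and new time fields, and flag large changes separately from small drift corrections. The sample records and the five-minute threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed 4616 records: the process that changed the time plus the previous/new time fields.
SAMPLE_4616 = [
    {"host": "WS-042", "process": r"C:\Windows\System32\svchost.exe",
     "previous": "2024-03-01T09:00:00.123", "new": "2024-03-01T09:00:00.905"},  # routine sync
    {"host": "SRV-FILE01", "process": r"C:\Users\tmp\clock.exe",
     "previous": "2024-03-01T09:10:00", "new": "2024-02-01T09:10:00"},          # set back a month
    {"host": "WS-017", "process": r"C:\Windows\System32\cmd.exe",
     "previous": "2024-03-01T09:12:00", "new": "2024-03-01T09:12:01"},          # small, but not whitelisted
]
# Processes whitelisted because they adjust the clock as part of normal operation (compare lowercase).
WHITELIST = {r"c:\windows\system32\svchost.exe"}


def time_change_delta(event):
    """Absolute size of the clock change recorded in one 4616 event."""
    previous = datetime.fromisoformat(event["previous"])
    new = datetime.fromisoformat(event["new"])
    return abs(new - previous)


def suspicious_time_changes(events, whitelist=WHITELIST, large=timedelta(minutes=5)):
    """Rule 5: every 4616 not caused by a whitelisted process is returned for
    investigation; `large` marks changes too big to be explained by drift correction."""
    findings = []
    for e in events:
        if e["process"].lower() in whitelist:
            continue
        delta = time_change_delta(e)
        findings.append({
            "host": e["host"],
            "process": e["process"],
            "delta_seconds": delta.total_seconds(),
            "large": delta >= large,
        })
    # Largest changes first so the worrying ones are reviewed first.
    return sorted(findings, key=lambda f: f["delta_seconds"], reverse=True)


if __name__ == "__main__":
    for f in suspicious_time_changes(SAMPLE_4616):
        print(f)
```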
6. ABNORMAL SERVICES
This next method can be used either as a rule or as part of your threat hunting platform, as it can be prone to false positives.
- Event ID 7045 (New service installed)
- Within 7 days, count of service name is under 5
The idea is to look for services that appear only a handful of times on your network. Most services appear a large number of times, whereas malicious services may appear only a few times. You may need to add legitimate services to a whitelist.
7. ABNORMAL SCHEDULED TASKS
This is similar to the above but does require advanced auditing. Get your admins to enable the GPO setting Object Access > Audit Other Object Access Events, and make sure it stays turned on.
Once that is done, we follow exactly the same idea as point 6, with a different event ID.
- Event ID 4698 (Scheduled task created)
- Within 7 days, count of scheduled task name is under 5
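The rarity rule from points 6 and 7, as one added example that is not part of the original article: count distinct names over a 7-day window and report those seen fewer than 5 times, with a whitelist for known one-offs. The same function covers Event ID 7045 (service name) and Event ID 4698 (scheduled task name); the sample events and names are constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta


def _ev(time, event_id, name):
    # Constructed event: `name` is the Service Name for 7045 and the Task Name for 4698.
    return {"time": time, "event_id": event_id, "name": name}


NOW = datetime.fromisoformat("2024-03-08T00:00:00")
SAMPLE_EVENTS = (
    # A widely deployed agent installs its service on 7 hosts: common, not reported.
    [_ev(f"2024-03-0{d}T08:00:00", 7045, "CorpAgentUpdater") for d in range(1, 8)]
    # A service name seen once on the whole network: rare, reported.
    + [_ev("2024-03-05T03:12:44", 7045, "WinHlp32Svc")]
    # Also rare, but installed before the 7-day window and therefore ignored.
    + [_ev("2024-02-20T03:12:44", 7045, "OldOneOff")]
    # A scheduled task pushed to 6 hosts: common.
    + [_ev(f"2024-03-0{d}T09:00:00", 4698, r"\Corp\InventoryScan") for d in range(2, 8)]
    # Seen once: rare, reported.
    + [_ev("2024-03-06T22:41:09", 4698, r"\MaintTask")]
    # Seen once, but a known legitimate one-off handled via the whitelist.
    + [_ev("2024-03-07T10:00:00", 4698, r"\Corp\LegacyBackup")]
)


def rare_names(events, event_id, now, window=timedelta(days=7), threshold=5, whitelist=frozenset()):
    """Points 6 and 7: names for `event_id` that occur fewer than `threshold` times
    in the trailing `window`, excluding whitelisted names (compared lowercase)."""
    start = now - window
    counts = Counter(
        e["name"] for e in events
        if e["event_id"] == event_id and start <= datetime.fromisoformat(e["time"]) <= now
    )
    return sorted(name for name, n in counts.items()
                  if n < threshold and name.lower() not in whitelist)


if __name__ == "__main__":
    print("rare services:", rare_names(SAMPLE_EVENTS, 7045, NOW))
    print("rare tasks:", rare_names(SAMPLE_EVENTS, 4698, NOW, whitelist={r"\corp\legacybackup"}))
```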