Windows
System log
Event ID | Event | Why it matters
1074 | System shutdown/restart | unexpected shutdowns or restarts
6005 | Event Log service was started | marks a system boot-up and gives a starting point for an investigation timeline
6006 | Event Log service was stopped | could point to intentional service disruption to cover illicit activity
7040 | Service start type changed | a crucial service's startup type being changed could be a sign of system tampering
Security log
Event ID | Event | Why it matters
1102 | Audit log was cleared | attempt to remove evidence of an intrusion or malicious activity
1116 | Antivirus malware detection | can indicate a targeted attack or a widespread malware infection
1118 | Antivirus remediation activity has started | confirm that remediation activities complete successfully
1119 | Antivirus remediation activity has succeeded | confirm that remediation activities complete successfully
1120 | Antivirus remediation activity has failed | follow up so that threats are effectively neutralized
4624 | Successful logon | logons at odd hours or from unusual locations
4625 | Failed logon | multiple failed logons can signify a brute-force attack
4648 | A logon was attempted using explicit credentials | can indicate lateral movement within the network
4656 | A handle to an object was requested | detects attempts to access sensitive resources
4672 | Special privileges assigned to a new logon | check that administrative privileges are not being abused or used maliciously
4698 | Scheduled task was created | detects persistence mechanisms
4700, 4701 | Scheduled task was enabled/disabled | persistence, or running malicious code
4702 | Scheduled task was updated | persistence, or running malicious code
4719 | Audit policy was changed | attackers cover their tracks by turning off auditing or changing which events get audited
4738 | User account was changed | sign of account takeover or an insider threat
4771 | Kerberos pre-authentication failed | can indicate an attacker brute-forcing your Kerberos service
4776 | Domain controller attempted to validate the credentials for an account | could suggest a brute-force attack
5001 | Antivirus real-time protection configuration has changed | attempts to disable or undermine Defender
5140 | Network share object was accessed | unauthorized access to network shares
5142 | Network share object was added | shares can be used to exfiltrate data or spread malware across the network
5145 | Network share object was checked to see whether client can be granted desired access | mapping out network shares for later exploitation
5157 | Windows Filtering Platform has blocked a connection | identifying malicious traffic on your network
7045 | A service was installed in the system | can suggest malware installation, since many malware families install themselves as services
Sysmon
Download Sysmon
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Download a config (SwiftOnSecurity)
https://github.com/SwiftOnSecurity/sysmon-config
Install Sysmon (hash images with MD5, SHA256 and imphash; -l logs module loads, -n logs network connections)
sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n
Apply the config
sysmon.exe -c config.xml
Detection Examples
DLL Hijacking
Event code: 7 (Image loaded)
- records module (DLL) load events
Reference: @Wietze, "Hijacking DLLs in Windows"
IOC logic
- "calc.exe" lives in System32 and should never be found in a writable directory. A copy of "calc.exe" in a writable directory is therefore an IOC, since it should always reside in System32 (or SysWOW64 for the 32-bit copy).
- "WININET.dll" lives in System32 and should never be loaded from outside System32 by calc.exe. A "WININET.dll" load from outside System32 with "calc.exe" as the loading process indicates a DLL hijack of calc.exe. Alerting on every "WININET.dll" load outside System32 needs care, because some applications ship their own copy of a DLL for stability, but for "calc.exe" the hijack can be asserted confidently: the DLL name is fixed by the importing binary, so an attacker cannot rename it to evade detection.
- The original "WININET.dll" is Microsoft-signed, while the injected DLL is unsigned.
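The three IOCs above turned into a hunt over Sysmon Event ID 7, as an added example that is not part of the original notes. It assumes Sysmon is installed with a config that logs ImageLoad events for calc.exe, and an elevated shell; the file names, directories and `Signed` check mirror the logic above.

```powershell
# Added example (not from the original notes). Hunts Sysmon Event ID 7 for the
# calc.exe / WININET.dll IOCs: calc.exe outside System32/SysWOW64, WININET.dll
# loaded from outside those directories, or an unsigned WININET.dll.
$trustedDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

function Test-TrustedPath([string]$Path) {
    foreach ($dir in $trustedDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; ID = 7
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon stores its fields in EventData; read them by name from the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only the calc.exe -> WININET.dll pairing is checked here
    if ($d.Image -notlike '*\calc.exe' -or $d.ImageLoaded -notlike '*\WININET.dll') { continue }

    $reasons = @()
    if (-not (Test-TrustedPath $d.Image))       { $reasons += 'calc.exe running outside System32/SysWOW64' }
    if (-not (Test-TrustedPath $d.ImageLoaded)) { $reasons += 'WININET.dll loaded from outside System32/SysWOW64' }
    if ($d.Signed -ne 'true')                   { $reasons += 'loaded WININET.dll is not signed' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Image       = $d.Image
            ImageLoaded = $d.ImageLoaded
            Signature   = $d.Signature
            Reason      = ($reasons -join '; ')
        }
    }
}
```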
Detecting Credential Dumping
Event code: 10 (ProcessAccess)
- ProcessAccess against LSASS (TargetImage ends in lsass.exe)
- Check whether SourceUser and TargetUser differ, especially when TargetUser is SYSTEM
- The user must hold SeDebugPrivilege for mimikatz to function
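The LSASS access logic above as a hunt over Sysmon Event ID 10, cross-checked against Security 4672 for SeDebugPrivilege; this is an added example, not part of the original notes. It assumes an elevated shell, a Sysmon version that records SourceUser/TargetUser, and the standard 4672 property order (SubjectUserName at index 1, SubjectDomainName at 2, PrivilegeList at 4).

```powershell
# Added example (not from the original notes). Hunts Sysmon Event ID 10 for handles
# opened on lsass.exe by a user other than the one LSASS runs as, and flags whether
# that source user was granted SeDebugPrivilege at logon (Security 4672).

# Build the set of DOMAIN\user logons that received SeDebugPrivilege
$debugUsers = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4672 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[4].Value -match 'SeDebugPrivilege' } |
    ForEach-Object { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } |
    Sort-Object -Unique

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; ID = 10
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetImage -notlike '*\lsass.exe') { continue }
    # SYSTEM -> SYSTEM access (AV, system services) is routine; a differing SourceUser is the signal
    if ($d.SourceUser -eq $d.TargetUser) { continue }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        SourceImage    = $d.SourceImage
        SourceUser     = $d.SourceUser
        TargetUser     = $d.TargetUser
        GrantedAccess  = $d.GrantedAccess
        HasSeDebugPriv = ($debugUsers -contains $d.SourceUser)
        CallTrace      = $d.CallTrace
    }
}

$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Rows with HasSeDebugPriv set and an unfamiliar SourceImage are the ones to triage first.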
Parsing via PowerShell
List all logs with their record counts and state
Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize
List log sources (providers)
Get-WinEvent -ListProvider * | Format-Table -AutoSize
Get logs by log name
Get-WinEvent -LogName 'System' -MaxEvents 50 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
WinRM events
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 30 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Sort by time (oldest first)
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -Oldest -MaxEvents 30 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Parse an exported .evtx file
Get-WinEvent -Path 'C:\path\to\file\name.evtx' -MaxEvents 5 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Hashtable filtering (by log name and event IDs)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Show all properties of an event (to find fields to filter on)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 1 | Select-Object -Property *