## Tips While Investigating the `Security.evtx` Log File

1. Take a quick look at the time range covered by this log file.
2. Filter for successful console logon events (EID `4624`, `logon type 2`), using a regular expression to exclude `DWM|UMFD` (Desktop Window Manager and Font Driver Host), which generate many logon type 2 events, to identify the normal users of the system.

   ![image](https://hackmd.io/_uploads/rkyIxm4OC.png)

3. Always check the process recorded in EID `4624` events with `logon type 3, 7, 10` to determine whether the account logged in over the network or remotely (PowerShell, WMI, ...).
4. When you suspect a user account logged in remotely, filter on its name to find the `source ip` of the machine it logged in from, and note the time of the first logon and the last logoff.
5. To find out whether a specific account has `Administrative privileges`, filter on that account name with EID `4672`; if any events exist for that account, it has permissions consistent with the administrators group.
6. In an Active Directory environment, to find which domain accounts have authenticated to the system, always filter on the `unique domain identifier part of the SID`.

   ![image](https://hackmd.io/_uploads/r1DnwmNd0.png)

   To check whether they hold administrative privileges, filter with EID `4672` as described above.

   ![image](https://hackmd.io/_uploads/rkbZO7EOC.png)
   ![image](https://hackmd.io/_uploads/B1rrdQ4_0.png)

### Tracking Lateral Movement

#### 1- RunAs Detection

7. Event ID ——> 4648: records authentications using explicit (different) credentials.

> - Unlike nearly all of the events we cover in this section, "runas" `4648` events are typically recorded on the originating system instead of the target.
> - You may see an attacker log on with different credentials on the originating system to access a shared file on the target system, like this:
![image](https://hackmd.io/_uploads/ryLUjZIOC.png)

#### 2- Network Shares

- To audit network shares, the "Object Access —> Audit File Share" option must be configured within the Advanced Audit Policy Configuration.
- Also enable the "Object Access —> Audit Detailed File Share" option within the Advanced Audit Policy Configuration to see references to the files accessed on a given share.

1. Event ID ——> 5140: Network share was accessed
2. Event ID ——> 5145: Shared object accessed (Detailed File Share auditing)
3. Event IDs 5142-5144 track shares that have been created, modified, or deleted

#### 3- Scheduled Tasks

- Scheduled tasks can be executed both locally and remotely.

1. Remotely scheduled tasks also cause Logon (ID 4624) Type 3 events.
2. Event ID ——> 4698: Scheduled task created (Security Log)
3. Event ID ——> 4702: Scheduled task updated (Security Log)
4. Event ID ——> 4699: Scheduled task deleted (Security Log)
5. Event ID ——> 4700 / 4701: Scheduled task enabled/disabled (Security Log)

The `\Windows\System32\Tasks` folder contains the task registration files, which hold some of the most pertinent information about a task:

1. When the task was registered
2. What account and system registered the task
3. Task trigger conditions and frequency (once, daily, etc.)
4. Full command path
5. The account to be used to execute the scheduled command

> 💡 We can identify the remote system name and account used to register the task (no system name will show for locally scheduled tasks).
>
> ![image](https://hackmd.io/_uploads/BkUTTWLd0.png)

Finally, you can rely on this mind map and read this [blog](https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/) as a summary of most of the events we listed in this post.

![image](https://hackmd.io/_uploads/S10GCbLuC.png)
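The filters from the tips at the top of this post (time range, type 2 logons minus DWM/UMFD, type 3/7/10 logons with source IP and process, 4672 privilege checks and the SID domain part), as an added PowerShell example that is not part of the original post; the path of the exported `Security.evtx` is an assumption:

```powershell
# Added example, not from the original post. Reads an exported Security.evtx
# (path is an assumption) and applies the filters from tips 1-6.
$EvtxPath = 'C:\Cases\host1\Security.evtx'

# Flatten the EventData XML of a logon-related event into one object.
# 4624 carries the logged-on account in Target*, 4672 only in Subject*.
function Get-LogonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $prefix = if ($d['TargetUserName']) { 'Target' } else { 'Subject' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = "$($d[$prefix + 'DomainName'])\$($d[$prefix + 'UserName'])"
        Sid       = $d[$prefix + 'UserSid']
        LogonType = $d['LogonType']
        Process   = $d['ProcessName']
        SourceIp  = $d['IpAddress']
    }
}

$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4624, 4672 } |
    ForEach-Object { Get-LogonFields $_ }

# Tip 1: time range the log covers
$range = $events | Measure-Object -Property Time -Minimum -Maximum
"Log covers $($range.Minimum) to $($range.Maximum)"

# Tip 2: console logons (type 2) minus the DWM/UMFD noise = the system's normal users
$events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '2' -and $_.User -notmatch 'DWM|UMFD' } |
    Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name

# Tips 3-4: network/remote logons per account with source IPs, logon processes
# and the first/last timestamps that bound the session window
$events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3', '7', '10' } |
    Group-Object User | ForEach-Object {
        $t = $_.Group | Measure-Object -Property Time -Minimum -Maximum
        [pscustomobject]@{ User = $_.Name; First = $t.Minimum; Last = $t.Maximum
                           SourceIps = ($_.Group.SourceIp | Sort-Object -Unique) -join ','
                           Processes = ($_.Group.Process | Sort-Object -Unique) -join ',' }
    }

# Tip 5: accounts that received admin-equivalent privileges (4672)
$events | Where-Object Id -eq 4672 | Select-Object -ExpandProperty User -Unique

# Tip 6: domain accounts, grouped by the domain identifier part of the SID (RID stripped)
$events | Where-Object { $_.Id -eq 4624 -and $_.Sid -match '^S-1-5-21-' } |
    Group-Object { $_.Sid -replace '-\d+$', '' } | Select-Object Count, Name
```

Run it against the exported file rather than the live log so the analysis host's own logons do not mix into the results.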