Event logs are an important part of any cyber investigation. Here we look at some best practices and at the important events you should watch for in detection.
Hackers try to hide their presence for as long as possible. Event ID 104 (Event Log was Cleared) and Event ID 1102 (Audit Log was Cleared) could indicate a problem. Event ID 4719 (System audit policy was changed) could also point to malicious activity. Application crashes can also indicate the presence of a hacker.
Table 1 – Application Crashes

| Event | ID | Level | Event Log | Event Source |
|---|---|---|---|---|
| App Error | 1000 | Error | Application | Application Error |
| App Hang | 1002 | Error | Application | Application Hang |
| BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting |
| WER | 1001 | Informational | Application | Windows Error Reporting |
| EMET | 1, 2 | Warning, Error | Application | EMET |
Hackers need access to your systems just like any other user, so it's worth looking for suspicious login activity. Table 2 shows events that might indicate a problem. Pass-the-Hash (PtH) is a popular form of attack that lets a hacker gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 event IDs 4624 (success) and 4625 (failure).
Table 2 – Account Usage

| Event | ID | Level | Event Log | Event Source |
|---|---|---|---|---|
| Account Lockouts | 4740 | Informational | Security | Microsoft-Windows-Security-Auditing |
| User Added to Privileged Group | 4728, 4732, 4756 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Security-Enabled Group Modification | 4735 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Successful User Account Login | 4624 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Failed User Account Login | 4625 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Account Login with Explicit Credentials | 4648 | Informational | Security | Microsoft-Windows-Security-Auditing |
High-value assets, like domain controllers, shouldn't be managed using Remote Desktop. Logon Type 10 event IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.
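As an added example (not part of the original post), the following Python routine applies the indicators from the text and the two tables above to constructed event records. The field names LogonType and AuthenticationPackageName mirror the Security log's event data; the records themselves are made up for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class WinEvent:
    log: str        # "Security", "System" or "Application"
    event_id: int
    data: dict = field(default_factory=dict)  # selected EventData fields

# Indicators from the text and tables above that need no extra context.
LOG_CLEARED = {("System", 104), ("Security", 1102)}
APP_CRASH = {("Application", 1000), ("Application", 1002)}
SECURITY_IDS = {4719: "audit-policy-changed", 4740: "account-lockout", 4648: "explicit-credentials",
                4728: "privileged-group-add", 4732: "privileged-group-add", 4756: "privileged-group-add"}

def classify(ev):
    """Return the indicator name an event matches, or None."""
    key = (ev.log, ev.event_id)
    if key in LOG_CLEARED:
        return "log-cleared"
    if key in APP_CRASH:
        return "application-crash"
    if ev.log != "Security":
        return None
    if ev.event_id in SECURITY_IDS:
        return SECURITY_IDS[ev.event_id]
    logon_type = ev.data.get("LogonType")
    # Pass-the-hash shows up as Logon Type 3 over NTLM, success (4624) or failure (4625).
    if (ev.event_id in (4624, 4625) and logon_type == 3
            and ev.data.get("AuthenticationPackageName") == "NTLM"):
        return "possible-pass-the-hash"
    if ev.event_id in (4624, 4634) and logon_type == 10:  # RDP logon / logoff
        return "rdp-session"
    return None

def triage(events):
    # Group the event IDs of matching events by indicator, in arrival order.
    findings = {}
    for ev in events:
        name = classify(ev)
        if name is not None:
            findings.setdefault(name, []).append(ev.event_id)
    return findings

# Constructed sample records (not real telemetry) that exercise the indicators.
SAMPLE_EVENTS = [
    WinEvent("Security", 4624, {"LogonType": 2, "AuthenticationPackageName": "Kerberos"}),
    WinEvent("Security", 4624, {"LogonType": 3, "AuthenticationPackageName": "NTLM"}),
    WinEvent("Security", 4625, {"LogonType": 3, "AuthenticationPackageName": "NTLM"}),
    WinEvent("Security", 4624, {"LogonType": 10}), WinEvent("Security", 4732),
    WinEvent("Security", 1102), WinEvent("System", 104),
    WinEvent("Application", 1000), WinEvent("Application", 1001),  # 1001 = WER, not flagged
]
```

Logon Type 3 over NTLM is also what ordinary file-share access looks like, so treat "possible-pass-the-hash" as a triage lead to correlate with the source host and account rather than as an alert on its own.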
Best Practices
1. Store Logs in a Central Location
- If logs are stored in multiple locations, they become harder to parse and analyze for any investigation. For example, an organization stores the log files of its computers and network in archives for regular inspection for possible threats.
- If these archives are stored in multiple locations, it is much harder to analyze the logs from all locations manually.
2. Segment Logs into Categories
- This practice means keeping the logs segmented into different categories. For example, keep the Application, Security, System and Network logs in separate archives so that it is easier to parse a particular set of logs for threat inspection.
3. Regular Log Analysis for Potential Threats
- Organisations should constantly keep tabs on their archived event logs. Routine checks help identify undetected short- or long-term threats that may harm the data. This check can be done on a weekly or monthly basis. Large corporations with a large number of collected logs require daily checks to maintain their data integrity.
4. Archive Logs, Do Not Overwrite
- In Windows, the default size of the physical log file is 20 MB, which can be sufficient for a single user.
- For an organization, the default file size is not enough for log management because older logs get overwritten by new ones. This can be overcome by archiving the logs: as new logs enter the system, the older event logs are archived to a secure location, which helps in troubleshooting the system if a problem is encountered.
5. Limit Access to Logs, and Log Every Access
- Access to the logs should be limited to authorized personnel only, such as the administrator and the log analyst who maintain the integrity of the logs and constantly observe them for potential threats.
6. Regularly Upgrade or Update the Log Management Infrastructure
- Log management is not an easy task. It takes experience and proper knowledge to manage logs and to find the threats that could compromise the system.
- Most organizations use a log management infrastructure and tooling that make it much easier to handle event logs. The analyst should constantly look for new upgrades and updates of the tool to keep the system safe from new threats and vulnerabilities.
7. Use Copies of Logs for Forensic Investigation
- Event logs are a great help in a forensic investigation, as each and every event is recorded in the log files.
- Whenever an investigation is done using event logs, make sure to create multiple copies of the acquired logs to maintain the integrity of the log data. This protects the original logs.
8. Store Multiple Backups
- Storing multiple backups of logs in a secured place is a great way to protect log data from attackers who may target the log infrastructure. If the original log archives are lost or encrypted, the backups will help in identifying the root cause of the attack. There are two types of backups:
  - Hot Backup: backup of the most recent logs (1 to 4 weeks).
  - Cold Backup: backup of all logs for a long period of time (6 to 12 months).