Automatically generated based on tag:
| Title | Type | Summary | Location |
|---|---|---|---|
| ETW - Active Directory Domain Services (Domain Controllers) ntds.dit dumping | Page | Secrets stored in the Active Directory database (ntds.dit) can be retrieved in a number of ways: (1) by leveraging the DRSUAPI replication functions, normally used by Domain Controllers to replicate objects' (replicated) properties. This attack can be conducted over the network (without executing code on a Domain Controller) and is known as "DCSync"; (2) by executing code / commands on a Domain Controller and exfiltrating the ntds.dit database directly. While the ntds.dit database can be accessed and copied using various tools and techniques, the "ntdsutil" built-in administration utility is often leveraged by threat actors to do so. | DCSync (DRSUAPI): Channel: Security. Event: 4662 (Property "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" or "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"). NTDS export using ntdsutil: Channel: ESENT (Application.evtx). Events: 206, 325, 326, 327. |
| ETW - Authentication - Active Directory Domain Services (Domain Controllers) | Page | For authentication attempts from a source host to an Active Directory domain-joined destination host (which is not a Domain Controller). Main events: Event ID 4624: "An account was successfully logged on", with LogonType 3 (only for a remote interactive logon on a domain-joined destination host). Event ID 4776: "The domain controller attempted to validate the credentials for an account", for NTLM authentication. Event ID 4768: "A Kerberos authentication ticket (TGT) was requested" and Event ID 4769: "A Kerberos service ticket was requested", for Kerberos ticket requests and usage. Event ID 4771: "Kerberos pre-authentication failed", for authentication failures over Kerberos. | Channel: Security. Events: 4776, 4768, 4769, 4771, 4624, 4625. |
| ETW - Authentication - Destination host | Page | Destination host of a local or remote access. Main events: Event ID 4624: "An account was successfully logged on". Event ID 4625: "An account failed to log on". Event ID 4672: "Special privileges assigned to new logon". | Channel: Security. Events: 4624, 4625, 4672, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378. |
| ETW - Authentication - Source host | Page | Source host of a remote access. Main events: Event ID 4648: "A logon was attempted using explicit credentials". Event ID 4624: "An account was successfully logged on", with LogonType 9. | Channel: Security. Events: 4648, 4624 (LogonType 9). |
| ETW - Devices and USB activity | Page | For devices and USB activity. Various events are generated for devices and USB activity, split across a number of channels. More events and information are available on recent versions of the Windows operating system. Using known attributes of a given device, found for example in the Windows registry, events can be used to determine activity timestamps for the device, such as when the device was first plugged in, last plugged in, and unplugged. Additionally, supplementary information about devices can be retrieved from events, such as device storage sizes and an extract of their partition table. | Channels: Microsoft-Windows-Storage-ClassPnP/Operational. Events: 507, 500, 502, 503, 504, 505, 506, 510. Microsoft-Windows-Kernel-PnP/Device Configuration. Events: 400, 401, 410, 411, 420, 430. Microsoft-Windows-Kernel-PnP/Device Management. Event: 1010. Microsoft-Windows-Partition/Diagnostic. Event: 1006. Microsoft-Windows-Ntfs/Operational. Events: 142, 4, 9, 10, 300, 303. |
| ETW - Integrity | Page | The Windows event logs can be tampered with in a number of ways, potentially impacting their integrity. Two categories of Windows event log tampering can be distinguished: (1) tampering with the Event Log service, to avoid the generation of new events; (2) tampering with the existing Windows events, to delete traces of past activities. The log file / channel can be deleted altogether, or events can be deleted or tampered with individually. Main events: Channel: Security. Event ID 1102: "The audit log was cleared". Channel: System. Event ID 104: "The <CHANNEL> log file was cleared". Event ID 7040: "The start type of the Windows Event Log service was changed from auto start to disabled". | Channel: Security. Events: 1100, 1102. Channel: System. Events: 104, 7001, 7040. |
| ETW - Network shares activity and access | Page | For access and operations on network shares configured on the local system, and access to files and folders hosted on network shares. By default no events are generated, as network share auditing requires "Audit File Share" (share access and lifecycle) and / or "Audit Detailed File Share" (hosted files and folders access) to be enabled. Enabling network share auditing may however generate an overwhelming amount of events. Main events: Channel: Security. Event ID 5140: "A network share object was accessed". Event ID 5145: "A network share object was checked to see whether client can be granted desired access". | Channel: Security. Events: 5140, 5142, 5143, 5144, 5145. |
| ETW - Overview | Page | Event Tracing is broken into three distinct components: controllers, providers, and consumers. Controllers start and stop an event tracing session and enable providers. Providers supply the events, which are consumed by consumers in real time. Providers can also write events to (new or existing) channels, with each event only being writable to a single channel. | EVTX files on disk: <SYSTEMROOT>\System32\winevt\Logs\* |
| ETW - PowerShell activity | Page | For local PowerShell activity. Windows PowerShell version 2.0, and prior versions, provide few useful audit settings, thereby limiting the availability of evidence (such as a command history). Starting with PowerShell v5, PowerShell logging was enhanced, with the notable addition of Script Block Logging, which records the full contents of executed PowerShell code (both original and deobfuscated code). While Script Block Logging is not fully enabled by default, it will record events for code containing suspicious keywords (from a Microsoft pre-defined list). | Channels: Windows PowerShell. Events: 400, 403, 500, 501, 600, 800. Microsoft-Windows-PowerShell/Operational. Events: 4100, 4103, 4104, 40961, 40962, 53504. Microsoft-Windows-AppLocker/MSI and Script. Events: 8005, 8006. |
| ETW - PowerShell remoting - Destination host | Page | Destination host of a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 91: "Creating WSMan shell on server with ResourceUri: <X>". | Channels: Microsoft-Windows-Windows Remote Management/Operational. Event: 91. Windows PowerShell. Events: 400, 403, 600, with the HostName field set to "ServerRemoteHost". |
| ETW - PowerShell remoting - Source host | Page | Source host initiating a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 6: "Creating WSMan Session. The connection string is: <REMOTE_HOST>/wsman?PSVersion=XXX". | Channel: Microsoft-Windows-Windows Remote Management/Operational. Events: 2, 4, 6, 8, 12, 15, 16, 30, 31, 33, 80, 162, 166. |
| ETW - Process creation | Page | Process creation event. Requires "Audit Process Creation" to be enabled, and ProcessCreationIncludeCmdLine_Enabled to be enabled for the command line to be logged. Events: Event ID 4688: "A new process has been created". Event ID 4689: "Process Termination: Success and Failure". | Channel: Security. Events: 4688, 4689. |
| ETW - Registry Auto-Start Extensibility Points | Page | Events are generated for tasks executed through the Run and RunOnce registry keys. Additionally, events can be generated for modification of registry keys, but this requires non-default audit settings and the configuration of a SACL on the registry keys to audit. Main events: Channel: Microsoft-Windows-Shell-Core/Operational. Event ID 9707: "Started execution of command <COMMAND>". Event ID 9708: "Finished execution of command <COMMAND> (PID <PROCESS_ID>)". Channel: Security. Event ID 4657: "A registry value was modified". Requires non-default audit settings and the configuration of a SACL on the registry keys to audit. | Channels: Microsoft-Windows-Shell-Core/Operational. Events: 9705, 9707, 9708. Security. Event: 4657. |
| ETW - Remote Desktop - Destination host | Page | Destination host of a Remote Desktop access. Main events: Channel: Security. Event ID 4624: "An account was successfully logged on", with LogonType 10. Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event ID 1149: "Remote Desktop Services: User authentication succeeded". Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Event ID 21: "Remote Desktop Services: Session logon succeeded". Event ID 23: "Remote Desktop Services: Session logoff succeeded". Event ID 25: "Remote Desktop Services: Session reconnection succeeded". | Channels: Security. Event: 4624 (LogonType 10). Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event: 1149. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Events: 21, 22, 23, 25. Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational. Event: 131. |
| ETW - Remote Desktop - Remote Desktop Gateway | Page | For Remote Desktop access through a Remote Desktop Gateway (a Windows Server role that implements Remote Desktop Protocol (RDP) over HTTPS). Main events: Channel: Microsoft-Windows-TerminalServices-Gateway/Operational. Event ID 200: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy [...] to access the TS Gateway server". Event ID 302: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>". Event ID 303: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>. Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYTES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds". | Channels: Microsoft-Windows-TerminalServices-Gateway/Operational. Events: 200, 300, 302, 303, 308, 312, 313. |
| ETW - Remote Desktop - Source host | Page | Source host initiating a Remote Desktop access. Main events: Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational. Event ID 1024: "RDP ClientActiveX is trying to connect to the server (<HOSTNAME>)". Event ID 1102: "The client has initiated a multi-transport connection to the server <IP>". Event ID 1029: "Base64(SHA256(UserName)) is = <HASH>". | Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational. Events: 1024, 1029, 1102. |
| ETW - System uptime | Page | System boot and shutdown events, to determine the time ranges during which the system was turned on. Main events: Event ID 1074: "The process <PROCESS_EXE> has initiated the <ACTION> of computer <HOSTNAME> on behalf of user <USERNAME> for the following reason: <SHUTDOWN_REASON_TEXT>". Event ID 12: "The operating system started at system time <TIME>". Event ID 13: "The operating system is shutting down at system time <TIME>". Event ID 41: "The system has rebooted without cleanly shutting down first". | File: System.evtx. Channels: User32. Event: 1074. Microsoft-Windows-Kernel-General. Events: 12, 13. Microsoft-Windows-Kernel-Power. Events: 41, 42, 109. Microsoft-Windows-Power-Troubleshooter. Event: 1. EventLog. Events: 6013, 6005, 6006. |
| ETW - Tools | Page | Tools for processing ETW and EVTX files, including: wevtutil, Get-WinEvent, LogParser, Winlogbeat, EvtxECmd, Chainsaw, Hayabusa, and Velociraptor. | |
| ETW - Users and security groups operations | Page | For user account and security group operations, such as a user object creation or modification, or a security group membership update. Main events: Channel: Security. Event ID 4720: "A user account was created". Event ID 4724: "An attempt was made to reset an account's password". Event ID 4738: "A user account was changed". Event ID 4732: "A member was added to a security-enabled local group". | Channel: Security. Events: 4720, 4722, 4723, 4724, 4731, 4732, 4733, 4738. |
| ETW - Windows Defender | Page | Windows Defender activity, such as malware detections or configuration changes. Main events: Channel: Microsoft-Windows-Windows Defender/Operational. Event ID 1116: "The antimalware engine found malware or other potentially unwanted software". Event ID 5001: "Real-time protection is disabled". Event ID 5007: "The antimalware platform configuration changed". | Channel: Microsoft-Windows-Windows Defender/Operational. Events: 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1015, 1116, 1117, 1118, 1119, 1121, 1122, 5001, 5007, 5010, 5012, 5013. |
| ETW - Windows Firewall | Page | Windows Firewall activity, such as configuration changes and rule creation, modification, or deletion. Main events: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall. Event ID 2003: "A Windows Defender Firewall setting in the <Domain / Private / Public> profile has changed". Event IDs 2004, 2071, and 2097 (depending on the Windows operating system version): "A rule has been added to the Windows Defender Firewall exception list". Event IDs 2005 and 2099 (depending on the Windows operating system version): "A rule has been modified in the Windows Defender Firewall exception list". | Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall. Events: 2002, 2003, 2004, 2005, 2006, 2033, 2052, 2071, 2097, 2099. Channel: Security (events not enabled by default). Events: 4946, 4947, 4948, 4950. |
| ETW - Windows Scheduled Tasks | Page | For local Windows Scheduled Tasks creation and operations. Main events: Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Event ID 106: "User "<ACCOUNT>" registered Task Scheduler task "\<TASK_NAME>"". Event ID 140: "User "<ACCOUNT>" updated Task Scheduler task "<TASK_NAME>"". Event ID 200: "Task Scheduler launched action "<EXECUTABLE>" in instance "<INSTANCE_GUID>" of task "<TASK_NAME>"". Channel: Security (events not enabled by default). Event ID 4698: "A scheduled task was created". Event ID 4702: "A scheduled task was updated". | Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Events: 100, 102, 103, 106, 107, 108, 110, 118, 119, 129, 140, 141, 200, 201. Channel: Security (events not enabled by default). Events: 4698, 4699, 4700, 4701, 4702. |
| ETW - Windows Services | Page | For local Windows services creation and operations. Main events: Channel: System. Event ID 7045: "A service was installed in the system". Event ID 7036: "The <SERVICE_NAME> service entered the <running / stopped> state". Channel: Security. Event ID 4697: "A service was installed in the system" (not enabled by default). | Channel: System. Events: 7045, 7036, 7035, 7000, 7023, 7031, 7034, 7040, 7030. Channel: Security. Event: 4697. |
| ETW - WMI events | Page | For WMI activity. Tracking process execution is the only way to natively detect lateral movement leveraging WMI. Without "Audit process tracking" enabled to log process creation event 4688 (or a dedicated product tracking process creation, such as Sysmon or an EDR), lateral movement over WMI cannot be reliably investigated. Main events: Channel: Security. Event ID 4688: "A new process has been created", to track WMI process execution (wmic.exe and WmiPrvSE.exe notably). Channel: Microsoft-Windows-WMI-Activity/Operational. Event ID 5860 for temporary WMI event subscription creation. Event ID 5861 for permanent WMI event subscription creation. | Channels: Security. Event: 4688. Microsoft-Windows-WMI-Activity/Operational. Events: 5857, 5858, 5859, 5860, 5861. |