WINDOWS EVENT VIEWER
Windows Event Viewer is a tool developed by Microsoft to give easy access to Windows event logs.
Windows event logs are records of application, system and security events that have taken place on a system. They aid in activities such as:
- Incident response and forensics, to understand the events that took place on a host, such as who logged in and at what time
- Hardware and software troubleshooting
- Tracking application and system issues
- Detecting suspicious activity
Every Windows operating system comes with Windows Event Viewer installed by default. You can open it by clicking the Windows button and searching for "event viewer".
On the left pane of the screenshot above, we can see that Windows generates different logs, categorised by the type of events recorded under them. They include:
- Application logs: logs generated by applications and programs installed on the Windows operating system, such as browsers
- System logs: logs generated by components of the Windows operating system, such as the kernel, the Windows Update client and the Service Control Manager
- Security logs: records of security events such as logons, file changes and user account management, among others. This type of logging is turned off by default; you can change this by enabling auditing.
Enabling Auditing
Search for Local Group Policy Editor, then go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Right-click an audit policy and select Properties. Once you have ticked the boxes, click Apply, then OK.
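The same audit settings can be applied from the command line with the built-in auditpol.exe, which is handy when you need to enable auditing on many hosts or want to confirm what the Group Policy steps above actually changed. This is an added example, not part of the original post; the subcategory names are the ones auditpol uses, and the Event IDs in the comments are the standard Security log IDs those subcategories produce.

```powershell
# Added example (not from the original post): enable the same audit policies
# as the Local Group Policy Editor steps above, using the built-in auditpol.exe.
# Run from an elevated PowerShell prompt; changing audit policy needs administrator rights.

# Show the current setting of the Account Management category before changing anything.
auditpol.exe /get /category:"Account Management"

# Subcategories that produce the events discussed in this post:
#   User Account Management   -> 4720 (user account created), 4726 (user account deleted)
#   Security Group Management -> 4732 (member added to a security-enabled local group)
#   Logon                     -> 4624 (successful logon), 4625 (failed logon)
$subcategories = @(
    "User Account Management",
    "Security Group Management",
    "Logon"
)

foreach ($sub in $subcategories) {
    # Record both successful and failed attempts for each subcategory.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable
}

# Verify the result; each subcategory should now report "Success and Failure".
foreach ($sub in $subcategories) {
    auditpol.exe /get /subcategory:"$sub"
}
```

The verification step matters: on a domain-joined machine, a domain GPO can override what you set locally, so always re-read the effective policy after changing it.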
Sample Windows Event log
To demonstrate a sample of a Windows event log, I used the command-line tool net.exe to create a local user called Kayla and added her to the Administrators group.
It is worth noting that every Windows event log entry is assigned an Event ID.
The purpose of the Event ID is to uniquely identify the type of event on the system. For example, Event ID 4732 in the screenshot above represents "A member was added to a security-enabled local group". This Event ID can aid in the detection of activities such as privilege escalation.
This link lists all Windows Event IDs and what each represents. You don't have to remember all of them, but it is important to have a quick reference point and be familiar with them.
Based on the goal of your investigation, event IDs help you filter out the overwhelming volume of logs and stick to your objective. To filter for a specific event ID in Windows Event Viewer, click Filter Current Log in the right pane.
You can filter based on event severity level, event ID or both, and you can include more than one event ID by separating them with commas (,).
The severity levels listed in Windows Event Viewer include:
- Informational
- Low
- High
- Critical
From an incident response perspective, critical and high events are the ones you want to pay close attention to, as they pose a major risk.
There are times when Windows event logs do not provide the answers you are looking for during an investigation. To fill this gap, Microsoft developed a service called Sysmon.
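The Filter Current Log dialog has a scripted equivalent in PowerShell's Get-WinEvent, which is what you would use to repeat the same question across many hosts or to pull out the fields of an event rather than reading them one at a time. The following is an added example, not code from the original post: it filters the Security log for Event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group), the two events the net.exe scenario above produces, and flags any addition to the local Administrators group. The field names (SubjectUserName, TargetUserName, MemberSid) are the standard ones in those two events; the 24-hour window is an assumption you would adjust to your investigation.

```powershell
# Added example (not from the original post): scripted equivalent of
# "Filter Current Log" for the net.exe scenario described above. Run from an
# elevated prompt: reading the Security log requires administrator rights
# or membership in Event Log Readers.

# Turn an event's <EventData> section into a hashtable keyed by field name,
# e.g. SubjectUserName, TargetUserName, MemberSid.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) {
        $data[$field.Name] = $field.'#text'
    }
    return $data
}

# Resolve a SID such as S-1-5-21-...-1001 to MACHINE\Name; fall back to the raw SID
# if the account has since been deleted and can no longer be translated.
function Resolve-Sid {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid
    }
}

# Several IDs are passed as an array, just as they are comma-separated in the GUI.
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4732               # 4720 = account created, 4732 = member added to local group
    StartTime = (Get-Date).AddDays(-1)   # assumption: only the last 24 hours are of interest
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    $d     = ConvertTo-EventData -Event $evt
    $actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who performed the action
    switch ($evt.Id) {
        4720 {
            "$($evt.TimeCreated) | 4720 | $actor created account '$($d.TargetUserName)'"
        }
        4732 {
            # MemberName is usually '-' in this event; MemberSid reliably identifies the account.
            $member = Resolve-Sid -Sid $d.MemberSid
            $line = "$($evt.TimeCreated) | 4732 | $actor added $member to group '$($d.TargetUserName)'"
            # An addition to Administrators is the privilege escalation signal mentioned above.
            if ($d.TargetUserName -eq 'Administrators') { $line += '   <-- review' }
            $line
        }
    }
}
```

Correlating the two IDs by SubjectUserName and time is what turns two separate log lines into the story the post describes: one account creating another and then granting it administrative rights within a short window.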
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. — Microsoft
Download Sysmon here
Some of the capabilities Sysmon has include the logging of:
- process creation, including the process command line and the parent process command line
- file changes and creation, including the user, the time, and the old and new file names
- network connections, including the process that initiated the connection and the source and destination IPs and ports
- registry events, including changes and new registry entries, and the user who made them
To view Sysmon logs in Windows Event Viewer, go to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
Sample Sysmon Log
Similar to Windows event logs, Sysmon has its own Event IDs that identify particular events. For example, Sysmon Event ID 11 represents file creation.
The Event IDs run from 1 to 24; you can have a look at what each represents here.
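The Sysmon channel is read the same way as the built-in logs, with the channel name Event Viewer shows under Applications and Services Logs. The following added example (not code from the original post or from Sysmon itself) pulls the four kinds of events listed above and prints the fields the post says each one carries; it assumes Sysmon is installed with a configuration that records these event types. The Event IDs (1 process creation, 3 network connection, 11 file creation, 12/13 registry events) and field names are Sysmon's standard ones; the 200-event cap is an assumption to keep the output short.

```powershell
# Added example (not from the original post): read the Sysmon events listed above
# from the Operational channel and print the fields that matter for each type.
# Assumes Sysmon is installed and configured to log these event types.

$channel = 'Microsoft-Windows-Sysmon/Operational'

# Sysmon Event IDs covered here, with the EventData fields shown for each.
$fieldsById = @{
    1  = 'Image', 'CommandLine', 'ParentImage', 'ParentCommandLine', 'User'     # ProcessCreate
    3  = 'Image', 'SourceIp', 'SourcePort', 'DestinationIp', 'DestinationPort'  # NetworkConnect
    11 = 'Image', 'TargetFilename', 'User'                                       # FileCreate
    12 = 'EventType', 'Image', 'TargetObject'                                    # RegistryEvent: key/value create or delete
    13 = 'EventType', 'Image', 'TargetObject', 'Details'                         # RegistryEvent: value set
}

$filter = @{
    LogName = $channel
    Id      = [int[]]$fieldsById.Keys
}

# -MaxEvents 200 is an assumption to keep the output short on a busy host.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Sysmon stores its details as <Data Name="..."> elements, like the Security log does.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($f in $xml.Event.EventData.Data) { $data[$f.Name] = $f.'#text' }

    # Print only the fields relevant to this event type, as name=value pairs.
    $summary = foreach ($name in $fieldsById[[int]$evt.Id]) { "$name=$($data[$name])" }
    "{0} | Sysmon {1} | {2}" -f $evt.TimeCreated, $evt.Id, ($summary -join ' ')
}

# A per-ID count is a quick sanity check that the configuration is logging what you expect.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | Select-Object Name, Count
```

The ProcessCreate event (ID 1) is usually where an investigation starts, since its ParentImage and ParentCommandLine fields show which program launched the process in question; the Security log alone does not record that relationship.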
See you next time.