Threat Hunting w Windows Event IDs
Security log events, grouped by theme. The page lists the event titles only.

Event log service and audit integrity:
- The event logging service has shut down
- Audit events have been dropped by the transport
- The audit log was cleared
- The security log is now full
- Event log automatic backup
- The event logging service encountered an error
- Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits

System start, LSA and SAM:
- Windows is starting up
- Windows is shutting down
- An authentication package has been loaded by the Local Security Authority
- A trusted logon process has been registered with the Local Security Authority
- A notification package has been loaded by the Security Account Manager
- Boot Configuration Data loaded

Sessions, groups and objects:
- A security-enabled local group membership was enumerated
- Special groups have been assigned to a new logon
- The workstation was locked
- The workstation was unlocked
- The screen saver was invoked
- The screen saver was dismissed
- RPC detected an integrity violation while decrypting an incoming message
- Auditing settings on object were changed
- A registry key was virtualized

Dynamic Access Control and authentication policy:
- Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
- Central Access Policies on the machine have been changed
- A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions
- A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
- NTLM authentication failed because the account was a member of the Protected Users group
- NTLM authentication failed because access control restrictions are required
- Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected Users group
- A user was denied access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group

Active Directory trusts and SID history:
- SID History was removed from an account
- A namespace collision was detected
- A trusted forest information entry was added
- A trusted forest information entry was removed
- A trusted forest information entry was modified

Certificate Services:
- The certificate manager denied a pending certificate request
- Certificate Services received a resubmitted certificate request
- Certificate Services revoked a certificate
- Certificate Services received a request to publish the certificate revocation list (CRL)
- Certificate Services published the certificate revocation list (CRL)
- A certificate request extension changed
- One or more certificate request attributes changed

Windows Firewall:
- A change has been made to Windows Firewall exception list. A rule was added
- A change has been made to Windows Firewall exception list. A rule was modified
- A change has been made to Windows Firewall exception list. A rule was deleted
- Windows Firewall settings were restored to the default values
- A Windows Firewall setting has changed
- A rule has been ignored because its major version number was not recognized by Windows Firewall
- Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall
- A rule has been ignored by Windows Firewall because it could not parse the rule
- Windows Firewall Group Policy settings have changed. The new settings have been applied
- Windows Firewall has changed the active profile
- Windows Firewall did not apply the following rule
- Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
- Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
- The Windows Firewall Driver has started successfully
- The Windows Firewall Driver has been stopped
- The Windows Firewall Driver failed to start
- The Windows Firewall Driver detected a critical runtime error. Terminating

IPsec:
- IPsec dropped an inbound packet that failed an integrity check
- IPsec dropped an inbound packet that failed a replay check (two distinct events carry this title; the second adds that the packet's sequence number was too low)
- IPsec dropped an inbound clear text packet that should have been secured
- IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
- A change has been made to IPsec settings. An Authentication Set was added

Windows Filtering Platform:
- The Windows Filtering Platform has blocked a packet
- A more restrictive Windows Filtering Platform filter has blocked a packet
- The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded
- The DoS attack has subsided and normal processing is being resumed

Network shares:
- A network share object was modified
- A network share object was deleted
- A network share object was checked to see whether client can be granted desired access

Code integrity and devices:
- Code integrity determined that the image hash of a file is not valid
- Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues
- A new external device was recognized by the system

BranchCache:
- Received an incorrectly formatted response while discovering availability of content
- Received invalid data from a peer. Data discarded
- The message to the hosted cache offering it data is incorrectly formatted
- The hosted cache sent an incorrectly formatted response to the client's message to offer it data
- A service connection point object could not be parsed
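To turn the list above into a hunt, the following PowerShell is an added example written by the editor; it is not code from the original page. The page prints event titles only, so the numeric Security-log IDs in the script are Microsoft's documented IDs for those titles, supplied here as the editor's own mapping, and should be verified against your audit policy. It assumes local administrator rights (or Event Log Readers membership) on the target, which reading the Security log requires.

```powershell
# Editor's added example (not code from the original page). The page lists event
# titles only; the numeric Security-log IDs below are Microsoft's documented IDs
# for those titles, supplied by the editor. Verify them against your audit policy.
$HuntCategories = [ordered]@{
    'Logging service / audit integrity' = 1100, 1101, 1102, 1104
    'Startup, LSA and SAM packages'     = 4608, 4609, 4610, 4611, 4614
    'Local group membership enumerated' = 4799
    'Remote Desktop access denied'      = 4825
    'Firewall rule / setting changes'   = 4946, 4947, 4948, 4950
    'Code integrity failures'           = 5038, 6281
    'New external device'               = 6416
}

function Get-SecurityHuntingEvents {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Categories,
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # One query for all IDs. Keep the list modest: the event log query engine
    # rejects filters with more than about 22 terms, so split very long lists.
    $ids = @($Categories.Values | ForEach-Object { $_ } | Sort-Object -Unique)

    # Get-WinEvent raises "No events were found" instead of returning nothing;
    # suppress that so an empty result simply means nothing matched.
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = $Since
    }

    foreach ($e in $events) {
        $category = foreach ($entry in $Categories.GetEnumerator()) {
            if (@($entry.Value) -contains $e.Id) { $entry.Key }
        }
        # Subject fields live under EventData/Data[@Name] for most events but
        # under UserData/<Element> for 1102-style events; read both layouts and
        # fall back to the record's own SID when neither names a subject.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) { $data[$d.Name] = $d.'#text' }
        }
        foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $data[$n.LocalName] = $n.InnerText }
        $subject = if ($data.SubjectUserName) { '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName } else { $e.UserId }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Category    = $category
            Subject     = $subject
            Summary     = ($e.Message -split '\r?\n')[0]
        }
    }
}

# Usage: a 30-day sweep, counted per category and ID, so rare high-value events
# (audit log cleared, logging service shut down) stand out from noisy ones such
# as 4799 (group enumeration) and 6416 (new device).
Get-SecurityHuntingEvents -Categories $HuntCategories -Since (Get-Date).AddDays(-30) |
    Group-Object Category, Id |
    Sort-Object Count |
    Format-Table Count, Name -AutoSize
```

Two caveats when reading the output. "The audit log was cleared" is recorded in the Security log itself, so a cleared log still carries that one record as its first entry; an attacker who stops the logging service first leaves the shutdown event instead. Counts are only meaningful against a baseline for the host type: group enumeration and device events are routine on workstations, while a single log-cleared or service-shutdown event outside a maintenance window deserves a look on its own.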
This post is inspired by all the hard-working DFIR, and more broadly security, professionals who have put in the hard yards over the years to discuss digital forensics and incident response in depth. This page contains a variety of commands and concepts which are known through experience, higher education, tutorials, online blogs, YouTube videos, professional training, reading the manual, and more.
This is not designed as a manual on how to perform DFIR; it serves only as a quick reference sheet for commands, tools, and common items of interest when performing incident response. If you need to undertake digital forensics for legal proceedings, seek specialist advice, as this requires more rigor around the Identification, Preservation, Collection, Examination, Analysis, and Presentation of findings.
A large number of these artifacts are covered in the Digital Forensics Artifact Repository, whose standard YAML format can be ingested by both humans and systems. One action you can take is to parse it for items of interest and then directly output areas for investigation. If performing evidence collection rather than IR, respect the order of volatility as defined in the RFC. Note: can be used as an all-in-one collector; a license is required for full collection, and a free version is available.
An example command may be: DAT file and then query them. The system must be booted through Advanced Startup Options with a Command Prompt, or through a recovery CD.
Note: this involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost. You can scan these directories for items of interest, e.g. The Master File Table is an incredibly important artifact; however, it cannot be copied through the normal file APIs and has to be read with low-level (raw) disk access. This can be determined by obtaining the MFT, e.g. More information on the below process. Note: load in hives and add a particular SID to prevent users running named files; this helps prevent, for example, your IIS service account from running cmd.

Although there is some overlap in filtering options across the various tools, there are also filtering options that are unique to a specific tool. There are also filtering options that are not widely documented and are shown here. Some lists of items, such as data types, are not shown in their entirety.
Tips for Reverse-Engineering Malicious Code - This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. It outlines the steps for performing behavioral and code-level analysis of malicious software.
It covers some of the core methods for extracting data from SQLite databases. Definitions, sample queries, and SQLite terminology will help you conduct manual extractions from databases of interest found on Macs, smartphones, and PCs.
These open source tools can be used in a wide variety of investigations, including cross-validation of tools, providing insight into technical details not exposed by other tools, and more. Eric's first cheat sheet contains usage for tools for LNK files, jump lists, prefetch, and other artifacts related to evidence of execution. This suite of tools allows for displaying relevant forensic data, including exporting data to many commonly used formats.
It has its own syntax and plugin options specific to its features and capabilities. This cheat sheet provides a quick reference for memory analysis operations in Rekall, covering acquisition, live memory analysis and the parsing plugins used in the 6-Step Investigative Process. For more information on this tool, visit rekall-forensic. No problem: this cheat sheet will give you the basic commands to get cracking on your case using the latest cutting-edge forensic tools. It covers some of what we consider the more useful Linux shell primitives and core utilities.
These can be exceedingly helpful when automating analysis processes, generating output that can be copied and pasted into a report or spreadsheet document, or supporting quick-turn responses when a full tool kit is not available.
Windows to Unix Cheat Sheet - It helps to know how to translate between Windows and Unix. This handy reference guide ties together many well-known Unix commands with their Windows command line siblings. A great way to get Windows users familiar with the command line quickly.
Memory Forensics Cheat Sheet - Few techniques get you to root cause faster than memory forensics. This cheat sheet walks the investigator through a six-step analysis process, illuminating the most popular and powerful Volatility memory analysis plugins in each step. Memory acquisition, memory timelining, and Windows registry analysis plugins are also noted. Useful for those just starting out in memory forensics and for seasoned pros looking to quickly recall Volatility plugin syntax.
Hex and Regex Forensics Cheat Sheet - Quickly become a master of sorting through massive amounts of data using this guide to the simple regex capabilities built into the SIFT workstation.
Cynthia A. Murphy - With the growing demand for examination of cellular phones and other mobile devices, a need has also developed for process guidelines for the examination of these devices.
While the specific details of the examination of each device may differ, the adoption of consistent examination processes will assist the examiner in ensuring that the evidence extracted from each phone is well documented and that the results are repeatable and defensible.

Richard Davis has published another interesting video, an introduction to basic Windows forensics. He knows his stuff, without a doubt. In "Introduction to Windows Forensics" you walk through a DFIR cheat sheet Richard has created and see a live example of each topic as he analyzes a Windows 10 image.
Cyber Forensicator is a web project by Igor Mikhaylov and Oleg Skulkin aiming to collect the most interesting and important cyber and digital forensics news, articles, presentations, and so on, in one place.

Thanks for stopping by! In the other sections you will find links to software and code snippets, downloads, and contact information. If you enjoy 13Cubed content and would like to help support the channel, please check out our Patreon page for early access to videos, stickers, t-shirts, and additional perks.
You may also make a one-time donation via PayPal.
I occasionally develop software for macOS, iOS, and Windows, as well as useful scripts and utilities written in Python. This section contains technical documentation, notes, cheat sheets, and other content I've created. Earlier work includes Cisco and other networking-related material, while more recent and future content is generally focused on Digital Forensics and Incident Response (DFIR).
What is 13Cubed? Most will recognize 13Cubed from the YouTube channel of the same name, which produces a wide range of content covering Digital Forensics and Incident Response (DFIR) as well as other security-related topics. The company also provides consulting services, and occasionally develops software distributed under the brand. What is your background? I received my first computer at age seven and never looked back. I started a computer company (service, networking, consulting, and training) shortly after I graduated from high school and sold it 10 years later. I then spent nine years at a state college in Georgia.
I am currently employed by a large organization in the aerospace industry where I lead the information security team and have the privilege of working with an incredibly talented group of security professionals with expertise in digital forensics, incident response, and pen testing. I've worked in Information Technology for 24 years, 12 of which specifically in Information Security.
Throughout the last 5 years I have specifically focused on digital forensics, and I am also an instructor for the SANS Institute where I teach digital forensics curriculum.
How do I contact you? I prefer Twitter. You'll find links below for both my personal account and 13Cubed, as well as email contact information.

By Jonathon Poling, February 20. I would read a few things here and there, think I understood it, then move on to the next case, repeating the same loop over and over again and never really acquiring full comprehension.
As such, I recently set out to try and find an easy route to the solution for this problem, i.e. At any rate, as they say, necessity is the mother of invention. So, I decided to leave those out for now, but perhaps I will add them in the future. Ultimately, in truly pragmatic fashion, I figured it would likely be most useful to sort them in the chronological order in which you might expect to find them.
This section covers the first indications of an RDP logon: the initial network connection to a machine. Someone launched an RDP client, specified the target machine (possibly with a username and domain), and hit enter to make a successful network connection to the target. Nothing more, nothing less.
However, with a bit more research, I discovered that a Type 3 logon for NLA will often occur prior to the Type 10 logon. So, YMMV. This section covers the ensuing post-authentication events that occur upon successful authentication and logon to the system. This is typically paired with an Event ID. The most helpful information here is the Reason Code (a function of the IMsRdpClient::ExtendedDisconnectReason property); the list of codes can be seen here, and this pairs it with the codes to make it easier to read.
Below are some examples of codes I encountered during my research. Typically paired with an Event ID. This is typically paired with an Event ID logoff.
TL;DR: the user initiated a formal system logoff, versus a simple session disconnect. Why, I have no idea. Though, this event is not always produced, for reasons I do not know. Feel free to check out his short video walkthrough as well.

Thank you for putting the effort into this and sharing with the community. Only one ask: when doing an RDP from a Windows source to the destination, please also add to the above where the documented log will be found, on the source or on the destination.
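The post describes the sequence (network connection, an NLA Type 3 logon ahead of the Type 10 logon, session reconnects and disconnects with a reason code, and a user-initiated logoff versus a plain disconnect) without printing the event IDs. The script below is an added example by the editor, not the post author's code, that merges those stages into one timeline from the destination system's own logs; every record the post describes is written on the destination, while the source host keeps only client-side artifacts. The IDs (Security 4624/4634/4647/4778/4779, RemoteConnectionManager 1149, LocalSessionManager 21 to 25 and 40) and the field names are Microsoft's documented ones, supplied by the editor; confirm them in your environment. It assumes the two TerminalServices operational channels are enabled, which is the default.

```powershell
# Editor's added example (not part of the original post): rebuild the RDP
# chronology from the destination host. IDs, channel names and field names are
# Microsoft's documented ones, supplied by the editor rather than by the post.

function ConvertFrom-EventXml {
    # Returns a hashtable of the event's named fields. Security events keep them
    # under EventData/Data[@Name]; the TerminalServices providers keep them under
    # UserData/EventXML/<FieldName>, so both layouts are read.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $f = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d -is [System.Xml.XmlElement]) { $f[$d.Name] = $d.'#text' }
    }
    foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) { $f[$n.LocalName] = $n.InnerText }
    return $f
}

function Get-RdpTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $ms   = [int64]((Get-Date) - $Since).TotalMilliseconds
    $rows = [System.Collections.Generic.List[object]]::new()

    # 1. Security log: Type 10 (RemoteInteractive) logons and logoffs. LogonType
    #    lives in EventData, so filter it in XPath instead of post-filtering every
    #    4624 on a busy server. 4647/4778/4779 have no LogonType and are taken whole.
    $xpath = "*[System[(EventID=4624 or EventID=4634) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='LogonType']='10']]"
    $sec = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)
    $sec += @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4647, 4778, 4779; StartTime = $Since })
    $secMeaning = @{ 4624 = 'Logon (Type 10)'; 4634 = 'Logoff (Type 10)'; 4647 = 'User-initiated logoff'
                     4778 = 'Session reconnected'; 4779 = 'Session disconnected' }
    foreach ($e in $sec) {
        $f = ConvertFrom-EventXml $e
        # 4624/4634/4647 name the account as Target*, 4778/4779 as Account*.
        $user = if ($f.TargetUserName) { '{0}\{1}' -f $f.TargetDomainName, $f.TargetUserName } else { '{0}\{1}' -f $f.AccountDomain, $f.AccountName }
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Log = 'Security'; Id = $e.Id; Meaning = $secMeaning[$e.Id]
            User = $user
            Source = if ($f.IpAddress) { $f.IpAddress } else { $f.ClientAddress }
            Session = $f.SessionName; Reason = $null })
    }

    # 2. TerminalServices channels: 1149 is the network-connection stage the post
    #    calls the first indication; 21-25 are the session lifecycle and 40 carries
    #    the disconnect reason code discussed above.
    $tsMeaning = @{ 1149 = 'Network connection accepted'
                    21 = 'Session logon succeeded'; 22 = 'Shell start'; 23 = 'Session logoff'
                    24 = 'Session disconnected'; 25 = 'Session reconnected'; 40 = 'Disconnected, reason code' }
    $ts = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id = 1149; StartTime = $Since })
    $ts += @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id = 21, 22, 23, 24, 25, 40; StartTime = $Since })
    foreach ($e in $ts) {
        $f = ConvertFrom-EventXml $e
        $rows.Add([pscustomobject]@{
            Time = $e.TimeCreated; Log = ($e.LogName -split '-')[-1]; Id = $e.Id; Meaning = $tsMeaning[$e.Id]
            User = if ($f.User) { $f.User } else { '{0}\{1}' -f $f.Param2, $f.Param1 }   # 1149 uses Param1..3
            Source = if ($f.Address) { $f.Address } else { $f.Param3 }
            Session = $f.SessionID; Reason = $f.Reason })
    }
    $rows | Sort-Object Time
}

# Usage: one merged, time-ordered view. Read it per source address: a 1149 with
# no following 4624 (Type 10) or 21 is a connection that never completed a
# logon, and a 40/4779/24 without a later 4647/23 is a disconnect, not a logoff.
Get-RdpTimeline -Since (Get-Date).AddDays(-14) |
    Format-Table Time, Log, Id, Meaning, User, Source, Session, Reason -AutoSize
```

Despite its title in the event viewer, the 1149 record only shows that a client reached the RDP listener and, with NLA, passed the CredSSP exchange; the proof of an interactive logon is the Type 10 4624 (or LocalSessionManager 21) that follows it, which is exactly the distinction the post draws. When the same account shows a Type 3 4624 from the same address a second or two before the Type 10 one, that is the NLA logon the post mentions and not a separate network share access.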
Thanks for the feedback. Historically, the main artifact on a source system (the system connecting to another system via RDP) was a prefetch entry for mstsc.
Perhaps I will do another short write-up on that at some point in the future, or will send it out to the community and see if someone else has time to do so.

Cheat Sheets:
- Windows to Unix cheat sheet - SANS
- USB device tracking
- Suck at security cheat sheet - Lenny Zeltser
- Security incident survey cheat sheet - Lenny Zeltser
- Security incident questionnaire cheat sheet - Lenny Zeltser
- Security incident log review checklist - Lenny Zeltser
- Security assessment RFP cheat sheet - Lenny Zeltser
- Security assessment report cheat sheet - Lenny Zeltser
- Security architecture cheat sheet - Lenny Zeltser
- Reverse Engineering Skills - Lenny Zeltser
- Reverse engineering malicious code tips - Lenny Zeltser
- REMnux malware analysis tips - Lenny Zeltser
- Registry Quick Find Chart 9 27 10 - AccessData
- Python Testing Cheat Sheet
- PowerShell Cheat Sheet
- Plaso Cheat Sheet
- NTFS cheat sheets
- New product management tips - Lenny Zeltser
- Mindmap forensics windows registry cheat sheet 1