This blog is all about Cyber Security and IT

Friday, November 30, 2018

Types of Windows Events


There are five types of security events in Windows:

Error : a service failed to execute, or some information was lost.

Warning : generated when a problem is likely to occur in the future, such as a disk space utilization message.

Information : generated for an informative message, such as confirmation that application services are running correctly.

Success audit : generated when a user successfully logs on to a system.

Failure audit : generated when a logon attempt fails.

Main Security Events

| Event | ID | Level | Event Log | Event Source |
|---|---|---|---|---|
| App Error | 1000 | Error | Application | Application Error |
| App Hang | 1002 | Error | Application | Application Hang |
| BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting |
| WER | 1001 | Informational | Application | Windows Error Reporting |
| EMET | 1, 2 | Warning, Error | Application | EMET |

Hackers need access to your systems just like any other user, so it is worth looking for suspicious logon activity. Table 2 shows events that might indicate a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know its password. Look out for NTLM Logon Type 3 events with IDs 4624 (success) and 4625 (failure).

Table 2 – Account Usage

| Event | ID | Level | Event Log | Event Source |
|---|---|---|---|---|
| Account Lockouts | 4740 | Informational | Security | Microsoft-Windows-Security-Auditing |
| User Added to Privileged Group | 4728, 4732, 4756 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Security-Enabled Group Modification | 4735 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Successful User Account Login | 4624 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Failed User Account Login | 4625 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Account Login with Explicit Credentials | 4648 | Informational | Security | Microsoft-Windows-Security-Auditing |

High-value assets, like domain controllers, should not be managed using Remote Desktop. Logon Type 10 events with IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.
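As an added example (not code from the original post), here are the two logon checks described on this page, the NTLM Logon Type 3 check and the Logon Type 10 check on domain controllers, run over constructed Security log records in Python. The record dictionaries mirror the EventData fields of events 4624/4625/4634 (LogonType, AuthenticationPackageName, TargetUserName, IpAddress) plus the Computer the event was logged on; the host names, user names and addresses are made up, and DC01 is assumed to be a domain controller.

```python
"""Flag the logon patterns described above over Windows Security log records."""

# Constructed sample records mirroring EventData fields of 4624/4625/4634
# (in practice they would come from Get-WinEvent output or an EVTX parser).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.0.15", "Computer": "FS01"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.99", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.0.20", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "bob", "IpAddress": "10.0.0.50", "Computer": "DC01"},
    {"EventID": 4634, "LogonType": 10, "TargetUserName": "bob", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "helpdesk", "IpAddress": "10.0.0.51", "Computer": "WS22"},
]

HIGH_VALUE_HOSTS = {"DC01"}  # assumed: the domain controllers in this environment

def ntlm_network_logons(events):
    """4624/4625 with Logon Type 3 (network) over NTLM: the PtH pattern to review."""
    return [e for e in events
            if e.get("EventID") in (4624, 4625)
            and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"]

def rdp_on_high_value_hosts(events, hosts=HIGH_VALUE_HOSTS):
    """4624/4634 with Logon Type 10 (RDP) on hosts that should not be managed over RDP."""
    return [e for e in events
            if e.get("EventID") in (4624, 4634)
            and e.get("LogonType") == 10
            and e.get("Computer") in hosts]

def summarize(events):
    """Compact view of both findings: (event ID, account, source) per hit."""
    return {
        "ntlm_type3": [(e["EventID"], e["TargetUserName"], e["IpAddress"])
                       for e in ntlm_network_logons(events)],
        "rdp_high_value": [(e["EventID"], e["TargetUserName"], e["Computer"])
                           for e in rdp_on_high_value_hosts(events)],
    }

if __name__ == "__main__":
    for name, hits in summarize(SAMPLE_EVENTS).items():
        print(name, hits)
```

The Kerberos Type 3 logon and the RDP logon to the workstation WS22 are deliberately left out of the findings, since neither matches the patterns the text calls out.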
