Types of Windows Events
Windows event logs use five event levels (types):
Error: a component or service failed to run, or data was lost (for example, a service that could not start).
Warning: not a failure yet, but a condition that may lead to one, such as low disk space.
Information: a routine notice that an operation completed as expected, such as a service starting normally.
Success Audit: an audited security access attempt succeeded, such as a user logging on.
Failure Audit: an audited security access attempt failed, such as a rejected logon attempt.
Main Security Events
Event | ID | Level | Event Log | Event Source
App Error | 1000 | Error | Application | Application Error
App Hang | 1002 | Error | Application | Application Hang
BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting
WER | 1001 | Informational | Application | Windows Error Reporting
EMET | 1, 2 | Warning, Error | Application | EMET
Attackers need access to your systems just like any other user, so suspicious logon activity is worth looking for. Table 2 lists the account-usage events that can reveal it. Pass-the-Hash (PtH) is a popular technique that lets an attacker authenticate as an account using its NTLM hash, without ever knowing the password. Because PtH rides on NTLM, it shows up as NTLM network logons: look for Logon Type 3 in event IDs 4624 (success) and 4625 (failure) whose Authentication Package is NTLM, especially for accounts or source hosts where Kerberos would normally be used.
Table 2 – Account Usage
Event | ID | Level | Event Log | Event Source
Account Lockouts | 4740 | Informational | Security | Microsoft-Windows-Security-Auditing
User Added to Privileged Group | 4728, 4732, 4756 | Informational | Security | Microsoft-Windows-Security-Auditing
Security-Enabled Group Modification | 4735 | Informational | Security | Microsoft-Windows-Security-Auditing
Successful User Account Logon | 4624 | Informational | Security | Microsoft-Windows-Security-Auditing
Failed User Account Logon | 4625 | Informational | Security | Microsoft-Windows-Security-Auditing
Account Logon with Explicit Credentials | 4648 | Informational | Security | Microsoft-Windows-Security-Auditing
High-value assets such as domain controllers should not be managed over Remote Desktop. On such hosts, Logon Type 10 (RemoteInteractive) in event IDs 4624 (logon) and 4634 (logoff) points to RDP sessions that should be investigated.
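The checks described in the Pass-the-Hash paragraph and the RDP note above, as one added PowerShell example that is not code from the original post. It reads the local Security log with Get-WinEvent, so it needs an elevated session (Administrator or Event Log Readers membership) and assumes the Logon/Logoff and Security Group Management audit subcategories are enabled. The 24-hour window and the function names ConvertFrom-EventData and Get-SecurityEvents are this example's own choices.

```powershell
# Added example, not from the original post: hunt the local Security log for the
# logon patterns discussed above. Run elevated; reading the Security log needs
# Administrator or Event Log Readers rights. Assumes Audit Logon/Logoff and
# Audit Security Group Management are enabled. The -Hours window and the
# function names below are this example's own choices.

param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Turn one EventRecord into a flat object keyed by the <Data Name="..."> fields
# in its EventData XML, so filters can use LogonType and friends instead of
# regexes over the localized message text.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        Id          = $Event.Id
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Member      = $data['MemberName']        # only present in group-change events
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
    }
}

function Get-SecurityEvents {
    param([int[]]$Id)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $since }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ }
}

$logons = Get-SecurityEvents -Id 4624, 4625

# Pattern 1: NTLM network logons (Logon Type 3). Kerberos is the norm inside a
# domain, so NTLM type-3 logons, especially one account touching many hosts or
# a run of failures (4625) followed by a success (4624) from the same source,
# are the classic Pass-the-Hash footprint. ANONYMOUS LOGON is excluded because
# it is routine SMB noise; review it separately if needed.
Write-Host "NTLM network logons grouped by account and source (last $Hours h):"
$logons |
    Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' -and
                   $_.User -notlike '*\ANONYMOUS LOGON' } |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Pattern 2: RemoteInteractive (RDP) sessions, Logon Type 10. On a domain
# controller or any other host that should never be managed over RDP, every
# hit is worth a look; pairing 4624 with 4634 (logoff) gives session duration.
Write-Host "RDP logons and logoffs (last $Hours h):"
Get-SecurityEvents -Id 4624, 4634 |
    Where-Object { $_.LogonType -eq 10 } |
    Select-Object Time, Id, User, SourceIp |
    Format-Table -AutoSize

# Pattern 3: additions to privileged groups from Table 2 (4728 global,
# 4732 local, 4756 universal). MemberName is the DN of the account added and
# TargetUserName (surfaced here as User) is the group it was added to.
Write-Host "Security group additions (last $Hours h):"
Get-SecurityEvents -Id 4728, 4732, 4756 |
    Select-Object Time, Id, Member, @{ n = 'Group'; e = { $_.User } } |
    Format-Table -AutoSize
```

Run it as a script (`.\Find-SuspiciousLogons.ps1 -Hours 72`, or whatever name you save it under) on the host you want to check. On a domain controller the RDP list should be empty; a non-empty NTLM list is not by itself proof of Pass-the-Hash, so compare the grouped counts against the host's normal baseline before escalating.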