
Types of Windows Events

Windows has five types (levels) of events:

Error: a service or operation failed to execute, or some information was lost.

Warning: a problem is likely to occur in the future, for example a disk space utilisation message.

Information: an informative message, for example that an application service is running correctly.

Success audit: an audited security action succeeded, for example a user logged in to a system.

Failure audit: an audited security action failed, for example a failed login attempt.

Main Security Events

Event | ID | Level | Event Log | Event Source
App Error | 1000 | Error | Application | Application Error
App Hang | 1002 | Error | Application | Application Hang
BSOD | 1001 | Error | System | Microsoft-Windows-WER-SystemErrorReporting
WER | 1001 | Informational | Application | Windows Error Reporting
EMET | 1, 2 | Warning, Error | Application | EMET

Hackers need access to your systems just like any other user, so it’s worth looking for suspicious login activity. Table 2 shows events that might indicate a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 event IDs 4624 (success) and 4625 (failure).

Table 2 – Account Usage

Event | ID | Level | Event Log | Event Source
Account Lockouts | 4740 | Informational | Security | Microsoft-Windows-Security-Auditing
User Added to Privileged Group | 4728, 4732, 4756 | Informational | Security | Microsoft-Windows-Security-Auditing
Security-Enabled Group Modification | 4735 | Informational | Security | Microsoft-Windows-Security-Auditing
Successful User Account Login | 4624 | Informational | Security | Microsoft-Windows-Security-Auditing
Failed User Account Login | 4625 | Informational | Security | Microsoft-Windows-Security-Auditing
Account Login with Explicit Credentials | 4648 | Informational | Security | Microsoft-Windows-Security-Auditing

High-value assets, like domain controllers, shouldn’t be managed using Remote Desktop. Logon Type 10 event IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.
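The two logon patterns above (NTLM Logon Type 3 for Pass-the-Hash, Logon Type 10 for RDP on a domain controller) can be pulled out of the Security log with the query below. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the host being reviewed, and $Hours is a placeholder lookback window.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session on the host whose Security log is being reviewed; $Hours is a
# placeholder lookback window.
$Hours = 24

# Pull the logon events the post names: 4624 (success) and 4625 (failure).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Read the fields from the event XML; the message text is localised.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $logonType = $d['LogonType']
    $authPkg   = $d['AuthenticationPackageName']

    # Logon Type 3 (network) over NTLM: on a Kerberos domain this is the
    # pattern the post associates with Pass-the-Hash. Logon Type 10 is RDP,
    # which should not appear at all on a domain controller.
    $reason = $null
    if ($logonType -eq '3' -and $authPkg -eq 'NTLM') { $reason = 'NTLM network logon' }
    elseif ($logonType -eq '10')                      { $reason = 'RDP logon' }
    if (-not $reason) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = $(if ($e.Id -eq 4624) { 'Success' } else { 'Failure' })
        LogonType   = $logonType
        AuthPackage = $authPkg
        Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
        Reason      = $reason
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

NTLM Type 3 logons are routine for local accounts and for ANONYMOUS LOGON, so the useful signal is a domain account authenticating with NTLM from an unexpected source address or workstation.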
