In the event of a forensic investigation, Windows Event Logs serve as the primary source of evidence, because the operating system logs every system activity. Windows Event Log analysis helps an investigator build a timeline from the logged information and the discovered artifacts. On Windows systems, the event logs contain a lot of useful information about the system and its users.
For a forensic investigator the Security log is the most important event log: it contains logon/logoff activity and other activities related to Windows security.
Location: C:\Windows\System32\winevt\Logs
Tools: default Event Viewer or https://eventlogxp.com/
1102 is logged whenever the Security log is cleared
4697 A new service was installed on the system
4688 A new process has been created
EVENT LOG RELATED TO ACCOUNT LOGON/LOGOFF
4624 An account was successfully logged on
4625 An account failed to log on
4634 An account was logged off
4647 User initiated logoff
4648 Logon using explicit credentials (RunAs)
4672 Privileged account usage
EVENT LOG RELATED TO SCHEDULED TASKS
4698 A scheduled task was created
4699 A scheduled task was deleted
4701 A scheduled task was disabled
4702 A scheduled task was updated
ACCOUNT MANAGEMENT
4720 A user account was created
4722 A user account was enabled
4723 An attempt was made to change an account's password
4724 An attempt was made to reset an account's password
4725 A user account was disabled
4726 A user account was deleted
4728 A member was added to a security-enabled global group
4732 A member was added to a security-enabled local group
4735 A security-enabled local group was changed
4738 A user account was changed
4740 A user account was locked out
4767 A user account was unlocked
4756 A member was added to a security-enabled universal group
4798 A user's local group membership was enumerated
4799 A security-enabled local group membership was enumerated
ACCOUNT LOGON
4768 Kerberos Ticket Granting Ticket (TGT) was granted (successful Kerberos logon)
4769 Successful/Failed account auth (NTLM protocol)
4770 A Kerberos service ticket was renewed
4771 Kerberos pre-authentication failed (failed Kerberos logon)
4776 Successful/Failed account auth (NTLM protocol)
RDP LOGS
4778 RDP session reconnected
4779 RDP session disconnected
EVENT LOG RELATED TO NETWORK SHARE ACCESS
5140 A network share object was accessed
5142 A network share object was added
5143 A network share object was modified
5144 A network share object was deleted
5145 A network share object was checked to see whether client can be granted desired access
EVENT LOG RELATED TO SERVICES
7034 Service crashed unexpectedly
7035 Service was sent a start/stop control
7036 Service started or stopped
7040 Start type changed (Boot | On Request | Disabled)
7045 A new service was installed on the system (Win2008R2+)
Logon Type
2 - Interactive [Logon type 2 is logged when a user logs on at the console, whether it is a domain or a local user account]
3 - Windows logs logon type 3 for network logons such as accessing shared folders, printers, GPOs, and most logons to IIS.
4 - For a scheduled task execution in Windows, the Scheduled Task service first creates a new logon session for the task so that it can run under the user account specified for that task. Windows logs this logon attempt as logon type 4
5 - Service (service startup)
7 - This occurs when a user returns to the console and unlocks the password protected screen. Windows treats this as a logon and logs the appropriate Logon/Logoff event using logon type 7 identifying the event as an unlock attempt.
8 - Network Cleartext (Most often indicates a logon to IIS with “basic authentication”)
10 - Logons through Terminal Services, Remote Desktop or Remote Assistance are qualified as remote interactive and logs the logon attempt with logon type 10
11 - Logon with cached credentials
Logon Failure Codes
0xC0000064 - User name does not exist
0xC000006A - User name is correct but the password is wrong
0xC0000234 - User is currently locked out
0xC0000072 - Account is currently disabled
0xC000006D - reason not specified (Sub status may provide more information)
0xC000006F - User tried to logon outside his day of week or time of day restrictions
0xC0000070 - Workstation restriction
0xC0000193 - Account expiration
0xC0000071 - Expired password
0xC0000133 - Clocks between DC and other computer too far out of sync
0xC0000224 - User is required to change password at next logon
0xC0000225 - Evidently a bug in Windows and not a risk
0xC000015B - The user has not been granted the requested logon type (aka logon right) at this machine
KERBEROS FAILURE CODES
0x6 Bad user name
0x7 New computer account?
0x9 Administrator should reset password
0xC Workstation restriction
0x12 Account disabled, expired, locked out, logon hours restriction
0x17 The user’s password has expired
0x18 Bad password
0x20 Frequently logged by computer accounts
0x25 Workstation’s clock too far out of sync with the DC’s
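The tables above (event IDs, logon types, 4625 failure codes and Kerberos failure codes) are most useful when applied to exported records. The following is an added example, not code from the original post: it parses Security events in the XML layout that Event Viewer shows under "Details > XML View", translates each record with the page's tables, builds a timeline, and counts failed logons (4625/4771) per source address as a password-guessing indicator. The sample records are constructed; they assume the standard EventData field names TargetUserName, LogonType, Status, SubStatus and IpAddress, and the 1102 record is simplified (a real 1102 keeps its fields under UserData rather than EventData).

```python
"""Translate exported Security-log XML records with the event ID, logon type and
failure code tables from this page, then build a timeline and a simple detection."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the event IDs listed on the page.
EVENT_IDS = {
    1102: "Security log cleared", 4624: "Successful logon", 4625: "Failed logon",
    4648: "Logon with explicit credentials (RunAs)", 4672: "Privileged account usage",
    4698: "Scheduled task created", 4720: "User account created",
    4732: "Member added to security-enabled local group", 4768: "Kerberos TGT granted",
    4771: "Kerberos pre-authentication failed", 5140: "Network share accessed",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 10: "RemoteInteractive", 11: "CachedInteractive"}
# NTSTATUS values seen in the Status/SubStatus fields of a 4625 record.
NTSTATUS = {
    0xC0000064: "user name does not exist", 0xC000006A: "wrong password",
    0xC0000234: "account locked out", 0xC0000072: "account disabled",
    0xC000006D: "reason not specified (see SubStatus)", 0xC000006F: "outside logon hours",
    0xC0000070: "workstation restriction", 0xC0000193: "account expired",
    0xC0000071: "password expired", 0xC0000133: "clock skew with DC",
    0xC0000224: "must change password at next logon", 0xC000015B: "logon type not granted",
}
# Kerberos result codes seen in the Status field of 4768/4771 records.
KERBEROS = {0x6: "bad user name", 0x12: "account disabled/expired/locked out/logon hours",
            0x17: "password expired", 0x18: "bad password", 0x25: "clock skew with DC"}


def parse_event(xml_text):
    """Reduce one Event Viewer XML record to id, time, host and its EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "host": system.findtext("e:Computer", namespaces=NS), "data": data}


def describe(ev):
    """Human-readable description built from the page's tables."""
    eid, d = ev["id"], ev["data"]
    parts = [EVENT_IDS.get(eid, f"event {eid}")]
    if "LogonType" in d:
        lt = int(d["LogonType"])
        parts.append(f"type {lt} ({LOGON_TYPES.get(lt, 'unknown')})")
    if eid == 4625:
        # Status is usually the generic 0xC000006D; SubStatus carries the real reason.
        code = int(d.get("SubStatus", "0"), 16) or int(d.get("Status", "0"), 16)
        parts.append(NTSTATUS.get(code, f"status {code:#010x}"))
    elif eid == 4771 or (eid == 4768 and d.get("Status", "0x0") != "0x0"):
        parts.append("kerberos: " + KERBEROS.get(int(d["Status"], 16), d["Status"]))
    return " | ".join(parts)


def timeline(events):
    """Chronological one-line summaries (time, host, account, description)."""
    def user(e):
        return e["data"].get("TargetUserName") or e["data"].get("SubjectUserName") or "-"
    return [f"{e['time']} {e['host']} {user(e)} {describe(e)}"
            for e in sorted(events, key=lambda e: e["time"])]


def failed_logons_by_source(events, threshold=3):
    """Source addresses with at least `threshold` failed logons (4625 or 4771)."""
    c = Counter(e["data"].get("IpAddress", "?") for e in events if e["id"] in (4625, 4771))
    return {ip: n for ip, n in c.items() if n >= threshold}


def _rec(eid, time, **data):
    """Constructed sample record in the Event Viewer XML View layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>WS01.corp.example</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


SAMPLE = [  # constructed records: a small spray from one address, then a successful RDP logon
    _rec(4625, "2024-03-01T08:00:01Z", TargetUserName="alice", LogonType=3,
         Status="0xc000006d", SubStatus="0xc000006a", IpAddress="10.0.0.50"),
    _rec(4625, "2024-03-01T08:00:02Z", TargetUserName="bob", LogonType=3,
         Status="0xc000006d", SubStatus="0xc0000064", IpAddress="10.0.0.50"),
    _rec(4625, "2024-03-01T08:00:03Z", TargetUserName="carol", LogonType=3,
         Status="0xc0000234", SubStatus="0x0", IpAddress="10.0.0.50"),
    _rec(4771, "2024-03-01T07:59:00Z", TargetUserName="dave", Status="0x18", IpAddress="10.0.0.50"),
    _rec(4624, "2024-03-01T08:05:00Z", TargetUserName="alice", LogonType=10, IpAddress="10.0.0.50"),
    _rec(4672, "2024-03-01T08:05:00Z", SubjectUserName="alice"),
    _rec(1102, "2024-03-01T08:10:00Z"),  # simplified: real 1102 data lives under UserData
]

if __name__ == "__main__":
    evs = [parse_event(x) for x in SAMPLE]
    print("\n".join(timeline(evs)))
    print("failed logons per source:", failed_logons_by_source(evs))
```

Exported XML from a real system can be fed in the same way after splitting it into individual `<Event>` elements; the `_rec` helper exists only to construct the sample records inline.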