Revision comparison for windows_wiki:logging_cheat_sheet: 2015/01/13 15:08 (created by sl3dge) against 2019/05/25 23:50. The text below is the content of the earlier revision.
February 20, 2014 Page 1 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7/Win 2008 or later
ENABLE::
1. LOCAL LOG SIZE: Increase the size of your local logs. Disk space is cheap
compared with the events you lose when a 20 MB default log wraps, and the
CPU cost of logging is negligible.
a. Application,
b. PowerShell logs too
c. Whatever else you want as well
2. LOCAL SECURITY POLICY: Under Security Options set "Audit: Force audit policy
subcategory settings (Windows Vista or later) to override audit policy
category settings" to ENABLED. This makes Windows honor the "Advanced Audit
Policy" subcategories below instead of the nine legacy categories.
3. GROUP POLICY: All settings mentioned should be set with Active Directory
Group Policy so they are enforced enterprise wide. Local Security Policy is
for standalone hosts and labs; note that a GPO that defines audit policy
overwrites local audit settings at the next policy refresh.
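The two ENABLE steps above applied from PowerShell on a single host, as an added example (this is not code from the cheat sheet or from its author). The log sizes are assumptions; pick what your disk and retention goals allow, and put the same values in a GPO for the enterprise case.

```powershell
# Added example, not part of the original cheat sheet: applies ENABLE steps 1
# and 2 from an elevated Windows PowerShell prompt and reads them back.
# The sizes below are assumptions (Windows' default is 20 MB per log).
#Requires -RunAsAdministrator

# Log name -> maximum size in bytes (assumed values)
$LogSizes = [ordered]@{
    'Application'                              = 256MB
    'System'                                   = 256MB
    'Security'                                 = 1GB
    'Windows PowerShell'                       = 256MB
    'Microsoft-Windows-PowerShell/Operational' = 256MB
}

function Set-LogSize {
    param([string]$LogName, [long]$Bytes)
    # wevtutil sl: /ms = maximum size in bytes, /rt:false = overwrite the
    # oldest events when the log is full ("Overwrite events as needed")
    & wevtutil.exe sl $LogName "/ms:$Bytes" /rt:false
    if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil could not configure '$LogName'" }
}

function Enable-AuditSubcategoryOverride {
    # Security Options -> "Audit: Force audit policy subcategory settings
    # (Windows Vista or later) to override audit policy category settings"
    # is stored as the SCENoApplyLegacyAuditPolicy DWORD under LSA.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
}

function Get-LoggingState {
    # One row per log plus the override flag, so the result can be compared
    # with the intended configuration or shipped to the SIEM as a health check.
    $flag = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
    foreach ($name in $LogSizes.Keys) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log              = $name
            MaxSizeMB        = $(if ($log) { [math]::Round($log.MaximumSizeInBytes / 1MB) } else { $null })
            Mode             = $(if ($log) { $log.LogMode } else { 'missing' })   # Circular = overwrite as needed
            SizeOK           = [bool]($log -and $log.MaximumSizeInBytes -ge $LogSizes[$name])
            SubcategoryForce = ($flag -eq 1)
        }
    }
}

foreach ($name in $LogSizes.Keys) { Set-LogSize -LogName $name -Bytes $LogSizes[$name] }
Enable-AuditSubcategoryOverride
Get-LoggingState | Format-Table -AutoSize
```

Get-LoggingState is the part worth keeping: run it from your collector or a scheduled task and alert when SizeOK or SubcategoryForce turns false, which is what a GPO conflict or a helpful administrator "tidying up" the event log looks like.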
ENABLE::
1. DNS LOGS: Enable DNS debug logging on your DNS servers (DNS Manager – server
Properties – Debug Logging) to capture which clients query which names. The
log is written to "%systemroot%\System32\Dns\Dns.log".
a. EventID =
2. DHCP LOGS: Add your DHCP audit logs – "%windir%\System32\Dhcp" (one
DhcpSrvLog-<Day>.log per weekday). Comparing leased host names against your
naming convention lets you detect rogue systems on your network.
a. EventID = 10 – A new IP address was leased to a client
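The rogue-system check the DHCP item describes, as an added example (not code from the cheat sheet). The host-name regex stands in for your own naming convention and the log lines are constructed for the example; only the column layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address) is the real DhcpSrvLog format.

```powershell
# Added example, not part of the original cheat sheet. Reads a DHCP server
# audit log (%windir%\System32\Dhcp\DhcpSrvLog-<Day>.log), keeps lease events
# (ID 10 = new lease, 11 = renewal) and flags host names that do not follow
# the site naming convention. The regex and the sample lines are made up.
function Get-DhcpLeaseAnomaly {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $NamePattern = '^(WS|LT|SRV)-[A-Z0-9]{4,8}$'   # assumed convention
    )
    foreach ($line in $Lines) {
        # Data rows are CSV: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
        # The text header and blank lines do not start with a numeric ID.
        if ($line -notmatch '^\d+,') { continue }
        $f = $line -split ','
        if ('10', '11' -notcontains $f[0]) { continue }    # leases only
        $name = ($f[5] -split '\.')[0]                     # strip any DNS suffix
        if ($name -and $name -notmatch $NamePattern) {
            [pscustomobject]@{
                Time = "$($f[1]) $($f[2])"; Event = $f[0]; IP = $f[4]
                HostName = $f[5]; MAC = $f[6]
            }
        }
    }
}

# Constructed sample of a DhcpSrvLog-*.log (not real data)
$SampleLog = @(
    'ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name',
    '00,05/25/19,00:00:08,Started,,,,',
    '10,05/25/19,08:12:31,Assign,10.10.20.45,WS-A1B2C3.corp.example,001122AABBCC,',
    '10,05/25/19,08:14:02,Assign,10.10.20.46,android-9f3a7d.corp.example,DEADBEEF0001,',
    '11,05/25/19,08:20:17,Renew,10.10.20.12,SRV-FILE01.corp.example,00AABBCCDDEE,',
    '15,05/25/19,08:25:00,Deleted,10.10.20.99,,,'
)
Get-DhcpLeaseAnomaly -Lines $SampleLog | Format-Table -AutoSize

# On a DHCP server, run it against today's log instead:
# $today = (Get-Date).DayOfWeek.ToString().Substring(0, 3)
# Get-DhcpLeaseAnomaly -Lines (Get-Content "$env:windir\System32\Dhcp\DhcpSrvLog-$today.log")
```

Empty host names (devices that send no client name) are skipped rather than flagged; if your convention requires a name, drop the `$name -and` guard so they surface too.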
DEFINITIONS::
ENABLE: Things you must do to enable logging so that events are collected and kept.
CONFIGURE: Configuration needed to refine which events you will collect.
GATHER: Tools/utilities used to pull events off a system and look at them – WEvtUtil, Find, etc.
HARVEST: Events you would want to harvest into a centralized event log management solution such as syslog, a SIEM, Splunk, etc.
RESOURCES: Places to get information on Event IDs
www.ultimatewindowssecurity.com/
www.EventID.Net – Most of the Event IDs
Google! – But of course
IIS Error Codes - http://
This "Windows Logging Cheat Sheet" is intended to help you get started setting up
basic and necessary Windows Audit Policy and Logging. By no means is this list
extensive, but it does include some very common items that should be enabled,
configured, gathered and harvested for any Log Management Program. Start with
these settings and add to them as you understand better what is in your logs and
what you need.
Windows Audit Policy settings may be set by the Local Security Policy, Group Policy
(preferred) or from the command line using 'AuditPol.exe'.
CONFIGURE::
1. SYSTEM AUDIT POLICIES: To capture what you want and need, the following
Advanced Audit Policies must be set. Expand these to your specific needs,
but here is a place to start.
List out the system audit policy
Command: AuditPol /get /category:*
To set an item (use /success:disable /failure:disable for No Auditing):
Command: AuditPol /set /subcategory:"<Subcategory>" /success:enable /failure:enable
Category/Subcategory                     Setting
---------------------------------------- ------------------------
System
  Security System Extension              Success and Failure
  System Integrity                       Success and Failure
  IPsec Driver                           Success and Failure
  Other System Events                    Failure
  Security State Change                  Success and Failure
Logon/Logoff
  Logon                                  Success and Failure
  Logoff                                 Success
  Account Lockout                        Success
  IPsec Main Mode                        No Auditing
  IPsec Quick Mode                       No Auditing
  IPsec Extended Mode                    No Auditing
  Special Logon                          Success and Failure
  Other Logon/Logoff Events              Success and Failure
  Network Policy Server                  Success and Failure
Object Access
  File System                            Success
  Registry                               Success
  Kernel Object                          Success and Failure
  SAM                                    No Auditing
  Certification Services                 Success and Failure
  Application Generated                  Success and Failure
  Handle Manipulation                    No Auditing
  File Share                             Success and Failure
  Filtering Platform Packet Drop         No Auditing
  Filtering Platform Connection          Success (Windows Firewall; very noisy, see HARVEST)
  Other Object Access Events             No Auditing (set Success if you want 4698 scheduled task events)
  Detailed File Share                    Success
Privilege Use
  Sensitive Privilege Use                Success and Failure
  Non Sensitive Privilege Use            No Auditing
  Other Privilege Use Events             No Auditing
Detailed Tracking
  Process Termination                    Success and Failure
  DPAPI Activity                         No Auditing
  RPC Events                             Success and Failure
  Process Creation                       Success and Failure
Policy Change
  Audit Policy Change                    Success and Failure
  Authentication Policy Change           Success and Failure
  Authorization Policy Change            Success and Failure
  MPSSVC Rule-Level Policy Change        No Auditing
  Filtering Platform Policy Change       Success (Windows Firewall)
  Other Policy Change Events             No Auditing
Account Management
  User Account Management                Success and Failure
  Computer Account Management            Success and Failure
  Security Group Management              Success and Failure
  Distribution Group Management          Success and Failure
  Application Group Management           Success and Failure
  Other Account Management Events        Success and Failure
DS Access
  Directory Service Changes              Success and Failure
  Directory Service Replication          No Auditing
  Detailed Directory Service Replication No Auditing
  Directory Service Access               No Auditing
Account Logon
  Kerberos Service Ticket Operations     No Auditing
  Other Account Logon Events             Success and Failure
  Kerberos Authentication Service        No Auditing
  Credential Validation                  Success and Failure
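Applying the table and checking for drift afterwards, as an added example (not code from the cheat sheet). It uses the auditpol.exe /set and /get /r switches; the subcategory names are the English ones auditpol prints, so on a localized OS substitute the subcategory GUIDs. Subcategories the table leaves at "No Auditing" are omitted, since that is the Windows default.

```powershell
# Added example, not part of the original cheat sheet: applies the Advanced
# Audit Policy baseline from the table with auditpol.exe and reports any
# subcategory that does not match. Run elevated. A GPO that defines audit
# policy replaces these local settings at the next refresh, so use this on
# standalone hosts and labs and put the same values in the GPO otherwise.
#Requires -RunAsAdministrator

# Subcategory -> setting, as listed in the table (full auditpol names).
# Entries the table sets to "No Auditing" are left out (Windows default).
$Baseline = @{
    'Security System Extension'        = 'Success and Failure'
    'System Integrity'                 = 'Success and Failure'
    'IPsec Driver'                     = 'Success and Failure'
    'Other System Events'              = 'Failure'
    'Security State Change'            = 'Success and Failure'
    'Logon'                            = 'Success and Failure'
    'Logoff'                           = 'Success'
    'Account Lockout'                  = 'Success'
    'Special Logon'                    = 'Success and Failure'
    'Other Logon/Logoff Events'        = 'Success and Failure'
    'Network Policy Server'            = 'Success and Failure'
    'File System'                      = 'Success'
    'Registry'                         = 'Success'
    'Kernel Object'                    = 'Success and Failure'
    'Certification Services'           = 'Success and Failure'
    'Application Generated'            = 'Success and Failure'
    'File Share'                       = 'Success and Failure'
    'Filtering Platform Connection'    = 'Success'
    'Detailed File Share'              = 'Success'
    'Sensitive Privilege Use'          = 'Success and Failure'
    'Process Termination'              = 'Success and Failure'
    'RPC Events'                       = 'Success and Failure'
    'Process Creation'                 = 'Success and Failure'
    'Audit Policy Change'              = 'Success and Failure'
    'Authentication Policy Change'     = 'Success and Failure'
    'Authorization Policy Change'      = 'Success and Failure'
    'Filtering Platform Policy Change' = 'Success'
    'User Account Management'          = 'Success and Failure'
    'Computer Account Management'      = 'Success and Failure'
    'Security Group Management'        = 'Success and Failure'
    'Distribution Group Management'    = 'Success and Failure'
    'Application Group Management'     = 'Success and Failure'
    'Other Account Management Events'  = 'Success and Failure'
    'Directory Service Changes'        = 'Success and Failure'
    'Other Account Logon Events'       = 'Success and Failure'
    'Credential Validation'            = 'Success and Failure'
}

function Get-AuditPolicy {
    # /r makes auditpol emit CSV: Machine Name,Policy Target,Subcategory,
    # Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = (& auditpol.exe /get /category:* /r) | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $current = @{}
    foreach ($r in $rows) { $current[$r.Subcategory] = $r.'Inclusion Setting' }
    $current
}

function Set-AuditSubcategory([string]$Name, [string]$Setting) {
    $s = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    & auditpol.exe /set "/subcategory:$Name" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol rejected '$Name'" }
}

function Compare-AuditPolicy([hashtable]$Expected) {
    # One row per subcategory whose live setting differs from $Expected
    $current = Get-AuditPolicy
    foreach ($name in $Expected.Keys) {
        $actual = if ($current.ContainsKey($name)) { $current[$name] } else { '<not reported>' }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

foreach ($name in $Baseline.Keys) { Set-AuditSubcategory -Name $name -Setting $Baseline[$name] }
$drift = @(Compare-AuditPolicy -Expected $Baseline)
if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'Audit policy matches the baseline.' }
```

Compare-AuditPolicy on its own is the useful recurring check: anything it reports after a policy refresh is a GPO fighting your baseline, and a 4719 event (see HARVEST, AUDIT POLICY) from a non-SYSTEM subject is someone changing it by hand.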
CONFIGURE::
1. FILE AUDIT: Select the directories whose file activity you want to monitor.
Right-click directory – Properties – Security – Advanced – Auditing – Edit –
Add – EVERYONE – (Check Names), OK
a. Apply onto – THIS FOLDER ONLY (or what you want; "subfolders and files"
multiplies the event volume)
b. Create files / write data – Successful
c. Create folders / append data – Successful
2. DIRS TO AUDIT:
\ProgramData                      \Windows
\System                           \System32
\System32\drivers                 \System32\Wbem
\Users\XYZ\AppData\Local          \Users\XYZ\AppData\LocalLow
\Users\XYZ\AppData\Roaming        Whatever else you want to audit
3. Apply these audit settings by hand on each system, or script them with
PowerShell or subinacl (warning: subinacl is old and easy to misuse; test on
one host before deploying)
4. WEvtUtil: Use this utility to configure your log settings
a. WevtUtil gl Security – List the settings of the Security log
b. WevtUtil sl Security /ms:<bytes> – Set the maximum log size in bytes
c. WevtUtil sl Security /rt:false – Overwrite events as needed (retention off)
CONFIGURE::
1. REGISTRY AUDIT: Select the registry keys whose changes you want to monitor.
Right-click a key – Permissions – Advanced – Auditing – Add – EVERYONE –
(Check Names), OK
a. Apply onto – THIS KEY ONLY (or what you want)
b. Select 'Set Value', 'Create Subkey', 'Create Link', 'Delete' – Successful
c. Be careful setting auditing to 'This key and subkeys' as this can generate a lot of data
2. KEYS TO AUDIT:
a. HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion
i. Run
ii. RunOnce
b. HKLM\System\CurrentControlSet
i. Services (noisy with subkeys; 'This key only' still catches the subkey a new service creates)
c. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
i. AppInit_DLLs value
d. USB Devices
i. HKLM\System\CurrentControlSet\Enum\USBSTOR – Name of the USB device
ii. HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt – Device details, last write time
3. REG.EXE: Use this utility to query what is in a key or the data in a value
a. Query a key and all its values - Reg query "<Key>"
b. Query one value of a key - Reg query "<Key>" /v <ValueName>
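The FILE AUDIT and REGISTRY AUDIT steps above scripted for the "PowerShell" option mentioned in step 3, as an added example (not code from the cheat sheet). It assumes Windows PowerShell 5.1 on a local host and the directory and key lists from the two sections; the probe function at the end assumes Object Access – File System auditing is already on, as the audit policy table sets it.

```powershell
# Added example, not part of the original cheat sheet: applies the FILE AUDIT
# and REGISTRY AUDIT SACL entries without the GUI, then drops a probe file to
# confirm 4663 events arrive. Windows PowerShell 5.1, run elevated (reading or
# writing a SACL needs SeSecurityPrivilege). Inheritance is left off, which is
# the "This folder only" / "This key only" choice.
#Requires -RunAsAdministrator

function Add-FileAudit {
    param([string]$Path, [string]$Identity = 'Everyone')
    # CreateFiles = "Create files / write data", CreateDirectories = "Create folders / append data"
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, 'CreateFiles, CreateDirectories', 'None', 'None', 'Success')
    # Read and write only the SACL section. Get-Acl | Set-Acl also re-applies
    # the owner, which fails on TrustedInstaller-owned folders such as System32.
    $sec = [System.IO.Directory]::GetAccessControl($Path,
        [System.Security.AccessControl.AccessControlSections]::Audit)
    $sec.AddAuditRule($rule)
    [System.IO.Directory]::SetAccessControl($Path, $sec)
}

function Add-RegistryAudit {
    param([string]$Path, [string]$Identity = 'Everyone')
    # 'Set Value', 'Create Subkey', 'Create Link', 'Delete' - Successful
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity, 'SetValue, CreateSubKey, CreateLink, Delete', 'None', 'None', 'Success')
    $acl = Get-Acl -Path $Path -Audit   # -Audit loads the SACL, not only the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# DIRS TO AUDIT, resolved on this host
$SystemDirs = @(
    $env:ProgramData, $env:windir, "$env:windir\System", "$env:windir\System32",
    "$env:windir\System32\drivers", "$env:windir\System32\Wbem"
)
# \Users\XYZ\AppData\{Local,LocalLow,Roaming} for every profile present
$ProfileDirs = Get-ChildItem "$env:SystemDrive\Users" -Directory | ForEach-Object {
    "$($_.FullName)\AppData\Local"; "$($_.FullName)\AppData\LocalLow"; "$($_.FullName)\AppData\Roaming"
}
foreach ($d in (($SystemDirs + $ProfileDirs) | Where-Object { Test-Path $_ })) { Add-FileAudit -Path $d }

# KEYS TO AUDIT (HKCU covers only the user running the script)
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs lives here
    'HKLM:\SYSTEM\CurrentControlSet\Services',                      # key only: a new service = a new subkey
    'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt'
)
foreach ($k in ($Keys | Where-Object { Test-Path $_ })) { Add-RegistryAudit -Path $k }

function Test-FileAudit([string]$Dir) {
    # Drop a file in an audited folder and look for the matching 4663
    # (Accesses: WriteData (or AddFile)); needs Object Access - File System = Success
    $probe = Join-Path $Dir ('audit-probe-{0}.txt' -f (Get-Random))
    Set-Content -Path $probe -Value 'probe'
    Remove-Item -Path $probe
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
        Where-Object { $_.Message -match [regex]::Escape($Dir) -and $_.Message -match 'WriteData' } |
        Select-Object TimeCreated, Id,
            @{ n = 'ObjectName'; e = { if ($_.Message -match 'Object Name:\s*(.+)') { $Matches[1].Trim() } } }
}
Test-FileAudit -Dir $env:ProgramData
```

Add-FileAudit and Add-RegistryAudit append to the existing SACL rather than replacing it, so running the script twice leaves duplicate ACEs; check `(Get-Acl $path -Audit).Audit` first if you rerun it.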
GATHER::
1. AUDITPOL: Use this utility to view your current audit settings
a. List all policy categories: AuditPol /list /category:*
b. List what is SET: AuditPol /get /category:*
c. List what is SET for a subcategory:
AuditPol /get /subcategory:"<Subcategory>"
2. Reg.exe: Use this utility to query the registry (HKCU is the current user's
hive only; other users' hives are under HKU\<SID>)
a. Changes to AppInit_DLLs - reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
b. Changes to Services keys - reg query "HKLM\System\CurrentControlSet\Services"
c. Changes to Machine Run key - reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
d. Changes to Machine RunOnce key - reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
e. Changes to User Run key - reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
f. Changes to User RunOnce key - reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
3. SC.exe: Use this utility to query the services (sc /? for help)
a. List all services in any state – sc.exe query state= all (note the space after the = sign)
b. Look for a specific service – sc.exe query state= all | find /I "telnet"
c. After finding the DISPLAY_NAME, look at the SERVICE_NAME to get the short name
GATHER::
1. WEvtUtil: Use this utility to query your logs
a. WevtUtil qe Security – query the Security log for events
i. Lots of flags here, so read the help: WevtUtil qe -?
ii. /c:5 = read 5 events
iii. /rd:true = newest events first
iv. /f:text = format as text; XML is also available
v. /q:"<XPath>" = filter, e.g. /q:"*[System[(EventID=4624 or EventID=4625)]]"
b. Success & failed logons (4624, 4625) - WevtUtil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /c:50 /rd:true /f:text > <outfile>
c. User account change (4738) - WevtUtil qe Security /q:"*[System[(EventID=4738)]]" /c:50 /rd:true /f:text > <outfile>
d. New service installed (4697 in the Security log; the System log equivalent is 7045, see HARVEST) - WevtUtil qe Security /q:"*[System[(EventID=4697)]]" /c:50 /rd:true /f:text > <outfile>
e. User account changes - wevtutil qe Security /q:"*[System[(EventID=4724 or EventID=4726 or EventID=4767)]]" /c:50 /rd:true /f:text
2. Filtering log results: pipe the text output through find to keep only the lines you want
a. Registry changed – find entries with 'Object Name' - WevtUtil qe Security /q:"*[System[(EventID=4657)]]" /c:50 /rd:true /f:text | find /i "Object Name"
b. File or registry changed – find entries with 'Object Name' - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text | find /i "Object Name"
c. Files – find new files under 'Wbem' - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text | find /i "Wbem"
HARVEST::
1. SERVICES: Found in the SYSTEM log (source Service Control Manager)
a. 7045 – A service was installed in the system.
b. 7040 – The start type of the XYZ service was changed from auto start to disabled.
c. 7000 – The XYZ service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
d. 7022 – The XYZ service hung on starting.
e. 7024 – The XYZ service terminated with service-specific error %%2414.
f. 7031 – The XYZ service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
g. 7034 – The XYZ service terminated unexpectedly. It has done this 1 time(s).
h. 7035 – Service sent a request to Stop or Start
i. 7036 – Service was Started or Stopped
HARVEST::
1. LOG CLEAR: Watch for log clear messages
a. 104 – SYSTEM log – The Application or System log was cleared
b. 1102 – SECURITY log – The audit log was cleared
2. TASKS: Watch for new scheduled tasks, a common persistence method
a. 4698 – SECURITY log – A scheduled task was created (requires Object Access –
Other Object Access Events set to Success, which the policy table above leaves off)
3. DRIVER: Watch for an issue with a driver
a. 40 – Issue with driver
4. OS VERSION: What OS do machines have
a. 6009 – SYSTEM log, written at every boot – Lists OS version, Service Pack and processor type
HARVEST::
1. PROCESSES: Watch for a process to start and call other processes
a. 4688 – SECURITY log – A new process has been created. New Process Name is the
child; match Creator Process ID against the New Process ID of earlier events to
link what launched what (PIDs are reused, so only link within a short window)
2. INSTALLER: Watch for Windows Installer activity (APPLICATION log, source MsiInstaller)
a. 1022 – Windows Installer updated the product
b. 1033 – Windows Installer installed the product
c. 1034 – Windows Installer removed the product
3. WINDOWS UPDATE: Watch for Windows Update Agent activity (SYSTEM log)
a. 18 = Ready, 19 = Installed, 20 = Failure
4. WINDOWS TIME: Watch for Windows Time service synchronization. Make sure the
time sources are what they are supposed to be; a wrong source skews every
timestamp you correlate.
a. 35 – Time Service sync status and source (SYSTEM log, source W32Time)
5. APPLICATION ERROR: Watch for application crashes
a. 1000 – (APPLICATION log) Application fault
HARVEST::
1. ACCOUNTS: Monitor for attempts to change accounts and account passwords
a. 4724 – An attempt was made to reset an account's password (a reset by
someone else; a user changing their own password is 4723)
b. 4735 – A security-enabled local group was changed
c. 4738 – A user account was changed (password changes show as a new
Password Last Set value)
HARVEST::
1. APPLOCKER: Watch for AppLocker events (8000-8027, in the
Microsoft-Windows-AppLocker/EXE and DLL log)
a. 8004 – File was prevented from running (8003 is the same hit in audit-only mode)
2. SRP: Watch for Software Restriction Policy events (APPLICATION log)
a. 865 – Access to <file> has been restricted by software restriction policy
HARVEST::
1. AUDIT POLICY: Watch for changes to the audit policy where the Subject is
NOT "SYSTEM" (Group Policy refresh runs as SYSTEM; a user doing it is not normal)
a. 4719 – System audit policy was changed
HARVEST::
1. NEW FILE ADDED: Watch for the creation of new files. Requires file auditing
of the directory(s) you want to monitor (see FILE AUDIT) and Object Access –
File System set to Success
a. 4663 – An attempt was made to access an object; Accesses: WriteData (or AddFile)
b. GREAT for catching CryptoLocker & malware drops in ProgramData and AppData
HARVEST::
1. REGISTRY: Watch for the creation or modification of registry keys and values
(requires the REGISTRY AUDIT SACLs above and Object Access – Registry set to Success)
a. 4657 – A registry value was modified (old and new value are in the event);
key-level access such as creating a subkey appears as 4663 with Object Type: Key
i. HKLM, HKCU & HKU – Software\Microsoft\Windows\CurrentVersion
1. Run, RunOnce
ii. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
1. Watch AppInit_DLLs
iii. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
1. Watch connection time of USB devices
iv. HKLM\System\CurrentControlSet\Services
1. Watch for NEW services
v. HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
1. Watch for NEW USB devices
HARVEST::
1. FIREWALL: Windows Filtering Platform - Watch for inbound and outbound
connections. Requires the Windows Firewall service to be running and Object
Access – Filtering Platform Connection set to Success
a. This is the noisiest of all events, easily generating 9,000 - 10,000 events
per hour per system
b. Storage is required to utilize this event; drop loopback and known-good
destinations at the collector if you cannot afford all of it
c. 5156 – The Windows Filtering Platform has permitted a connection. Look for:
i. Direction:, Source Address:, Source Port:, Destination Address: &
Destination Port:
HARVEST::
1. REGISTRY: Monitor specific keys for adds, changes and deletes. Setting
auditing on the specific keys is required.
a. 4657 – A registry value was modified
HARVEST::
1. EMAIL / VPN: Monitor for failed and successful logins to your VPN and
webmail application. Consider emailing the user if a login comes from a new
IP that is not in your exclude list
a. sc_status=401 (the IIS W3C sc-status field) – Failed OWA login
b. " – Cisco VPN login message
HARVEST::
1. LOGON TYPE: Monitor what type of logons occur
a. 4624 – An account was successfully logged on.
i. Type 2 – Interactive – console/GUI logon
ii. Type 3 – Network – SMB/net use, file shares, WMI, PsExec
iii. Type 4 – Batch – scheduled tasks
iv. Type 5 – Service – service start
v. Type 7 – Unlock – workstation unlock
vi. Type 8 – NetworkCleartext – password sent in the clear (e.g. IIS basic auth)
vii. Type 9 – NewCredentials – runas /netonly (RDP itself is Type 10)
viii. Type 10 – RemoteInteractive – RDP/Terminal Services
ix. Type 11 – CachedInteractive – domain logon with cached credentials (laptops off the network)
b. 4625 – An account failed to log on. Status/Sub Status give the reason (bad
password vs. unknown user); group by Source Network Address to spot brute force.
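The three HARVEST items that need parsing rather than just collecting (4624 logon types, 4625 failures, and linking 4688 events through Creator Process ID), worked through in one added example that also replaces the GATHER "WevtUtil qe" queries with Get-WinEvent. This is not code from the cheat sheet. It runs offline against constructed sample events (the account names, hosts, IPs and PIDs are made up) and, on a live host, against the Security log.

```powershell
# Added example, not part of the original cheat sheet. Decodes Security events
# 4624/4625 (logon type, account, source) and 4688 (child -> creator process)
# from either the live Security log or the constructed sample events below.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}

function ConvertFrom-EventXml {
    # Flattens <EventData><Data Name="X">value</Data>... into a hashtable. This
    # is the XML that "wevtutil qe /f:xml" and EventLogRecord.ToXml() produce.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Xml)
    process {
        $x = [xml]$Xml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # classic events carry a Qualifiers attribute
        $data = @{}
        foreach ($n in $x.Event.EventData.Data) { $data[$n.GetAttribute('Name')] = $n.'#text' }
        [pscustomobject]@{ Id = [int]$id; Time = $x.Event.System.TimeCreated.SystemTime; Data = $data }
    }
}

function Get-SecurityEventXml([int[]]$Id, [int]$Max = 1000) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $Max |
        ForEach-Object { $_.ToXml() }
}

function Get-LogonSummary($Events) {
    foreach ($e in ($Events | Where-Object { $_.Id -in 4624, 4625 })) {
        $d = $e.Data
        [pscustomobject]@{
            Time      = $e.Time
            Result    = $(if ($e.Id -eq 4624) { 'Success' } else { 'Failure' })
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Type      = "$($d.LogonType) $($LogonTypeName[[int]$d.LogonType])"
            Source    = $d.IpAddress
            Host      = $d.WorkstationName
            SubStatus = $d.SubStatus          # 0xC000006A = bad password, 0xC0000064 = no such user
        }
    }
}

function Get-FailedLogonBurst($Events, [int]$Threshold = 5) {
    # Brute-force view: many 4625s from one source address
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object { $_.Data.IpAddress } |
        Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            [pscustomobject]@{ Source = $_.Name; Failures = $_.Count
                Accounts = ($_.Group | ForEach-Object { $_.Data.TargetUserName } | Sort-Object -Unique) -join ',' }
        }
}

function Get-ProcessChain($Events) {
    # 4688: NewProcessId/NewProcessName is the child, ProcessId is the
    # "Creator Process ID". PIDs get reused, so only link inside one batch.
    $procs = @($Events | Where-Object { $_.Id -eq 4688 })
    $nameByPid = @{}
    foreach ($p in $procs) { $nameByPid[$p.Data.NewProcessId] = $p.Data.NewProcessName }
    foreach ($p in $procs) {
        $creator = $p.Data.ProcessId
        $parent = if ($nameByPid.ContainsKey($creator)) { $nameByPid[$creator] }
                  elseif ($p.Data.ParentProcessName) { $p.Data.ParentProcessName }   # Windows 10/2016+ include it
                  else { "<creator $creator not in batch>" }
        [pscustomobject]@{ Time = $p.Time; User = $p.Data.SubjectUserName; Parent = $parent; Child = $p.Data.NewProcessName }
    }
}

# --- constructed sample events (not real log data) ---
function New-SampleEventXml([int]$Id, [string]$Time, [hashtable]$Data) {
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='$Time'/></System><EventData>$fields</EventData></Event>"
}
$Sample = @(
    New-SampleEventXml 4624 '2019-05-25T10:01:00Z' @{ TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; LogonType = '2'; IpAddress = '-'; WorkstationName = 'WS-A1B2C3' }
    New-SampleEventXml 4624 '2019-05-25T10:02:00Z' @{ TargetUserName = 'svc_backup'; TargetDomainName = 'CORP'; LogonType = '10'; IpAddress = '203.0.113.5'; WorkstationName = 'UNKNOWN-PC' }
    New-SampleEventXml 4688 '2019-05-25T10:03:00Z' @{ SubjectUserName = 'jdoe'; NewProcessId = '0x1a2c'; NewProcessName = 'C:\Windows\System32\cmd.exe'; ProcessId = '0x4f0' }
    New-SampleEventXml 4688 '2019-05-25T10:03:05Z' @{ SubjectUserName = 'jdoe'; NewProcessId = '0x2b10'; NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ProcessId = '0x1a2c' }
)
$Sample += 1..6 | ForEach-Object {
    New-SampleEventXml 4625 "2019-05-25T10:04:0$($_ - 1)Z" @{ TargetUserName = "admin$_"; TargetDomainName = 'CORP'; LogonType = '3'; IpAddress = '198.51.100.7'; WorkstationName = '-'; SubStatus = '0xC0000064' }
}

$events = $Sample | ConvertFrom-EventXml
# Live use: $events = Get-SecurityEventXml -Id 4624, 4625, 4688 | ConvertFrom-EventXml
Get-LogonSummary $events | Format-Table -AutoSize
Get-FailedLogonBurst $events | Format-Table -AutoSize
Get-ProcessChain $events | Format-Table -AutoSize
```

Get-ProcessChain resolves the creator only from events in the same batch, which is deliberate: a PID seen an hour earlier may belong to a different process by now, so a SIEM rule doing the same join should bound it by time as well as by PID.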
HARVEST::
1. SYSTEM INTEGRITY: Watch for image files whose page hashes fail verification
(Code Integrity; requires System – System Integrity auditing, set above)
a. 6281 – Failed – "Code Integrity determined that the page hashes of an image
file are not valid"