windows_wiki:logging_cheat_sheet

windows_wiki:logging_cheat_sheet [2015/03/09 23:46]
billdozor
windows_wiki:logging_cheat_sheet [2019/05/25 23:50]
====== Logging Cheat Sheet ======

**General Information**

Source PDF: http://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf

**Checklist**

Transcribed from the Windows Logging Cheat Sheet dated February 20, 2014 (Win 7 / Win 2008 or later).

This "Windows Logging Cheat Sheet" is intended to help you get started setting up basic and necessary Windows audit policy and logging. By no means is this list extensive, but it does include some very common items that should be enabled, configured, gathered and harvested for any log management program. Start with these settings and add to them as you understand better what is in your logs and what you need.

===== Definitions =====

  * **ENABLE**: Things you must do to enable logging so that events start being collected and kept.
  * **CONFIGURE**: Configuration that is needed to refine which events you will collect.
  * **GATHER**: Tools/utilities you can use locally on the system to set or gather log-related information (AuditPol, WEvtUtil, Find, etc.).
  * **HARVEST**: Events you would want to harvest into a centralized event log management solution such as syslog, a SIEM, Splunk, etc.
  * **RESOURCES**: Places to get information on Event IDs:
    * www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx - better descriptions of Event IDs
    * www.EventID.Net - most of the Event IDs
    * Google! - but of course
    * IIS Error Codes - http://support.microsoft.com/kb/318380
    * http://cryptome.org/2014/01/nsa-windows-event.pdf - good article
    * http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx - MS Advanced Security Audit Policy descriptions

===== Enable =====

  - **LOCAL LOG SIZE**: Increase the size of your local logs. Don't worry, you have plenty of disk space; CPU is not an issue.
    - Application, Security & System to 32k or larger
    - PowerShell logs too
    - Whatever else you want as well
  - **LOCAL SECURITY POLICY**: Under Security Options, change "Audit: Force audit policy subcategory settings" to ENABLED. This forces the system to use the "Advanced Audit Policies".
  - **GROUP POLICY**: All settings mentioned should be set with Active Directory Group Policy in order to enforce them enterprise-wide. There are cases where the Local Security Policy would be used instead.
  - **DNS LOGS**: Enable DNS logging to capture which DNS queries are happening: ''systemroot\System32\Dns\Dns.log''
    - EventID =
  - **DHCP LOGS**: Add your DHCP logs (''%windir%\System32\Dhcp''). This lets you detect rogue systems on your network that fall outside your naming convention.
    - EventID = 10 - New IP address was leased

===== Configure =====

Windows Audit Policy settings may be set by the Local Security Policy, Group Policy (preferred) or from the command line using ''AuditPol.exe''.

==== System Audit Policies ====

In order to capture what you want and need, the following Advanced Audit Policies must be set. You may expand these to your specific needs, but here is a place to start.

List out the system audit policy:
<code>
AuditPol /get /category:*
</code>

To set an item:
<code>
Auditpol /set /category:"Account Management" /success:enable /failure:enable
</code>

^ Category ^ Subcategory ^ Setting ^
| System | Security System Extension | Success and Failure |
| System | System Integrity | Success and Failure |
| System | IPsec Driver | Success and Failure |
| System | Other System Events | Failure |
| System | Security State Change | Success and Failure |
| Logon/Logoff | Logon | Success and Failure |
| Logon/Logoff | Logoff | Success |
| Logon/Logoff | Account Lockout | Success |
| Logon/Logoff | IPsec Main Mode | No Auditing |
| Logon/Logoff | IPsec Quick Mode | No Auditing |
| Logon/Logoff | IPsec Extended Mode | No Auditing |
| Logon/Logoff | Special Logon | Success and Failure |
| Logon/Logoff | Other Logon/Logoff Events | Success and Failure |
| Logon/Logoff | Network Policy Server | Success and Failure |
| Object Access | File System | Success |
| Object Access | Registry | Success |
| Object Access | Kernel Object | Success and Failure |
| Object Access | SAM | No Auditing |
| Object Access | Certification Services | Success and Failure |
| Object Access | Application Generated | Success and Failure |
| Object Access | Handle Manipulation | No Auditing |
| Object Access | File Share | Success and Failure |
| Object Access | Filtering Platform Packet Drop | No Auditing |
| Object Access | Filtering Platform Connection | Success (Win FW) |
| Object Access | Other Object Access Events | No Auditing |
| Object Access | Detailed File Share | Success |
| Privilege Use | Sensitive Privilege Use | Success and Failure |
| Privilege Use | Non Sensitive Privilege Use | No Auditing |
| Privilege Use | Other Privilege Use Events | No Auditing |
| Detailed Tracking | Process Termination | Success and Failure |
| Detailed Tracking | DPAPI Activity | No Auditing |
| Detailed Tracking | RPC Events | Success and Failure |
| Detailed Tracking | Process Creation | Success and Failure |
| Policy Change | Audit Policy Change | Success and Failure |
| Policy Change | Authentication Policy Change | Success and Failure |
| Policy Change | Authorization Policy Change | Success and Failure |
| Policy Change | MPSSVC Rule-Level Policy Change | No Auditing |
| Policy Change | Filtering Platform Policy Change | Success (Win FW) |
| Policy Change | Other Policy Change Events | No Auditing |
| Account Management | User Account Management | Success and Failure |
| Account Management | Computer Account Management | Success and Failure |
| Account Management | Security Group Management | Success and Failure |
| Account Management | Distribution Group Management | Success and Failure |
| Account Management | Application Group Management | Success and Failure |
| Account Management | Other Account Management Events | Success and Failure |
| DS Access | Directory Service Changes | Success and Failure |
| DS Access | Directory Service Replication | No Auditing |
| DS Access | Detailed Directory Service Replication | No Auditing |
| DS Access | Directory Service Access | No Auditing |
| Account Logon | Kerberos Service Ticket Operations | No Auditing |
| Account Logon | Other Account Logon Events | Success and Failure |
| Account Logon | Kerberos Authentication Service | No Auditing |
| Account Logon | Credential Validation | Success and Failure |

==== File Audit ====

  - **FILE AUDIT**: Select the directories whose file activity you want to monitor. Right-click the directory - Properties - Security - Advanced - Auditing - Edit - Add - EVERYONE - (Check Names) - OK.
    - Apply onto: THIS FOLDER ONLY (or whatever you want)
    - Create files / write data: Successful
    - Create folders / append data: Successful
  - **DIRS TO AUDIT**:
    * \ProgramData
    * \Windows
    * \System
    * \System32
    * \System32\drivers
    * \System32\Wbem
    * \Users\XYZ\AppData\Local
    * \Users\XYZ\AppData\LocalLow
    * \Users\XYZ\AppData\Roaming
    * Whatever else you want to audit
  - Applying these audit settings is a manual, per-system task, or you can script it with PowerShell or SubInACL (use with care).
  - **WEvtUtil**: Use this utility to configure your log settings.
    - ''WevtUtil gl Security'' - list the settings of the Security log
    - ''WevtUtil sl Security /ms:512000000'' - set the Security log size to the given number of bytes
    - ''WevtUtil sl Security /rt:false'' - overwrite as needed

==== Registry Audit ====

  - **REGISTRY AUDIT**: Select the registry keys whose changes you want to monitor. Right-click a key - Permissions - Advanced - Auditing - Add - EVERYONE - (Check Names) - OK.
    - Apply onto: THIS KEY ONLY (or whatever you want)
    - Select 'Set Value', 'Create Subkey', 'Create Link', 'Delete', 'Write DAC' & 'Write Owner' to start
    - Be careful setting auditing to 'Keys and subkeys', as this can generate a lot of data
  - **KEYS TO AUDIT**:
    - HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion
      - Run
      - RunOnce
    - HKLM\System\CurrentControlSet
      - Services (noisy)
    - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
      - AppInit_Dlls value
    - USB Devices
      - HKLM\System\CurrentControlSet\ENUM\USBSTOR - name of the USB device
      - HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt - device details, last write
  - **REG.EXE**: Use this utility to query what is in a key, or the data within a key or value.
    - Query a key and all its values: ''Reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"''
    - Query one value of a key: ''Reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v malware''

===== Gather =====

==== AuditPol ====

Use this utility to view your current audit settings.
  * List all policy categories: ''AuditPol /List /Subcategory:*''
  * List what is SET: ''AuditPol /get /category:*''
  * List what is SET for one category: ''AuditPol /get /category:"Object Access"''

==== Reg.exe ====

Use this utility to query the registry.
  * Changes to AppInit_Dlls: ''reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_Dlls''
  * Changes to Services keys: ''reg query "HKLM\System\CurrentControlSet\Services"''
  * Changes to the machine Run key: ''reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"''
  * Changes to the machine RunOnce key: ''reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"''
  * Changes to the user Run key: ''reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"''
  * Changes to the user RunOnce key: ''reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"''

==== SC.exe ====

Use this utility to query the services (''sc /?'' for help).
  * List all services in any state: ''sc.exe query state= all'' (note the space after the = sign)
  * Look for a specific service: ''sc.exe query state= all | find /I "telnet"''
  * After finding the 'Display_Name', look for the 'Service_Name' to get the short name

==== WEvtUtil ====

Use this utility to query your logs.
  * ''WevtUtil qe Security'' - query the Security log for events
    * Lots of flags here, so read the help: ''WevtUtil -?''
    * ''/c:5'' = read 5 events
    * ''/rd:true'' = newest events first
    * ''/f:text'' = text format; XML is also available
  * Successful & failed logons:
<code>
WevtUtil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /c:5 /rd:true /f:text >Parsed\%computername%_Logon_Events_Win7.log
</code>
  * User account change:
<code>
WevtUtil qe Security /q:"*[System[(EventID=4738)]]" /c:5 /rd:true /f:text >Parsed\R_%computername%_User_Account_Change_Win7.log
</code>
  * New service installed:
<code>
WevtUtil qe Security /q:"*[System[(EventID=7045)]]" /c:5 /rd:true /f:text >Parsed\R_%computername%_New_Service_Installed_Win7.log
</code>
  * User account changes:
<code>
wevtutil qe Security /q:"*[System[(EventID=4725 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4726 or EventID=4767)]]" /c:10 /f:text
</code>

==== Filtering Log Results ====

Use this method to filter lines within the query output.
  * Registry changed - find entries with 'Object Name':
<code>
WevtUtil qe Security /q:"*[System[(EventID=4657)]]" /c:5 /rd:true /f:text | find /i "Object Name"
</code>
  * File or registry changed - find entries with 'Object Name':
<code>
WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text | find /i "Object Name"
</code>
  * Files - find new files under 'Wbem':
<code>
WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text | find /i "wbem"
</code>

===== Harvest =====

==== Services (SYSTEM log) ====

  * 7045 - A service was installed in the system.
  * 7040 - The start type of the XYZ service was changed from auto start to disabled.
  * 7000 - The XYZ service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
  * 7022 - The XYZ service hung on starting.
  * 7024 - The XYZ service terminated with service-specific error <nowiki>%%2414</nowiki>.
  * 7031 - The XYZ service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
  * 7034 - The XYZ service terminated unexpectedly. It has done this 1 time(s).
  * 7035 - Service sent a request to Stop or Start
  * 7036 - Service was Started or Stopped

==== Log Clear, Tasks, Drivers, OS Version ====

  - **LOG CLEAR**: Watch for log clear messages.
    - 104 - SYSTEM log - The Application or System log was cleared
    - 1102 - SECURITY log - The audit log was cleared
  - **TASKS**: Watch for a process to start and call other processes.
    - 4698 - SECURITY log - New task created
  - **DRIVER**: Watch for an issue with a driver.
    - 40 - Issue with driver
  - **OS VERSION**: What OS do machines have?
    - 6009 - Lists OS version, service pack and processor type

==== Processes, Installer, Update, Time, Application Errors ====

  - **PROCESSES**: Watch for a process to start and call other processes.
    - 4688 - SECURITY log - New Process Name; look at the Creator Process ID to link which process launched what
  - **INSTALLER**: Watch for Windows Installer activity.
    - 1022 - Windows Installer updated the product
    - 1033 - Windows Installer installed the product
    - 1034 - Windows Installer removed the product
  - **WINDOWS UPDATE**: Watch for Windows Update Agent activity.
    - 18 = Ready, 19 = Installed, 20 = Failure
  - **WINDOWS TIME**: Watch for Windows Time service synchronization. Make sure your sources are what they are supposed to be.
    - 35 - Time Service sync status and source
  - **APPLICATION ERROR**: Watch for application crashes.
    - 1000 - (Application log) Application fault

==== Accounts ====

  - **ACCOUNTS**: Monitor for attempts to change an account password.
    - 4724 - An attempt was made to reset an account's password
    - 4735 - Local group changed
    - 4738 - User account password changed

==== AppLocker and SRP ====

  - **APPLOCKER**: Watch for AppLocker events (8000-8027).
    - 8004 - Filename not allowed to run
  - **SRP**: Watch for Software Restriction Policy triggers.
    - 865 - Access to <filename> has been restricted

==== Audit Policy ====

  - **AUDIT POLICY**: Watch for changes to the audit policy that are NOT made by "SYSTEM".
    - 4719 - System audit policy was changed

==== New File Added ====

  - **NEW FILE ADDED**: Watch for the creation of new files. Requires file auditing on the directory(s) you want to monitor.
    - 4663 - Accesses: WriteData (or AddFile)
    - GREAT for CryptoLocker & malware drops

==== Registry ====

  - **REGISTRY**: Watch for the creation or modification of registry keys and values.
    - 4657 - Accesses: WriteData (or AddFile)
      - HKLM, HKCU & HKU - Software\Microsoft\Windows\CurrentVersion
        - Run, RunOnce
      - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
        - Watch AppInit_Dlls
      - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
        - Watch connection time of USB devices
      - HKLM\System\CurrentControlSet\Services
        - Watch for NEW services
      - HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
        - Watch for NEW USB devices
  - **REGISTRY**: Monitor certain keys for adds, changes and deletes. Setting auditing on the specific keys is required.
    - 4657 - A registry value was modified

==== Firewall ====

  - **FIREWALL**: Windows Filtering Platform - watch for inbound and outbound connections. Requires Windows Firewall to be enabled.
    - This is the noisiest of all events, easily generating 9,000 - 10,000 events per hour per system
    - Storage is required to make use of this event
    - 5156 - The Windows Filtering Platform has permitted a connection. Look for:
      - Direction:, Source Address:, Source Port:, Destination Address: & Destination Port:

==== Email / VPN ====

  - **EMAIL / VPN**: Monitor for failed and successful logins to your VPN and webmail application. Consider emailing the user if a login comes from a new IP not in your exclude list.
    - ''sc_status=401'' - Failed OWA login
    - ''"reason = Invalid password"'' - Failed VPN login (Cisco)

==== Logon Type ====

  - **LOGON TYPE**: Monitor which types of logons occur.
    - 4624 - An account was successfully logged on.
      - Type 2 - Interactive - GUI
      - Type 3 - Network - Net Use
      - Type 4 - Batch
      - Type 5 - Service
      - Type 7 - Unlock
      - Type 8 - Network Clear Text
      - Type 9 - New Credentials (RDP tools)
      - Type 10 - Remote Interactive (RDP)
      - Type 11 - Cached Interactive (laptops)
    - 4625 - An account failed to log on.

==== System Integrity ====

  - **SYSTEM INTEGRITY**: Watch for image files with bad page hashes.
    - 6281 - Failed - "page hashes of an image file are not valid"
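The Configure section lists audit subcategories and shows one ''auditpol /set'' call by hand. The following PowerShell, added here as an example and not part of the cheat sheet or this wiki's original content, applies the table's "Success and Failure", "Success"-only and "Failure"-only rows with auditpol.exe and then reads each one back to confirm it took. It assumes an elevated prompt and relies on auditpol's documented ''/r'' switch, which emits CSV with an "Inclusion Setting" column.

```powershell
# Added example (not from the cheat sheet): apply the subcategories from the audit policy
# table with auditpol.exe, then verify by parsing auditpol's CSV (/r) output.
# Assumes an elevated prompt; subcategory names are the ones Windows uses.

$SuccessAndFailure = @(
    'Security System Extension', 'System Integrity', 'IPsec Driver', 'Security State Change',
    'Logon', 'Special Logon', 'Other Logon/Logoff Events', 'Network Policy Server',
    'Kernel Object', 'Certification Services', 'Application Generated', 'File Share',
    'Sensitive Privilege Use',
    'Process Termination', 'RPC Events', 'Process Creation',
    'Audit Policy Change', 'Authentication Policy Change', 'Authorization Policy Change',
    'User Account Management', 'Computer Account Management', 'Security Group Management',
    'Distribution Group Management', 'Application Group Management', 'Other Account Management Events',
    'Directory Service Changes', 'Other Account Logon Events', 'Credential Validation'
)
$SuccessOnly = @('Logoff', 'Account Lockout', 'File System', 'Registry', 'Detailed File Share',
                 'Filtering Platform Connection', 'Filtering Platform Policy Change')
$FailureOnly = @('Other System Events')

function Set-AuditSubcategory {
    param([string]$Name, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$Name" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$Name'" }
}

function Get-AuditSubcategory {
    param([string]$Name)
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = & auditpol.exe /get /subcategory:"$Name" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    [pscustomobject]@{ Subcategory = $Name; Setting = $csv.'Inclusion Setting' }
}

foreach ($n in $SuccessAndFailure) { Set-AuditSubcategory -Name $n -Success $true  -Failure $true  }
foreach ($n in $SuccessOnly)       { Set-AuditSubcategory -Name $n -Success $true  -Failure $false }
foreach ($n in $FailureOnly)       { Set-AuditSubcategory -Name $n -Success $false -Failure $true  }

# Verify: list every subcategory whose effective setting is not what the table asks for
$mismatch = @()
foreach ($n in $SuccessAndFailure) {
    $r = Get-AuditSubcategory -Name $n
    if ($r.Setting -ne 'Success and Failure') { $mismatch += $r }
}
foreach ($n in $SuccessOnly) {
    $r = Get-AuditSubcategory -Name $n
    if ($r.Setting -ne 'Success') { $mismatch += $r }
}
foreach ($n in $FailureOnly) {
    $r = Get-AuditSubcategory -Name $n
    if ($r.Setting -ne 'Failure') { $mismatch += $r }
}
if ($mismatch.Count -eq 0) { 'All subcategories match the table.' }
else { $mismatch | Format-Table -AutoSize }
```

Run this as a one-off on a test system before pushing the same settings through Group Policy; a subcategory that reads back differently from what you set is usually a sign that a GPO or the "Force audit policy subcategory settings" option is overriding the local policy.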
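The File Audit and Registry Audit sections walk through the GUI and note that PowerShell can do the same job. This added example (not from the cheat sheet or the wiki) sets the Successful "Create files / write data" and "Create folders / append data" audit entries for EVERYONE on the listed directories, and the "Set Value / Create Subkey / Create Link / Delete / Write DAC / Write Owner" entries on the Run, RunOnce and AppInit_Dlls keys, through the .NET audit-rule classes that Get-Acl and Set-Acl accept. It assumes an elevated prompt (writing a SACL needs SeSecurityPrivilege); the ''\Users\XYZ'' profile paths are left out because XYZ is a placeholder.

```powershell
# Added example (not from the cheat sheet): set Success audit entries (SACL) for Everyone on
# the cheat sheet's directories and registry keys, "this folder/key only" (no inheritance).
# Assumes an elevated prompt.

$dirs = @(
    "$env:SystemDrive\ProgramData",
    "$env:windir",
    "$env:windir\System32",
    "$env:windir\System32\drivers",
    "$env:windir\System32\Wbem"
)
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Add-DirectoryAudit {
    param([string]$Path)
    # "Create files / write data" + "Create folders / append data", Successful, THIS FOLDER ONLY
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit        # -Audit is required to read and later write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryAudit {
    param([string]$Path)
    # Set Value, Create Subkey, Create Link, Delete, Write DAC, Write Owner; Successful; THIS KEY ONLY
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($d in $dirs) { if (Test-Path $d) { Add-DirectoryAudit -Path $d } else { Write-Warning "missing: $d" } }
foreach ($k in $keys) { if (Test-Path $k) { Add-RegistryAudit  -Path $k } else { Write-Warning "missing: $k" } }

# Read one SACL back to confirm the entry landed
(Get-Acl -Path $dirs[0] -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Keeping the inheritance flags at None is what the cheat sheet's "THIS FOLDER ONLY" / "THIS KEY ONLY" advice translates to; switching them to "ContainerInherit, ObjectInherit" (or auditing "Keys and subkeys") is the setting the sheet warns can flood the Security log.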
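The Enable section says DHCP lease events (ID 10) let you spot systems that fall outside your naming convention. As an added example that is not part of the cheat sheet or the wiki, the PowerShell below parses the DHCP server audit log's CSV rows and reports new leases whose host name does not match a site pattern. The log lines are constructed samples in the layout the DHCP server writes (ID,Date,Time,Description,IP Address,Host Name,MAC Address), and the naming-convention regex is an assumption to adjust per site.

```powershell
# Added example (not from the cheat sheet): flag DHCP ID 10 (new lease) rows whose host
# name does not match the naming convention. Sample rows are constructed; the real files
# live under %windir%\System32\Dhcp as DhcpSrvLog-<Day>.log.

$NamingConvention = '^(WS|LT|SRV)-[A-Z0-9]{4,}(\.corp\.example)?$'   # assumed site pattern

# Constructed sample in the DHCP audit log's CSV layout
$sample = @'
10,03/09/15,23:40:12,Assign,10.0.0.25,WS-1234.corp.example,00AABBCCDDEE
11,03/09/15,23:41:02,Renew,10.0.0.26,LT-7781.corp.example,00AABBCCDD01
10,03/09/15,23:44:55,Assign,10.0.0.27,android-9f3a2c,0011223344AA
10,03/09/15,23:46:30,Assign,10.0.0.28,raspberrypi,B827EB112233
'@

function Get-DhcpNewLeases {
    param([string[]]$Lines)
    $header = 'ID', 'Date', 'Time', 'Description', 'IPAddress', 'HostName', 'MACAddress'
    # The real file starts with a banner and a header row; keep only rows that begin with a numeric ID
    $Lines | Where-Object { $_ -match '^\d+,' } |
        ConvertFrom-Csv -Header $header |
        Where-Object { $_.ID -eq '10' }
}

function Find-RogueLeases {
    param([string[]]$Lines, [string]$Pattern)
    # -notmatch is case-insensitive in PowerShell, so WS-1234 and ws-1234 both pass
    Get-DhcpNewLeases -Lines $Lines | Where-Object { $_.HostName -notmatch $Pattern }
}

# Offline run on the constructed sample: reports android-9f3a2c and raspberrypi
Find-RogueLeases -Lines ($sample -split "`r?`n") -Pattern $NamingConvention |
    Format-Table Date, Time, IPAddress, HostName, MACAddress -AutoSize

# Against the live logs on a DHCP server, e.g. from a scheduled task:
# Get-ChildItem "$env:windir\System32\Dhcp\DhcpSrvLog-*.log" | ForEach-Object {
#     Find-RogueLeases -Lines (Get-Content $_.FullName) -Pattern $NamingConvention }
```

Renewals (ID 11) are deliberately excluded so that a device is reported once, when it first obtains an address; widen the filter if you also want to catch hosts that were already on the network before the check started.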
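The Gather section queries 4624/4625 with WevtUtil, and the Harvest "Logon Type" section explains what the Logon Type numbers mean. This added PowerShell example (not from the cheat sheet or the wiki) does the same query with Get-WinEvent, decodes each event's EventData from its XML rendering, maps the Logon Type to the names in the table, and summarises successes and failures by type and source. It assumes the Logon subcategory auditing from the Configure section is in place and that the prompt is elevated, since reading the Security log requires it.

```powershell
# Added example (not from the cheat sheet): read 4624/4625 from the Security log and decode
# the logon type using the cheat sheet's Type table. Assumes an elevated prompt.

$LogonTypeNames = @{
    2 = 'Interactive (GUI)';   3 = 'Network (Net Use)';      4 = 'Batch';  5 = 'Service'
    7 = 'Unlock';              8 = 'Network Clear Text';     9 = 'New Credentials (RDP tools)'
    10 = 'Remote Interactive (RDP)'; 11 = 'Cached Interactive (laptops)'
}

function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # EventData fields are addressed by their Name attribute in the XML rendering
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    $t = [int]$d['LogonType']
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        EventId     = $Event.Id
        Outcome     = if ($Event.Id -eq 4624) { 'Success' } else { 'Failure' }
        LogonType   = $t
        TypeName    = if ($LogonTypeNames.ContainsKey($t)) { $LogonTypeNames[$t] } else { "Type $t" }
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source      = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

function Get-LogonSummary {
    param([int]$MaxEvents = 500)
    # Same filter as the WevtUtil query above: EventID 4624 or 4625, newest first
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-LogonEvent -Event $_ }
}

$logons = Get-LogonSummary

# Counts by type and outcome: a burst of Type 3 or Type 10 failures from one source stands out here
$logons | Group-Object TypeName, Outcome | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Successful network and RDP logons with their source address, to compare against known sources
$logons | Where-Object { $_.Outcome -eq 'Success' -and $_.LogonType -in 3, 10 } |
    Select-Object Time, TypeName, User, Source, Workstation | Format-Table -AutoSize
```

Decoding the XML rather than parsing the rendered message text keeps the script independent of the message template, which is also why the same approach works for 4688 (Creator Process ID) or 4657 (Object Name) with a different Id in the filter hashtable.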