Windows Incident Detection
This dashboard allows the security team to review the environment and look for indicators of compromise and malicious activity. There are many reporting elements covering key aspects of a Windows environment. At Snare we have always advised our clients to collect logs not just from servers but also from desktops. There have been many whitepapers in the industry from Microsoft, SANS, CIS, PCI DSS, ISO 27001, HIPAA, ASD Top 35, NIST etc. that recommend customers collect logs from all sources to look for malicious and unauthorised activity. A commonly overlooked aspect is the desktop system, or even the server, that is domain connected: activity can occur on these systems and the logs never go to the domain controllers. As with the other dashboards, all the elements on the dashboard can be clicked on to filter further and then drill through at the bottom of the screen.
The following dashboard elements are provided:
- Audit Policy Changed - changes to the system's audit policy could be the result of malware or other malicious activity if the change was not authorised. Hackers and malware often want to disable auditing to mask their tracks while stealing data or installing their own rootkits on systems to capture passwords or other sensitive data.
- Local Accounts added to Administrators group - hackers and malware will try to add backdoor admin access to systems so they can come back later and simply log in as a local admin. Local accounts do not log to domain controllers the way a regular domain account does. If you don't collect the logs from the local server or desktop, valuable forensic information can be lost and hackers can gain a foothold on the network without anyone knowing.
- Logon type 3 and type 10 - these logs relate to remote access to the system. Unusual host-to-host logins can be a symptom of a hacker moving laterally around the network. Reviewing the same user logging in, or unusual accounts being used to log in, across many hosts where this is not expected can reveal a hacker on the network.
- Privilege Escalation - in some cases a user may need to use the runas option to run a command with higher privileges than they currently have. Sometimes UAC will prompt for this; other times the user will need to use an account that has more privileges than their own. This activity raises specific events which can be collected and reported on. When a hacker is on the network they will always try to gain as much access as they can, to steal information or to load a Trojan or backdoor that lets them regain access on demand. There are also various "pass the hash" attacks that gain access without the password, using a stolen password hash together with an exploit or bug in the operating system.
- Scheduled task was created - this activity can mean a hacker has placed a task that will run at their desired interval to perform any malicious action they wish. This could be to ensure their backdoor is reinstated even after it has been removed, or to implement a time bomb that performs some malicious activity such as deleting files or encrypting data, as ransomware does. Detecting any unauthorised tasks being added helps to provide early detection of unauthorised activity.
- Service was installed - this can be the result of installing approved or unauthorised software. If you see services being installed by unauthorised software, it may be the result of malware or hackers on the network.
- Startup Run Tasks Alert - similar to scheduled tasks, if a task is set to run at system startup it could be part of some malware on the system.
- Windows File Protection Events - Windows will generate a specific event, 64004, when it detects one or more protected operating system files being changed. The Windows File Protection service monitors critical system files such as executables (.exe) and dynamic link libraries (.dll) and attempts to prevent unauthorised software from modifying or replacing these files. It will generate a warning if it detects a change to a critical system file and is unable to restore it to a known good state.
- Application Crash - application crashes can be a symptom of a problem with a program, or of something attempting to tamper with the program's operation. When malicious software attempts a buffer overrun or changes a system process's memory, it may crash the target application. Repeated failures can be an indication of an attack if the program was not known to have a problem. Privilege escalation or access to sensitive data is often the reason an application is under attack. Crashes from applications such as Adobe Flash, Microsoft Office tools, PDF documents, zip files in emails etc. may be indications of spear phishing, where the user clicked on an email link and a malicious payload was downloaded, tried to run and attempted a buffer overflow attack. Attacks from an Advanced Persistent Threat (APT) can often show up this way in the system logs.
- EMET Failures - another method of detecting spear phishing attacks is to deploy the Enhanced Mitigation Experience Toolkit (EMET). EMET is free from Microsoft and is used to aid in the prevention of many common memory manipulation based attacks: https://support.microsoft.com/en-au/help/2458544/the-enhanced-mitigation-experience-toolkit. When EMET detects an attack it crashes the application to prevent the exploit from succeeding. EMET logs this activity as an error message (Event ID 2) in the system log. Microsoft does not provide any central reporting tool for EMET logs, so a customer has to use a SIEM tool like Snare to collect these logs and report on malicious activity.
- Protection disabled - one of the ways malware tries to protect itself is to disable the antivirus/anti-malware/HIDS/HIPS protection software if it can. AV/HIDS/HIPS software is itself sometimes susceptible to vulnerabilities, and since it usually runs with super-user privileges to scan the system it can also be a target for malware to attack. Various event IDs can be generated for disabling the system protection services, such as 7034, 7035, 7036, 7040. Linking multiple service types, even the logging agents, stopping at the same or a similar time can be an indication of attempted compromise.
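As an added example (not Snare's own dashboard logic), the rules above run in Python over a few constructed Snare-style log lines, including the correlation of several protection services stopping close together. The page names only some event IDs, so 4719, 4732, 4624, 4698 and 7045 are standard Windows IDs assumed here, and the service-name fragments and two-minute correlation window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# IDs from the page: 64004 (WFP), EMET event 2, service events 7034/7035/7036/7040, logon types 3/10.
# Assumed standard Windows IDs for the other elements: 4719 audit policy changed, 4732 member added
# to a local group, 4624 logon, 4698 scheduled task created, 7045 service installed.
SINGLE_EVENT_RULES = {4719: "Audit policy changed", 4698: "Scheduled task created",
                      7045: "Service installed", 64004: "Windows File Protection change"}
SERVICE_STATE_IDS = {7034, 7035, 7036, 7040}
PROTECTION_SERVICES = ("defender", "antivirus", "snare")  # assumed service-name fragments
STOP_WINDOW = timedelta(minutes=2)                         # assumed correlation window

# Constructed sample lines in a simplified format: time|host|source|event_id|logon_type|message
SAMPLE_LOG = [
    "2024-05-01T09:00:00|WS01|Security|4719||System audit policy was changed",
    "2024-05-01T09:00:05|WS01|Security|4732||A member was added to a security-enabled local group: Administrators",
    "2024-05-01T09:01:00|SRV02|Security|4624|10|An account was successfully logged on",
    "2024-05-01T09:01:30|SRV02|Security|4624|2|An account was successfully logged on",
    "2024-05-01T09:02:00|WS01|EMET|2||EMET detected a mitigation and will close the application",
    "2024-05-01T09:03:00|WS01|Service Control Manager|7036||The Windows Defender Service entered the stopped state",
    "2024-05-01T09:03:40|WS01|Service Control Manager|7036||The Snare Agent service entered the stopped state",
    "2024-05-01T09:10:00|SRV02|Service Control Manager|7036||The Windows Defender Service entered the stopped state",
]

def parse_line(line):
    ts, host, source, eid, ltype, msg = line.split("|", 5)
    return {"time": datetime.fromisoformat(ts), "host": host, "source": source,
            "id": int(eid), "logon_type": int(ltype) if ltype else None, "msg": msg}

def detect(lines):
    alerts, stops = [], defaultdict(list)  # alerts are (host, indicator) pairs in raise order
    for ev in map(parse_line, lines):
        eid, host, msg = ev["id"], ev["host"], ev["msg"].lower()
        if eid in SINGLE_EVENT_RULES:
            alerts.append((host, SINGLE_EVENT_RULES[eid]))
        elif eid == 4732 and "administrators" in msg:
            alerts.append((host, "Local account added to Administrators group"))
        elif eid == 4624 and ev["logon_type"] in (3, 10):
            alerts.append((host, f"Remote logon type {ev['logon_type']}"))
        elif eid == 2 and ev["source"] == "EMET":
            alerts.append((host, "EMET mitigation triggered"))
        elif eid in SERVICE_STATE_IDS and "stopped" in msg and any(n in msg for n in PROTECTION_SERVICES):
            stops[host].append(ev["time"])  # held back until correlated below
    # Two or more protection services (AV, HIDS, the logging agent) stopping on one host within
    # STOP_WINDOW is the linked pattern the page describes; the lone stop on SRV02 is not raised.
    for host, times in stops.items():
        times.sort()
        if any(b - a <= STOP_WINDOW for a, b in zip(times, times[1:])):
            alerts.append((host, "Multiple protection services stopped together"))
    return alerts
```

In a real deployment the same rules would be applied to the agent's native event fields rather than a pipe-delimited line, and the protection-service list would be the names actually deployed on the estate.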