Event Logs

These artifacts collect information related to the windows event logs.

Windows.EventLogs.AlternateLogon

Logon specifying alternate credentials - if NLA enabled on destination Current logged-on User Name Alternate User Name Destination Host Name/IP Process Name

Arg Default Description
securityLogFile C:/Windows/System32/Winevt/Logs/Security.evtx
View Artifact Source

Windows.EventLogs.DHCP

This artifact parses the windows dhcp event log looking for evidence of IP address assignments.

In some investigations it is important to be able to identify the machine which was assigned a particular IP address at a point in time. Usually these logs are available from the DHCP server, but in many cases the server logs are not available (for example, if the endpoint was visiting a different network or the DHCP server is on a wireless router with no log retention).

On windows, there are two types of logs:

  1. The first type is the admin log (Microsoft-Windows-Dhcp-Client%4Admin.evt). These only contain errors such as an endpoint trying to continue its lease, but the lease is rejected by the server.

  2. The operational log (Microsoft-Windows-Dhcp-Client%4Operational.evtx) contains the full log of each lease. Unfortunately this log is disabled by default. If it is available we can rely on the information.

Arg Default Description
eventDirGlob C:\Windows\system32\winevt\logs\
adminLog Microsoft-Windows-Dhcp-Client%4Admin.evtx
operationalLog Microsoft-Windows-Dhcp-Client%4Operational.evtx
accessor file
View Artifact Source

Windows.EventLogs.Kerbroasting

Description: This Artifact will return all successful Kerberos TGS Ticket events for Service Accounts (SPN attribute) implemented with weak encryption. These tickets are vulnerable to brute force attack and this event is an indicator of a Kerbroasting attack.

ATT&CK: T1208 - Kerbroasting Typical attacker methodology is to firstly request accounts in the domain with SPN attributes, then request an insecure TGS ticket for brute forcing. This attack is particularly effective as any domain credentials can be used to implement the attack and service accounts often have elevated privileges. Kerbroasting can be used for privilege escalation or persistence by adding a SPN attribute to an unexpected account.

Reference: The Art of Detecting Kerberoast Attacks Log Source: Windows Security Event Log (Domain Controllers) Event ID: 4769 Status: 0x0 (Audit Success) Ticket Encryption: 0x17 (RC4) Service Name: NOT krbtgt or NOT a system account (account name ends in $) TargetUserName: NOT a system account ($@)

Monitor and alert on unusual events with these conditions from an unexpected IP. Note: There are potential false positives so whitelist normal source IPs and manage risk of insecure ticket generation.

Arg Default Description
eventLog C:\Windows\system32\winevt\logs\Security.evtx
View Artifact Source

Windows.EventLogs.PowershellScriptblock

This Artifact will search and extract ScriptBlock events (Event ID 4104) from Powershell-Operational Event Logs.

Powershell is commonly used by attackers accross all stages of the attack lifecycle. A valuable hunt is to search Scriptblock logs for signs of malicious content.

There are several parameter’s availible for search leveraging regex.

  • dateAfter enables search for events after this date.
  • dateBefore enables search for events before this date.
  • SearchStrings enables regex search over scriptblock text field.
  • stringWhiteList enables a regex whitelist for scriptblock text field.
  • pathWhitelist enables a regex whitelist for path of scriptblock.
  • LogLevel enables searching on type of log. Default is Warning level which is logged even if ScriptBlock logging is turned off when suspicious keywords detected in Powershell interpreter.
Arg Default Description
eventLog C:\Windows\system32\winevt\logs\Microsoft-Win …
dateAfter search for events after this date. YYYY-MM-DDTmm:hh:ss Z
dateBefore search for events before this date. YYYY-MM-DDTmm:hh:ss Z
searchStrings regex search over scriptblock text field.
stringWhitelist Regex of string to witelist
pathWhitelist Regex of path to whitelist.
LogLevel Warning Log level. Warning is Powershell default bad keyword list.
View Artifact Source

Windows.EventLogs.ServiceCreationComspec

This Detection hts on the string “COMSPEC” (nocase) in Windows Service Creation events. That is: EventID 7045 from the System event log.

This detects many hack tools that leverage SCM based lateral movement including smbexec.

Arg Default Description
eventLog C:\Windows\system32\winevt\logs\System.evtx
accessor ntfs
View Artifact Source