Windows Event Log Analysis

1. Event Log Format

Events of every type share a set of common fields:
Log Name: The name of the Event Log in which the event is stored. Useful when processing numerous logs pulled from the same system.
Source: The service, Microsoft component or application that generated the event.
Event ID: A code assigned to each type of audited activity.
Level: The severity assigned to the event in question.
User: The user account that triggered the activity, or the user context the source was running as when it logged the event. Note that this field often shows “System” or a user that is not the actual cause of the event being recorded.
OpCode: Assigned by the source generating the log; its meaning is defined by the source.
Logged: The local system date and time at which the event was logged.
Task Category: Assigned by the source generating the log; its meaning is defined by the source.
Keywords: Assigned by the source and used to group or sort events.
Computer: The computer on which the event was logged. Useful when examining logs collected from multiple systems, but it should not be taken to be the device that caused the event: for a remote logon, for example, the Computer field still shows the name of the system recording the event, not the source of the connection.
Description: A text block in which additional information specific to the event being logged is recorded. This is often the most significant field for the analyst.


2. Account Management Events

4720 :- A user account was created.
4722 :- A user account was enabled.
4723 :- A user attempted to change an account’s password.
4724 :- An attempt was made to reset an account’s password.
4725 :- A user account was disabled.
4726 :- A user account was deleted.
4727 :- A security-enabled global group was created.
4728 :- A member was added to a security-enabled global group.
4729 :- A member was removed from a security-enabled global group.
4730 :- A security-enabled global group was deleted.
4731 :- A security-enabled local group was created.
4732 :- A member was added to a security-enabled local group.
4733 :- A member was removed from a security-enabled local group.
4734 :- A security-enabled local group was deleted.
4735 :- A security-enabled local group was changed.
4737 :- A security-enabled global group was changed.
4738 :- A user account was changed.
4741 :- A computer account was created.
4742 :- A computer account was changed.
4743 :- A computer account was deleted.
4754 :- A security-enabled universal group was created.
4755 :- A security-enabled universal group was changed.
4756 :- A member was added to a security-enabled universal group.
4757 :- A member was removed from a security-enabled universal group.
4758 :- A security-enabled universal group was deleted.
4798 :- A user’s local group membership was enumerated. Large numbers of these events may be indicative of adversary account enumeration.
4799 :- A security-enabled local group membership was enumerated. Large numbers of these events may be indicative of adversary group enumeration.



Coming Soon.....