6 Windows event log IDs to monitor now

Introduction

It’s possible to use Windows 10 event logs to detect intrusions and malicious activity, but some knowledge of critical IDs is mandatory to avoid over-collection and other issues. This article will highlight the most important event IDs that you should monitor. As a side note, you can use these event logs to generate indicators of compromise that you can regularly assess to improve computer forensics and incident response. 

Here are the event IDs to track.

Windows security event log ID 4688

Event 4688 documents each program (or process) that a system executes, along with the process that started the program. What’s intriguing about this event ID is that it logs any process that is created by a user or even spawned from a hidden process. For example, if there’s malware present on your Windows system, searching event 4688 will reveal any processes executed by that ill-intentioned program. Malicious activity red flags include child processes having a different parent process ID than the original process and processes that are executing elsewhere instead of `C:\Program Files` or `C:\Windows\System32`.

Additionally, you can get information about a user’s administrative privileges through the Token Elevation Type field. A Type 1 token refers to a “full token” with all privileges granted to that user account, such as when UAC (User Account Control) is disabled or when the user is in a service or built-in administrator account. Type 2 indicates that an elevated token was issued through the “Run as administrator” option while UAC was enabled. Type 3 is a limited token with no administrative groups or privileges. It’s issued when the user doesn’t launch a program using “Run as administrator” or when an application doesn’t require administrative privilege.
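The two checks described above (image path outside the trusted directories, and the Token Elevation Type field) as an added example that is not part of the original article: a small Python triage script over 4688 records in the XML form that Event Viewer or `Get-WinEvent` exports. The sample records are constructed for the example, trimmed to the fields used; the `%%1936`/`%%1937`/`%%1938` values are the resource-string IDs the Security log stores for Type 1, 2 and 3 tokens.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directories the article treats as the expected home of legitimate binaries.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
# Resource-string values the Security log stores in the TokenElevationType field.
ELEVATION = {
    "%%1936": "Type 1 (full token: UAC disabled, service or built-in administrator)",
    "%%1937": "Type 2 (elevated via Run as administrator)",
    "%%1938": "Type 3 (limited token)",
}

def parse_4688(xml_text):
    """Return the EventData fields of one event as a dict, or None if it is not a 4688."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def triage(event):
    """List the red flags in a parsed 4688 record (an empty list means nothing flagged)."""
    findings = []
    image = event.get("NewProcessName", "")
    if not image.lower().startswith(TRUSTED_DIRS):
        findings.append(f"image outside trusted directories: {image}")
    elev = event.get("TokenElevationType", "")
    if elev in ("%%1936", "%%1937"):  # Type 1 or Type 2: the process holds admin rights
        findings.append(f"administrative token: {ELEVATION[elev]} "
                        f"(parent {event.get('ParentProcessName', '?')})")
    return findings

def triage_all(xml_records):
    """Map each 4688 record's image path to its findings, skipping other event IDs."""
    results = {}
    for rec in xml_records:
        ev = parse_4688(rec)
        if ev is not None:
            results[ev["NewProcessName"]] = triage(ev)
    return results

# Constructed sample records (not captured from a real host), trimmed to the fields used above.
SAMPLE_EVENTS = [
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data><Data Name="TokenElevationType">%%1938</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>',
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="NewProcessName">C:\Users\Public\update.exe</Data><Data Name="TokenElevationType">%%1937</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>',
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4689</EventID></System><EventData><Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data></EventData></Event>',
]

if __name__ == "__main__":
    for image, flags in triage_all(SAMPLE_EVENTS).items():
        print(image, "->", flags or ["clean"])
```

On a live host the same functions can be fed the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` piped through `.ToXml()`; 4688 auditing must be enabled in the audit policy for the events to exist at all.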

While event 4688 can tell you a lot, it should be used in conjunction (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dan Virgillito. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zKeeUBiBZmQ/