Monitoring Windows Event Logs for Security Breaches

The Windows event logs hold a minefield of information, and in the last couple of Ask the Admin articles on the Petri IT Knowledgebase, How to Create Custom Views in Windows Server 2012 R2 Event Viewer and Query XML Event Log Data Using XPath in Windows Server 2012 R2, I demonstrated how to create custom views in Event Viewer to filter out unwanted noise.

Why You Should Monitor Windows Event Logs for Security Breaches

The ability to create custom views is only useful if you know what events might indicate an attempt to compromise your systems or an unsanctioned configuration change. In this Ask the Admin, I’ll outline some of the most important events that might indicate a security breach.

Change Control and Privilege Management

Before data in the event logs can become truly useful, it’s essential to exercise some governance over your server estate and establish who is allowed to change what, where, and when through tested business processes. When change control is implemented alongside privilege management, not only can you be more confident in maintaining stable and reliable systems, but it will be easier to identify malicious activity in the event logs.

The information in this article assumes that auditing has been configured according to Microsoft’s recommended settings in the Window Server 2012 R2 baseline security templates that are part of Security Compliance Manager (SCM). For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.

Account Use and Management

Under normal operating circumstances, critical system settings can’t be modified unless users hold certain privileges, so monitoring for privilege use and changes to user accounts and groups can give an indication that an attack is underway. For example, the addition of users to privileged groups, such as Domain Admins, should correspond to a request for change (RFC). If you notice that a user has been added to a privileged group, you can check this against approved RFCs.

The Event Viewer User Account Management and Group Management task categories. When auditing is enabled on a member server, changes to local users and groups are logged, and on a domain controller changes to Active Directory. To enable auditing for user and group management, enable Audit Security Group Management and Audit User Account Management settings in Advanced Audit Policy. For more information on configuring audit policy, see Enable Advanced Auditing in Windows Server on Petri.

Additionally, you should check for the events listed in the table below:

Event Log Level ID Error Name Source
Security Informational 4740 Account Lockouts Microsoft-Windows-Security-Auditing
Security Informational 4728, 4732, 4756 User Added to Privileged Group Microsoft-Windows-Security-Auditing
Security Informational 4735 Security-Enabled Group Modification Microsoft-Windows-Security-Auditing
Security Informational 4724 Successful User Account Login Microsoft-Windows-Security-Auditing
Security Informational 4625 Failed User Account Login Microsoft-Windows-Security-Auditing
Security Informational 4648 Account Login with Explicit Credentials Microsoft-Windows-Security-Auditing

Application Hangs and Crashes

Frequent application hangs on crashes can indicate an attempt to disrupt service and other kinds of attack. As such, it’s prudent to monitor line of business applications for disruptions. Check the Application log for the following event IDs:

Event Log Level ID Error Name Source
Application Error 1000 App Error Application Error
Application Error 1002 App Hang Application Hang
Application Informational 1001 WER Windows Error Reporting
System Error 1001 BSOD Microsoft-Windows-WER-SystemErrorReporting

Event Logs and Audit Policy

If someone has cleared the event logs or changed audit policy, there’s a good chance that they’ve been trying to cover their tracks. As such, any such behaviour should ring alarm bells:

Event Log Level ID Error Name Source
System Informational 104 Event Log was Cleared Microsoft-Windows-EventLog
Security Informational 102 Audit Log was Cleared Microsoft-Windows-EventLog
System Informational 4719 System audit policy was changed Microsoft-Windows-EventLog

Group Policy and Windows Firewall

Configuration settings are usually managed on workstations and servers using Active Directory Group Policy, so any failure to apply policy or make unsanctioned changes to policy objects in AD could indicate a security issue. Additionally Windows Firewall provides an important line of defence, and any changes to firewall rules could signal an attempt to gain additional access to systems.

Event Log Level ID Error Name Source
System Error 1125 Internal Error Microsoft-Windows-GroupPolicy
System Error 1127 Generic Internal Error Microsoft-Windows-GroupPolicy
System Error 1129 Group Policy Application Failed due to Connectivity Microsoft-Windows-GroupPolicy
Windows Firewall WithAdvancedSecurity/Firewall Informational 2004 Firewall Rule Add Microsoft-Windows-Windows FirewallWith Advanced Security
Windows Firewall WithAdvancedSecurity/Firewall Informational 2005 Firewall Rule Change Microsoft-Windows-Windows FirewallWith Advanced Security
Windows Firewall WithAdvancedSecurity/Firewall Informational 2006, 2033 Firewall Rules Deleted Microsoft-Windows-Windows FirewallWith Advanced Security
Windows Firewall WithAdvancedSecurity/Firewall Error 2009 Firewall Failed to load Group Policy Microsoft-Windows-Windows FirewallWith Advanced Security