This blog is all about Cyber Security and IT

Friday, November 30, 2018

Types of Windows Events

Windows event log entries come in five types (the last two, the audit types, appear only in the Security log):

Error: a significant problem, such as a service that failed to start or data that was lost.

Warning: a condition that is not yet a failure but may become one, such as a disk running low on free space.

Information: a successful operation, such as an application, driver or service starting and running normally.

Success Audit: an audited security access attempt that succeeded, such as a user logging on to the system.

Failure Audit: an audited security access attempt that failed, such as a logon attempt with a wrong password.

Main security-relevant events

Application crashes and hangs are worth collecting because an exploit attempt against a process often ends in one. Table 1 lists the relevant Application-log events.

Table 1 – Application crashes

Event       ID     Level          Event Log     Event Source
App Error   1000   Error          Application   Application Error
App Hang    1002   Error          Application   Application Hang
WER         1001   Informational  Application   Windows Error Reporting

Attackers need to log on to your systems just like any other user, so it is worth looking for suspicious logon activity. Table 2 lists events that may indicate a problem. Pass-the-Hash (PtH) is a popular attack in which the attacker authenticates with a stolen NTLM password hash and never needs to know the password itself. On the target it is recorded as an ordinary NTLM network logon, so look for Logon Type 3 events whose Authentication Package is NTLM: event ID 4624 (success) and 4625 (failure). NTLM network logons also occur in normal operation (legacy applications, connections by IP address, non-domain hosts), so baseline which accounts and source addresses normally produce them and alert on the outliers, in particular NTLM where Kerberos should have been used.

Table 2 – Account Usage

Event                                      ID                Level          Event Log   Event Source
Account Lockouts                           4740              Informational  Security    Microsoft-Windows-Security-
User Added to Privileged Group             4728, 4732, 4756  Informational  Security    Microsoft-Windows-Security-
Security-Enabled Group Modification        4735              Informational  Security    Microsoft-Windows-Security-
Successful User Account Login              4624              Informational  Security    Microsoft-Windows-Security-
Failed User Account Login                  4625              Informational  Security    Microsoft-Windows-Security-
Account Login with Explicit Credentials    4648              Informational  Security    Microsoft-Windows-Security-

High-value assets, such as domain controllers, should not be managed over Remote Desktop. A RemoteInteractive session is recorded on the target host as Logon Type 10, event ID 4624 (logon) and 4634 (logoff), so any Logon Type 10 event on such a host may point to malicious RDP activity and should be investigated.
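The two checks above (NTLM Logon Type 3 in 4624/4625, and Logon Type 10 in 4624/4634 on a host that must not be managed over RDP) as detection logic run over sample events. This is an added example, not code from the original post. It parses Security events in the XML layout that wevtutil or Get-WinEvent's ToXml() export; the HIGH_VALUE_HOSTS list and every sample event are constructed for the example.

```python
"""Triage Windows Security logon events for two suspicious patterns.

Added example, not code from the original post. It reads Security events in
the XML layout that `wevtutil qe Security /f:xml` or Get-WinEvent's
`.ToXml()` produce and flags:
  * NTLM network logons (Logon Type 3, Authentication Package NTLM) from
    4624 (success) and 4625 (failure), the shape a Pass-the-Hash logon takes;
  * RemoteInteractive (Logon Type 10) logon/logoff, 4624/4634, recorded on a
    host in HIGH_VALUE_HOSTS, such as a domain controller.
HIGH_VALUE_HOSTS and every sample event below are constructed for the example.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Assumption: short host names of the assets that must never be managed over RDP.
HIGH_VALUE_HOSTS = {"DC01", "DC02"}


def make_event(event_id, computer, **data):
    """Build a Security event carrying only the fields the checks below use.
    The layout follows the real schema; the values are made up for this example."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    # NTLM network logon succeeded on a file server: PtH candidate
    make_event(4624, "FS01.corp.example", TargetDomainName="CORP", TargetUserName="alice",
               LogonType="3", AuthenticationPackageName="NTLM",
               LogonProcessName="NtLmSsp ", IpAddress="10.0.0.5"),
    # NTLM network logon failed for the built-in admin: PtH attempt or spraying
    make_event(4625, "FS01.corp.example", TargetDomainName="CORP", TargetUserName="Administrator",
               LogonType="3", AuthenticationPackageName="NTLM",
               LogonProcessName="NtLmSsp ", IpAddress="10.0.0.77"),
    # Kerberos network logon: the normal case inside a domain, not flagged
    make_event(4624, "FS01.corp.example", TargetDomainName="CORP", TargetUserName="alice",
               LogonType="3", AuthenticationPackageName="Kerberos", IpAddress="10.0.0.5"),
    # Console logon on a workstation: not flagged
    make_event(4624, "WS01.corp.example", TargetDomainName="CORP", TargetUserName="bob",
               LogonType="2", AuthenticationPackageName="Negotiate", IpAddress="-"),
    # RDP logon to a domain controller: flagged
    make_event(4624, "DC01.corp.example", TargetDomainName="CORP", TargetUserName="bob",
               LogonType="10", AuthenticationPackageName="Negotiate", IpAddress="10.0.0.9"),
    # Matching RDP logoff on the DC: flagged so the session can be bounded
    make_event(4634, "DC01.corp.example", TargetDomainName="CORP", TargetUserName="bob",
               LogonType="10"),
    # RDP logon to an ordinary workstation: not in the high-value list, not flagged
    make_event(4624, "WS02.corp.example", TargetDomainName="CORP", TargetUserName="carol",
               LogonType="10", AuthenticationPackageName="Negotiate", IpAddress="10.0.0.12"),
]


def parse_event(xml_text):
    """Return {'id', 'computer', 'data'} for one Security event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # Some values carry trailing spaces in real logs (e.g. "NtLmSsp "), so strip.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": int(system.find("e:EventID", NS).text),
            "computer": system.find("e:Computer", NS).text,
            "data": data}


def is_ntlm_network_logon(ev):
    """4624/4625 with Logon Type 3 authenticated by NTLM rather than Kerberos."""
    d = ev["data"]
    return (ev["id"] in (4624, 4625) and d.get("LogonType") == "3"
            and d.get("AuthenticationPackageName", "").upper() == "NTLM")


def is_rdp_on_high_value_host(ev, high_value_hosts=HIGH_VALUE_HOSTS):
    """4624/4634 with Logon Type 10 logged on a host that must not be RDP-managed."""
    host = ev["computer"].split(".")[0].upper()
    return (ev["id"] in (4624, 4634) and ev["data"].get("LogonType") == "10"
            and host in high_value_hosts)


def triage(xml_events, high_value_hosts=HIGH_VALUE_HOSTS):
    """Return (rule, outcome, computer, account, source_ip) tuples worth a look."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        d = ev["data"]
        account = f'{d.get("TargetDomainName", "")}\\{d.get("TargetUserName", "")}'
        source = d.get("IpAddress", "-")  # 4634 carries no source address
        if is_ntlm_network_logon(ev):
            outcome = "success" if ev["id"] == 4624 else "failure"
            findings.append(("ntlm-network-logon", outcome, ev["computer"], account, source))
        if is_rdp_on_high_value_host(ev, high_value_hosts):
            outcome = "logon" if ev["id"] == 4624 else "logoff"
            findings.append(("rdp-high-value-host", outcome, ev["computer"], account, source))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The NTLM rule deliberately leaves Kerberos Logon Type 3 events alone, which is what keeps it usable on a busy file server; the remaining NTLM hits still need baselining against the accounts and source addresses that legitimately use NTLM before they become alerts. The RDP rule keys on the Computer field because Logon Type 10 is recorded on the host that was connected to, not on the client.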
