Updated: 2020-08-04 - EventID 4661

Windows Security Event Log best practices

The Windows Security Event Log is a valuable source for identifying attackers as well as monitoring anomalies within a Windows domain.

Again and again I find that there is no clear recommendation as to which events should actually be monitored, or which events can be avoided. In the following I will try to shed some light on the subject and summarize various recommendations from different sources and personal experience.

From the role of the security analyst it is always a demand to see as much as possible in a log. However, the balancing act to the resources that are available must be formed. Especially a detailed Windows Security Event Log quickly breaks any available license volume.

In this context it should also be pointed out again that for a complete monitoring not only the Windows Security Event Logs of the servers (Domain Controller) are required, but also those of the clients. For example to investigate attacks like “Golden Ticket” or different lateral movement scenarios.

Please note, the following recommendations are based on personal experience. Always evaluate first on the basis of your individual Threat Model whether you need events after all.

Event IDs to Exclude

If you do not know which events are necessary, it is a good idea to exclude the events you do not want at all.

4627 - Group membership information
4634 - User Logoff
4658 - The handle to an object was closed (use 4656 handle opened)
4689 - A process exited (use 4688 process create)
4703 - A token right was adjusted
4985 - The state of a transaction has changed
4661 - A handle to an object was requested

A comprehensive guide to blacklisting, including removing the Windows Event Description, can be found at Hurrican Labs - Hurrican Labs - Leveraging Windows Event Log Filtering and Design Techniques in Splunk. The blog is a general inspiration for logging best practices.

Furthermore it is possible to filter events of certain high volume accounts. But you should always take care to filter as explicit as possible. For example the logon type or the error code should be taken into consideration.

Highly Recommended Events

As a rule, these events should not occur at all. It is therefore all the more important to monitor them and to alert if they do occur.

To make the search even more detailed, machine accounts (AccountName=*$) can be excluded.

1102 - The audit log was cleared
4618 - A monitored security event pattern has occurred
4649 - A replay attack was detected
4719 - System audit policy was changed
4765 - SID History was added to an account
4766 - An attempt to add SID History to an account failed
4794 - An attempt was made to set the Directory Services Restore Mode
4897 - Role separation enabled
4964 - Special groups have been assigned to a new logon
5124 - A security setting was updated on the OCSP Responder Service

Source: Microsoft

Common Events

The following events give an insight into each Windows domain. Again, it is recommended to deal with the particular event, especially since each event can have different attributes.

Especially with regard to the events for the Windows Firewall, it is important to decide individually.

4624 - An account was successfully logged on (note Logon Type / Error Code)
4648 - A logon was attempted using explicit credentials
4656 - A handle to an object was accessed (counterpart to blacklisted 4658)
4657 - A registry value was modified
4672 - Special privileges assigned to new logon
4673 - A privileged service was called (e.g. credential harvesting)
4688 - A new process has been created (especially on Domain Controllers)
4698 - A scheduled task was created
4720 - A user account was created
4724 - An attempt was made to reset an accounts password
4735 - A security-enabled local group was changed
4738 - A user account was changed
4768 - A Kerberos authentication ticket was requested
4769 - A Kerberos service ticket was requested (e.g. for Kerberoasting attack, note result codes)
4771 - Kerberos pre-authentication failed (e.g. for Kerberos spraying attack)
4776 - The domain controller attempted to validate the credentials for an account
5140 - A network share object was accessed (Windows Firewall)
5145 - A network share object was checked (Indicates if access to file share was allowed or not)
5156 - The Windows Filtering Platform has allowed a connection (Window Firewall)

Source:

Conclusion

The article does not claim to be complete. Also I will try to make regular updates. I already know that I have not yet considered some valuable sources.

If you’re wondering what to do with all these events, the Malware Archaeology Cheat Sheets and the Splunk Security Essentials App provide you with some starting points. I can also highly recommend watching the Splunk Blogs.