Uncovering Threats Using Windows Event Logs

Despite being around for decades, Windows Event Logging is still one of the most valuable (and underestimated) data sources available. It is also a prime example of how seemingly ‘old tech’ can be used to great effect by newer security solutions. Information collected via logged data spans a wide variety of application, system and security events, capturing everything from software installations through to failed login attempts. These may seem like inconspicuous tasks, but they are often the entry point for malicious code and threat actors.

At Options, we understand the critical importance of logged data and ingest large quantities of it using Splunk Forwarders, strategically placed throughout our platform. Event logs continue to play a fundamental role in helping us detect potential security threats and protect our estate. Reporting unusual behaviour across administrative and service accounts has allowed us to be proactive in our approach to the rising threat of cyber breaches and sophisticated hacking.

With relatively simple queries we are able to alert our internal teams to a number of common scenarios that indicate possible attacks or vulnerabilities. In particular, if any change is made to the membership of a privileged group, such as Domain Admins, we are alerted immediately.

Spraying Attacks

This is a particularly popular method used by hackers to maximise the chances of gaining access to an account. It tries many usernames with a single, commonly used password (for example Password123). As each username is only attempted once or twice, it is highly unlikely to trigger the AD lockout policy, which would draw attention. For this type of attack we need to monitor Event IDs 4625, 4771 and 4748, and the search below is used to detect this behaviour:
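The Splunk search itself is not reproduced on this page, so the following is an added illustration (my own code, not Options' search) of the same detection logic: group logon failures by source IP, and alert when one source touches many distinct accounts inside a sliding window while hitting each account only once or twice. The sample events are constructed, with field names modelled on what Splunk extracts from 4625 and 4771 records; the window and thresholds are assumptions to be tuned against your own lockout policy.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each dict mimics the fields
# Splunk extracts from Windows Security events 4625 (an account failed to
# log on) and 4771 (Kerberos pre-authentication failed).
SAMPLE_EVENTS = [
    # One source trying twelve different accounts, one attempt each: a spray.
    {"_time": "2019-06-01T09:00:%02d" % (i * 3), "EventCode": 4625,
     "TargetUserName": "user%02d" % i, "IpAddress": "10.0.0.5"}
    for i in range(12)
] + [
    # A second source hammering a single account: not a spray pattern.
    {"_time": "2019-06-01T09:01:%02d" % (i * 5), "EventCode": 4771,
     "TargetUserName": "jsmith", "IpAddress": "10.0.0.9"}
    for i in range(6)
]

FAILURE_EVENT_CODES = {4625, 4771}


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=10, max_attempts_per_user=2):
    """Return one alert per source IP that, within a sliding time window,
    produced logon failures for many distinct accounts while touching each
    account only once or twice (few enough to stay under a lockout policy).
    Thresholds are assumed values; tune them to the estate's lockout policy.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["EventCode"] in FAILURE_EVENT_CODES:
            by_src[ev["IpAddress"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["_time"])
        times = [datetime.fromisoformat(e["_time"]) for e in evs]
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            per_user = Counter(e["TargetUserName"] for e in evs[start:end + 1])
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                candidate = {
                    "src": src,
                    "distinct_users": len(per_user),
                    "attempts": sum(per_user.values()),
                    "first_seen": evs[start]["_time"],
                    "last_seen": evs[end]["_time"],
                }
                # Keep the widest matching window for this source.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print("Possible password spray:", alert)
```

The second source in the sample (six failures against one account) is deliberately not reported here: that is the brute-force pattern covered by the next section, and separating the two keeps each alert's triage path clear.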

Brute-Force Attacks

Brute-force attacks are one of the most popular hacking techniques, as they apply a trial-and-error approach to account infiltration. The search below will help detect a successful brute-force attack. Here we compare, per account, the number of failed and successful logon attempts within a 5-minute window; the window can be adjusted and the results analysed accordingly.

We also monitor the number of failed attempts per minute from each source IP using the below query:
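Neither search is reproduced on this page, so here is an added example (my own code, not Options' queries) of both checks described above: a successful logon (4624) preceded within 5 minutes by a run of failures (4625) for the same account, and a per-minute count of failures from each source IP. The events are constructed, and the thresholds (five failures, five per minute) are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), with the fields Splunk extracts
# from Windows Security events 4625 (failed logon) and 4624 (successful logon).
SAMPLE_EVENTS = (
    # svc_backup: six failures inside one minute, two more, then a success.
    [{"_time": "2019-06-01T09:10:%02d" % (i * 10), "EventCode": 4625,
      "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7"} for i in range(6)]
    + [{"_time": "2019-06-01T09:11:%02d" % (i * 10), "EventCode": 4625,
        "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7"} for i in range(2)]
    + [{"_time": "2019-06-01T09:11:30", "EventCode": 4624,
        "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7"}]
    # alice: two typos and then a success, which is ordinary user behaviour.
    + [{"_time": "2019-06-01T09:20:00", "EventCode": 4625,
        "TargetUserName": "alice", "IpAddress": "10.0.0.8"},
       {"_time": "2019-06-01T09:20:30", "EventCode": 4625,
        "TargetUserName": "alice", "IpAddress": "10.0.0.8"},
       {"_time": "2019-06-01T09:21:00", "EventCode": 4624,
        "TargetUserName": "alice", "IpAddress": "10.0.0.8"}]
)


def _ts(ev):
    return datetime.fromisoformat(ev["_time"])


def detect_successful_brute_force(events, window=timedelta(minutes=5),
                                  min_failures=5):
    """Flag every successful logon (4624) that was preceded, within `window`,
    by at least `min_failures` failed logons (4625) for the same account."""
    failures = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 4625:
            failures[ev["TargetUserName"]].append(_ts(ev))

    alerts = []
    for ev in events:
        if ev["EventCode"] != 4624:
            continue
        t = _ts(ev)
        recent = [f for f in failures[ev["TargetUserName"]] if t - window <= f <= t]
        if len(recent) >= min_failures:
            alerts.append({
                "account": ev["TargetUserName"],
                "src": ev["IpAddress"],
                "failures_before_success": len(recent),
                "success_time": ev["_time"],
            })
    return alerts


def failed_attempts_per_minute(events, threshold=5):
    """Count 4625 events per (source IP, minute) and return only the buckets
    at or above `threshold`: the per-source rate check from the post."""
    buckets = Counter()
    for ev in events:
        if ev["EventCode"] == 4625:
            minute = _ts(ev).strftime("%Y-%m-%d %H:%M")
            buckets[(ev["IpAddress"], minute)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}


if __name__ == "__main__":
    print("Brute force followed by success:", detect_successful_brute_force(SAMPLE_EVENTS))
    print("Noisy sources per minute:", failed_attempts_per_minute(SAMPLE_EVENTS))
```

Keeping the two checks separate matters for triage: the rate check fires during the attack, while the failure-then-success check fires only when the attacker has actually got in, which is the alert that should page someone.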

Pass-the-Hash Attacks

This type of attack allows a hacker to start lateral movement across the network using the NTLM protocol without the need to re-enter the password. The NTLM protocol uses the NT hash for authentication, and if the hash value is retrieved, authentication can be performed without knowledge of the password. Malicious activity like this can be monitored by applying the following Event Code:
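The event code the post refers to is not reproduced on this page. As an added example (my own code, not Options' search), the check below applies one widely used heuristic for NTLM-based lateral movement: a network logon (4624, LogonType 3) authenticated by the NTLM package with no session key negotiated (KeyLength 0), ignoring ANONYMOUS LOGON, machine accounts and a baseline of hosts known to speak only NTLM. Treat the heuristic, the baseline and the sample events as assumptions; NTLM is still legitimately used in most estates, so this is a lead to triage rather than proof of a stolen hash.

```python
# Constructed sample 4624 records (not real logs) carrying the fields the
# heuristic needs: how the logon was authenticated and whether a session key
# was negotiated.
SAMPLE_EVENTS = [
    {"_time": "2019-06-01T11:02:10", "EventCode": 4624, "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": "0", "TargetUserName": "admin.jdoe",
     "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.0.0.21"},
    {"_time": "2019-06-01T11:02:15", "EventCode": 4624, "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "KeyLength": "0", "TargetUserName": "bob",
     "WorkstationName": "WS-HR-02", "IpAddress": "10.0.0.22"},
    {"_time": "2019-06-01T11:02:20", "EventCode": 4624, "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": "128", "TargetUserName": "carol",
     "WorkstationName": "WS-SALES-11", "IpAddress": "10.0.0.23"},
    {"_time": "2019-06-01T11:02:25", "EventCode": 4624, "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": "0", "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "-", "IpAddress": "10.0.0.24"},
    {"_time": "2019-06-01T11:02:30", "EventCode": 4624, "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": "0", "TargetUserName": "svc_backup",
     "WorkstationName": "LEGACY-NAS01", "IpAddress": "10.0.0.30"},
]

# Hypothetical baseline: devices known to authenticate only with NTLM, whose
# logons would otherwise match the heuristic every day and drown the alert.
KNOWN_NTLM_ONLY_HOSTS = {"LEGACY-NAS01"}


def detect_suspicious_ntlm_logons(events, baseline=KNOWN_NTLM_ONLY_HOSTS):
    """Return 4624 network logons that used NTLM without a negotiated session
    key, excluding anonymous and machine accounts and baselined hosts.
    This is a heuristic (an assumption of this example), not proof of a
    pass-the-hash: each hit still needs triage against the source host."""
    hits = []
    for ev in events:
        if ev["EventCode"] != 4624 or ev["LogonType"] != "3":
            continue
        if ev["AuthenticationPackageName"] != "NTLM" or ev["KeyLength"] != "0":
            continue
        user = ev["TargetUserName"]
        if user == "ANONYMOUS LOGON" or user.endswith("$"):
            continue
        if ev["WorkstationName"] in baseline:
            continue
        hits.append({
            "time": ev["_time"],
            "account": user,
            "workstation": ev["WorkstationName"],
            "src": ev["IpAddress"],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_suspicious_ntlm_logons(SAMPLE_EVENTS):
        print("NTLM logon to review:", hit)
```

The Kerberos logon and the NTLM logon with a 128-bit session key in the sample are left alone on purpose: ordinary interactive NTLM authentication normally negotiates a session key, so the combination of NTLM and KeyLength 0 is what narrows the search.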

Event ID 1102: The Event Log has been cleared

As we’ve demonstrated above, Windows Event Logs can give a clear indication of threats and attacks, so naturally a hacker will attempt to cover their tracks. We will want to monitor any occurrence of the rare yet critical Event Code 1102, logged when an administrative account clears the Windows audit log. Thankfully, we’ll already have all the logs in Splunk!
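As an added example (my own code, not Options' search), the script below turns a 1102 record into an alert that names the clearing account, the host and the time. The records are constructed, shaped like the XML view of a Windows event, and the parser matches elements by local name so it does not depend on the exact namespaces; the field names in the sample are assumptions about how a 1102 record is laid out.

```python
import xml.etree.ElementTree as ET

# Constructed sample records (not copied from a real host), shaped like the
# XML view of Windows events: one Security-log 1102 and one ordinary 4624
# that the detector must ignore.
SAMPLE_RECORDS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog"/>
    <EventID>1102</EventID>
    <TimeCreated SystemTime="2019-06-01T10:15:02.000Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1111111111-2222222222-3333333333-1105</SubjectUserSid>
      <SubjectUserName>admin.jdoe</SubjectUserName>
      <SubjectDomainName>CORP</SubjectDomainName>
      <SubjectLogonId>0x5f3a2</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2019-06-01T10:14:55.000Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">admin.jdoe</Data>
  </EventData>
</Event>""",
]


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def detect_log_cleared(records):
    """Return one alert per 1102 record: which account cleared which log on
    which host, and when. 1102 is rare, so every occurrence is alertable and
    the alert should carry enough context to start an investigation."""
    alerts = []
    for xml_text in records:
        root = ET.fromstring(xml_text)
        text, attrs = {}, {}
        for el in root.iter():
            name = _local(el.tag)
            text[name] = (el.text or "").strip()
            attrs[name] = el.attrib
        if text.get("EventID") != "1102":
            continue
        alerts.append({
            "time": attrs.get("TimeCreated", {}).get("SystemTime"),
            "host": text.get("Computer"),
            "channel": text.get("Channel"),
            "account": "%s\\%s" % (text.get("SubjectDomainName"),
                                    text.get("SubjectUserName")),
            "logon_id": text.get("SubjectLogonId"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_cleared(SAMPLE_RECORDS):
        print("AUDIT LOG CLEARED:", alert)
```

The SubjectLogonId is worth keeping in the alert: it is the same logon session identifier that appears in the account's earlier 4624 record, which lets an analyst pivot from the clearing event back to where and how that session was established.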

At Options, our goal is to address the cybersecurity challenge through a seamless blend of vanguard technology, training tools and engineering. From highlighting unusual or anomalous behaviour to providing the alerting tools necessary for swift and effective management of system irregularities, our continuously proactive approach gives clients lasting peace of mind.

Security doesn’t end with security tools; well-trained employees and a strong supporting security team are also essential. In 2019 we’ve substantially expanded our team and extended our global operational presence, rolling out rigorous training programs across the board alongside numerous platform security enhancements and the deployment of new cybersecurity initiatives to safeguard our clients’ data. For the latest on our Security, Intelligence and Analytics product offering, download our product sheet here.
