Automated, continuous monitoring of Windows event logs is deployed with the capability to immediately alert the MSP to unusual, suspicious or malicious activity on an SMB (small and medium-sized business) network.
Disclaimer: This document provides guidance on a list of recommended Windows event IDs that MSPs (managed service providers) should be aware of when monitoring for malicious and/or suspicious activity. It is not a complete list, nor should these be the only events monitored. Where no monitoring is in place, this list can serve as a getting-started baseline. MSPs already monitoring event data should treat the guidance as a way to enhance their detection and alerting capability.
Threat
A lack of event log monitoring delays the detection of a security incident, so further damage to the SMB customer is not prevented in a timely manner. Dwell time, also known as the detection gap, is the period between the day an attacker first compromised the SMB and the day the compromise was actually detected. The average dwell time for North American SMBs is 206 days.
Guidance
RocketCyber's free Suspicious Event Log Monitor app helps MSPs implement a continuous monitoring service that reduces the dwell time for the customers being serviced from an average of 206 days to near real time. The following Windows event IDs are suggested for monitoring on most SMB networks:
Clearing Event Logs
Why – It is highly unlikely that event log data would be cleared during normal operation of an SMB, and highly probable that an attacker who clears a log is trying to cover their tracks. Any cleared log is suspicious, and alerting on this event makes it harder for attackers to hide. Event 1102 records the account that cleared the Security log, so a legitimate clear by an administrator can be confirmed quickly. Note that 1102 is only written when the Security log is cleared; clearing other logs, such as System or Application, is recorded as event 104 from the same provider in the System log.
| Event ID | Description | Log | Provider |
|---|---|---|---|
| 1102 | Audit log cleared | Security | Microsoft-Windows-Eventlog |
Account Usage
Why – Monitoring local account usage can detect unauthorized activity, including Pass-the-Hash attacks. Users added to privileged groups, remote logins and account lockouts are also suggested. An unauthorized account appearing in a privileged group is a probable indicator of malicious activity. Two practical caveats: 4624 is written for every logon on the system, so alert on the logon type and source rather than on every successful logon; and 4728/4732 fire for any security-enabled global or local group respectively, so filter on the group SID (for example Administrators, S-1-5-32-544, or Domain Admins) rather than alerting on every membership change. Universal groups are covered by 4756.
| Event ID | Description | Log | Provider |
|---|---|---|---|
| 4624 | Successful user account logon | Security | Microsoft-Windows-Security-Auditing |
| 4625 | Failed user account logon | Security | Microsoft-Windows-Security-Auditing |
| 4648 | Logon with explicit credentials | Security | Microsoft-Windows-Security-Auditing |
| 4728, 4732 | User added to privileged group (security-enabled global / local group) | Security | Microsoft-Windows-Security-Auditing |
| 4735 | Security-enabled local group modified | Security | Microsoft-Windows-Security-Auditing |
Kernel Driver Signing
Why – Kernel driver signing improves defenses against injection of malicious drivers and other activity in the Windows kernel. Detection of a signed driver that has been tampered with indicates malicious activity in most scenarios and requires immediate investigation. Microsoft's own description of these events notes that an invalid hash can also result from a disk error, so confirm the file path and compare the file against a known-good copy before escalating.
| Event ID | Description | Log | Provider |
|---|---|---|---|
| 5038 | Code integrity detected an invalid image hash of a file | Security | Microsoft-Windows-Security-Auditing |
| 6281 | Code integrity detected invalid page hashes of an image file | Security | Microsoft-Windows-Security-Auditing |
Remote Desktop Logon
Why – Remote desktop account activity often goes unnoticed and commonly evades security operations. This is partly because a remote desktop connection is recorded as an ordinary successful logon (event 4624); only the Logon Type field (10, RemoteInteractive) distinguishes it from a logon at the console. Reconnection to an existing session is recorded as 4778 rather than a new 4624. Today's SMB workforce in most cases requires no remote desktop logon, given the growth of employee laptops on the go and alternative ways to reach data and applications at the central office. While a few businesses still have legitimate usage, most don't, and any detected remote desktop login should be investigated.
| Event ID | Description | Log | Provider |
|---|---|---|---|
| 4624 (Logon Type 10) | Remote interactive logon | Security | Microsoft-Windows-Security-Auditing |
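One way to implement the baseline above as a triage script, added here as an example and not part of the original page or RocketCyber's app: it covers the log-clearing, account-usage, driver-signing and remote desktop event IDs listed in the sections above, pulling them live with Get-WinEvent or, for an offline dry run, from constructed sample events embedded at the bottom (XML namespaces omitted). The privileged-group SID list, the failed-logon threshold of three per batch, and the `param1` field name for the file path in 5038/6281 are assumptions to tune per customer.

```powershell
# Added example, not RocketCyber's app code: triage the Security-log event IDs
# from this page into alerts. Assumptions to tune per customer: the privileged
# group SID list, the failed-logon threshold, and 'param1' as the file-name
# field of code-integrity events.

$BaselineIds = 1102, 4624, 4625, 4648, 4728, 4732, 4735, 5038, 6281

# Group SIDs whose membership changes warrant an alert ('*' stands in for the
# domain part of domain SIDs): Administrators, Remote Desktop Users, Domain Admins, Enterprise Admins.
$PrivilegedGroupSids = 'S-1-5-32-544', 'S-1-5-32-555', 'S-1-5-21-*-512', 'S-1-5-21-*-519'

function Get-EventId([xml]$E) {
    # <EventID> becomes an element instead of a string when it carries a Qualifiers attribute.
    $n = $E.Event.System.EventID
    if ($n -is [System.Xml.XmlElement]) { return [int]$n.'#text' }
    return [int]$n
}

function Get-EventField([xml]$E, [string]$Name) {
    # Value of <Data Name="..."> under <EventData>; $null when the field is absent.
    $d = @($E.Event.EventData.Data | Where-Object { $_.Name -eq $Name })
    if ($d.Count -gt 0) { return [string]$d[0].'#text' }
    return $null
}

function Test-PrivilegedSid([string]$Sid) {
    foreach ($p in $PrivilegedGroupSids) { if ($Sid -like $p) { return $true } }
    return $false
}

function New-Alert($Severity, $Id, $Computer, $Detail) {
    [pscustomobject]@{ Severity = $Severity; EventId = $Id; Computer = $Computer; Detail = $Detail }
}

function Get-BaselineEvents {
    # Live collection: only the baseline IDs, only from the Security log, as XML documents.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Security'; Id = $BaselineIds; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { [xml]$_.ToXml() }
}

function Invoke-BaselineTriage {
    param([xml[]]$Events, [int]$FailedLogonThreshold = 3)
    $alerts = New-Object System.Collections.Generic.List[object]
    $failed = @{}   # TargetUserName -> number of 4625 events in this batch
    foreach ($e in $Events) {
        $id = Get-EventId $e
        $pc = [string]$e.Event.System.Computer
        switch ($id) {
            1102 {
                # Log-clear events record the actor under <UserData>, not <EventData>.
                $who = [string]$e.Event.UserData.LogFileCleared.SubjectUserName
                $alerts.Add((New-Alert 'High' $id $pc "Security log cleared by $who"))
            }
            4624 {
                # Every logon is a 4624; only LogonType 10 (RemoteInteractive) is RDP.
                if ((Get-EventField $e 'LogonType') -eq '10') {
                    $alerts.Add((New-Alert 'High' $id $pc ("RDP logon as {0} from {1}" -f (Get-EventField $e 'TargetUserName'), (Get-EventField $e 'IpAddress'))))
                }
            }
            4625 {
                $u = Get-EventField $e 'TargetUserName'; if (-not $u) { $u = '(unknown)' }
                $failed[$u] = 1 + [int]$failed[$u]
            }
            4648 {
                $alerts.Add((New-Alert 'Medium' $id $pc ("{0} used explicit credentials for {1}" -f (Get-EventField $e 'SubjectUserName'), (Get-EventField $e 'TargetUserName'))))
            }
            { $_ -in 4728, 4732, 4735 } {
                # TargetSid is the group that changed; alert only when it is privileged.
                if (Test-PrivilegedSid (Get-EventField $e 'TargetSid')) {
                    $alerts.Add((New-Alert 'High' $id $pc ("Privileged group {0} changed, member {1}" -f (Get-EventField $e 'TargetUserName'), (Get-EventField $e 'MemberSid'))))
                }
            }
            { $_ -in 5038, 6281 } {
                $alerts.Add((New-Alert 'High' $id $pc ("Code integrity failure: {0}" -f (Get-EventField $e 'param1'))))
            }
        }
    }
    foreach ($u in $failed.Keys) {
        if ($failed[$u] -ge $FailedLogonThreshold) {
            $alerts.Add((New-Alert 'Medium' 4625 '*' "$($failed[$u]) failed logons for $u in this batch"))
        }
    }
    return $alerts
}

# Constructed sample events (namespaces omitted) for an offline dry run.
$SampleEvents = @(
    '<Event><System><EventID>1102</EventID><Computer>WS01</Computer></System><UserData><LogFileCleared><SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData></Event>',
    '<Event><System><EventID>4624</EventID><Computer>WS01</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">203.0.113.7</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID><Computer>WS01</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>',
    '<Event><System><EventID>4732</EventID><Computer>DC01</Computer></System><EventData><Data Name="MemberSid">S-1-5-21-1111-2222-3333-1105</Data><Data Name="TargetUserName">Administrators</Data><Data Name="TargetSid">S-1-5-32-544</Data></EventData></Event>',
    '<Event><System><EventID>5038</EventID><Computer>WS01</Computer></System><EventData><Data Name="param1">\Device\HarddiskVolume2\Windows\System32\drivers\sample.sys</Data></EventData></Event>'
)
Invoke-BaselineTriage -Events $SampleEvents | Format-Table -AutoSize
# Live run against one customer host instead (needs Event Log Readers rights or equivalent):
# Invoke-BaselineTriage -Events (Get-BaselineEvents -ComputerName 'WS01') | Format-Table -AutoSize
```

On the sample batch the script raises four alerts (the log clear, the type-10 logon, the Administrators membership change and the code-integrity failure) and ignores the console logon, which is the volume control the text above asks for: 4624 only alerts on logon type 10, group-change events only alert when the target group SID is privileged, and 4625 is thresholded per user per batch rather than alerted individually. The live collector uses a FilterHashtable so only the baseline IDs are read from the Security log instead of the whole log; remote collection also needs the Remote Event Log Management firewall rule open on the customer host.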
Monitoring Windows event logs for suspicious activity will help your MSP identify compromises as they occur and reduce dwell time through immediate notification. Although Windows generates a tedious volume of logging, the RocketApp Event Log Monitor is designed to eliminate the noise and focus specifically on the security events that are relevant for most SMB customers. Additionally, for attacks that impact a Windows system, you will have an evidence trail that provides answers when an incident does happen.