Table of Contents
- Prerequisites and Setup
- Basic Security Events
- Domain Controller & Active Directory Monitoring
- User Behavior Analytics
- Policy Changes and Their Impact
- Compliance and ISO 27001
- Setting Up Proper Monitoring
- Analysis Techniques and Scripts
Prerequisites and Setup - Before We Dive In
Before we start hunting through Event IDs, let's make sure we have everything configured correctly. Trust me, there's nothing worse than missing critical events because of improper setup! 🔧
1. System Requirements
First, let's ensure our systems meet these basic requirements:
Minimum Event Log Sizes:
- Security: 4GB (crucial for security monitoring)
- Application: 1GB
- System: 1GB
- PowerShell Operational: 1GB (for script block logging)
Platform Requirements:
- Windows Server 2016 or later (for Domain Controllers)
- Windows 10/11 Enterprise (for workstations)
- Latest Windows Updates installed
- PowerShell 5.1 or later
2. Audit Policy Setup
Let's configure our audit policies properly. Here's what you'll need to do:
Via Group Policy (Recommended Method):
1. Open Group Policy Management Console
2. Create a new GPO or edit an existing one
3. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
Essential Policy Settings to Enable:
```powershell
# PowerShell command to verify current settings
auditpol /get /category:*
```
Required Categories (enable both Success and Failure):
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Group Policy Settings Walkthrough:
1. Account Logon Auditing:
Computer Configuration →
Windows Settings →
Security Settings →
Advanced Audit Policy →
Account Logon
√ Audit Credential Validation (Success and Failure)
√ Audit Kerberos Authentication Service (Success and Failure)
√ Audit Kerberos Service Ticket Operations (Success and Failure)
2. Object Access Auditing:
Computer Configuration →
Windows Settings →
Security Settings →
Advanced Audit Policy →
Object Access
√ Audit File System (Success and Failure)
√ Audit Registry (Success and Failure)
√ Audit Handle Manipulation (Success and Failure)
3. Initial Setup Steps
Let's configure everything step by step:
1. Configure Log Sizes:
```powershell
# Run PowerShell as Administrator
# Security Log (4GB)
wevtutil sl Security /ms:4294967296
# Application Log (1GB)
wevtutil sl Application /ms:1073741824
# System Log (1GB)
wevtutil sl System /ms:1073741824
# PowerShell Operational Log (1GB)
wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:1073741824
```
2. Enable PowerShell Logging:
```powershell
# Enable Script Block Logging. The policy key below is read by both the 32- and 64-bit
# PowerShell hosts; the Wow6432Node path only affects the 32-bit host.
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
# Enable Module Logging. Without a ModuleNames entry nothing is logged; "*" means all modules.
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "EnableModuleLogging" -Value 1 -Type DWord
New-Item -Path "$regPath\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$regPath\ModuleNames" -Name "*" -Value "*"
```
3. Configure Group Policy Templates:
Download and install the latest Administrative Templates (.admx) for your Windows version from Microsoft. Then:
- Copy the .admx files to: `C:\Windows\PolicyDefinitions`
- Copy the .adml files to: `C:\Windows\PolicyDefinitions\en-US`
- Configure via Group Policy Management Editor:
Computer Configuration →
Administrative Templates →
Windows Components →
Windows PowerShell
√ Turn on Module Logging
√ Turn on PowerShell Script Block Logging
√ Turn on PowerShell Transcription
4. Verification Steps
After setup, verify everything is working correctly:
1. Check Audit Policy Configuration:
```powershell
# Check all audit policies
auditpol /get /category:*
# Check specific category
auditpol /get /category:"Object Access"
```
2. Verify Log Sizes:
```powershell
# Check all log sizes
Get-WinEvent -ListLog * | Where-Object {$_.RecordCount -gt 0} |
    Select-Object LogName, MaximumSizeInBytes, RecordCount |
    Sort-Object MaximumSizeInBytes -Descending |
    Format-Table -AutoSize
```
3. Test Event Generation:
```powershell
# Write a test event to the Application log (the source must be registered for that log)
Write-EventLog -LogName Application -Source "Application" -EventId 1000 -Message "Test event"
# Run a script block; with script block logging enabled this produces Event ID 4104
# in the Microsoft-Windows-PowerShell/Operational log
$testScript = "Write-Host 'Testing script block logging'"
Invoke-Expression $testScript
```
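Here's an added example (not from the original post) that checks the effective audit policy and the log maximums against the values from this setup section in one pass. It assumes an elevated prompt, since `auditpol /get` needs one, and uses the subcategory names exactly as auditpol prints them.

```powershell
# Added example: compare effective audit policy and log maximums with this section's minimums.
# Assumes an elevated prompt (auditpol requires it) and Windows PowerShell 5.1 or later.
$requiredSubcategories = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'File System',
    'Registry',
    'Handle Manipulation'
)
$minimumLogBytes = @{
    'Security'                                 = 4GB
    'Application'                              = 1GB
    'System'                                   = 1GB
    'Microsoft-Windows-PowerShell/Operational' = 1GB
}

# auditpol /r prints CSV with "Subcategory" and "Inclusion Setting" columns
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

$findings = @(foreach ($name in $requiredSubcategories) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Subcategory not found' }
    if ($actual -ne 'Success and Failure') {
        [PSCustomObject]@{ Check = "Audit: $name"; Expected = 'Success and Failure'; Actual = $actual }
    }
})

$findings += @(foreach ($log in $minimumLogBytes.Keys) {
    $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if (-not $cfg) {
        [PSCustomObject]@{ Check = "Log: $log"; Expected = $minimumLogBytes[$log]; Actual = 'Log not present' }
    } elseif ($cfg.MaximumSizeInBytes -lt $minimumLogBytes[$log]) {
        [PSCustomObject]@{ Check = "Log: $log"; Expected = $minimumLogBytes[$log]; Actual = $cfg.MaximumSizeInBytes }
    }
})

if ($findings.Count -eq 0) {
    "All required audit subcategories and log sizes are in place."
} else {
    $findings | Format-Table -AutoSize
}
```

Every row in the output is a setting that silently drops events you expect to see, so run it again after `gpupdate /force` until it comes back empty.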
5. Troubleshooting Common Issues
If you run into problems, check these common issues:
Issue: Events Not Being Logged
- Verify audit policies are applied: `gpresult /H report.html`
- Check event log service is running: `Get-Service EventLog`
- Verify log size limits aren't reached
Issue: Policy Not Applying
- Run: `gpupdate /force`
- Check Group Policy inheritance
- Verify security filtering
⚠️ Important Notes:
1. Performance Impact
- Large log sizes can impact system performance
- Heavy auditing may affect system resources
- Consider storage requirements for long-term logging
2. Security Considerations
- Don't disable logs during maintenance
- Monitor log clearing events (Event ID 1102)
- Regular backup of event logs is recommended
3. Maintenance
- Regularly archive old logs
- Monitor available disk space
- Review and adjust log sizes as needed
Once you've completed all these steps, you're ready to start monitoring those Event IDs we'll discuss next! 👍
1. Basic Security Events - The Foundation
Before we dive into the advanced stuff, let's establish our baseline. These are the events you absolutely must monitor:
Authentication Events:
- 4624 - Successful logon
- 4625 - Failed logon
- 4634 - Logoff
- 4647 - User initiated logoff
- 4648 - Explicit credential logon
- 4672 - Special privileges assigned
```powershell
# Failed logons (4625) in the last hour. EventData positions used:
# 5 = TargetUserName, 13 = WorkstationName, 19 = IpAddress, 7 = Status, 9 = SubStatus
# (index 2 is SubjectDomainName, which is not the source of the attempt)
$startTime = (Get-Date).AddHours(-1)
$failedLogons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = $startTime
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{N='Username';E={$_.Properties[5].Value}},
        @{N='Workstation';E={$_.Properties[13].Value}},
        @{N='Source';E={$_.Properties[19].Value}},
        @{N='Status';E={$_.Properties[7].Value}},
        @{N='SubStatus';E={$_.Properties[9].Value}}
# Sources with more than 5 failures in the window (password guessing candidates)
$failedLogons | Group-Object Source |
    Where-Object {$_.Count -gt 5} |
    Select-Object Name,Count
```
2. Domain Controller & Active Directory Events - The Crown Jewels
Your Domain Controllers are the heart of your network. Here's what to watch:
Directory Service Events:
- 4662 - An operation was performed on an object
- 4741 - A computer account was created
- 4742 - A computer account was changed
- 4743 - A computer account was deleted
- 5136 - A directory service object was modified
- 5137 - A directory service object was created
- 5138 - A directory service object was undeleted
- 5139 - A directory service object was moved
- 5141 - A directory service object was deleted
- Schema modifications (Event ID 5137 with specific object classes)
- SYSVOL changes
- Domain Trust modifications
- AD database changes
- FSMO role changes
```powershell
# Monitor for sensitive AD changes (run on a Domain Controller; needs DS Access auditing
# and a SACL on the objects of interest, otherwise 5136-5141 are never written)
$criticalADEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = @(5136,5137,5138,5139,5141)
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Read EventData by name: Properties[5] is SubjectLogonId, not the DN, and
    # 5138/5139 carry OldObjectDN/NewObjectDN instead of ObjectDN
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        ID          = $_.Id
        ObjectDN    = if ($data.ObjectDN) { $data.ObjectDN } else { $data.NewObjectDN }
        ObjectClass = $data.ObjectClass
        Modifier    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    }
}
# Look for modifications to sensitive groups
$sensitiveGroups = @('Domain Admins','Enterprise Admins','Schema Admins')
$criticalADEvents | Where-Object {
    # Capture the DN first: inside the inner pipeline $_ is the group name, not the event
    $dn = $_.ObjectDN
    @($sensitiveGroups | Where-Object { $dn -like "*CN=$_,*" }).Count -gt 0
}
```
3. Group Policy Changes - The Silent Configuration Manager
Group Policy changes can have wide-reaching effects. Monitor these events:
Group Policy Events:
- 4706 - A new trust was created to a domain
- 4707 - A trust to a domain was removed
- 4739 - Domain Policy was changed
- 5136 - GPO modification (when targeting GP containers)
- 5137 - GPO creation
- 5141 - GPO deletion
```powershell
# Monitor GPO Changes (GPO containers live under CN=Policies,CN=System in the domain)
$gpoEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = @(5136,5137,5141)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Where-Object {
    # ObjectDN is Properties[8] for these three IDs; Properties[5] is the logon ID
    $_.Properties[8].Value -like "*CN=Policies,CN=System*"
} | Select-Object TimeCreated,ID,
    @{N='GPO';E={$_.Properties[8].Value}},
    @{N='User';E={$_.Properties[3].Value}}
```
4. User Behavior Analytics - The Human Element
Understanding normal vs. abnormal user behavior is crucial.
Here's what to track:
User Activity Events:
- 4688 - Process creation
- 4689 - Process termination
- 4663 - File system/registry access attempt
- 4657 - Registry value modification
- 4698 - Scheduled task creation
- 4699 - Scheduled task deletion
- 4702 - Scheduled task updated
- 4103 - Module logging (4103-4106 are written to the Microsoft-Windows-PowerShell/Operational log, not to Security)
- 4104 - Script block logging
- 4105 - Command start
- 4106 - Command stop
```powershell
# Track unusual process creation patterns (CommandLine needs the
# "Include command line in process creation events" policy, otherwise Properties[8] is empty)
$processes = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4688
    StartTime = (Get-Date).AddHours(-4)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated,
    @{N='User';E={$_.Properties[1].Value}},
    @{N='Process';E={$_.Properties[5].Value}},
    @{N='CommandLine';E={$_.Properties[8].Value}}
# Group by user and process to find unusual patterns (more than 10 launches of one binary in 4 hours)
$processes | Group-Object User | ForEach-Object {
    $user = $_.Name
    $userProcesses = $_.Group | Group-Object Process
    $unusualCount = $userProcesses | Where-Object { $_.Count -gt 10 }
    if ($unusualCount) {
        Write-Warning "User $user has suspicious process patterns:"
        $unusualCount | Format-Table Name,Count
    }
}
```
5. Application Execution Monitoring - Know What's Running
Monitor application execution with these events:
Application Events:
- 4688 - Process creation (with command line tracking)
- 3001 - AppLocker policy applied
- 8002 - AppLocker exe/dll allowed
- 8003 - AppLocker exe/dll denied
- 8004 - AppLocker script allowed
- 8005 - AppLocker script denied
```powershell
# Track processes with command line arguments (requires "Include command line in process creation events")
$suspiciousCommands = @(
    'powershell.exe.*encode',
    'cmd.exe.*/c',
    '.*bypass.*',
    'certutil.*-urlcache',
    'bitsadmin.*transfer'
)
# One alternation regex replaces the loop inside Where-Object; -match is case-insensitive by default
$pattern = $suspiciousCommands -join '|'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4688
    StartTime = (Get-Date).AddHours(-12)
} -ErrorAction SilentlyContinue | Where-Object {
    $cmdLine = $_.Properties[8].Value
    $cmdLine -and $cmdLine -match $pattern
} | Select-Object TimeCreated,
    @{N='User';E={$_.Properties[1].Value}},
    @{N='CommandLine';E={$_.Properties[8].Value}}
```
6. Local Policy Changes - The System Configuration
Track changes to local security policies:
Policy Change Events:
- 4719 - System audit policy was changed
- 4907 - Auditing settings on object were changed
- 4912 - Per user audit policy was changed
- 4713 - Kerberos policy was changed
- 4717 - System security access was granted to an account
- 4718 - System security access was removed from an account
- 4739 - Domain Policy was changed
```powershell
# Monitor security policy changes (the Policy Change category must be audited)
# Properties[3] is SubjectLogonId and Properties[4] differs per event ID, so the
# subcategory (TaskDisplayName) and the rendered message are used instead
$policyChanges = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = @(4719,4907,4912,4713)
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated,ID,
    @{N='User';E={"$($_.Properties[2].Value)\$($_.Properties[1].Value)"}},
    @{N='Category';E={$_.TaskDisplayName}},
    @{N='Change';E={($_.Message -split "`r?`n")[0]}}
# Alert on critical changes
$policyChanges | Where-Object {
    $_.Category -match 'Audit|Privilege|Token' -or $_.Change -match 'Audit|Privilege|Token'
} | Format-Table -AutoSize
```
7. ISO 27001 Alignment - Meeting Compliance
ISO 27001 requires monitoring of specific activities. Here's how to align your monitoring:
A.9 Access Control:
- Monitor events 4624, 4625 (authentication)
- Track 4720, 4722, 4723 (account management)
- Log 4728, 4732, 4756 (group membership changes)
A.12 Operations Security:
- Monitor events 4688, 4689 (process execution)
- Track 4663, 4656 (file access)
- Log 5140 (network share access)
A.12.4 Logging Requirements:
- User activities (4624, 4634)
- Privileged operations (4672, 4673)
- System exceptions (1000, 1001)
- Security events (4625, 4648)
```powershell
# Basic ISO 27001 compliance check: is each control area producing events at all?
$isoEvents = @{
    'Authentication'     = @(4624,4625)
    'Account_Management' = @(4720,4722,4723)
    'Privileged_Access'  = @(4672,4673)
    'System_Changes'     = @(4688,4689)
}
$report = foreach ($category in $isoEvents.Keys) {
    # @() so .Count is 0 for no events and 1 for a single event
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        ID        = $isoEvents[$category]
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        Category   = $category
        EventCount = $events.Count
        # Get-WinEvent returns newest first, so the first entry is the most recent
        LastEvent  = ($events | Select-Object -First 1).TimeCreated
        Status     = if ($events.Count -gt 0) {'Logging Active'} else {'No Logs Found'}
    }
}
$report | Format-Table -AutoSize
```
Best Practices for Implementation
1. Log Size Management:
```powershell
# Increase log size to 4GB
wevtutil sl Security /ms:4294967296
wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:1073741824
```
2. Audit Policy Configuration:
```powershell
# Configure advanced audit policy
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"DS Access" /success:enable /failure:enable
auditpol /set /category:"Object Access" /success:enable /failure:enable
auditpol /set /category:"Policy Change" /success:enable /failure:enable
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
auditpol /set /category:"System" /success:enable /failure:enable
```
3. PowerShell Logging:
```powershell
# Enable via Registry (this policy key covers both 32- and 64-bit hosts; Wow6432Node only covers 32-bit PowerShell)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
```
Common Attack Patterns to Watch
1. Golden Ticket Attacks:
- Multiple 4624 events with NTLM authentication
- Service account authentication outside business hours
- Unusual TGT request patterns
2. DCSync Attacks:
- Event ID 4662 with specific GUID {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
- Replication requests from non-DC machines
3. Kerberoasting:
- Multiple 4769 events with RC4 encryption
- Service ticket requests for multiple services from single account
4. Living Off The Land:
- PowerShell/WMI events outside normal patterns
- LOLBAS tool execution (certutil.exe, bitsadmin.exe, etc.)
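As an added example (not from the original post), here's a hunt for two of the patterns above, DCSync and Kerberoasting, written to run on a Domain Controller with the audit settings from the setup section. The second replication GUID, the `$` suffix test for computer accounts and the service-count threshold are assumptions to tune for your environment.

```powershell
# Added example: hunt for the DCSync and Kerberoasting indicators listed above.
# Assumes a Domain Controller with DS Access and Kerberos Service Ticket Operations
# auditing enabled; the threshold and account filters are assumptions to tune.
function Get-EventFields {
    # Read EventData by field name so the logic does not depend on Properties[] positions
    param($Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$since = (Get-Date).AddHours(-24)

# DCSync: 4662 where the requested control access right is a directory replication right.
# First GUID is the one quoted above (DS-Replication-Get-Changes); second is DS-Replication-Get-Changes-All.
$replicationGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')
$dcsync = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        # Legitimate replication comes from DC computer accounts (names ending in $); treat others as findings
        if ($f.Properties -match ($replicationGuids -join '|') -and $f.SubjectUserName -notlike '*$') {
            [PSCustomObject]@{ Time = $_.TimeCreated; Subject = $f.SubjectUserName; Object = $f.ObjectName }
        }
    }

# Kerberoasting: 4769 service tickets with RC4 (TicketEncryptionType 0x17) for many distinct
# service accounts from one requester; krbtgt and computer accounts are excluded
$serviceThreshold = 5
$roasting = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4769; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TicketEncryptionType -eq '0x17' -and $f.ServiceName -notlike 'krbtgt*' -and $f.ServiceName -notlike '*$') {
            [PSCustomObject]@{ Account = $f.TargetUserName; Service = $f.ServiceName; Source = $f.IpAddress }
        }
    } |
    Group-Object Account |
    Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $serviceThreshold } |
    Select-Object @{N='Account';E={$_.Name}},
        @{N='DistinctServices';E={@($_.Group.Service | Sort-Object -Unique).Count}},
        @{N='Sources';E={@($_.Group.Source | Sort-Object -Unique) -join ', '}}

"DCSync candidates: $(@($dcsync).Count)";        $dcsync   | Format-Table -AutoSize
"Kerberoasting candidates: $(@($roasting).Count)"; $roasting | Format-Table -AutoSize
```

Accounts that replicate legitimately (directory sync or backup service accounts) belong on the allow list described under False Positive Management, not in the filter.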
Pro Tips
1. Performance Considerations:
- Use targeted event collection
- Implement log rotation
- Consider event forwarding for centralized collection
2. False Positive Management:
- Baseline normal activity first
- Create allow lists for known good behavior
- Document maintenance windows
3. Incident Response Integration:
- Create automated alerts for critical events
- Maintain event correlation rules
- Document investigation procedures