You now understand Windows architecture, authentication, file systems, the registry, PowerShell, and Active Directory. This lesson focuses on the defensive side: how Windows records security-relevant events, how to configure auditing, and how to detect the attacks you have been learning about through event log analysis.
A security professional who cannot read Windows event logs is like a doctor who cannot read X-rays. The evidence of compromise is almost always in the logs, if you know where to look.
Windows uses a structured event logging system. Events are stored in .evtx files and organized into channels (logs). The most important logs for security are:
| Log Name | Location | Purpose | Key Event IDs |
|---|---|---|---|
| Security | Security.evtx | Authentication, authorization, policy changes | 4624, 4625, 4648, 4672, 4720, 4728, 4732 |
| System | System.evtx | System-level events, service starts/stops | 7045 (new service), 7036 (service state change) |
| Application | Application.evtx | Application events and errors | Varies by application |
| PowerShell Operational | Microsoft-Windows-PowerShell/Operational | PowerShell execution details | 4103 (module logging), 4104 (script block logging) |
| Sysmon | Microsoft-Windows-Sysmon/Operational | Advanced system monitoring | 1 (process create), 3 (network connect), 7 (image load), 8 (create remote thread) |
| Windows Defender | Microsoft-Windows-Windows Defender/Operational | Defender detections | 1116 (detection), 1117 (action taken) |
| LSA Operational | Microsoft-Windows-LSA/Operational | LSA authentication events | Credential validation, package loading |
```powershell
# List all available event logs that contain at least one record
# (-ErrorAction: some logs are not readable without elevation)
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object { $_.RecordCount -gt 0 } |
    Select-Object LogName, RecordCount, FileSize, LastWriteTime |
    Sort-Object RecordCount -Descending | Format-Table -AutoSize

# Get the size and configuration of the Security log
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, FileSize, RecordCount, LogMode

# Increase Security log size (default is often 20MB, far too small for security monitoring)
wevtutil sl Security /ms:1073741824   # Set to 1GB

# Clear a log (useful in lab environments)
wevtutil cl Security
```

The Security log is the most important log for detecting attacks. Here are the event IDs every security professional must know:
| Event ID | Description | Attack Detection Use |
|---|---|---|
| 4624 | Successful logon | Detect unusual logon times, types, or source IPs |
| 4625 | Failed logon | Brute-force detection; account lockout threshold monitoring |
| 4648 | Logon with explicit credentials | Detect Pass-the-Hash, credential forwarding, or lateral movement |
| 4672 | Special privileges assigned | Detect privilege escalation; admin logon monitoring |
| 4688 | Process creation | Detect malicious process execution (requires command line logging) |
| 4697 | Service installed | Detect persistence via new service installation |
| 4720 | User account created | Detect unauthorized account creation (backdoor accounts) |
| 4728 | Member added to security-enabled global group | Detect privilege escalation via group membership |
| 4732 | Member added to security-enabled local group | Detect local admin group modifications |
| 4768 | Kerberos TGT requested | Detect Kerberoasting (RC4 encryption type), unusual TGT requests |
| 4769 | Kerberos service ticket requested | Detect Kerberoasting (Event ID 4769 with RC4 and specific services) |
| 4771 | Kerberos pre-authentication failed | Detect brute-force or AS-REP Roasting attempts |
| 4776 | NTLM authentication | Detect NTLM relay or brute-force attempts |
| 5140 | Network share accessed | Detect lateral movement via SMB shares |
| 1102 | Audit log cleared | Detect log tampering (attacker covering tracks) |
Default Windows auditing is insufficient for security monitoring. You must configure Advanced Audit Policy via Group Policy or local security policy:

```powershell
# View current audit policies
auditpol /get /category:*

# Configure critical audit policies via command line
# Logon/Logoff auditing
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable

# Account management auditing
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable

# Process tracking (for Event ID 4688 with command line)
auditpol /set /subcategory:"Process Creation" /success:enable

# Enable command line in process creation events (critical for detecting attacks)
# Via Group Policy: Computer Config > Admin Templates > System > Audit Process Creation
# Or via registry (the Audit key does not exist by default, so create it first):
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey `
    -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWord -Force

# PowerShell Script Block Logging (from previous lesson)
# Also enable Module Logging:
$modulePath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path $modulePath -Force | Out-Null
Set-ItemProperty -Path $modulePath -Name "EnableModuleLogging" -Value 1 -Type DWord
$moduleNames = "$modulePath\ModuleNames"
New-Item -Path $moduleNames -Force | Out-Null
Set-ItemProperty -Path $moduleNames -Name "*" -Value "*"   # Log all modules
```

💡 Enabling command line logging in process creation events (Event ID 4688) is one of the most impactful security configurations you can make. Without it, you see that a process started but not what command was executed. With it, you see the full command line, including arguments, encoded commands, download cradles, and other attacker techniques that would otherwise be invisible.
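Policies that were never applied, or that a later GPO silently reverted, are a common reason an incident leaves no trace. As an added check (not code from the lesson), this script verifies that the settings above are actually in effect; it assumes an elevated session and an English locale, because it parses auditpol's localized text output.

```powershell
# Audit-gap check (added example, not part of the original lesson). Assumes an English
# locale: auditpol's "Inclusion Setting" text is localized. Run elevated.

function Test-AuditSubcategory {
    param([string]$Subcategory, [string[]]$Expect)   # $Expect: 'Success' and/or 'Failure'
    # auditpol /r emits CSV with an "Inclusion Setting" column such as "Success and Failure"
    $row = auditpol /get /subcategory:"$Subcategory" /r |
           Where-Object { $_ -ne '' } | ConvertFrom-Csv |
           Where-Object { $_.Subcategory -eq $Subcategory }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Unknown' }
    $missing = @($Expect | Where-Object { $setting -notmatch $_ })
    [pscustomobject]@{ Check = "Audit: $Subcategory"; Current = $setting; OK = ($missing.Count -eq 0) }
}

function Test-RegistryFlag {
    param([string]$Path, [string]$Name, [string]$Label)
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $current = if ($null -eq $value) { 'not set' } else { $value }
    [pscustomobject]@{ Check = $Label; Current = $current; OK = ($value -eq 1) }
}

function Get-AuditGaps {
    $results = @(
        Test-AuditSubcategory 'Logon'                     @('Success', 'Failure')
        Test-AuditSubcategory 'Logoff'                    @('Success')
        Test-AuditSubcategory 'Account Lockout'           @('Failure')
        Test-AuditSubcategory 'Special Logon'             @('Success')
        Test-AuditSubcategory 'User Account Management'   @('Success', 'Failure')
        Test-AuditSubcategory 'Security Group Management' @('Success')
        Test-AuditSubcategory 'Process Creation'          @('Success')
        Test-RegistryFlag 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
            'ProcessCreationIncludeCmdLine_Enabled' '4688 includes command line'
        Test-RegistryFlag 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
            'EnableScriptBlockLogging' 'PowerShell script block logging (4104)'
        Test-RegistryFlag 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
            'EnableModuleLogging' 'PowerShell module logging (4103)'
    )
    $results | Format-Table -AutoSize
    # Return only the failing checks so a remediation script can act on them
    $results | Where-Object { -not $_.OK }
}

Get-AuditGaps
```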
Let us map the attacks you have learned about to specific event log detections:

```powershell
# === DETECT PASS-THE-HASH ===
# Look for Event ID 4624 with Logon Type 3 (network) and NTLM authentication
# from unusual source workstations
# 4624 EventData positions: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 100 |
    Where-Object { $_.Message -match 'Logon Type:\s+3' -and $_.Message -match 'NTLM' } |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[5].Value}},
        @{N='SourceIP';E={$_.Properties[18].Value}},
        @{N='LogonType';E={$_.Properties[8].Value}}

# === DETECT KERBEROASTING ===
# Event ID 4769 with RC4 encryption (Ticket Encryption Type 0x17)
# and multiple requests in a short time
# 4769 EventData position 0 = TargetUserName (the account requesting the tickets)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} -MaxEvents 200 |
    Where-Object { $_.Message -match 'Ticket Encryption Type:\s+0x17' } |
    Group-Object { $_.Properties[0].Value } |
    Where-Object { $_.Count -gt 5 } |
    Select-Object Name, Count | Sort-Object Count -Descending

# === DETECT DCSYNC ===
# Event ID 4662 with the replication control access rights
# (DS-Replication-Get-Changes 1131f6aa-..., DS-Replication-Get-Changes-All 1131f6ad-...);
# the rendered message may show the right's name or only its GUID, so match both
# Look for non-DC accounts performing directory replication
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4662} -MaxEvents 500 |
    Where-Object {
        $_.Message -match 'Replicating Directory Changes|1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' -and
        $_.Message -notmatch 'NT AUTHORITY|DC01|DC02'   # Exclude known DCs (replace with your DC names)
    } | Select-Object TimeCreated, Message

# === DETECT GOLDEN TICKET ===
# Event ID 4768 with unusually long ticket lifetime
# or TGTs for accounts that don't normally request them
# Also: Event ID 4624 with Logon Type 9 (new credentials) from unusual sources
# 4768 EventData positions: 0 = TargetUserName, 6 = Status, 9 = IpAddress
# (4768 and 4769 lay out their fields differently; do not reuse indices between them)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768} -MaxEvents 100 |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[0].Value}},
        @{N='SourceIP';E={$_.Properties[9].Value}}

# === DETECT LSASS ACCESS (CREDENTIAL DUMPING) ===
# Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe
# with specific access rights (0x1010, 0x1FFFFF, 0x1F3FFF)
# Sysmon renders its fields as "Name: value" lines, e.g. "GrantedAccess: 0x1010"
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=10} -MaxEvents 200 |
    Where-Object { $_.Message -match 'TargetImage:[^\r\n]*\\lsass\.exe' } |
    Select-Object TimeCreated,
        @{N='SourceProcess';E={ if ($_.Message -match 'SourceImage:\s+([^\r\n]+)') { $Matches[1] } }},
        @{N='AccessMask';E={ if ($_.Message -match 'GrantedAccess:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] } }}

# === DETECT LOG CLEARING ===
# Event ID 1102: the audit log was cleared (attacker covering tracks)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102} -MaxEvents 10
```

⚠️ In the sample output of the Kerberoasting query, sql_service appears with 23 RC4 service ticket requests in a short time window. This is highly indicative of a Kerberoasting attack. The attacker is requesting service tickets for accounts with SPNs and attempting to crack them offline. The sql_service account should be investigated immediately: check whether its password is weak or whether it has been compromised. Also investigate the source IP of these requests.
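The table above lists Event ID 4625 for brute-force detection, but the queries do not show how to turn a stream of failures into an alert. The following is an added example (not code from the lesson) that applies a sliding time window per source IP and separates a brute-force attempt (one account, many failures) from a password spray (many accounts, few failures each). The threshold and window are assumptions to tune per environment; the sample events are constructed so the logic runs offline.

```powershell
# Brute-force / password-spray detection over Event ID 4625 (added example, not part
# of the original lesson). Thresholds are assumptions; tune them for your environment.

function Get-FailedLogonEvents {
    param([int]$Hours = 24)
    # 4625 EventData positions: 5 = TargetUserName, 10 = LogonType, 19 = IpAddress
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddHours(-$Hours)} |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[5].Value
                               LogonType = $_.Properties[10].Value; SourceIP = $_.Properties[19].Value }
        }
}

function Find-LogonAttacks {
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    foreach ($group in ($Events | Group-Object SourceIP)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Advance the window start until the window spans at most $WindowMinutes
            while (($sorted[$end].Time - $sorted[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $inWindow = $end - $start + 1
            if ($inWindow -ge $Threshold) {
                $users = @($sorted[$start..$end].User | Sort-Object -Unique)
                # Many distinct users with few attempts each = spray; one user hammered = brute force
                $pattern = if ($users.Count -ge [int]($inWindow / 2)) { 'PasswordSpray' } else { 'BruteForce' }
                [pscustomobject]@{ SourceIP = $group.Name; Failures = $inWindow
                                   DistinctUsers = $users.Count; Pattern = $pattern; WindowEnd = $sorted[$end].Time }
                break   # one alert per source IP; the analyst pivots from here
            }
        }
    }
}

# Constructed sample data (not real logs): 12 failures against one account from 10.0.0.5,
# 12 failures across 12 accounts from 10.0.0.9, and three spread-out failures from 10.0.0.7
$t0 = Get-Date '2024-01-01 09:00:00'
$sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(10 * $_); User = 'administrator'; LogonType = 3; SourceIP = '10.0.0.5' } }
    0..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); User = "user$_";        LogonType = 3; SourceIP = '10.0.0.9' } }
    0..2  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes(30 * $_); User = 'jsmith';       LogonType = 2; SourceIP = '10.0.0.7' } }
)
Find-LogonAttacks -Events $sample | Format-Table -AutoSize   # flags 10.0.0.5 (BruteForce) and 10.0.0.9 (PasswordSpray)

# On a live host:
# Find-LogonAttacks -Events (Get-FailedLogonEvents -Hours 24)
```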
Sysmon (System Monitor) is Microsoft's free, powerful system monitoring tool that extends Windows event logging. It is considered essential for any security monitoring program:
| Sysmon Event ID | Description | Security Value |
|---|---|---|
| 1 | Process Creation | Full command line, parent process, hashes: detect malicious execution |
| 3 | Network Connection | Outbound connections: detect C2 communication |
| 7 | Image Loaded | DLL loading: detect DLL injection, sideloading |
| 8 | CreateRemoteThread | Thread injection: detect process injection techniques |
| 10 | Process Access | LSASS access: detect credential dumping |
| 11 | File Created | File creation: detect dropped malware |
| 12/13/14 | Registry Events | Registry modifications: detect persistence |
| 15 | FileCreateStreamHash | ADS creation: detect alternate data streams |
| 19/20/21 | WMI Events | WMI activity: detect WMI-based persistence/execution |
| 22 | DNS Query | DNS resolution: detect C2 domain lookups |
```xml
<!-- Example Sysmon config snippet for detecting LSASS access -->
<!-- Save as sysmonconfig.xml and install with: sysmon64 -accepteula -i sysmonconfig.xml -->
<Sysmon schemaversion="4.70">
  <EventFiltering>
    <!-- Detect processes accessing LSASS (credential dumping) -->
    <RuleGroup name="LSASS Access" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- Detect process injection (CreateRemoteThread) -->
    <RuleGroup name="Process Injection" groupRelation="or">
      <CreateRemoteThread onmatch="exclude">
        <SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
      </CreateRemoteThread>
    </RuleGroup>
    <!-- Detect new service installations (persistence). Sysmon has no ServiceInstall
         event (that is System log Event ID 7045); a new service is visible to Sysmon as
         a registry write under the Services key (Event ID 12/13). This rule is noisy on
         busy hosts; narrow it with "contains" \ImagePath if needed -->
    <RuleGroup name="Service Install" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="begin with">HKLM\System\CurrentControlSet\Services\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Effective log analysis requires more than just reading events. Here are best practices for security monitoring:
```powershell
# Create a custom view for security-relevant events
# This XML query filters for critical security events across multiple event IDs
$xmlQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or
                EventID=4688 or EventID=4697 or EventID=4720 or EventID=4728 or
                EventID=4732 or EventID=4768 or EventID=4769 or EventID=4771 or
                EventID=1102)]]
    </Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml ([xml]$xmlQuery) -MaxEvents 50 |
    Select-Object TimeCreated, Id,
        @{N='Summary';E={$_.Message.Substring(0, [Math]::Min(120, $_.Message.Length))}} |
    Format-Table -AutoSize -Wrap

# Export events for offline analysis
New-Item -ItemType Directory -Path "C:\Logs" -Force | Out-Null   # Export-Csv does not create the folder
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} |
    Export-Csv -Path "C:\Logs\logons_24h.csv" -NoTypeInformation
```
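The detection queries in this lesson pull fields by Properties[] index, and those indices differ between event IDs (4768 and 4769 place the client IP at different positions). As an added example (not code from the lesson), the parser below reads EventData fields by name from the event XML that every record exposes via .ToXml(), and then applies the Kerberoasting check with the usual false-positive exclusions (computer accounts and krbtgt). The sample 4769 event is constructed so the block runs offline.

```powershell
# Named-field event parsing (added example, not part of the original lesson).
# Reads EventData by name from the event XML instead of by Properties[] index.

function ConvertFrom-EventXml {
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $fields = [ordered]@{
            EventID     = [int]$doc.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
            TimeCreated = [datetime]$doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        }
        # Each <Data Name="..."> child becomes a property named after its Name attribute
        foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) { $fields[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]$fields
    }
}

function Test-KerberoastCandidate {
    param([pscustomobject]$Event)
    # RC4 (0x17) service ticket for a real service account. Computer accounts (names ending
    # in $) and krbtgt also request RC4 tickets legitimately and are the usual false positives.
    $Event.EventID -eq 4769 -and $Event.TicketEncryptionType -eq '0x17' -and
        $Event.ServiceName -notmatch '\$$' -and $Event.ServiceName -ne 'krbtgt'
}

# Constructed sample event (not real log data), trimmed to the fields used here
$sample4769 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2024-01-01T09:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe@CORP.LOCAL</Data>
    <Data Name="ServiceName">sql_service</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.0.0.5</Data>
  </EventData>
</Event>
'@
$parsed = $sample4769 | ConvertFrom-EventXml
Test-KerberoastCandidate $parsed   # True for this sample

# Live host: every Get-WinEvent record exposes this XML through .ToXml()
# Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-EventXml |
#     Where-Object { Test-KerberoastCandidate $_ } | Group-Object TargetUserName, IpAddress
```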