In this article, we will dive into the world of Windows forensics and explore how to leverage the power of the Windows Events log to detect and investigate unauthorized access to Windows computers and servers.
This article will shed light on the events that hold critical clues for uncovering unauthorized access. Additionally, I will guide you through the essential steps required to carry out a comprehensive investigation.
I will also provide handy PowerShell scripts to expedite your forensic tasks further and save valuable time.
Pre-requisites
Windows, by default, records events related to session logon, with event IDs:
- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
The session login could be interactive logon, Network logon, remote interactive logon etc…
The “Logon Type” property contains the logon type code.
The following table describes the different codes and their description:
| Logon Type | Logon Title | Description |
0 | System | Used only by the System account, for example at system startup. |
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
12 | CachedRemoteInteractive | Same as RemoteInteractive. This is used for internal auditing. |
13 | CachedUnlock | Workstation logon. |
However, Windows will not tell you which file or folder the user accessed by default unless you enable the “Audit object access” policy.
Enable Audi Object Access Policy
1/ On a standalone Workstation:
- Click the start menu, then type the following command to open the local group policy editor: gpedit.msc
- On the group policy editor, navigate to “Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy” then double-click on the “Audit object access” policy.
- Check both Success and Failure options.
Now Windows will record every access to objects, whether successful or unsuccessful.
2/ On Domain machines:
You can use the group policy Management tool on a domain network to enable the access audit on all or part of the domain-joined machines.
You can choose to apply the policy on sensitive Servers and Workstations.
- Open the Group Policy Management tool.
- Right-click on your domain, then select “Create a GPO in this domain, and link it here…”
- Give a name to your policy and click OK.
- Edit the newly created policy.
- Navigate to “Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy” then double-click on the “Audit object access” policy.
Check the following boxes:
Now you are ready for the forensics job.
Investigate local access.
Windows, by default, remember the last opened session. So, if someone else opens a session on your computer with another username, you will see the previous logged-on username when you start your computer.
In some organizations, the last user to log on to the client computers feature is disabled for security reasons. This will prevent an attacker from collecting account names and trying to guess their password.
In that case, you need to use the event viewer to determine who has logged on to your computer.
- Open the Event Viewer
- Select the Security log, then filter on the event ID 4624 (An account was successfully logged on)
- The filter will display all the events related to successful login on the computer, whether interactive, remote, batch, or service logon.
- To narrow down our research to only the local session login, we need to focus on the “Logon type” code 2 (Interactive), 7 (Unlock), 11 (cached interactive), and 13 (CachedUnlock).
- The Security ID and Account Name display the username of who logged on.
Investigate Remote Access
To check if someone has remotely accessed a computer, we will rely on the same event ID 4624, but focus on the “Logon Type” code 3 (Network), 10 (Remote Interactive), 12 (Cached Remote Interactive).
The interesting fields in a forensic investigation are the account name, the Workstation name, and the source IP address.
Using Powershell Script to Speed up The Forensic Investigation Process:
Doing a manual search on the Windows Event logs to find specific information while conducting a forensics investigation could be overwhelming, especially when dealing with a large number of events.
Here is when a Powershell script comes in handy—the following PowerShell script list all the events with the ID 4624.
Having the information listed in a table format with all the necessary data for an investigation will help spot the event you are searching for quickly. On top of that, you can export the list into an Excel sheet where you can apply different filters (Ex: on the event date) to find the information you are interested in quickly.
Write-Host "List of the logged in sessions:"
Write-Host
$events = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -ErrorAction SilentlyContinue |
Where-Object {$_.Properties[8].Value -eq 2 -or $_.Properties[8].Value -eq 11 -or $_.Properties[8].Value -eq 3} |
Select-Object -Unique @{Name='WorkstationName';Expression={$_.Properties[11].Value}},
@{Name='SourceAddress';Expression={$_.Properties[18].Value}},
@{Name='AccountDomain';Expression={$_.Properties[6].Value}},
@{Name='AccountName';Expression={$_.Properties[5].Value}},
@{Name='LogonType';Expression={
if ($_.Properties[8].Value -eq "2") { "Interactive"}
elseif ($_.Properties[8].Value -eq "3") { "Network"}
elseif ($_.Properties[8].Value -eq "7") { "workstation was unlocked"}
elseif ($_.Properties[8].Value -eq "10") { "Remote Interactive"}
elseif ($_.Properties[8].Value -eq "11") { "Cached Interactive"}
elseif ($_.Properties[8].Value -eq "12") { "Cached Remote Interactive"}
else { "" }
}},
TimeCreated
$remoteLogins = $events | Sort-Object WorkstationName
$remoteLogins | Format-Table -AutoSize
Example of a result of script execution:
List of the logged in sessions:
WorkstationName SourceAddress AccountDomain AccountName LogonType TimeCreated
--------------- ------------- ------------- ----------- --------- -----------
- - Window Manager DWM-1 Interactive 6/16/2023 7:45:05 PM
- - Font Driver Host UMFD-0 Interactive 6/16/2023 7:45:04 PM
- - Font Driver Host UMFD-1 Interactive 6/16/2023 7:45:04 PM
- - Window Manager DWM-1 Interactive 6/16/2023 7:42:08 PM
- - Window Manager DWM-1 Interactive 6/16/2023 7:42:08 PM
- - Font Driver Host UMFD-0 Interactive 6/16/2023 7:42:07 PM
- - Font Driver Host UMFD-1 Interactive 6/16/2023 7:42:07 PM
- - Window Manager DWM-1 Interactive 6/16/2023 7:45:05 PM
- - Window Manager DWM-2 Interactive 6/14/2023 4:02:04 PM
- ::1 CORP.ZINETEK.COM WRKNY-22001$ Network 6/15/2023 7:01:32 PM
- - Window Manager DWM-5 Interactive 6/15/2023 7:27:10 PM
- - Font Driver Host UMFD-5 Interactive 6/15/2023 7:27:10 PM
- ::1 CORP.ZINETEK.COM WRKNY-22001$ Network 6/15/2023 7:01:31 PM
- - Font Driver Host UMFD-3 Interactive 6/24/2023 11:37:59 AM
- - Window Manager DWM-2 Interactive 6/24/2023 11:37:52 AM
- - Font Driver Host UMFD-2 Interactive 6/24/2023 11:37:52 AM
- - Font Driver Host UMFD-4 Interactive 6/15/2023 7:26:51 PM
- ::1 CORP.ZINETEK.COM WRKNY-22001$ Network 6/14/2023 4:04:31 PM
- ::1 CORP.ZINETEK.COM WRKNY-22001$ Network 6/14/2023 4:06:06 PM
- - Font Driver Host UMFD-3 Interactive 6/14/2023 4:06:46 PM
- - Window Manager DWM-3 Interactive 6/14/2023 4:06:46 PM
- - Window Manager DWM-3 Interactive 6/14/2023 4:06:46 PM
- ::1 CORP.ZINETEK.COM WRKNY-22001$ Network 6/14/2023 4:06:04 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:41:33 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:42:14 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:41:03 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:38:31 PM
ENDUSER-PC 192.168.217.55 ZINETEK peter.parker Network 6/15/2023 7:26:49 PM
ENDUSER-PC 192.168.217.54 ZINETEK peter.parker Network 6/24/2023 11:37:51 AM
ENDUSER-PC 192.168.217.54 ZINETEK peter.parker Network 6/24/2023 11:37:49 AM
ENDUSER-PC 192.168.217.54 ZINETEK peter.parker Network 6/24/2023 11:31:17 AM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:02:21 PM
ENDUSER-PC 192.168.217.55 ZINETEK peter.parker Network 6/14/2023 12:05:07 PM
ENDUSER-PC 192.168.217.55 ZINETEK ENDUSER-PC$ Network 6/14/2023 12:13:30 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:02:06 PM
ENDUSER-PC 192.168.217.55 ZINETEK ENDUSER-PC$ Network 6/14/2023 12:13:44 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:19:47 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:19:47 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:19:59 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:28:14 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:38:43 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:39:24 PM
ENDUSER-PC 192.168.217.55 ZINETEK david.banner Network 6/14/2023 12:40:17 PM
ENDUSER-PC 192.168.217.55 ZINETEK ENDUSER-PC$ Network 6/14/2023 12:13:59 PM
ENDUSER-PC 192.168.217.55 ZINETEK peter.parker Network 6/15/2023 7:26:48 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/14/2023 4:01:24 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/24/2023 11:49:06 AM
WRKNY-22001 127.0.0.1 ZINETEK peter.parker Interactive 6/14/2023 4:04:15 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/24/2023 11:29:50 AM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/24/2023 11:21:39 AM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/24/2023 11:12:05 AM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 9:09:33 PM
WRKNY-22001 ::1 ZINETEK Administrator Cached Interactive 6/16/2023 8:46:47 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 8:46:22 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 8:25:54 PM
WRKNY-22001 ::1 ZINETEK Administrator Cached Interactive 6/16/2023 8:04:54 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 8:03:42 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 7:47:50 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 12:33:37 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/16/2023 12:15:22 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/15/2023 7:50:28 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/15/2023 7:27:44 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/15/2023 6:55:58 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/14/2023 4:31:23 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/14/2023 4:07:31 PM
WRKNY-22001 127.0.0.1 ZINETEK peter.parker Interactive 6/14/2023 4:04:15 PM
WRKNY-22001 127.0.0.1 ZINETEK tony.stark Cached Interactive 6/14/2023 11:48:45 AMInvestigate Access To Documents
When a hacker does unauthorized access to a computer or a server, it’s to get hold of data. So you need to know which data the hacker has made access to.
The event ID 5145 is your best friend when doing that job.
- Open the event viewer.
- Then apply a filter on the event ID 5145.
From the event details, you can read the following:
The account “peter.parker”, had access to a “File”, from the source IP address “192.168.217.54”.
Under the “Share Information” section, you have the path to the file (C:\Tony Stark\Secret Document.txt).
Scrolling all the 5145 events and checking them individually is a lot of effort. Here is where a PowerShell script comes in handy.
Automate The Document Access Investigation With PowerShell
The following PowerShell script will parse all the events with 5145 ID and will list all the interesting ones (Read, Write, Delete) in a list.
Write-Host "List of documents and files handled: "
Write-Host
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145} -ErrorAction SilentlyContinue |
Where-Object { $_.Properties[10].Value -eq "0x2" -or $_.Properties[10].Value -eq "0x80" -or $_.Properties[10].Value -eq "0x110080" -or $_.Properties[10].Value -eq "0x10080" -or $_.Properties[10].Value -eq "0x120089"} |
Select-Object @{Name='AccountName';Expression={$_.Properties[1].Value}},
@{Name='DomainName';Expression={$_.Properties[2].Value}},
@{Name='ObjectType';Expression={$_.Properties[4].Value}},
@{Name='SharePath';Expression={$_.Properties[8].Value}},
@{Name='RelativeTargetName';Expression={$_.Properties[9].Value}},
@{Name='AccessMask';Expression={"{0:X}" -f [int]$_.Properties[10].Value}},
@{Name='AccessType';Expression={
if ($_.Properties[10].Value -eq "0x2") { "WRITE" }
elseif (($_.Properties[10].Value -eq "0x120089") -or ($_.Properties[10].Value -eq "0x80")) { "READ" }
elseif (($_.Properties[10].Value -eq "0x110080") -or ($_.Properties[10].Value -eq "0x10080") ) { "DELETE" }
else { "" }
}},
@{Name='SourceAddress';Expression={$_.Properties[5].Value}},
TimeCreated
$events | Format-Table -AutoSize
Here is an example of the execution result of this script:
List of documents and files handled:
AccountName DomainName ObjectType SharePath RelativeTargetName AccessMask AccessType SourceAddress TimeCreated
----------- ---------- ---------- --------- ------------------ ---------- ---------- ------------- -----------
peter.parker ZINETEK File \??\C:\ TONY STARK\IRON MAN 110080 DELETE 192.168.217.54 6/25/2023 4:50:21 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\Iron man\Iron man plans.txt 10080 DELETE 192.168.217.54 6/25/2023 4:50:21 PM
peter.parker ZINETEK File \??\C:\ TONY STARK\IRON MAN 110080 DELETE 192.168.217.54 6/25/2023 4:50:21 PM
peter.parker ZINETEK File \??\C:\ \ 120089 READ 192.168.217.54 6/25/2023 4:50:21 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\Iron man\desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:50:19 PM
peter.parker ZINETEK File \??\C:\ Users\tony.stark\Documents 80 READ 192.168.217.54 6/25/2023 4:50:16 PM
peter.parker ZINETEK File \??\C:\ TONY STARK\SPIDER MAN.TXT 2 WRITE 192.168.217.54 6/25/2023 4:50:14 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\Spider man.txt 120089 READ 192.168.217.54 6/25/2023 4:50:08 PM
peter.parker ZINETEK File \??\C:\ Tony Stark 80 READ 192.168.217.54 6/25/2023 4:50:08 PM
peter.parker ZINETEK File \??\C:\ Users\tony.stark\Documents\desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:50:07 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\New Text Document.txt 110080 DELETE 192.168.217.54 6/25/2023 4:50:07 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\New Text Document.txt 2 WRITE 192.168.217.54 6/25/2023 4:50:02 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\New Text Document.txt 80 READ 192.168.217.54 6/25/2023 4:50:02 PM
peter.parker ZINETEK File \??\C:\ Tony Stark 80 READ 192.168.217.54 6/25/2023 4:49:58 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\Secret Document.txt 80 READ 192.168.217.54 6/25/2023 4:49:54 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\Secret Document.txt 120089 READ 192.168.217.54 6/25/2023 4:49:54 PM
peter.parker ZINETEK File \??\C:\ Tony Stark\Secret Document.txt 80 READ 192.168.217.54 6/25/2023 4:49:54 PM
peter.parker ZINETEK File \??\C:\ Program Files\Internet Explorer\images\desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:49:51 PM
peter.parker ZINETEK File \??\C:\ Users\tony.stark\Documents 80 READ 192.168.217.54 6/25/2023 4:49:48 PM
peter.parker ZINETEK File \??\C:\ Users\desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:49:48 PM
peter.parker ZINETEK File \??\C:\ Program Files (x86)\desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:49:48 PM
peter.parker ZINETEK File \??\C:\ Program Files\desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:49:48 PM
peter.parker ZINETEK File \??\C:\ desktop.ini 120089 READ 192.168.217.54 6/25/2023 4:49:48 PM What does that data mean from a forensic perspective?
- The account “peter.parker” has read the file “C :\Tony Stark\Secret Document.txt”
- The same account then created a new text file under the path “C:\Tony Stark\”, then renamed this new document to “Spider man.txt”
- He wrote something in the “Spider man.txt” file.
- He deleted the folder “C:\Tony Stark\Iron man” and all its content (In the example, there was only one file under this folder “Iron man plans.txt”).
Conclusion
This article overviews Windows forensics and focuses on using the Windows Events log to detect and investigate unauthorized access to Windows computers and servers.
It emphasizes the importance of enabling the “Audit object access” policy to record every access to objects on a Windows system.
Overall, the article highlights the significance of Windows forensics in uncovering unauthorized access and emphasizes the value of leveraging the Windows Events log and PowerShell scripts to streamline the investigation process.
By following the recommended procedures and utilizing the tools provided, you can effectively enhance your ability to identify and respond to security incidents on Windows systems.