How to optimize Windows event logging to better investigate attacks

The default event logging in Windows 10 won't give you enough information to properly conduct intrusion forensics. These settings and tools will help you collect the needed log data.


After a compromise, the first thing investigators will do is review the log files. The default logging on Windows machines, however, does not capture enough information to identify forensic artifacts. You can adjust your logging settings to get enough information to investigate attacks.

First, download and install Sysmon (from the Sysinternals suite) on outward-facing machines. Sysmon installs as a system service and device driver, stays resident across reboots, and writes its events to the Windows event log under Applications and Services Logs\Microsoft\Windows\Sysmon\Operational. It provides detailed information about process creations, network connections, and changes to file creation time.

You can tweak Sysmon as noted in the Sysmon cheat sheet to optimize its use, specifically around monitoring events that are a sign of malicious activity. GitHub offers additional resources on Sysmon.
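The following is an added example, not code from the article or from the Sysmon cheat sheet: it installs Sysmon with a minimal configuration that covers the three event types named above (process creation, file creation time changes, network connections) and then checks that events are arriving. The install path, the excluded Defender image, the list of network-connecting binaries and the schema version 4.22 are assumptions; the schema version must not exceed what your Sysmon binary supports (`sysmon64.exe -s` prints it).

```powershell
# Added example: install Sysmon with a minimal config covering
# process creation (ID 1), file creation time change (ID 2) and
# network connections (ID 3). Run from an elevated 64-bit PowerShell prompt.
$workDir = 'C:\Tools\Sysmon'                     # assumed install path
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/Sysmon.zip' `
                  -OutFile "$workDir\Sysmon.zip"
Expand-Archive -Path "$workDir\Sysmon.zip" -DestinationPath $workDir -Force

# schemaversion 4.22 is an assumption; check 'sysmon64.exe -s' on your binary.
$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- ID 1: log every process creation except one known-noisy image -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">\MsMpEng.exe</Image>
    </ProcessCreate>
    <!-- ID 2: an empty exclude list logs every file-time change (timestomping is rare) -->
    <FileCreateTime onmatch="exclude" />
    <!-- ID 3: network connections from scripting hosts and LOLBins only -->
    <NetworkConnect onmatch="include">
      <Image condition="end with">\powershell.exe</Image>
      <Image condition="end with">\cmd.exe</Image>
      <Image condition="end with">\mshta.exe</Image>
      <Image condition="end with">\rundll32.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path "$workDir\sysmon-config.xml" -Value $config -Encoding ASCII

# -i installs the driver and service with this config; later use -c <file> to
# swap the config in place and -c alone to dump the active one.
& "$workDir\Sysmon64.exe" -accepteula -i "$workDir\sysmon-config.xml"

# Verify: the service is running and events are landing in the Sysmon channel
Get-Service -Name Sysmon64 | Select-Object Status, Name
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Start from an exclude-based ProcessCreate rule as above, then add exclusions for your own noisy software; an include-based rule for process creation is how intrusions go unlogged.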

[Image: Sysmon configuration guidance (MalwareArchaeology)]

Adjust the logging settings from the defaults to ensure you capture all the information you need to investigate system intrusions. MalwareArchaeology has several scripts and recommendations for additional logging settings, including:

Increase the log size

I do not recommend installing a physical server, a virtual server, a physical machine or a virtual machine without 200 gigs of hard drive space. Over time the WinSXS folder will grow. If you deploy systems and refresh them, meaning that you do a total rebuild and redeploy the operating system and all workstation applications during a workstation refresh, then you may be able to deploy with a smaller hard drive. If you have systems that will keep the same image and receive the semi-annual feature releases, over time the default hard drive space will grow. When deploying workstations or laptops, I always have SSD drives for speed. You should set larger log space properly regardless of your CPU.

This is what MalwareArchaeology recommends for specific logs (sizes in KB, the unit the Event Viewer "Maximum log size (KB)" field uses; the Windows default is 20,480 KB):

  • Application and System logs: at least 256,000 KB
  • PowerShell logs: at least 256,000 KB
  • Security log: 512,000 KB, or 1,024,000 KB (1 GB) if disk space allows
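The following is an added example, not code from the article or from MalwareArchaeology: it applies the sizes above with wevtutil, which takes bytes, and then reports what is actually in effect so that a log left small by an overriding policy stands out. The channel names for the two PowerShell logs and the 1,024,000 KB Security figure are the assumptions here.

```powershell
# Added example: set the recommended maximum log sizes and verify them.
# Values are KB (the Event Viewer unit); wevtutil wants bytes. Run elevated.
$sizesKB = [ordered]@{
    'Application'                              = 256000
    'System'                                   = 256000
    'Windows PowerShell'                       = 256000   # legacy PowerShell engine log
    'Microsoft-Windows-PowerShell/Operational' = 256000   # script block (4104) events
    'Security'                                 = 1024000
}

foreach ($log in $sizesKB.Keys) {
    $bytes = $sizesKB[$log] * 1024
    # sl = set log; /ms = maximum size in bytes; /rt:false = overwrite as needed
    & wevtutil.exe sl "$log" /ms:$bytes /rt:false
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to resize '$log'" }
}

# Report the effective size of each log and flag anything still below target
Get-WinEvent -ListLog ([string[]]$sizesKB.Keys) | ForEach-Object {
    $targetKB = $sizesKB[$_.LogName]
    $actualKB = [int]($_.MaximumSizeInBytes / 1024)
    [pscustomobject]@{
        Log         = $_.LogName
        ActualKB    = $actualKB
        TargetKB    = $targetKB
        Enabled     = $_.IsEnabled
        Mode        = $_.LogMode
        BelowTarget = $actualKB -lt $targetKB
    }
} | Format-Table -AutoSize
```

If BelowTarget stays true after the run, a Group Policy setting (Computer Configuration > Administrative Templates > Windows Components > Event Log Service) is overriding the local value; that policy is also the right place to set the sizes for a whole domain rather than machine by machine.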

Evaluate the ability and need to offload log files to an external device or security information and event management (SIEM) system. The more information you offload, the further back you can go when investigating. Attackers often install their payload and do not launch it immediately, so if you want to fully investigate an intrusion, you need to be able to look at events from well before the point of detection.

Log DNS and DHCP events

Domain controllers commonly host the DNS and DHCP roles, so to track what they are doing it's recommended to log both DNS and DHCP events. For DNS, enable debug logging (the Debug Logging tab of the server's properties in DNS Manager) with these options:

  • Log packets for debugging
  • Outgoing and incoming
  • UDP and TCP
  • Packet type request and response
  • Queries/transfers and updates

Windows Server 2016 and later include the DNS Server analytic (ETW) log; Windows Server 2012 R2 needs a hotfix to get the same capability. To enable the analytic log manually:

  • Enter "eventvwr.msc" at an elevated command prompt to open "Event Viewer".
  • In "Event Viewer", navigate to "Applications and Services Logs\Microsoft\Windows\DNS-Server".
  • Right-click on "DNS-Server".
  • Point to "View".
  • Click "Show Analytic and Debug Logs". The Analytical log will be displayed.
  • Right-click on "Analytical" and then click "Properties".
  • Under "When maximum event log size is reached", choose whether to overwrite events as needed or to stop logging and clear the log manually.
  • Select the "Enable logging" check box and click "OK".
  • Click "OK" again to enable the DNS Server Analytic event log.

For logging of DHCP, the goal is to determine if rogue systems have been added to your network. Enable the audit log and look for ID 10 (a new IP address was leased to a client). The DHCP audit log is a daily text file (by default DhcpSrvLog-<day>.log under %SystemRoot%\System32\dhcp), not an event log channel. You can enable it either in the graphical interface or via the PowerShell cmdlet Set-DhcpServerAuditLog.
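The following is an added example, not code from the article: it enables the DNS analytic channel and the DNS debug logging options listed above from PowerShell instead of Event Viewer, enables the DHCP audit log, and then scans audit-log lines for ID 10 leases to machines that are not in a known-asset list. It assumes an elevated session on a server holding both roles (so the DnsServer and DhcpServer modules are present); the file paths, the 512 MB channel size, the MAC allow list and the sample log lines are constructed for the example, and the Set-DnsServerDiagnostics parameter names are the ones I know to mirror the Get-DnsServerDiagnostics property names.

```powershell
# Added example: enable DNS analytic + debug logging and DHCP audit logging,
# then flag new leases (ID 10) to hosts outside a known-asset list.

# --- DNS analytic (ETW) channel: the same thing the Event Viewer steps enable.
# Size is set before enabling, since analytic logs refuse changes while enabled.
$dnsChannel = 'Microsoft-Windows-DNSServer/Analytical'
& wevtutil.exe sl $dnsChannel /ms:536870912 /rt:false     # 512 MB, overwrite as needed
& wevtutil.exe sl $dnsChannel /e:true

# --- DNS debug logging: the Debug Logging tab options (direction, transport,
# packet type, contents) plus a log file with a size cap.
Set-DnsServerDiagnostics -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true `
    -Queries $true -Answers $true -Notifications $true -Update $true `
    -QuestionTransactions $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\Logs\dns-debug.log' -MaxMBFileSize 500

# --- DHCP audit log (daily text file, rotated per weekday)
Set-DhcpServerAuditLog -Enable $true -Path 'C:\Windows\System32\dhcp' -MaxMBFileSize 70
Get-DhcpServerAuditLog

function Get-RogueLease {
    param([string[]]$Lines, [string[]]$KnownMac)
    # Audit log columns (per the file's own header):
    # ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,...
    foreach ($line in $Lines) {
        if ($line -notmatch '^\d+,') { continue }         # skip header and blank lines
        $f = $line -split ','
        if ($f[0] -ne '10') { continue }                    # 10 = new lease
        if ($KnownMac -contains $f[6].ToUpper()) { continue }
        [pscustomobject]@{ Time = "$($f[1]) $($f[2])"; IP = $f[4]; Host = $f[5]; MAC = $f[6] }
    }
}

# Hypothetical asset list; in practice export this from inventory.
$knownMacs = @('001122334455', 'AABBCCDDEEFF')

# Constructed sample lines in the audit-log layout (not real data)
$sample = @(
    'ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID',
    '00,03/05/20,09:00:01,Started,,,,,0',
    '10,03/05/20,09:15:22,Assign,192.168.1.50,HOST01.corp.local,001122334455,,12345',
    '11,03/05/20,09:16:03,Renew,192.168.1.51,HOST02.corp.local,AABBCCDDEEFF,,12346',
    '10,03/05/20,09:31:47,Assign,192.168.1.77,raspberrypi,DCA632112233,,12399'
)
Get-RogueLease -Lines $sample -KnownMac $knownMacs | Format-Table -AutoSize
# Only the raspberrypi lease (unknown MAC, ID 10) is reported; the renew (ID 11) is ignored.

# Against today's live file:
# $day = (Get-Date).ToString('ddd')   # e.g. 'Thu' on an en-US server
# Get-RogueLease -Lines (Get-Content "C:\Windows\System32\dhcp\DhcpSrvLog-$day.log") -KnownMac $knownMacs
```

Full packet debug logging on a busy DNS server is expensive; cap the file size as shown and ship it off the box, and treat the analytic channel (which is light) as the always-on source.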

Set audit policies

Review the audit policies set in your organization. Much of the needed auditing is not enabled by default, even on Windows 10. You can use the tool Log-MD to review the current settings and see whether they would let you detect malicious activity.

For example, on the default Surface laptop that I’m using, this tool reported deficiencies in logging settings. The resulting report indicated that my security log wasn’t large enough and both the PowerShell and application logs weren’t as large as recommended. It also recommended that I disable PowerShell v2 as downgrade attacks would be possible.

[Image: Log-MD auditing recommendations (Susan Bradley)]

Log-MD also recommended enabling this additional auditing:

[Image: Success/failure auditing settings (Susan Bradley)]

Each item listed as “S” needs to be set to “Success”. Any setting listed as “F” needs to be set to “Audit failures”. If the item is “S/F”, you need to audit for “Success and Failure”. Not applicable means that the item is not applicable for this machine.

[Image: Logon/logoff and object access settings (Susan Bradley)]

[Image: Privilege use and system settings (Susan Bradley)]

The (5) designation means that the CIS Benchmarks, United States Government Configuration Baseline (USGCB), and the Australian Cyber Security Centre (ACSC) do not cover the audited items.
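The following is an added example, not code from the article or from Log-MD: it takes a table of subcategories written in the S / F / S/F notation used above, applies it with auditpol, and reads the effective policy back in the same notation so that a mismatch is visible. The subcategories in the table are illustrative, not Log-MD's full list, and the block assumes an elevated session.

```powershell
# Added example: apply S / F / S/F audit settings with auditpol and verify.
# A domain GPO with Advanced Audit Policy settings overrides local auditpol
# changes at the next refresh, so use this on standalone boxes or for testing.
$auditPlan = [ordered]@{
    'Credential Validation'      = 'S/F'
    'Logon'                      = 'S/F'
    'Logoff'                     = 'S'
    'Special Logon'              = 'S'
    'Process Creation'           = 'S'
    'Removable Storage'          = 'S/F'
    'Other Object Access Events' = 'S/F'
    'Audit Policy Change'        = 'S/F'
    'Security System Extension'  = 'S/F'
}

function Set-AuditFromPlan {
    param([System.Collections.IDictionary]$Plan)
    foreach ($sub in $Plan.Keys) {
        $s = if ($Plan[$sub] -match 'S') { 'enable' } else { 'disable' }
        $f = if ($Plan[$sub] -match 'F') { 'enable' } else { 'disable' }
        & auditpol.exe /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub'" }
    }
}

function Get-AuditState {
    # /r emits CSV; 'Inclusion Setting' is the effective value, e.g.
    # "Success and Failure", "Success", "Failure" or "No Auditing".
    & auditpol.exe /get /category:* /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

Set-AuditFromPlan -Plan $auditPlan

# Read back the effective policy in the article's S / F notation
Get-AuditState | Where-Object { $auditPlan.Contains($_.Subcategory) } | ForEach-Object {
    $eff = switch ($_.'Inclusion Setting') {
        'Success and Failure' { 'S/F' }
        'Success'             { 'S' }
        'Failure'             { 'F' }
        default               { 'none' }
    }
    [pscustomobject]@{
        Subcategory = $_.Subcategory
        Wanted      = $auditPlan[$_.Subcategory]
        Effective   = $eff
        Matches     = ($eff -eq $auditPlan[$_.Subcategory])
    }
} | Format-Table -AutoSize
```

Subcategory settings only take effect when the legacy category settings are not applied over them; the security option "Audit: Force audit policy subcategory settings to override audit policy category settings" should be enabled wherever Advanced Audit Policy is used.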

"Other Object Access Events" is an auditing setting that will be noisy and chatty. In certain circumstances, on edge systems or highly sensitive machines, you will want to accept this extra chattiness. As documented in the Windows Advanced Logging Cheat Sheet, you want to enable Object Access / Other Object Access Events for Success and Failure, which adds events 4698 and 4702 for new and updated scheduled tasks. Each of these events contains the complete XML of the task, which identifies the user who created the task, the full command line, and the schedule details.

Another key item to audit is the use of external or USB flash drives. To enable this auditing, turn on Object Access / Removable Storage for Success and Failure. Access to files on removable media will then be logged as object access events (4663), flagging the use of such media devices on your computer.
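The following is an added example, not code from the article: it reads the 4698 and 4702 events that the "Other Object Access Events" setting produces, extracts the executable, arguments, run-as principal and creating user from the TaskContent XML inside each event, and lists tasks whose command runs a scripting host or points into a user-writable directory. The triage pattern, the look-back window and the helper names are this example's own; it assumes an elevated session, since reading the Security log requires administrative rights.

```powershell
# Added example: turn 4698/4702 scheduled-task audit events into a
# triage list by parsing the TaskContent XML each event carries.
function Convert-TaskAuditEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Every EventData field is a <Data Name="..."> element in the event XML
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # TaskContent is the task definition in the Task Scheduler schema,
    # which uses a default namespace, so XPath needs a prefix for it.
    $task = [xml]$d['TaskContent']
    $ns = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $execs = $task.SelectNodes('//t:Actions/t:Exec', $ns) | ForEach-Object {
        ('{0} {1}' -f $_.SelectSingleNode('t:Command', $ns).InnerText,
                      $_.SelectSingleNode('t:Arguments', $ns).InnerText).Trim()
    }

    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Action  = if ($Event.Id -eq 4698) { 'created' } else { 'updated' }
        Task    = $d['TaskName']
        ByUser  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        RunAs   = $task.SelectSingleNode('//t:Principals/t:Principal/t:UserId', $ns).InnerText
        Command = ($execs -join ' ; ')
    }
}

function Get-ScheduledTaskAuditEvent {
    param([int]$MaxEvents = 500, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4698, 4702; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { Convert-TaskAuditEvent -Event $_ }
}

# Triage: scripting hosts, LOLBins, or binaries living in user-writable paths
$suspicious = '(?i)(powershell|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32)|\\(Temp|AppData|Public)\\'

Get-ScheduledTaskAuditEvent |
    Where-Object { $_.Command -match $suspicious } |
    Sort-Object Time -Descending |
    Format-List
```

Because the event carries the whole task definition, this works even after the attacker deletes the task (4699) and nothing is left in the Task Scheduler library to inspect; that is the reason to accept the noise of this subcategory on machines you care about.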

Copyright © 2020 IDG Communications, Inc.
