According to Statcounter, 75.18% of servers across the globe use a Windows operating system.
Since the majority of organizations run on Windows, it makes them a popular target for attackers with access to a wide variety of Windows hacking tools. For this reason, ensuring network security largely depends on securing your Windows environment. The first step towards protecting Windows systems is correctly configuring security settings. Security admins should also audit and periodically track Windows event logs to detect malicious activity to prevent potential breaches.
However, it’s not an easy task. With numerous users logging on to Windows systems, monitoring event logs to spot malicious activity can become tough. By monitoring the wrong event IDs or not implementing an incident response system, you risk leaving dangerous vulnerabilities for hackers to exploit. Therefore, the key to securing your Windows network is auditing for critical security events and setting up alerts for detecting behavior anomalies.
Some critical Windows event IDs to monitor are:
-
-
Event ID 4625: Failed logon.
-
Event ID 1102: Audit log clearance.
-
Event ID 4657: Registry value modification.
-
Event ID 4673: A privileged service was called.
-
Event ID 4688: Creation of a new process.
-
Event ID 4771: Failed Kerberos pre-authentication.
-
Event ID 5156: Permitted an inbound or outbound connection to a server.
-
Event ID 4663: Attempt to access objects in the network.
-
So if you’re just wondering, “What should I monitor?” there are thousands of blogs on Google to tell you the exact event IDs that should be in your auditing checklist right now. But to get a deeper level of understanding about Windows security monitoring, check out our extensive Windows Auditing 101 online guide and learn the complete list of events you need to monitor and audit. In the guide, we explain:
-
-
What you need to know about Windows and Sysmon auditing, from the basics to what information you need to obtain from logs.
-
Which critical Windows and Sysmon event IDs you need to monitor.
-
How you can correlate these event IDs with other activities in your network to gain a holistic view of your security posture.
-
Use cases explained in the guide:
1. Basic Windows auditing use cases
-
-
Monitoring events to uncover attackers within the network
-
Monitoring unusual login activity
-
Discovering malicious registry changes
-
Detecting a possible brute-force attack
-
Auditing File and folder activities
-
Monitoring inbound and outbound connections
-
2. Advanced Windows auditing use cases
-
-
Detecting privileged account abuse
-
Detecting Kerberoasting and spraying attacks
-
Monitoring external devices used in your network
-
Tracking potential malware activity
-
Detecting a single account trying to log in to multiple hosts
-
3. Critical Sysmon logging use cases
-
-
Detecting malware from phishing attacks
-
Detecting Mimikatz activity in your network
-
Tracking registry modifications
-
Identifying DNS traffic
-
Detecting lateral movement
-
Detecting process tampering
-
The auditing guide was a great resource to learn about Windows security. Thanks!
Really insightful!