Chapter 10: Keeping Watch
Arc 3: Security Incident

"Keeping Watch" — Event Logs, Monitoring & Security Controls

Priya has assigned you to daily log review on the domain controller. What you find in the Security logs will change everything — 14 failed logon attempts against a ghost account at 3 AM.

Windows Event Logs: Your Eyes Inside the OS

Every meaningful action on a Windows system — a user logging in, a service crashing, a firewall rule blocking a connection, an account being created — gets recorded in Event Logs. They are the operating system's black box recorder, and they are the single most important data source for security monitoring and incident response.

Event logs are stored as .evtx files in C:\Windows\System32\winevt\Logs\. Each log file is a structured binary format that records events with timestamps, source identifiers, severity levels, and detailed message data. Unlike plain text log files, .evtx files support efficient querying and can be analyzed programmatically.

Key Log File Locations:
  • C:\Windows\System32\winevt\Logs\Security.evtx — Authentication, authorization, audit events
  • C:\Windows\System32\winevt\Logs\System.evtx — Kernel, drivers, services
  • C:\Windows\System32\winevt\Logs\Application.evtx — Application-level events
  • C:\Windows\System32\winevt\Logs\Setup.evtx — Windows Update, feature installs

Log Categories: The Five Main Channels

Windows organizes events into five primary log channels. Each serves a distinct purpose, and knowing which log to check is the first skill of effective monitoring.

  • Application: events from applications and programs, such as software crashes, database errors, and application warnings. Sources include SQL Server, IIS, the .NET runtime, and any application that registers an event source. Used by application developers and by sysadmins troubleshooting app issues.
  • System: events from Windows system components, such as the kernel, drivers, services (start/stop/fail), hardware errors, time synchronization, disk health, and network adapter changes. Used by sysadmins diagnosing system stability, hardware, and service issues.
  • Security: audit events controlled by the audit policy: logon/logoff (success and failure), object access, privilege use, account management, policy changes. This is the most important log for security. Used by security analysts, incident responders, and compliance auditors.
  • Setup: events related to Windows installation, updates, feature additions, and role installations. Tracks what was installed and when. Used by sysadmins tracking patching and system configuration changes.
  • Forwarded Events: events collected from remote computers via Windows Event Forwarding (WEF). Acts as a central collection point so you can monitor many machines from one location. Used by security teams with centralized monitoring (SIEM integration).

Security Note: Only the Security log requires special permissions to read. Standard users can read Application and System logs, but reading the Security log requires the SeSecurityPrivilege — typically held by Administrators and the LOCAL SYSTEM account. This prevents regular users from seeing who is logging in and what audit trails exist.

Event Severity Levels

Each event in the Application and System logs has a severity level that indicates its importance. The Security log uses a different classification — Audit Success and Audit Failure — since security events are about whether an action was permitted or denied, not whether something errored.

  • Information: normal operation recorded. Something happened as expected; no action needed. Example: a service started successfully; a Windows Update installed.
  • Warning: not an error yet, but a condition that could lead to problems if not addressed. Example: disk space is running low; a driver took longer than expected to initialize.
  • Error: a significant problem occurred. Something failed, and functionality may be affected. Example: a service failed to start; a driver crashed; an application faulted.
  • Critical 🚨: a severe failure requiring immediate attention. System stability may be compromised. Example: unexpected shutdown; kernel power failure; hardware malfunction.
  • Audit Success 🔒 (Security log only): an audited security event completed successfully. Example: a user successfully logged on (4624); a file was accessed with proper permissions.
  • Audit Failure 🚫 (Security log only): an audited security event failed; access was denied or authentication failed. Example: a failed logon attempt (4625); unauthorized file access denied.

Critical Security Event IDs

The Windows Security log can contain thousands of event types, but a handful of Event IDs are responsible for the vast majority of security-relevant information. Every security professional needs to know these by heart.

  • 4624 (Logon): Successful logon. Includes the Logon Type field, which tells you how the user authenticated:
      Type 2 = Interactive (keyboard at console)
      Type 3 = Network (SMB share access, net use)
      Type 7 = Unlock (workstation unlock)
      Type 10 = RemoteInteractive (RDP session)
    Why it matters: RDP logons (Type 10) from unexpected sources are suspicious.
  • 4625 (Logon): Failed logon attempt. Includes failure reason, source IP, and target account name. Why it matters: this is your early warning system for brute-force attacks. Multiple 4625 events in rapid succession from the same source IP mean automated password guessing.
  • 4634 (Logoff): An account was logged off. Paired with 4624 to determine session duration. Why it matters: helps establish how long an attacker (or user) was active on a system.
  • 4647 (Logoff): User-initiated logoff (as opposed to session timeout or disconnection). Why it matters: distinguishes deliberate logoff from forced disconnection, useful for forensic timelines.
  • 4672 (Special Logon): Special privileges assigned to a new logon. This fires when an admin account logs in. Why it matters: every admin logon generates this. If you see 4672 for an account that should NOT be an admin, you have a privilege escalation problem.
  • 4720 (Account Management): A user account was created. Why it matters: unexpected account creation (especially at odd hours or by unexpected users) could indicate an attacker creating a backdoor account.
  • 4722 (Account Management): A user account was enabled. Why it matters: disabled accounts being re-enabled without authorization is a red flag, especially former employee accounts.
  • 4725 (Account Management): A user account was disabled. Why it matters: normal during employee offboarding. Suspicious if admin accounts are being disabled (potential sabotage).
  • 4732 (Group Management): A member was added to a security-enabled local group. Why it matters: if someone adds an account to the Administrators or IT-Admins group without authorization, this is how you detect it.
  • 4740 (Account Management): A user account was locked out. Why it matters: account lockouts can indicate brute-force attacks that exceeded the lockout threshold. Also caused by users with expired cached credentials.
  • 4698 (Object Access): A scheduled task was created. Why it matters: attackers use scheduled tasks for persistence. A task created at 3 AM by a former employee's account is extremely suspicious.
  • 5140 (File Share): A network share object was accessed. Tracks who is accessing which shares from where. Why it matters: critical for detecting lateral movement, e.g., an account accessing Finance$ from an unexpected workstation.
  • 5156 (Filtering Platform): The Windows Filtering Platform allowed a network connection. Shows allowed network connections at the OS level. Why it matters: useful for detecting unexpected outbound connections (like a reverse shell calling home).
  • 1102 (Log Management): The audit log was cleared. Why it matters: clearing the Security log is an anti-forensic technique. If someone clears the Security log, Event ID 1102 is the last event recorded before the wipe. Attackers often clear logs to cover their tracks, but this event itself survives.

Event ID 4625 is your early warning system for brute-force attacks. A single failed logon is normal — people mistype passwords. But 14 failed logons against the same account in 47 seconds, all from the same IP, at 3:14 AM? That is an automated attack tool systematically guessing passwords. If someone had been watching the Security log in real time, the Meridian breach could have been stopped before it began.
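A sliding-window detector for exactly this pattern, added here as an example and not code from the chapter. It runs over records carrying TimeCreated, TargetUserName and IpAddress (fields every 4625 event exposes); the threshold and window are assumptions to tune against your lockout policy, and the sample records, date and addresses are constructed.

```powershell
function Find-LogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # records with TimeCreated, TargetUserName, IpAddress
        [int] $Threshold     = 5,                    # assumed: this many failures count as a burst...
        [int] $WindowSeconds = 60                    # assumed: ...inside this many seconds
    )
    # One source hammering one account is the classic shape, so group on that pair.
    $Events | Group-Object { "$($_.TargetUserName)|$($_.IpAddress)" } | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        $best  = $null
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until the window spans at most $WindowSeconds.
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $count = $end - $start + 1
            if ($count -ge $Threshold -and ($null -eq $best -or $count -gt $best.Failures)) {
                $best = [pscustomobject]@{
                    TargetUserName = $sorted[$end].TargetUserName
                    IpAddress      = $sorted[$end].IpAddress
                    Failures       = $count
                    FirstSeen      = $sorted[$start].TimeCreated
                    LastSeen       = $sorted[$end].TimeCreated
                }
            }
        }
        if ($best) { $best }   # report the densest window per (account, source) pair
    }
}

# Constructed sample: 14 failures against t.manning in 47 seconds from one CORP-WIFI address,
# plus two ordinary typos by intern01 hours apart (date and addresses are made up).
$t0 = [datetime]'2024-03-14T03:14:02'
$sample = @(
    0..13 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 3.6); TargetUserName = 't.manning'; IpAddress = '10.10.40.77' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(5); TargetUserName = 'intern01'; IpAddress = '10.10.20.15' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(6); TargetUserName = 'intern01'; IpAddress = '10.10.20.15' }
)

Find-LogonBurst -Events $sample | Format-Table -AutoSize
```

On the sample it reports only the t.manning/10.10.40.77 pair with all 14 failures; intern01's two typos, hours apart, never fill the window.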

Event Viewer: The GUI Tool

Event Viewer (eventvwr.msc) is the built-in GUI for browsing, filtering, and exporting event logs. It is the first tool most administrators reach for when investigating an issue.

Key capabilities of Event Viewer:

  • Browse logs — Navigate the tree: Windows Logs (Application, Security, System, Setup, Forwarded Events) and Applications and Services Logs (more granular per-component logs)
  • Filter current log — Right-click a log and select "Filter Current Log" to narrow by Event ID, time range, severity, source, or keyword. For example, filter Security log to Event ID 4625 to see only failed logons.
  • Custom views — Save frequently used filters as custom views. Create a "Failed Logons" view that automatically shows only Event ID 4625 events across all domain controllers.
  • Event details — Click any event to see the full XML-structured data, including the source IP address, account name, logon type, failure reason, and process information.
  • Export — Save logs as .evtx (native format) or .csv/.xml for analysis in other tools.
  • Attach tasks to events — Configure a task to run when a specific event occurs. For example, send an email alert whenever Event ID 1102 (log cleared) fires.

Pro Tip: Event Viewer is excellent for browsing, but for high-volume analysis (like searching millions of events across time ranges), Get-WinEvent in PowerShell is far more powerful and scriptable. Use Event Viewer for exploration, PowerShell for investigation.

Get-WinEvent: PowerShell's Log Query Engine

Get-WinEvent is the PowerShell cmdlet for querying event logs. It replaces the older Get-EventLog cmdlet and supports all modern log types including ETW (Event Tracing for Windows) providers.

The most important parameter is -FilterHashtable, which lets you build efficient queries that filter at the source rather than pulling all events and then filtering in the pipeline:

FilterHashtable Syntax:
# Basic: Get failed logons from Security log
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}

# Multiple Event IDs
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4672}

# Time range
Get-WinEvent -FilterHashtable @{
  LogName='Security'
  Id=4625
  StartTime=(Get-Date).AddDays(-7)
  EndTime=(Get-Date)
}

# Limit results
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20

# Query a remote computer
Get-WinEvent -ComputerName MD-DC01 -FilterHashtable @{LogName='Security'; Id=4625}

There is also wevtutil, a command-line tool for querying and managing event logs. It is faster than Get-WinEvent for large queries and supports XPath query syntax:

wevtutil Examples:
# Query last 5 Security events in text format
wevtutil qe Security /c:5 /f:text

# Export a log to file
wevtutil epl Security C:\Exports\security-backup.evtx

# List available logs
wevtutil el

Windows Firewall: Network Perimeter Defense

Windows Defender Firewall with Advanced Security is the host-based firewall built into every Windows installation. It inspects network traffic at the operating system level and decides whether to allow or block each connection based on a set of rules.

The firewall operates with three profiles, each representing a network type. When Windows detects what type of network it is connected to, it activates the corresponding profile:

  • Domain: active when the computer is connected to a network where it can authenticate to a domain controller (the corporate network). Default behavior: most permissive; allows remote management, file sharing, Group Policy, etc., because the network is trusted (domain-joined).
  • Private: active when the user has manually marked the network as "private" (e.g., a home network). Network discovery is enabled. Default behavior: moderate; allows some sharing but blocks most inbound connections from unknown sources.
  • Public: active on any unrecognized or untrusted network (coffee shop WiFi, airport, hotel). This is the default for new connections. Default behavior: most restrictive; blocks nearly all unsolicited inbound connections. Network discovery and file sharing are disabled.

Rule evaluation follows a strict order:

  1. Explicit Block rules are checked first. If a block rule matches, the packet is dropped immediately.
  2. Explicit Allow rules are checked next. If an allow rule matches, the packet is permitted.
  3. If no rule matches, the default action applies. For inbound traffic, the default is Block. For outbound traffic, the default is Allow.

The SQL Port Problem: At Meridian Dynamics, someone created an inbound firewall rule on MD-WEB01 that allows TCP port 1433 (SQL Server) from the entire CORP-WIFI VLAN (10.10.40.0/24). SQL Server should only be accessible from the SERVER VLAN (10.10.10.0/24). This misconfiguration means any device on the WiFi network — including the rogue laptop discovered in Chapter 9 — can connect directly to the database.

Firewall logging can be enabled per profile to record all allowed and dropped connections. Logs are written to C:\Windows\System32\LogFiles\Firewall\pfirewall.log. This is invaluable for detecting unauthorized connection attempts.
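A parser for pfirewall.log, added as an example (not the chapter's code), that turns the #Fields header into object properties and then flags allowed inbound connections to TCP 1433 from anywhere outside the SERVER VLAN. The column layout is the one Windows writes; the log lines, host addresses and timestamps are constructed.

```powershell
function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields header names the columns; other '#' lines are metadata.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
}

function Find-UnexpectedSqlAccess {
    # Allowed inbound TCP 1433 whose source is not in the SERVER VLAN (10.10.10.0/24, matched by prefix).
    param([object[]] $Records, [string] $ServerVlanPrefix = '10.10.10.')
    $Records | Where-Object {
        $_.action -eq 'ALLOW' -and $_.path -eq 'RECEIVE' -and $_.protocol -eq 'TCP' -and
        $_.'dst-port' -eq '1433' -and -not $_.'src-ip'.StartsWith($ServerVlanPrefix)
    }
}

# Constructed excerpt in the real pfirewall.log layout. 10.10.10.12 stands in for MD-WEB01,
# 10.10.10.20 for an application server, 10.10.40.77 for a laptop on CORP-WIFI.
$logLines = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-14 03:18:40 DROP TCP 10.10.40.77 10.10.10.12 50211 445 52 S 1234567 0 8192 - - - RECEIVE
2024-03-14 03:18:41 DROP TCP 10.10.40.77 10.10.10.12 50212 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-03-14 03:19:02 ALLOW TCP 10.10.10.20 10.10.10.12 49800 1433 0 - 0 0 0 - - - RECEIVE
2024-03-14 03:20:11 ALLOW TCP 10.10.40.77 10.10.10.12 51300 1433 0 - 0 0 0 - - - RECEIVE
2024-03-14 03:20:15 ALLOW TCP 10.10.10.12 10.10.10.20 1433 49800 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

$records = ConvertFrom-FirewallLog -Lines $logLines

# Who is being turned away, and on which ports? Repeated drops from one source look like a scan.
$records | Where-Object action -eq 'DROP' | Group-Object 'src-ip' |
    Select-Object @{n='SourceIp';e={$_.Name}}, Count, @{n='Ports';e={($_.Group.'dst-port' | Sort-Object -Unique) -join ','}}

# Which allowed SQL connections came from outside the SERVER VLAN? This is the CORP-WIFI rule showing up in the log.
Find-UnexpectedSqlAccess -Records $records | Select-Object date, time, 'src-ip', 'dst-port'
```

To run it against the live file, replace the constructed lines with Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log.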

Windows Defender: Endpoint Protection

Windows Defender Antivirus (now called Microsoft Defender Antivirus) is the built-in endpoint protection platform. It provides real-time protection against malware, ransomware, and other threats.

Key components:

  • Real-time protection — Scans files as they are opened, downloaded, or executed. Intercepts threats before they can run.
  • Cloud-delivered protection — Sends suspicious file metadata to Microsoft's cloud for analysis against the latest threat intelligence.
  • Behavior monitoring — Watches running processes for suspicious behavior patterns (like encrypting files rapidly, which indicates ransomware).
  • Tamper protection — Prevents attackers or malware from disabling Defender via registry changes or command-line tools.

Scan types:

  • Quick Scan: scans common malware locations: startup folders, user profiles, temp directories, registry run keys. When to use: as the daily scheduled scan; it catches most active threats quickly.
  • Full Scan: scans every file on every drive. Thorough but slow (can take hours). When to use: weekly, or after a suspected compromise, when you need to check everywhere.
  • Custom Scan: scans specific files or folders you choose. When to use: when you have a suspicious file and want to check it specifically.
  • Offline Scan: reboots into a special environment to scan before the OS fully loads, so it can detect rootkits that hide from normal scans. When to use: when you suspect a rootkit or persistent malware that evades normal scans.

Exclusions Are a Security Risk! Defender exclusions tell the antivirus to ignore specific files, folders, or processes. Developers and database admins often add exclusions for performance reasons (e.g., excluding SQL Server data directories from real-time scanning). But attackers know this — if they discover which paths are excluded, they can place malware there knowing it will never be scanned. At Meridian, the attacker placed the fake svchost.exe in C:\Users\Public\Downloads\ — fortunately not an excluded path, but it could have been.
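An audit of Defender path exclusions, added as an example and not part of the chapter: it lists each excluded path and whether standard users can write into it, which is what turns an exclusion into a safe drop location for malware. Get-MpPreference, Get-Acl and the group names are real Windows cmdlets and identities; the exclusion list passed at the end is constructed.

```powershell
# Identities that mean "any standard user". An Allow ACE granting one of them write access
# makes the excluded folder a place anyone on the box can drop a file Defender will not scan.
$BroadIdentities = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Test-UserWritable([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return $false }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadIdentities -contains $ace.IdentityReference.Value -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Get-DefenderExclusionReport {
    # Default reads the live list from Defender; pass -ExclusionPaths to audit a list you were handed.
    param([string[]] $ExclusionPaths = (Get-MpPreference).ExclusionPath)
    foreach ($p in $ExclusionPaths) {
        $writable = Test-UserWritable $p
        [pscustomobject]@{
            Exclusion    = $p
            Exists       = Test-Path -Path $p
            UserWritable = $writable
            Verdict      = if ($writable) { 'REVIEW: standard users can drop files here' } else { 'ok' }
        }
    }
}

# Constructed list mirroring the chapter: a SQL Server data exclusion and the Public Downloads folder.
Get-DefenderExclusionReport -ExclusionPaths 'C:\Program Files\Microsoft SQL Server', 'C:\Users\Public\Downloads' |
    Format-Table -AutoSize
```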

BitLocker and EFS: Encryption at Rest

Encryption protects data when a device is lost, stolen, or physically accessed by an unauthorized person. Windows provides two encryption technologies that operate at different levels:

  • Scope: BitLocker is full disk encryption; it encrypts the entire volume, including OS files, the swap file, the hibernation file, and temp files. EFS is file-level encryption; it encrypts individual files and folders, and only the selected items are protected.
  • Transparent to user? BitLocker: yes; once unlocked at boot (PIN, TPM, or USB key), the drive is seamlessly decrypted in real time. EFS: yes; encrypted files open normally for the user whose certificate was used, while other users see the file but cannot open it.
  • Protects against: BitLocker: physical theft of the hard drive. An attacker who removes the drive and connects it to another machine cannot read the data. EFS: unauthorized access to specific sensitive files by other users on the same system (or if the drive is accessed from another OS).
  • Key storage: BitLocker: the TPM (Trusted Platform Module) chip, an external USB key, or a password/PIN; the recovery key is stored in Active Directory or saved to a file. EFS: the user's certificate in the Windows certificate store; a recovery agent certificate for enterprise recovery.
  • Editions: both require Windows Pro, Enterprise, or Education; neither is available on Home edition.

Key Insight: BitLocker and EFS solve different problems. BitLocker protects the whole disk from physical theft. EFS protects individual files from other users on the same machine. In an enterprise, BitLocker is typically enforced via Group Policy on all laptops, while EFS is used selectively for highly sensitive files.

AppLocker: Application Whitelisting

AppLocker controls which applications users are allowed to run. Instead of trying to block known malware (blacklisting), AppLocker flips the model: only explicitly approved applications can execute (whitelisting). This is far more effective because attackers constantly create new malware, but the list of legitimate applications changes slowly.

AppLocker supports three types of rules:

  • Publisher: allows applications signed by a specific publisher (e.g., "Microsoft Corporation"); can specify product name and version range. Pros: most flexible; automatically allows updates from the same publisher; recommended for most scenarios. Cons: requires applications to be digitally signed; unsigned software cannot be controlled this way.
  • Path: allows applications from specific file paths or directories (e.g., allow everything in C:\Program Files\ but block executables in C:\Users\). Pros: simple to set up; works for unsigned applications. Cons: weak security; if an attacker can write a file to an allowed path, the rule is bypassed. Rename or copy attacks defeat path rules.
  • File Hash: allows applications based on their exact cryptographic hash; only the specific binary with that hash can run. Pros: most restrictive and precise; cannot be bypassed by renaming or moving files. Cons: every update changes the hash, requiring a new rule. High maintenance burden.

AppLocker applies to executables (.exe, .com), scripts (.ps1, .bat, .cmd, .vbs, .js), Windows Installer files (.msi, .msp), DLLs (.dll, .ocx), and packaged apps (.appx). It is configured through Group Policy and available on Enterprise and Education editions of Windows.

If Meridian Dynamics had AppLocker: The fake svchost.exe in C:\Users\Public\Downloads\ would have been blocked from executing because it was unsigned, located outside approved paths, and had no matching hash rule. AppLocker is one of the most effective defenses against the type of attack Meridian experienced.
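How a policy built from these rule types would treat the fake svchost.exe, added as an example rather than the chapter's own procedure. Assumptions: the policy is generated from what is installed under C:\Program Files only, it is written to a temp file, and the files being tested exist on disk; the AppLocker cmdlets and the 8003/8004 event IDs are real.

```powershell
# Build rules from installed software: a Publisher rule for each signed binary, falling back to a
# File Hash rule for unsigned ones (the -RuleType order sets that preference). No Path rules are
# generated on purpose: a path rule under C:\Users is exactly what a copy into Public\Downloads slips past.
$policyXml = Join-Path $env:TEMP 'meridian-applocker.xml'   # assumed output location
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyXml -Encoding Unicode

# What does the suspect binary itself look like? An unsigned file reports no Publisher, only a Hash.
Get-AppLockerFileInformation -Path 'C:\Users\Public\Downloads\svchost.exe' |
    Select-Object Path, Publisher, Hash

# Dry run: ask the policy whether each file would execute, without enforcing anything.
# Paths must exist; the real svchost.exe is only covered if C:\Windows was part of the build above.
$suspects = 'C:\Users\Public\Downloads\svchost.exe', 'C:\Windows\System32\svchost.exe'
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $suspects -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Once enforced (Set-AppLockerPolicy -XmlPolicy $policyXml), blocked launches land in the AppLocker
# log as Event ID 8004 (8003 in audit-only mode), so daily log review covers them with Get-WinEvent.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```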

Event Log Architecture: From Action to Analysis

A user action becomes a permanent event log entry through a fixed pipeline: every security event follows the same path from the triggering action to the stored record.

Firewall Rule Evaluation Flowchart

When a network packet arrives at a Windows host, the firewall evaluates it through this decision tree. Notice that Block rules are checked before Allow rules, and unmatched packets fall through to the default action.

Inbound packet arrives (source IP, destination port, protocol)
  1. Does it match an explicit BLOCK rule?
       Yes: DROPPED. The packet is silently discarded; the drop is logged if logging is enabled.
       No: continue.
  2. Does it match an explicit ALLOW rule?
       Yes: ALLOWED. The packet is delivered to the application.
       No: continue.
  3. No rule matched, so the default action applies: inbound traffic is DROPPED, outbound traffic is ALLOWED.
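The decision tree above as runnable logic, added as an example (not from the chapter) and fed with the Meridian SQL rule from the firewall section: block rules first, then allow rules, then the per-direction default. The rule and packet objects, the rogue laptop address and the server addresses are constructed; the New-NetFirewallRule command in the closing comment is the real cmdlet.

```powershell
function Test-InSubnet([string]$Ip, [string]$Cidr) {
    # 'Any' matches everything; otherwise compare the first N bits of both addresses.
    if ($Cidr -eq 'Any') { return $true }
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $toBits = { param($a) (([ipaddress]$a).GetAddressBytes() | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join '' }
    (& $toBits $Ip).Substring(0, [int]$bits) -eq (& $toBits $net).Substring(0, [int]$bits)
}

function Test-RuleMatch($Rule, $Packet) {
    ($Rule.Direction -eq $Packet.Direction) -and
    ($Rule.Protocol -eq 'Any' -or $Rule.Protocol -eq $Packet.Protocol) -and
    ("$($Rule.LocalPort)" -eq 'Any' -or [int]$Rule.LocalPort -eq $Packet.LocalPort) -and
    (Test-InSubnet $Packet.RemoteAddress $Rule.RemoteAddress)
}

function Get-FirewallDecision {
    param([object[]] $Rules, [object] $Packet)
    $matching = @($Rules | Where-Object { Test-RuleMatch $_ $Packet })
    # 1. Any matching Block rule wins outright, whatever its position and whatever Allow rules exist.
    $block = $matching | Where-Object Action -eq 'Block' | Select-Object -First 1
    if ($block) { return "DROPPED by block rule '$($block.Name)'" }
    # 2. Then any matching Allow rule.
    $allow = $matching | Where-Object Action -eq 'Allow' | Select-Object -First 1
    if ($allow) { return "ALLOWED by allow rule '$($allow.Name)'" }
    # 3. Nothing matched: inbound defaults to Block, outbound to Allow.
    if ($Packet.Direction -eq 'In') { 'DROPPED (inbound default)' } else { 'ALLOWED (outbound default)' }
}

function New-Rule($Name, $Action, $Port, $Remote) {
    [pscustomobject]@{ Name = $Name; Action = $Action; Direction = 'In'; Protocol = 'TCP'; LocalPort = $Port; RemoteAddress = $Remote }
}
$sqlFromWifi    = New-Rule 'SQL (misconfigured)'  'Allow' 1433 '10.10.40.0/24'   # the rule found on MD-WEB01
$sqlFromServers = New-Rule 'SQL from SERVER VLAN' 'Allow' 1433 '10.10.10.0/24'   # what it should have been
$blockWifiSql   = New-Rule 'Block WiFi to SQL'    'Block' 1433 '10.10.40.0/24'   # compensating control

# Constructed packets: the rogue WiFi laptop and an application server, both aiming at port 1433.
$fromRogueLaptop = [pscustomobject]@{ Direction = 'In'; Protocol = 'TCP'; LocalPort = 1433; RemoteAddress = '10.10.40.77' }
$fromAppServer   = [pscustomobject]@{ Direction = 'In'; Protocol = 'TCP'; LocalPort = 1433; RemoteAddress = '10.10.10.20' }

Get-FirewallDecision -Rules $sqlFromWifi                -Packet $fromRogueLaptop   # the misconfiguration as deployed
Get-FirewallDecision -Rules $sqlFromServers             -Packet $fromRogueLaptop   # narrowed rule: nothing matches, default applies
Get-FirewallDecision -Rules $sqlFromWifi, $blockWifiSql -Packet $fromRogueLaptop   # block is evaluated before allow
Get-FirewallDecision -Rules $sqlFromServers             -Packet $fromAppServer     # legitimate SERVER VLAN client

# The corrected rule as you would actually create it on MD-WEB01:
# New-NetFirewallRule -DisplayName 'SQL from SERVER VLAN' -Direction Inbound -Protocol TCP -LocalPort 1433 -RemoteAddress 10.10.10.0/24 -Action Allow
```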

X-Ray Mode: Failed Logon Detection — The 14 Attempts

Walk through exactly what happens inside Windows when someone tries to brute-force a password. Watch the authentication pipeline process each failed attempt, generate Security log events, and ultimately reveal the attack pattern hidden in the 3 AM logs.


Security Lab: Daily Log Review on MD-DC01

Scenario: Priya has assigned you to daily Security log review on the domain controller MD-DC01. She expects a report of anything unusual. "Read the Security log every morning," she says. "If something looks wrong, escalate to me immediately." This is your first real security task — and what you find will blow the investigation wide open.

  1. Run Get-WinEvent -LogName Security -MaxEvents 10 to see the most recent security events on MD-DC01. Get a feel for what normal activity looks like.
     Hint: Most events will be routine logons, logoffs, and privilege assignments.
  2. Run Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} -MaxEvents 20 to look specifically for failed logon attempts. This is where the trouble starts.
     Hint: Look at the timestamps. How many failures happened against t.manning? From which IP?
  3. Run Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} -MaxEvents 10 to check successful logons. Verify that the normal accounts (admin, intern01, Priya) are logging in as expected.
     Hint: Compare the successful logons with the failures. No successful logon for t.manning means the attacker hasn't broken in... yet.
  4. Run Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740} to check for account lockout events. Was anyone locked out recently?
     Hint: Dana Chen was locked out earlier (from Chapter 6). The attacker's 14 attempts did NOT trigger lockout — investigate why.
  5. Run netsh advfirewall firewall show rule name=all dir=in on MD-WEB01 to audit the inbound firewall rules. Look for anything suspicious.
     Hint: Why is SQL port 1433 open to the CORP-WIFI VLAN?
  6. Run netsh advfirewall show allprofiles to check the firewall status for all profiles. Verify that the firewall is enabled on all three profiles (Domain, Private, Public).
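Turning raw 4625 events into fields you can group on, added as an example (not the chapter's code) that serves both the Get-WinEvent section and this lab: the function reads an event's XML, pulls the named EventData values, and decodes the SubStatus code into a human-readable reason. The embedded event XML is constructed in the real Security-Auditing layout (domain name, time and address are made up); the commented pipeline at the end is the live query for MD-DC01.

```powershell
# NTSTATUS sub-status codes Windows writes into a 4625 event. The reason separates password
# guessing (wrong password) from username guessing (user does not exist) from hits on dead accounts.
$SubStatusReason = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
    '0xc0000071' = 'password expired'
    '0xc0000193' = 'account expired'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
}

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml]$EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # <Data Name="...">value</Data>
        $sub = "$($data['SubStatus'])".ToLower()
        $reason = if ($SubStatusReason.ContainsKey($sub)) { $SubStatusReason[$sub] } else { "unknown ($sub)" }
        [pscustomobject]@{
            TimeCreated    = [datetime]$x.Event.System.TimeCreated.SystemTime   # UTC in the XML, converted to local time
            Computer       = $x.Event.System.Computer
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            LogonType      = $data['LogonType']
            Workstation    = $data['WorkstationName']
            Reason         = $reason
        }
    }
}

# Constructed 4625 event (only the elements this parser reads are included).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2024-03-14T03:14:02.000Z" />
    <Channel>Security</Channel>
    <Computer>MD-DC01</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">t.manning</Data>
    <Data Name="TargetDomainName">MERIDIAN</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="IpAddress">10.10.40.77</Data>
    <Data Name="IpPort">51204</Data>
  </EventData>
</Event>
'@
$sampleXml | ConvertFrom-LogonFailureXml | Format-List

# On MD-DC01: the same parse over the last 24 hours of failures, summarised per account, source and reason.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-LogonFailureXml $_.ToXml() } |
#     Group-Object TargetUserName, IpAddress, Reason | Sort-Object Count -Descending |
#     Select-Object Count, Name
```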
