The Church Of Stanley

Foundations of Endpoint Security (Windows) - Logging and Monitoring

Posted Nov 18, 2023 10:55 AM

In our previous article (Foundations of Endpoint Security - Core Windows Processes) we discussed and explored the fundamentals of Windows and the baseline processes that allow the operating system to run. We also discussed abnormal behavior for these processes and a few tools that can be used to check for it. However, that approach limits us to observing real-time events. In this next portion, we'll discuss why endpoint logging is important, how it enables us to audit significant events, how to collect and aggregate these logs, and how to better automate the detection of anomalous behavior that could indicate malicious activity.

Windows Event Logs
Event logs are one of the most crucial pieces for troubleshooting any incident involving a device. They allow us to understand what happened and how we can provide a solution. To do this, you first must understand the format in which Windows presents the information. First and foremost, you must understand the elements that make up event logs on Windows systems:
  • System Logs: These record events associated with the operating system. This may include information on hardware changes, system changes, device drivers, and other related activities.
  • Security Logs: These are records of events relating to logon and logoff activities, specifically defined in
  • Application Logs: These logs record events related to applications installed on a system. The primary components are application errors, events, and warnings.
  • Directory Service Events: Active Directory changes and activities are recorded in these logs, primarily on domain controllers.
  • File Replication Service Events: Events recorded by Windows servers when they share group policies and logon scripts for domain controllers, along with where users may access them via client servers.
  • DNS Event Logs: DNS servers log domain events here.
  • Custom Logs: Applications that require custom data storage can log their own events here, which lets the application control the log size or attach other parameters such as ACLs for security.

Windows Event Viewer
One of the nice things that comes baked into any modern Windows installation is Event Viewer. This is a Microsoft Management Console snap-in that can be launched by simply right-clicking the Windows icon in the task bar and selecting "Event Viewer." For CLI-inclined users, Event Viewer can be launched by typing eventvwr.msc into the Run dialog. Acting as a GUI-based application that lets you quickly interact with and analyze logs, Event Viewer has three main components:
  1. The left-hand pane provides a hierarchical tree listing of the various log providers.
  2. The center pane displays a general summary and overview of the events for the provider selected on the left.
  3. The pane on the right-hand side is your Actions pane.
[Image: Screenshot-2023-10-25-093633.png]
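The same channels that Event Viewer shows in its tree (System, Security, Application, and any custom log such as Sysmon's) can be queried from PowerShell with Get-WinEvent, which is how you would script the checks instead of clicking through the panes. The script below is an added example, not code from the original post. It assumes an elevated PowerShell session (reading the Security log requires administrator rights) and uses two well-known event IDs purely as illustrations: 4625 (failed logon, Security log) and 7045 (a new service was installed, System log).

```powershell
# Added example (not from the original post): query the event log channels
# described above with Get-WinEvent instead of browsing Event Viewer.
# Assumptions: elevated PowerShell; event IDs 4625 (failed logon) and
# 7045 (service installed) are used as illustrative, well-known IDs.

$since = (Get-Date).AddHours(-24)

# 1. Which of the classic channels exist on this host and how large they are.
Get-WinEvent -ListLog 'System', 'Security', 'Application', 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue |
    Select-Object LogName, RecordCount, FileSize, IsEnabled

# Helper: pull one named field out of an event's EventData XML. The fields a
# given event carries depend on the provider, so use the names from the
# event's own XML (Event Viewer's "Details" tab shows them).
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Failed logons in the last 24 hours, grouped by target account and source
#    address. Note the caveat: Get-WinEvent raises an error rather than returning
#    an empty result when nothing matches, hence -ErrorAction SilentlyContinue.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = Get-EventField -Event $_ -Name 'TargetUserName'
            Source  = Get-EventField -Event $_ -Name 'IpAddress'
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Services installed in the last 24 hours (System log, Service Control
#    Manager). A new service with an unexpected ImagePath is worth a look.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = Get-EventField -Event $_ -Name 'ServiceName'
            Image   = Get-EventField -Event $_ -Name 'ImagePath'
        }
    } | Format-Table -AutoSize
```

The -FilterHashtable form is filtered by the event log service itself, which is far faster than piping every record through Where-Object; the same hashtable keys (LogName, Id, StartTime, ProviderName) map directly onto the "Filter Current Log" dialog in Event Viewer.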

Windows Sysmon (SysInternals)
In a previous blog (Here) we covered Sysinternals and a few of the many tools included in this suite. One that we didn't cover, however, was Sysmon.

From the Microsoft Docs, "System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network."

What Sysmon does is gather high-quality, detailed logs and perform event tracing that helps identify anomalies in your environment. It is most commonly used alongside a security information and event management (SIEM) system or another log-parsing solution. When installed, Sysmon starts early in the Windows boot process. Ideally, all of its events are then forwarded to a SIEM to be filtered and analyzed.

Sysmon requires a configuration file to tell the binary how to handle incoming events. You can either create your own or download pre-built configurations. Sysmon can handle 30 different event types (29 plus an error event ID), and the configuration specifies how each of them is handled and filtered. You can review the documentation from Microsoft Here.
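To make the configuration step concrete, here is an added example (not from the original post, and not one of Microsoft's or the community's published rulesets) that writes a minimal Sysmon configuration, installs Sysmon with it (or updates an existing install), and then reads back two of the event types the tool produces: Event ID 1 (process creation) and Event ID 3 (network connection). It assumes sysmon64.exe sits in the current directory, that the session is elevated (Sysmon installs a driver), and that the schemaversion attribute matches your Sysmon build; the exclusion it contains is a constructed placeholder, not a vetted rule.

```powershell
# Added example (not from the original post or from Microsoft): write a minimal
# Sysmon config, install or update Sysmon with it, and read back its events.
# Assumptions: sysmon64.exe in the current directory; elevated PowerShell;
# schemaversion matches your build (print the supported schema with
# ".\sysmon64.exe -s" and adjust if it differs).

$configPath = Join-Path $PWD 'sysmonconfig.xml'

# onmatch="exclude" means "log everything except what is listed", the safer
# default for a new deployment: you tune noise out later rather than guessing
# up front what to include. "\example-agent.exe" is a constructed placeholder.
@'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: process creation. Log all, minus one noisy benign agent. -->
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">\example-agent.exe</Image>
      </ProcessCreate>
      <!-- Event ID 3: network connections. Empty exclude list = log all of them. -->
      <NetworkConnect onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# First run installs the service and driver (-i); later runs only swap the
# running configuration (-c), which does not require a reinstall.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\sysmon64.exe -c $configPath
} else {
    & .\sysmon64.exe -accepteula -i $configPath
}

# Sysmon writes to its own channel, which is also what you would forward to
# the SIEM. Pull the 20 most recent process-create and network-connect events.
$log = 'Microsoft-Windows-Sysmon/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($_.Id -eq 1) {
            [pscustomobject]@{ Time = $_.TimeCreated; Type = 'ProcessCreate'
                               Detail = "$($d.Image) <- parent $($d.ParentImage)"
                               Extra  = $d.CommandLine }
        } else {
            [pscustomobject]@{ Time = $_.TimeCreated; Type = 'NetworkConnect'
                               Detail = $d.Image
                               Extra  = "$($d.DestinationIp):$($d.DestinationPort)" }
        }
    } | Format-Table -AutoSize -Wrap
```

The parent/child image pairing on Event ID 1 is the field pair most detection rules key on (an office application spawning a shell, for instance), and Event ID 3 ties an outbound connection back to the image that made it, which is exactly the context plain Windows logs lack.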

Logging and monitoring on endpoints is a crucial step in security. It lets you monitor activity and makes it easier to spot anomalous, and even potentially malicious, behavior on your systems, both in retrospect and in real time. This gives you the power to know when something isn't right; from there, the next step is to act.