LetsDefend Academy

Online practicing and training platform for blue team members









Analysis Successful Logon Events

Quick Start to Event Logs

Each event log has its own ID value. Filtering, analyzing and searching the log title is more difficult, so it is easy to use the ID value.

You can find the details of which Event ID value means what from the URL address below.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Investigation of Login Records

Considering the general situation, a login activity appears in all successful or unsuccessful cyberattacks. An attacker often wants to log into the server to take over the system. For this purpose, it can perform brute force attack or directly login with the password in hand. In both cases (successful login / unsuccessful login attempt) the log will be created.

Let's consider an attacker logged into the server after a brute force attack. To better analyze what the attacker did after entering the system, we need to find the login date. For this, we need "Event ID 4624 - An account was successfully logged on".

Log file for lesson:

Log_File.zip Pass=321

To reach the result, we open the "Event Viewer" and select "Security" logs.

Then we create a filter for the “4624” Event ID.

And now we see that the number of logs has decreased significantly and we are only listing logs for successful login activities. Looking at the log details, we see that the user of "LetsDefendTest" first logged in at 23/02/2021 10:17 PM.

Even when we look at the "Logon Type" field, we see the value 10. This indicates that you are logged in with "Remote Desktop Services" or "Remote Desktop Protocol".

You can find the meaning of the logon type values on Microsoft's page.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

In the next section, we will detect the Brute force attack the attacker made before logging in.