Whatever the cyber incident or cybercrime may be, from social engineering to Advanced Persistent Threats (APTs), you will have noticed one thing in common: unauthorized access. It is something every cyberattack either starts with or ends with, and it is the most critical part of any cyberattack. Once the threat actor gains unauthorized access to a victim’s machine, that machine is considered compromised. Anybody can understand the challenges unauthorized access brings to the victim, so rather than spending time on the implications, let’s learn a few ways to identify unauthorized access on Windows machines. We have kept this post exclusively for Microsoft Windows; we will publish how to detect unauthorized access on Linux and Mac in a different post. Let us help security professionals learn how to detect unauthorized access on Windows platforms.
Before you jump in on how to detect unauthorized access on Windows platforms, it’s mandatory to know about the Event, Log, and Event IDs in Windows.
What is an Event, a Log, and an Event ID in Windows?
An Event is a notification that something significant has occurred on a computer or network. It is usually triggered by an action taken by the user, such as starting a program, connecting to the internet, or performing some other task. When an event occurs, Windows records information about it in a Log file. The log contains details like what time the event occurred and which application was involved (if applicable). Event IDs are unique numbers assigned to each type of event that can occur on Windows systems. They enable administrators to quickly identify what kind of event has occurred and take appropriate action if necessary. Event IDs also make it easier for intrusion detection systems to identify patterns of suspicious activity. By understanding Events, Logs, and Event IDs in Windows, system administrators can better monitor and maintain the health and security of their systems, and can quickly identify, troubleshoot, or respond to any issues that arise from unexpected events or suspicious activity.
What is an Incident?
An Incident is an event or series of events that have caused a system to deviate from its expected behavior and compromise the security of the system. Incidents often involve malicious activity, such as unauthorized access, data breaches, and malware infections.
As opposed to Events where Windows records information for auditing purposes, Incidents require more immediate attention and response. Security professionals and System administrators must identify incidents quickly in order to mitigate any damage caused by the malicious actor or software. They should then take steps to gather evidence related to the incident and plan for preventative measures so that similar incidents do not occur in the future. By recognizing incidents early on, system administrators can protect their systems better and ensure that they remain secure and stable going forward.
Unauthorized access is considered an incident in the cybersecurity world because it is an abnormal event that shouldn’t happen under normal circumstances. Any such violation is captured as an incident. A few good examples of security incidents are:
- A data breach at a large company that compromised sensitive customer information.
- An intentional attack on a government website that disrupted services and caused significant financial damage.
- Unauthorized access to an employee’s computer that allowed a hacker to reach internal systems and confidential documents.
- A ransomware attack that encrypted corporate data, making it inaccessible until a ransom was paid.
- An attack on critical infrastructure that caused widespread disruption and required costly repairs.
- A malicious insider with access to sensitive data who leaked the information to competitors or other parties.
- Phishing attacks that tricked employees into divulging confidential login details or downloading malware onto their computers.
- A malicious insider who exploited a vulnerability in the system to gain access to confidential information.
- An attack on an online banking website that resulted in customers losing their money and suffering identity theft.
- A distributed denial of service (DDoS) attack that overwhelmed resources, making it impossible for legitimate users to connect.
These are just some examples of serious security incidents that can have dire consequences for any organization or individual. It is, therefore, essential to put in place the necessary measures to protect your systems and data from malicious actors.
Ways to Detect Unauthorized Access on Windows Machines
Several tools are available to detect unauthorized access on Windows. The most basic and manual approach is reviewing the logs. You can either use Windows’s native log viewer, Event Viewer, or go for third-party log management tools such as Security Information and Event Management (SIEM) solutions, User Behavior Analytics (UBA), File Integrity Monitoring (FIM), Privileged Access Management (PAM), and many more.
Whichever approach you take, the place to start is the logon types and their associated Event IDs. In the Windows operating system, all logs are captured and can be monitored using Event Viewer. An Event ID is a numeric identifier assigned to a specific kind of event or occurrence within the system. Each event that occurs on a Windows computer is logged in Event Viewer, and each log entry is associated with a unique Event ID.
Event IDs are used to classify and categorize events, making it easier to locate and interpret them. They provide information about the source, nature, and severity of an event. Event IDs can range from 1 to 65,535 and are divided into different categories, including system events, application events, security events, and more.
Log On Types and Their Event IDs
The logon type is determined by the way in which the user logs on to the system. For example, if a user logs on to a system locally, the logon type will be “Interactive.” If a user logs on to a system remotely, the logon type will be “Network.”
The event ID is generated when a logon event occurs. The event ID can be used to identify the logon type, as well as other information about the logon event, such as the user name, the computer name, and the logon time.
In Windows, there are 11 different logon types. The following table lists the logon types; if you want the matching Event IDs, look them up in the Event ID list that follows. These logon types can be very helpful in detecting unauthorized access on Windows machines.
| Logon Type | Logon Title | Description |
|---|---|---|
| 2 | Interactive | This logon method is employed by batch servers, allowing scheduled tasks to be executed on behalf of a user without requiring manual intervention. |
| 3 | Network | This type of logon occurs when a user physically logs on to the computer. |
| 4 | Batch | Logon type for service accounts running services. |
| 5 | Service | Logon type for the user logging in using locally stored network credentials. |
| 7 | Unlock | Logon type when a user unlocks their machine. |
| 8 | Network Cleartext | Logon type when the user sends network credentials in cleartext. |
| 9 | New Credentials | Logon type for ‘RunAs’ command usage, to run an application. |
| 10 | Remote Interactive | Logon type when a user logs in using a remote interactive session via Terminal Services or RDP. |
| 11 | Cached Interactive | Logon type for the user logging in using locally stored network credentials. |
Here is the list of the most common Windows Event IDs:

| Event Log, Source | Pre-Vista Event ID | Post-Vista Event ID | Description |
|---|---|---|---|
| Security, Security | 512 | 4608 | Windows NT is starting up. |
| Security, Security | 513 | 4609 | Windows is shutting down. |
| Security, USER32 | --- | 1074 | The process nnn has initiated the restart of the computer. |
| Security, Security | 514 | 4610 | An authentication package has been loaded by the Local Security Authority. |
| Security, Security | 515 | 4611 | A trusted logon process has registered with the Local Security Authority. |
| Security, Security | 516 | 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| Security, Security | 518 | 4614 | A notification package has been loaded by the Security Account Manager. |
| Security, Security | 519 | 4615 | A process is using an invalid local procedure call (LPC) port. |
| Security, Security | 520 | 4616 | The system time was changed. |
| Security, Security | 521 | --- | Unable to log events to the security log. |
| Security, Security (Logon/Logoff) | 528 | 4624 | Successful Logon. |
| Security, Security (Logon/Logoff) | 540 | 4624 | Successful Network Logon. |
| Security, Security (Logon/Logoff) | 529 | 4625 | Logon Failure - Unknown user name or bad password. |
| Security, Security (Logon/Logoff) | 530 | 4625 | Logon Failure - Account logon time restriction violation. |
| Security, Security (Logon/Logoff) | 531 | 4625 | Logon Failure - Account currently disabled. |
| Security, Security (Logon/Logoff) | 532 | 4625 | Logon Failure - The specified user account has expired. |
| Security, Security (Logon/Logoff) | 533 | 4625 | Logon Failure - User not allowed to logon at this computer. |
| Security, Security (Logon/Logoff) | 534 | 4625 | Logon Failure - The user has not been granted the requested logon type at this machine. |
| Security, Security (Logon/Logoff) | 535 | 4625 | Logon Failure - The specified account's password has expired. |
| Security, Security (Logon/Logoff) | 536 | 4625 | Logon Failure - The NetLogon component is not active. |
| Security, Security (Logon/Logoff) | 537 | 4625 | Logon Failure - The logon attempt failed for other reasons. |
| Security, Security (Logon/Logoff) | 538 | 4634 | User Logoff. |
| Security, Security (Logon/Logoff) | 539 | 4625 | Logon Failure - Account locked out. |
| Security, Security (Logon/Logoff) | --- | 4646 | IKE DoS-prevention mode started. |
| Security, Security (Logon/Logoff) | 551 | 4647 | User initiated logoff. |
| Security, Security (Logon/Logoff) | 552 | 4648 | A logon was attempted using explicit credentials. |
| Security, Security (Logon/Logoff) | 553 | 4649 | A replay attack was detected. |
| Security, Security (Logon/Logoff) | 601 | 4697 | A service was installed in the system. |
| Security, Object access | --- | 4688 | A new process was created. |
| Security, Object access | --- | 4697 | A new service was installed. |
| Security, Object access | 602 | 4698 | A scheduled task was created. |
| Security, Object access | 602 | 4699 | A scheduled task was deleted. |
| Security, Object access | 602 | 4700 | A scheduled task was enabled. |
| Security, Object access | 602 | 4701 | A scheduled task was disabled. |
| Security, Object access | 602 | 4702 | A scheduled task was updated. |
| Security, Account Management | 624 | 4720 | User Account Created. |
| Security, Account Management | 626 | 4722 | User Account Enabled. |
| Security, Account Management | 627 | 4723 | Change Password Attempt. |
| Security, Account Management | 628 | 4724 | User Account password set. |
| Security, Account Management | 629 | 4725 | User Account Disabled. |
| Security, Account Management | 630 | 4726 | User Account Deleted. |
| Security, Account Management | 636 | 4732 | Local User Account Created. |
| Security, Account Management | 642 | 4738 | User Account Changed. |
| Security, Account Management | 643 | 4739 | GPO changed. |
| Security, Account Management | 644 | 4740 | User Account Locked Out. |
| Security, Account Management | 645 | 4741 | Computer Account Created. |
| Security, Account Management | 646 | 4742 | Computer Account Changed. |
| Security, Account Management | 647 | 4743 | Computer Account Deleted. |
| Security, Account Management | 671 | 4767 | A user account was unlocked. |
| Security, Security (Logon/Logoff) | --- | 4768 | Kerberos TGT was requested. |
| Security, Security (Logon/Logoff) | --- | 4771 | Kerberos pre-authentication failed. |
| Security, Security (Logon/Logoff) | --- | 4772 | Kerberos TGT request failed. |
| Security, Security (Logon/Logoff) | 678 | 4774 | An account was mapped for logon. |
| Security, Security (Logon/Logoff) | 679 | 4775 | The name: %2 could not be mapped for logon by: %1 |
| Security, Security (Logon/Logoff) | 680 | 4776 | Account Used for Logon by. |
| Security, Security (Logon/Logoff) | 681 | 4777 | The logon to account: %2 by: %1 from workstation: %3 failed. |
| Security, Security (Logon/Logoff) | 682 | 4778 | Session reconnected to winstation. |
| Security, Security (Logon/Logoff) | 683 | 4779 | Session disconnected from winstation. |
| Security, Security (Logon/Logoff) | --- | 4800 | The workstation was locked. |
| Security, Security (Logon/Logoff) | --- | 4801 | The workstation was unlocked. |
| Security, Security (Logon/Logoff) | --- | 4802 | The screen saver was invoked. |
| Security, Security (Logon/Logoff) | --- | 4803 | The screen saver was dismissed. |
| Security, Account Management | --- | 5136 | GPO changed. |
| Security, Account Management | --- | 5137 | GPO created. |
| Security, Account Management | --- | 5141 | GPO deleted. |
| System, EventLog | 6005 | 6005 | The event log was started. |
| System, EventLog | 6006 | 6006 | The Event Log service was stopped. |
| System, EventLog | 6013 | 6013 | System uptime. |
| System, EventLog | 517 | 1102 | The audit log was cleared. |
| System, EventLog | --- | 1104 | The security log is now full. |
| System, EventLog | --- | 1105 | Event log automatic backup. |
| System, EventLog | --- | 1108 | The event logging service encountered an error. |
| System, Service Control Manager | 7035 | 7035 | The nnn service was successfully sent a start/stop control. |
| System, Service Control Manager | 7036 | 7036 | The nnn service entered the running/stopped state. |
| System, W32Time | 29 | 29 | The time provider NtpClient is configured to acquire time from one or more time sources; however, none of the sources are currently accessible. |
| System, W32Time | 38 | 38 | The time provider NtpClient cannot reach or is currently receiving invalid time data. |
| System, W32Time | 47 | 47 | Time Provider NtpClient: No valid response received. |

Other useful events for tracking hardware and software changes:

| Category | Event ID | Description |
|---|---|---|
| External media detection | 43 | New device information. |
| External media detection | 400 | New mass storage installation. |
| Software and service installation | 903, 903 | New application installation. |
| Software and service installation | 905, 906 | Updated application. |
| Software and service installation | 907, 908 | Removed application. |
| Software and service installation | 1022, 1033 | New MSI file installed. |
| Software and service installation | 6 | New kernel filter driver. |
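Every use case below starts by pulling a few fields (Event ID, logon type, logon process, key length, source address) out of a Security event. As an added example that is not code from the original post, here is a small Python parser for the XML form of an event, the format that Event Viewer's Details tab, `wevtutil qe /f:xml` and `Get-WinEvent`'s `ToXml()` produce. It flattens the `System` and `EventData` fields into one dict and maps a handful of the pre-Vista IDs from the table above to their post-Vista equivalents, which is useful when an old detection rule or an old log still uses the legacy numbers. The sample event is constructed; the field names are the standard 4624 `EventData` names.

```python
"""Flatten Windows Security event XML into dict records (added example)."""
import xml.etree.ElementTree as ET

# Namespace used by every Windows event XML document.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the pre-Vista -> post-Vista mapping from the table above, so
# legacy IDs found in old logs or old detection rules can be normalised.
LEGACY_TO_CURRENT = {
    528: 4624, 540: 4624, 529: 4625, 530: 4625, 531: 4625, 532: 4625,
    533: 4625, 534: 4625, 535: 4625, 536: 4625, 537: 4625, 539: 4625,
    538: 4634, 551: 4647, 552: 4648, 602: 4698, 624: 4720, 644: 4740,
    682: 4778, 683: 4779, 517: 1102,
}

# Constructed sample: a network logon (type 3) authenticated with NTLM.
SAMPLE_4624_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-03-01T02:14:09.000000000Z"/>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WS07</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="KeyLength">0</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Return the System fields plus every named EventData/Data value as one flat dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for data in event_data.findall("e:Data", NS):
            # Windows pads some values (e.g. "NtLmSsp ") with whitespace.
            record[data.get("Name")] = (data.text or "").strip()
    return record


def normalize_event_id(event_id: int) -> int:
    """Translate a legacy (pre-Vista) ID to its post-Vista equivalent."""
    return LEGACY_TO_CURRENT.get(event_id, event_id)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_4624_XML)
    print(ev["EventID"], ev["LogonType"], ev["LogonProcessName"], ev["IpAddress"])
```

The parser deliberately keeps `EventData` values as strings (the log stores `LogonType` as `"3"`, not `3`), so rules written against it compare against string literals; only the Event ID is converted to an integer because that is the key everything else is looked up by.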
A Few Use Cases That Help Detect Unauthorized Access on a Windows Machine
Now that we are familiar with Event IDs and logon types, let’s look at a few use cases that help identify unauthorized access by tracking Event IDs.
Pass the Hash Attack
A Pass-the-Hash (PtH) attack is a method used by attackers to gain unauthorized access to networked systems by capturing and utilizing password hashes instead of actual password characters. This technique allows them to authenticate and move laterally within the network without needing to decrypt the hash to obtain the plaintext password.
PtH attacks take advantage of the static nature of password hashes during sessions until the password is changed. Attackers often acquire hashes by extracting them from a system’s active memory and employing various other techniques.
| Field | Value | Meaning |
|---|---|---|
| Event ID | 4624 | An account was successfully logged on |
| Logon Type | 3 | A user or computer logged on to this computer from the network. |

Additional things to check: the Logon Process should be NtLmSsp and the Key Length should be 0.
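The rule in the table and note above, written out as a triage filter in Python; this is an added example, not code from the original post. It assumes events have already been flattened into dicts with the standard 4624 `EventData` field names (as a SIEM export or Event Viewer's XML view gives you), and the sample events are constructed. Every legitimate NTLM network logon also matches the bare rule, so the filter additionally drops the usual benign matches (ANONYMOUS LOGON and machine accounts, an assumption to baseline for your own environment) and any sources already known to authenticate with NTLM, then looks for one account authenticating this way from several different sources, which is the pattern the lateral movement described above produces.

```python
"""Pass-the-Hash triage over flattened Security events (added example)."""

# Constructed sample events. Only the fields the rule needs are included.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T02:14:09Z", "TargetUserName": "jdoe",
     "LogonType": "3", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.25", "KeyLength": "0"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:02:11Z", "TargetUserName": "jdoe",
     "LogonType": "3", "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.25", "KeyLength": "0"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:10:40Z", "TargetUserName": "asmith",
     "LogonType": "3", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.30", "KeyLength": "128"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:12:00Z", "TargetUserName": "jdoe",
     "LogonType": "2", "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "IpAddress": "127.0.0.1", "KeyLength": "0"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:15:27Z", "TargetUserName": "WS02$",
     "LogonType": "3", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.31", "KeyLength": "0"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T02:21:55Z", "TargetUserName": "jdoe",
     "LogonType": "3", "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.44", "KeyLength": "0"},
]


def is_pth_candidate(ev: dict) -> bool:
    """The rule from the table above: 4624 + LogonType 3 + NtLmSsp + KeyLength 0."""
    return (
        ev.get("EventID") == 4624
        and ev.get("LogonType") == "3"
        and ev.get("LogonProcessName", "").strip().lower() == "ntlmssp"
        and ev.get("KeyLength") == "0"
    )


def pth_alerts(events, known_ntlm_sources=frozenset()):
    """Apply the rule, then drop the matches that are routine in most
    environments (assumption: ANONYMOUS LOGON and machine accounts ending in
    '$') and sources already baselined as legitimate NTLM clients.
    Returns the remaining candidate events, oldest first."""
    out = []
    for ev in events:
        if not is_pth_candidate(ev):
            continue
        user = ev.get("TargetUserName", "")
        if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
            continue
        if ev.get("IpAddress") in known_ntlm_sources:
            continue
        out.append(ev)
    return sorted(out, key=lambda e: e["TimeCreated"])


def pth_lateral_movement(alerts, min_hosts=2):
    """Accounts whose candidate logons arrived from at least min_hosts distinct
    sources: one stolen hash being reused across the network (assumed threshold)."""
    sources = {}
    for ev in alerts:
        sources.setdefault(ev["TargetUserName"], set()).add(ev["IpAddress"])
    return {user for user, ips in sources.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    alerts = pth_alerts(SAMPLE_EVENTS)
    for ev in alerts:
        print(ev["TimeCreated"], ev["TargetUserName"], ev["IpAddress"])
    print("accounts seen from multiple sources:", pth_lateral_movement(alerts))
```

The key-length check is what separates NTLM logons that negotiated a session key (128 in the `asmith` event) from those that did not; the interactive `User32` logon and the Kerberos logon fall out on the logon process and type checks, and the `WS02$` event matches the bare rule but is dropped as a machine account. The rule is a triage filter, not proof: confirm a hit by looking at what the account did next on the destination host.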
To mitigate the impact of a PtH attack, consider implementing the following security best practices:
- Least Privilege Security Model: Restrict and minimize admin rights to limit the attacker’s ability to escalate privileges and access sensitive resources.
- Password Management Solutions: Regularly rotate passwords, especially after a known credential compromise, to reduce the validity period of stolen hashes. Automating password rotation after each privileged session can effectively counter PtH attacks and exploits relying on password reuse.
- Separation of Privileges: Segregate different types of privileged and non-privileged accounts to minimize the usage of administrator accounts. This reduces the risk of compromise and opportunities for lateral movement within the network.
Golden Ticket attack
A Golden Ticket attack refers to a scenario where an attacker gains extensive access to an organization’s domain, including devices, files, and domain controllers, by exploiting user data stored in Active Directory.
How the attack works:
- Kerberos Authentication: Kerberos is a system used to verify a user’s identity and provide secure access to resources without requiring multiple credential requests. It uses the Kerberos Key Distribution Center (KKDC) to protect and validate user identity.
- Ticket-Granting Server (TGS): The TGS, a component of KKDC, connects users to the relevant services by granting them access tickets based on their authenticated identity.
- Authentication Server (AS): The AS performs the initial authentication of the user and issues a Kerberos Ticket Granting Ticket (TGT) upon successful authentication. The TGT serves as proof of the user’s authentication.
- Golden Ticket Attack: In a Golden Ticket attack, the attacker obtains specific information, including the fully qualified domain name, security identifier of the domain, KRBTGT password hash, and the username of the account holder. With this information, the attacker can generate forged Kerberos tickets, granting them extensive access within the domain.
- Exploiting Kerberos Database: To carry out a Golden Ticket attack, the attacker typically extracts passwords or password hashes from the Kerberos database, allowing them to impersonate authorized users and gain unauthorized access to resources.
In summary, Kerberos authentication is designed to securely verify user identities and provide access tickets. However, a Golden Ticket attack exploits weaknesses in the system to generate forged tickets, granting unauthorized access to an organization’s domain.
In addition to the event log evidence, we can also look for:
- Any tampering observed on the NTDS.DIT file saved in the domain controller
- Suspicious login attempts: Examples include unauthorized usage of admin privileges by a user who should be on leave.
- Mimikatz: A tool employed to extract credentials from system memory and carry out DCSync attacks, posing a security risk.
Hunting for RDP Sessions
Although remote connection to devices is a very efficient technology, it can also become a threat if proper precautionary measures are not taken.
We can check for unauthorized RDP connections using the sources below.
- RDP Logs: Check logs for unusual activity, like failed or frequent login attempts or logins from unfamiliar IP addresses, which may indicate unauthorized RDP access attempts.
- Event Logs: Examine event logs to identify suspicious activities, such as repeated logins from the same IP address or logins at unusual times, helping you track unauthorized RDP access attempts.
- Network Traffic: Analyze network traffic, particularly RDP traffic, to detect any unusual patterns or large amounts of data transferred to/from specific IP addresses using tools like Wireshark.
- Unusual Processes: Look for abnormal processes or services on the system, as attackers may install malicious software to maintain access. Tools like Process Explorer or Task Manager can help identify these processes.
- Unusual Files: Search for unfamiliar files that may indicate malicious activity, such as files with strange names or extensions, as attackers may add new files or create new user accounts on the compromised system.
| Indicator | Value | Description |
|---|---|---|
| Event ID | 4624 | An account was successfully logged on |
| Event ID | 21 | RDP session logon success |
| Event ID | 24 | RDP session has been disconnected |
| Event ID | 4778 | Session reconnected |
| Event ID | 4779 | Session disconnected |
| Logon Type | 10 | A user logged on to this computer using Terminal Services or RDP |
To monitor for unauthorized RDP connections, we can also look for
- Monitor for failed login attempts: Keep an eye on the Windows Security event logs for Event ID 4625, which signifies a failed login attempt. You can filter the events to show only logon events and look for events with Logon Type 10, indicating an RDP logon. Multiple failed login attempts from the same IP address or user account may suggest a brute-force attack.
- Monitor for successful login attempts: Monitor the Windows Security event logs for Event ID 4624, indicating a successful login. Look for events with Logon Type 10, representing an RDP logon. Also, watch out for successful logon attempts from unusual IP addresses or user accounts.
- Monitor for unusual login times: Check the “Logon Time” field in Event ID 4624 to identify unusual login times for RDP sessions. Compare these times with normal business hours to identify suspicious activity.
- Monitor for logon events from unusual locations: Look for logon events in the Windows Security event logs that occur from unfamiliar IP addresses. Use the “IpAddress” field to identify logon events from unusual locations.
- Monitor for changes to RDP-related settings: Keep track of Windows System event logs for any changes to RDP-related settings. Look for Event ID 4719, indicating a change to the audit policy.
- Monitor for changes to account permissions: Watch for changes to account permissions associated with RDP logins. Look for Event ID 4732, indicating a modification in user permissions.
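The first four monitoring points above (failed RDP logons, successful RDP logons, unusual times, unfamiliar sources) are all queries over 4624 and 4625 events with Logon Type 10, so they can be run together over one event set. The following Python is an added example, not code from the original post; it assumes flattened events with `TimeCreated` (UTC, ISO 8601), `TargetUserName`, `IpAddress` and `LogonType`, and the business-hours window, the failure threshold, the 10-minute window and the sample events are all constructed assumptions. It only covers the Security channel; the 21/24 session events come from a different log and are not parsed here.

```python
"""Hunt RDP logon activity (logon type 10) in Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 8, 18   # assumed business hours, evaluated in UTC
FAILURE_THRESHOLD = 5                  # assumed: failed RDP logons per source ...
WINDOW = timedelta(minutes=10)         # ... inside this window count as brute force


def _ev(event_id, user, ip, when, logon_type="10"):
    return {"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
            "TimeCreated": when, "LogonType": logon_type}


# Constructed sample: a password-guessing run that eventually succeeds at
# 02:03, one daytime RDP logon from a known host, and a non-RDP logon.
SAMPLE_EVENTS = [
    _ev(4625, "administrator", "203.0.113.7", "2024-03-02T02:00:05Z"),
    _ev(4625, "administrator", "203.0.113.7", "2024-03-02T02:00:41Z"),
    _ev(4625, "administrator", "203.0.113.7", "2024-03-02T02:01:12Z"),
    _ev(4625, "administrator", "203.0.113.7", "2024-03-02T02:01:50Z"),
    _ev(4625, "administrator", "203.0.113.7", "2024-03-02T02:02:33Z"),
    _ev(4624, "administrator", "203.0.113.7", "2024-03-02T02:03:10Z"),
    _ev(4625, "jdoe", "10.0.0.50", "2024-03-02T10:14:30Z"),   # one typo, not a pattern
    _ev(4624, "jdoe", "10.0.0.50", "2024-03-02T10:15:00Z"),
    _ev(4624, "svc_backup", "10.0.0.9", "2024-03-02T03:00:00Z", logon_type="3"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))


def rdp_events(events):
    """Only the Security-channel logon events that are RDP (logon type 10)."""
    return [e for e in events
            if e.get("LogonType") == "10" and e.get("EventID") in (4624, 4625)]


def rdp_bruteforce_sources(events):
    """Sources with >= FAILURE_THRESHOLD failed RDP logons inside any WINDOW."""
    by_ip = defaultdict(list)
    for e in rdp_events(events):
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(_ts(e))
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                hits.add(ip)
                break
    return hits


def bruteforce_then_success(events):
    """Brute-force sources that later got a successful RDP logon: the guessing
    apparently worked, so these are the highest-priority alerts."""
    rdp = rdp_events(events)
    result = set()
    for ip in rdp_bruteforce_sources(events):
        first_fail = min(_ts(e) for e in rdp if e["EventID"] == 4625 and e["IpAddress"] == ip)
        if any(e["EventID"] == 4624 and e["IpAddress"] == ip and _ts(e) > first_fail for e in rdp):
            result.add(ip)
    return result


def off_hours_rdp_logons(events):
    """Successful RDP logons outside the assumed business-hours window."""
    return [e for e in rdp_events(events)
            if e["EventID"] == 4624 and not (BUSINESS_START <= _ts(e).hour < BUSINESS_END)]


def rdp_logons_from_unknown_sources(events, known_sources):
    """Successful RDP logons whose source address is not in the allowlist."""
    return [e for e in rdp_events(events)
            if e["EventID"] == 4624 and e["IpAddress"] not in known_sources]


if __name__ == "__main__":
    print("brute force:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("brute force followed by success:", bruteforce_then_success(SAMPLE_EVENTS))
    for e in off_hours_rdp_logons(SAMPLE_EVENTS):
        print("off-hours RDP logon:", e["TimeCreated"], e["TargetUserName"], e["IpAddress"])
    for e in rdp_logons_from_unknown_sources(SAMPLE_EVENTS, {"10.0.0.50"}):
        print("RDP logon from unknown source:", e["IpAddress"])
```

Each check on its own has an innocent explanation (a forgotten password, a late shift, a new laptop), which is why the combined signal matters: a source that fails repeatedly, then succeeds, outside business hours, from an address nobody has baselined, is the case to escalate first. Note that `IpAddress` in 4625 is often `-` when the failure is reported before the network layer fills it in, so a source-based count under-reports; the per-account count is the complementary view.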
A Few Common Ways Attackers Use to Gain Unauthorized Access
As we said earlier, unauthorized access is a common goal for many cyber attacks. Here are the common techniques that attackers use to gain unauthorized access:
- Password attacks: Attackers may use brute force or dictionary attacks to guess or crack passwords, allowing them to gain unauthorized access to a system.
- Malware attacks: Attackers may use malware, such as keyloggers or remote access trojans, to gain unauthorized access to a system. Once access is gained, the attacker may be able to steal sensitive data or use the system to launch further attacks.
- Social engineering attacks: Attackers may use social engineering tactics, such as phishing or pretexting, to trick users into revealing login credentials or other sensitive information.
- Zero-day or known vulnerability exploitation: Attackers may exploit vulnerabilities to gain unauthorized access to a system.
- Insider attacks: Insider attacks occur when an authorized user abuses their access privileges to gain unauthorized access to a system or steal sensitive data.
- Privilege escalation attacks: Attackers may use privilege escalation techniques to gain elevated permissions on a system, allowing them to access sensitive data or perform malicious actions.
General Guidelines to be Protected from Unauthorized Access Attacks
Having looked at some attack use cases and the common ways attackers gain unauthorized access, it’s time to look at some guidelines that help protect against unauthorized access attacks:
- Use strong passwords: Use strong, complex passwords that are difficult to guess. Consider using a password manager to generate and store passwords securely.
- Implement access controls: Implement access controls, such as user permissions and role-based access controls, to ensure that users have the appropriate level of access.
- Use multi-factor authentication: Use multi-factor authentication (MFA) to add an extra layer of security to user logins.
- Regularly update software and systems: Regularly update software and systems to ensure that known vulnerabilities are patched, and security updates are applied.
- Use intrusion detection systems: Use IPS solutions to detect intrusions in the network and on Windows systems.
- Monitor user activity: Monitor user activity, such as logon/logoff events and file access, to detect suspicious activity using SIEM, UBA, and Event Viewer.
- Educate users on security best practices: Educate users on security best practices, such as how to identify phishing emails and how to create strong passwords.
- Conduct regular security assessments: Conduct regular security assessments to identify vulnerabilities and potential security risks, allowing organizations to take proactive steps to prevent unauthorized access.