TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: Microsoft Windows and Active Directory (AD)
SUMMARY: Starter Queries for Windows Security
Huntress SIEM and Microsoft Windows logs are case sensitive. The LIKE operator ignores case, so when searching for fields where the case may vary it’s recommended to use LIKE instead of ==. Typically those fields include user.name, host.hostname, and source.host.name
Query List
- Adding/Removing Accounts from Groups
- Group Management Events
- Account Management Events
- Password Resets
- Getting Started with User Authentication Events
Adding/Removing Accounts from Groups
Description
This search returns all instances of accounts being added or removed from Windows groups. These groups could be local groups or Domain groups. The search can be further filtered by specifying the name of a group or groups of interest. Examples of this are documented in the Additional Filter Options section.
Search Query
from logs |
where event.provider=="Microsoft-Windows-Security-Auditing" |
where event.code in (4728, 4732, 4746, 4751, 4756, 4761, 4729, 4733, 4747, 4752, 4757, 4762) |
keep host.hostname, event.code, winlog.event_data.MemberName, winlog.event_data.MemberSid, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserNameAdditional Filter Options
Limit to Local Privileged Groups
This query adds a filter to focus on two local groups (Administrators and Remote Desktop Users). These two default groups grant extra privilege to their members with Administrators granting full admin rights and Remote Desktop Users granting the ability to logon over RDP. Both of these groups are used by threat actors to gain persistence.
from logs |
where event.provider=="Microsoft-Windows-Security-Auditing" |
where event.code in (4728, 4732, 4746, 4751, 4756, 4761, 4729, 4733, 4747, 4752, 4757, 4762) |
where winlog.event_data.TargetUserName=="Administrators" OR winlog.event_data.TargetUserName=="Remote Desktop Users" |
keep host.hostname, event.code, winlog.event_data.MemberName, winlog.event_data.MemberSid, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserNameLimit to Domain Privileged Groups
This query adds a filter to focus on three domain groups (Enterprise Admins, Domain Admins, Account Operators). These three default groups grant extra privilege to their members with Enterprise Admins granting full admin rights to all domains in a forest, Domain Admins granting full admin rights to the local domain, and Account Operators granting rights allowing for management of domain accounts.
from logs |
where event.provider=="Microsoft-Windows-Security-Auditing" |
where event.code in (4728, 4732, 4746, 4751, 4756, 4761, 4729, 4733, 4747, 4752, 4757, 4762) |
where winlog.event_data.TargetUserName=="Domain Admins" OR winlog.event_data.TargetUserName=="Account Operators" OR winlog.event_data.TargetUserName=="Enterprise Admins" | keep host.hostname, event.code, winlog.event_data.MemberName, winlog.event_data.MemberSid, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserNameEvent Code Breakdown
|
Event Code |
Description |
|---|---|
|
4728 |
A member was added to a security-enabled global group |
|
4729 |
A member was removed from a security-enabled global group |
|
4732 |
A member was added to a security-enabled local group |
|
4733 |
A member was removed from a security-enabled local group |
|
4746 |
A member was added to a security-disabled local group |
|
4747 |
A member was removed from a security-disabled local group |
|
4751 |
A member was added to a security-disabled global group |
|
4752 |
A member was removed from a security-disabled global group |
|
4756 |
A member was added to a security-enabled universal group |
|
4757 |
A member was removed from a security-enabled universal group |
|
4761 |
A member was added to a security-disabled universal group |
|
4762 |
A member was removed from a security-disabled universal group |
Kept Field Descriptions
|
Field |
Description |
|---|---|
|
MemberName |
Contains the Distinguished Name (DN) of the account added or removed from the designated group. For local accounts, this has a value of “-”. |
|
MemberSid |
Contains the Security Identifier (SID) of the account added or removed from the designated group. |
|
TargetDomainName |
The Domain of the group. |
|
TargetUserName |
The Name of the group |
|
SubjectDomainName |
The Domain of the account performing the action. |
|
SubjectUserName |
The Name of the account performing the action. |
Group Management Events
Description
This search returns data describing the creation or deletion of Windows groups. This includes both local and Domain groups.
Search Query
from logs |
where event.provider=="Microsoft-Windows-Security-Auditing" |
where event.code in (4727, 4731, 4744, 4749, 4754, 4759, 4730, 4734, 4748, 4753, 4758, 4763) |
keep host.hostname, event.code, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserNameEvent Code Breakdown
|
Event Code |
Description |
|---|---|
|
4731 |
A security-enabled local group was created |
|
4734 |
A security-enabled local group was deleted |
|
4744 |
A security-disabled local group was created |
|
4748 |
A security-disabled local group was deleted |
|
4749 |
A security-disabled global group was created |
|
4753 |
A security-disabled global group was deleted |
|
4754 |
A security-enabled universal group was created |
|
4758 |
A security-enabled universal group was deleted |
|
4759 |
A security-disabled universal group was created |
|
4763 |
A security-disabled universal group was deleted |
Kept Field Breakdown
|
Field |
Description |
|---|---|
|
host.hostname |
The Name of the host where the group was created or deleted. This will be a Domain Controller if the group was a Domain group. |
|
TargetDomainName |
The Domain of the group that was created or deleted. |
|
TargetUserName |
The Name of the group that was created or deleted. |
|
SubjectDomainName |
The Domain of the account that created or deleted the group. |
|
SubjectUserName |
The Name of the account that created or deleted the group. |
Account Management Events
Description
This query returns results indicating the creation, modification, or deletion of an account. Modification is limited to disabling or enabling the account.
Search Query
from logs |
where event.provider=="Microsoft-Windows-Security-Auditing" |
where event.code in (4720, 4722, 4725, 4726, 4741, 4743) |
keep host.hostname, event.code, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName, winlog.event_data.SubjectLogonId, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName, winlog.event_data.DisplayName
Event Code Breakdown
|
Event Code |
Description |
|---|---|
|
4720 |
A user account was created |
|
4722 |
A user account was enabled |
|
4725 |
A user account was disabled |
|
4726 |
A user account was deleted |
|
4741 |
A computer account was created |
|
4743 |
A computer account was deleted |
Kept Field Breakdown
|
Field |
Description |
|---|---|
|
host.hostname |
The name of the host the account was created on. |
|
SubjectDomainName |
The Domain of the account that performed the creation, modification, or deletion. |
|
SubjectUserName |
The Name of the account that performed the creation, modification, or deletion. |
|
SubjectLogonId |
The session the action was performed in. |
|
TargetDomainName |
The Domain of the account created, modified, or deleted. |
|
TargetUserName |
The Name of the account created, modified, or deleted. |
|
DisplayName |
The “friendly” name of the account created, modified, or deleted. |
Password Resets
Description
This query returns instances where one account resets the password of another. This is uniquely different from a normal password change event which is when an account changes its own password.
Search Query
from logs |
where event.provider=="Microsoft-Windows-Security-Auditing" |
where event.code=="4724" |
keep host.hostname, winlog.event_data.SubjectDomainName, winlog.event_data.SubjectUserName, winlog.event_data.SubjectLogonId, winlog.event_data.TargetDomainName, winlog.event_data.TargetUserName
Event Code Breakdown
| Event Code | Description |
| 4724 | An account's password was reset by an administrator |
| 4723 | A user reset their own password |
Kept Field Breakdown
|
Field |
Description |
|---|---|
|
host.hostname |
The name of the system where the affected account resides. This will be a Domain Controller if the account is a Domain account. |
|
SubjectDomainName |
The Domain of the account performing the password reset. |
|
SubjectUserName |
The Name of the account performing the password reset. |
|
SubjectLogonId |
The session that the action took place in. |
|
TargetDomainName |
The Domain of the account affected by the password reset. |
|
TargetUserName |
The Name of the account affected by the password reset. |
User Authentication Events
There are a number of intricacies with tracking authentication activity due to the wide range of sources, so here's some useful info about event codes and logon types before you get started.
| Event Code | Description |
| 4624 | Successful logon |
| 4648 | User logged in using different credentials than they're currently logged in as |
| 4647 | User initiated logoff |
| 4634 | System initiated logoff |
| 4779 | User disconnected from terminal session before logging out |
| 4625 | Failed logon |
| Logon Type | Title | Description |
| 0 | System | Used exclusively by the SYSTEM account, typically generated during initial system startup. |
| 2 | Interactive | The user is physically present at the keyboard and screen, or using software that mimics physical presence. |
| 3 | Network | A user or computer connected over the network (e.g., accessing shared folders, IIS websites, or mapped network drives). |
| 4 | Batch | Executed on behalf of a user without direct human intervention, such as via the Windows Task Scheduler. |
| 5 | Service | Triggered by a background Windows Service configured to log on and run under a specific user account. |
| 7 | Unlock | Generated when a user enters credentials to unlock a previously locked workstation workstation workstation. |
| 8 | NetworkCleartext | A network login where the user's password was sent to the authentication package in an unhashed (plaintext) format. Often associated with basic authentication on IIS. |
| 9 | NewCredentials | Created when a user spawns a process using different credentials for outbound network connections (e.g., using the runas /netonly command). |
| 10 | RemoteInteractive | A remote console session. Most commonly triggered via Remote Desktop Protocol (RDP), Remote Assistance, or Terminal Services. 3rd party RDP tools may or may not log the same as Microsoft's RDP client. |
| 11 | CachedInteractive | The user logged on locally using credentials cached in memory because a Domain Controller could not be reached to verify them. |
| 12 | CachedRemoteInteractive | Same as Type 10 (Remote Desktop), but the system used cached credentials locally because it could not reach a Domain Controller. |
| 13 | CachedUnlock | The user unlocked the screen using locally cached credentials while disconnected from the network domain. |
Starter Queries for User Logon Activity
Note: Windows does not log these events by default. The Huntress agent will automatically set this policy to the correct level, provided you don’t have a competing system setting policy (see https://support.huntress.io/hc/en-us/articles/51811065416851-Finding-the-Source-of-Windows-Logging-Audit-Policy-Configuration)
Description
These queries return all instances of user accounts that have logged on in the time frame specified.
from logs |
where event.capability==”winlog” |
where event.code in (4624, 4648)
Additional Filter Options
Filter Logons by Organization
For this you’ll want to search in the org scope by clicking SIEM (icon on the far left) > SIEM Dashboard > at the top left where it says “Account” or “Organization” click to select the org you want to view (should say “Account: __” if in account scope or “Organization:__” if you’re in the org scope). The KEEP operator ensures the user name and endpoint name are displayed.
from logs |
where event.capability==”winlog” |
where event.code in (4624, 4648) |
keep user.name, host.hostnameFilter Logons by User
This query shows all logons by a user you specify, simply replace $username with the logon name of the user you’re looking for (leave the * in as wildcards). Additionally, this query displays the name of the endpoint the user logged into, and the type of logon performed.
from logs |
where event.capability==”winlog” |
where event.code in (4624, 4648) |
where user.name LIKE “*$username*” |
keep host.hostname, logon.typeCount all Unique Users
Useful for seeing all users who have logged in and a total number of logons, typically done in the agent scope such as a DC.
from logs |
where event.capability==”winlog” |
where event.code in (4624, 4648) |
stats count() by user.nameShow all Endpoints a User Logged on
Similar to the two queries above, this variation shows all endpoints that a specific user has logged into and the type of logon performed. This is best done in the org or account scope to ensure you capture all endpoint activity. Just replace $username with the user’s logon name (leave the * in as wildcards).
from logs |
where event.capability==”winlog” |
where event.code in (4624, 4648) |
where user.name LIKE “*$username*” |
stats count() by host.hostnameView Remote Endpoint Name (remote logon)
This query shows all remote logons and displays the name of the user who logged in, the name of the remote endpoint, and the IP address of the remote endpoint.
from logs |
where event.capability==”winlog” |
where event.code in (4624, 4648) |
where logon.type in (3, 10) |
keep user.name, source.host.name, source.ip
Starter Queries for User Logoff Activity
Description
These queries return all logged(*) instances of user accounts that have logged off in the time frame specified. The search can be further filtered to specific endpoint names, user names, or logon types (see logon types for more info).
(*)Note that there are several cases in which Windows will not display logoff events including:
- Logon types 3, 4, and 5 do not generate logoff events
- Logon type 2 and 10: if the user closes the RDP window, puts their endpoint to sleep, locks their endpoint, hasn’t signed out yet, or force restarts the endpoint before signing out.
- If fast startup is enabled and the user shuts their endpoint down.
- If the endpoint has a “logoff after idle time” policy or a screensaver that locks the endpoint, a logoff event code won’t be generated.
- If the endpoint shuts down abruptly, encounters a blue screen, or is shut down using the power button (while the user is logged in).
- If event logs Audit Policy is not set up to store logoff events. Note the Huntress agent will automatically set this policy to the correct level, provided you don’t have a competing system setting policy (see https://support.huntress.io/hc/en-us/articles/51811065416851-Finding-the-Source-of-Windows-Logging-Audit-Policy-Configuration)
Search Query
from logs |
where event.capability==”winlog” |
where event.code in (4647, 4634, 4779) |
keep target.user.name
Note that logoff events use target.user.name for the user name field, while logon events use user.name So for example if you wanted to see all logon/logoff events with user names you’d need to keep both user name fields like this: from logs | where event.capability==”winlog” | where event.code in (4647, 4634, 47779, 4625, 4624, 4648) | keep target.user.name, user.name
|
Starter Queries for Failed Logons
Description
When looking for intrusion events you may want to look at all failed logons. This query will show all(*) failed logons, the user names, the endpoint names, and the type of logon.
(*)Note that there are several cases in which Windows will not display failed logon events including:
- If a user tries to logon via RDP to a server with Network Level Authentication (NLA) enabled, the remote machine requires valid credentials before the RDP session can start. Thus 4625 won’t be logged at the endpoint where logon was attempted.
- If the logon service is hit with a highly malformed string or invalid protocol request, LSASS may fail to process the request as an authentication attempt.
- If event logs Audit Policy is not set up to store failed logon events. Note the Huntress agent will automatically set this policy to the correct level, provided you don’t have a competing system setting policy (see https://support.huntress.io/hc/en-us/articles/51811065416851-Finding-the-Source-of-Windows-Logging-Audit-Policy-Configuration)
Search Query
from logs |
where event.capability==”winlog” |
where event.code==4625 |
keep user.name, host.hostname, logon.typeAdditional Filter Options
For all of these additional queries you may want to search in the org or account scope first, and then drill into specific machines. To search in the org or account scope click SIEM (far left) > SIEM Dashboard > now at the top left where it currently says “Account” or “Organization” select the org or account you want to view.
Endpoints with Failed Logons
This query shows a list of machines with failed logons.
from logs |
where event.capability==”winlog” |
where event.code==4625 |
stats count() by host.hostnameUsers with Failed Logons
This query shows a list of users with failed logons.
from logs |
where event.capability==”winlog” |
where event.code==4625 |
stats count() by user.nameIP of Failed Remote Logons
This query shows all the IP addresses associated with failed logons. Query views all IP addresses, user names, the endpoint the user attempted to logon to (host.hostname), and name of the endpoint the user attempted to logon from (source.host.name).
from logs |
where event.capability==”winlog” |
where event.code==4625 |
where logon.type in (3, 10) |
keep source.ip, user.name, host.hostname, source.host.name