From the Field: Logs Evaluation

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments

💥 𝟰𝟮.𝟵% of infrastructures I’ve assessed 𝗱𝗼𝗻’𝘁 𝗲𝘃𝗮𝗹𝘂𝗮𝘁𝗲 𝗹𝗼𝗴𝘀 𝗳𝗿𝗼𝗺 𝘁𝗵𝗲𝗶𝗿 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲

We’ve talked about Windows logging — but that’s only part of the picture. You also need to 𝗰𝗲𝗻𝘁𝗿𝗮𝗹𝗶𝘇𝗲, 𝗮𝗻𝗮𝗹𝘆𝘇𝗲, 𝗮𝗻𝗱 𝗱𝗲𝘁𝗲𝗰𝘁.

🛠️ Even basic detections can give you a 𝗵𝘂𝗴𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗯𝗼𝗼𝘀𝘁 — no expensive SIEM needed. I’ve seen massive SIEMs collect data and do nothing useful.

𝗦𝘁𝗮𝗿𝘁 𝘄𝗶𝘁𝗵 these low-effort, high-impact detection wins:

🔹 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗙𝗮𝗶𝗹𝘂𝗿𝗲𝘀

Watch for common brute-force and password spray indicators:

• 4776 – Attempted credential validation

• 4771 – Kerberos pre-authentication failure

• 4625 – Failed logon

• 4740 – Account locked out

💡 On your Domain Controller, 𝘁𝗿𝘆 𝘁𝗵𝗶𝘀 𝗾𝘂𝗶𝗰𝗸 𝗣𝗼𝘄𝗲𝗿𝗦𝗵𝗲𝗹𝗹 to find bad password attempts and potential lockouts:

$PDC=Get-ADForest |Select-Object -ExpandProperty RootDomain |Get-ADDomain |Select-Object -ExpandProperty PDCEmulator

$BadPasswordCount=Get-ADUser -LDAPFilter ‘(&(objectCategory=user)(badpwdcount>=3))’ -Server $PDC -Properties Name, UserPrincipalName, BadPWDCount, AccountLockoutTime, LockedOut | Select-Object Name, UserPrincipalName, BadPWDCount, AccountLockoutTime, LockedOut | Sort-Object -Descending -Property BadPWDCount

Were you alerted about these attempts? 𝗜𝗳 𝗻𝗼𝘁 — 𝘁𝗵𝗲𝗿𝗲’𝘀 𝘄𝗼𝗿𝗸 𝘁𝗼 𝗱𝗼.

🔹 𝗢𝘁𝗵𝗲𝗿 𝗞𝗲𝘆 𝗘𝘃𝗲𝗻𝘁𝘀 𝘁𝗼 𝗠𝗼𝗻𝗶𝘁𝗼𝗿

• 1102 – Security audit log cleared

• 104 – System/Application log cleared

• 4765 / 4766 – SID History modification attempts

• 4780 – ACL set on admin group members

• 4794 – DSRM password changed

• 7045 – New service installed

🎯 Use 𝗦𝗔𝗖𝗟𝘀 to track sensitive AD object changes or critical system modifications.

👀 Real visibility 𝗱𝗼𝗲𝘀𝗻’𝘁 𝗿𝗲𝗾𝘂𝗶𝗿𝗲 𝗮 𝟳-𝗳𝗶𝗴𝘂𝗿𝗲 security budget. These detections are low-cost and high-value.

Let’s create a more comprehensive list. These were just examples.

👉 𝗪𝗵𝗶𝗰𝗵 𝗲𝘃𝗲𝗻𝘁 𝗜𝗗𝘀 𝗱𝗼 𝘆𝗼𝘂 𝗿𝗲𝗰𝗼𝗺𝗺𝗲𝗻𝗱 𝘄𝗮𝘁𝗰𝗵𝗶𝗻𝗴 𝗼𝘂𝘁 𝗳𝗼𝗿?