March 07, 2023

Getting Analysis Practice from Windows Event Log Sample Attacks

Written by Thomas Millar
Incident Response | Incident Response & Forensics

Throughout my career as an Incident Responder, one of the most valuable skills I have drawn on has been analysis of Windows event logs. These logs are an essential source of evidence for forensic practitioners, because they are often what lets you establish the sequence and cause of events during a computer security incident. Windows event logs record a wide range of data about how the system is functioning, what legitimate users are doing, and what happens when attackers enter the arena. With respect to log analysis, I maintain that the event logs are valuable not only for helping you find ‘badness’, but also for teaching you important fundamentals about Windows system internals.

To practice the detection and analysis skills needed to find such badness, it helps to have a set of event log samples that represent actual attack data, and to explore different ways to apply your knowledge and analysis techniques to them. This article covers attack samples for the Windows platform: event log files whose records capture different types of attacks. Almost anyone can browse through them, and the result is that you walk away knowing a bit more about attacks you may not have encountered before, with log data you can keep exploring and learning from.

The log files I use in this demonstration are on GitHub at https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES. After downloading them, browse the folder groupings to see what they offer. The samples are grouped by MITRE ATT&CK tactic, such as ‘defense evasion’, ‘credential access’, and ‘lateral movement’, with the individual files reflecting the technique each one captures.

Below, I have identified some records that trigger a ‘Malicious Named Pipe’ Sigma rule. These are rated critical severity, so we will focus on them throughout this article. The snippet immediately below, produced by a Python tool that applies Sigma rules to identify and classify suspicious events, shows the ones that caught my attention.

We can dive in further using the native Windows Event Viewer. Other tools are worth exploring, but for this blog entry we will stay primarily with Event Viewer. The event log source we will focus on is System Monitor (Sysmon), which is not native to Windows; it is an add-on, but one that incident responders value highly because it records detail the built-in logs do not, such as process creation with full command lines and hashes, network connections, and named pipe activity.

After navigating to the log file, we can open the events filtered specifically for the malicious named pipe activity. The highlighted entry shows the named pipe recorded in a Sysmon Event ID 18 (Pipe Connected) record at 8:59:14 PM UTC on April 29, 2019.

The stock Event Viewer application does a good job breaking out the details of a Sysmon Event ID 18 record: the pipe name, the image that connected to it, its ProcessGuid and ProcessId, and the other attributes of the event are all shown when you open the record's details.

Below, we can see that the Sysmon Event ID 1 (Process Create) record for the process behind the named pipe also contains useful information, including CurrentDirectory and User. The ProcessGuid ties the two records together, and these details can be used to pivot into other Windows artifacts.

The string ‘pipeshell’ appears in the CurrentDirectory field, which may suggest a PowerShell-based tool or naming convention. Such observations open additional avenues of analysis you might pursue, but here we will stick to the log data.

As we evaluate the later events, we find other suspicious activity. In the next screenshot, whoami is invoked, recorded in another Sysmon Event ID 1 record. An attacker who has just obtained a shell typically runs whoami to learn which account and privileges they hold, so this raises red flags for me and warrants further investigation.
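The pivot described above, from a suspicious Sysmon Event ID 17/18 pipe record to the Event ID 1 record of the owning process and then to the discovery commands that process spawned, can be automated. The script below is an added example, not code from the original article or from the EVTX-ATTACK-SAMPLES project. It works on Sysmon events in the XML layout Event Viewer shows on the Details tab (on a real case you would export that XML, or read the .evtx with a library such as python-evtx, both assumptions here). The records it runs on are constructed for the example and only loosely modeled on the pivot described in this article; the pipe-name fragments and discovery binaries it matches are a small illustrative subset, not the exact list from the Sigma rule.

```python
"""Triage Sysmon named-pipe events and pivot to the owning process and its children.

Added example, not from the original article. Input records are constructed
Sysmon events in the XML form Event Viewer shows on the Details/XML tab.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: a small subset of pipe-name fragments of the kind the public
# Sigma 'Malicious Named Pipe' rule enumerates (PsExec/PAExec service pipes,
# Cobalt Strike SMB beacon defaults). Not the rule's exact list.
SUSPICIOUS_PIPE_FRAGMENTS = ("\\psexesvc", "\\paexec", "\\msagent_",
                             "\\msse-", "\\postex_", "\\status_")

# Assumption: discovery binaries worth flagging when spawned by the pipe owner.
DISCOVERY_IMAGES = ("whoami.exe", "net.exe", "nltest.exe", "ipconfig.exe")


def parse_event(xml_text):
    """Flatten one Sysmon <Event> into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def is_suspicious_pipe(pipe_name):
    """Case-insensitive substring match against the known-bad fragments."""
    name = pipe_name.lower()
    return any(frag in name for frag in SUSPICIOUS_PIPE_FRAGMENTS)


def investigate(xml_records):
    """One finding per suspicious pipe event (Sysmon 17/18), joined on
    ProcessGuid to the owning Event ID 1 record and to any discovery children."""
    events = [parse_event(x) for x in xml_records]
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] not in (17, 18) or not is_suspicious_pipe(e["PipeName"]):
            continue
        owner = creates.get(e["ProcessGuid"])
        children = [c for c in creates.values()
                    if c.get("ParentProcessGuid") == e["ProcessGuid"]]
        findings.append({
            "time": e["TimeCreated"],
            "event_id": e["EventID"],
            "pipe": e["PipeName"],
            "image": e["Image"],
            "current_directory": owner["CurrentDirectory"] if owner else None,
            "user": owner["User"] if owner else None,
            "discovery_children": [c["CommandLine"] for c in children
                                   if c["Image"].lower().endswith(DISCOVERY_IMAGES)],
        })
    return findings


def sysmon_xml(event_id, system_time, **data):
    """Build a constructed Sysmon event in Event Viewer's XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed records, not the contents of the real sample file.
SAMPLE_RECORDS = [
    sysmon_xml(1, "2019-04-29T20:59:10Z", ProcessGuid="{A1}", ProcessId="4120", Image=PS,
               CommandLine="powershell.exe -NoProfile -File .\\server.ps1",
               CurrentDirectory="C:\\Users\\Public\\pipeshell", User="LAB\\operator",
               ParentProcessGuid="{00}"),
    sysmon_xml(18, "2019-04-29T20:59:14Z", EventType="ConnectPipe", ProcessGuid="{A1}",
               ProcessId="4120", PipeName="\\msagent_1a", Image=PS),
    sysmon_xml(17, "2019-04-29T20:59:15Z", EventType="CreatePipe", ProcessGuid="{B2}",
               ProcessId="912", PipeName="\\srvsvc", Image="C:\\Windows\\System32\\svchost.exe"),
    sysmon_xml(1, "2019-04-29T20:59:20Z", ProcessGuid="{C3}", ProcessId="5008",
               Image="C:\\Windows\\System32\\whoami.exe", CommandLine="whoami",
               CurrentDirectory="C:\\Users\\Public\\pipeshell", User="LAB\\operator",
               ParentProcessGuid="{A1}"),
]

if __name__ == "__main__":
    for finding in investigate(SAMPLE_RECORDS):
        print(finding)
```

Run as written, the benign svchost pipe (`\srvsvc`) produces no finding, while the `\msagent_` pipe yields one finding carrying the owner's CurrentDirectory and User plus the `whoami` child, which is exactly the chain walked by hand in the paragraphs above. Joining on ProcessGuid rather than ProcessId matters: PIDs are reused after a process exits, whereas Sysmon's ProcessGuid is unique per process instance.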

As it turns out, these events are only a small part of the sbousseaden GitHub sample. This log data lives in the ‘Lateral Movement/’ folder in a file named ‘lm_sysmon_18_remshell_over_namedpipe.evtx’. For this article, I renamed the file so I would not prematurely give away what occurred within it. Renaming the exhibit also replicates a more real-world situation: you rarely know what sinister activity a log file holds before you analyze it. Logs sent to me for analysis usually do not have filenames based on an attack methodology or tactic, but generic names reflecting their function, such as Application and Windows PowerShell, among others.

Today, we only scratched the surface of looking through sample attack activity within Windows event logs, and there is much more you can explore on your own to build your knowledge. I hope you found this discussion useful and that it encouraged you to consider additional ways to practice looking for malicious lateral movement, intrusions, and other things that go bump on the servers during the night.