Authentication Event Logs

Authentication Event Logs Analysis

Analyzing Windows authentication event logs is crucial for detecting unauthorized access attempts, brute force attacks, and lateral movement, particularly through Remote Desktop Protocol (RDP). Below is a comprehensive guide to understanding and leveraging authentication-related event logs in security investigations.

Authentication Event Types

1. Successful Local/Domain User Logins

Event ID 4624 (Audit Success)

  • Description: Indicates a successful login.

  • Key Logon Types (filter out noise from service logins):

    • Type 2: Interactive (physical login).

    • Type 10: RemoteInteractive (RDP login).

Analysis:

  • Monitor for logon types that align with physical or remote interactive logins.

  • Investigate unusual login times or frequent logins from different locations.

2. Failed Login Attempts

Event ID 4625 (Audit Failure)

  • Description: Tracks failed login attempts.

  • Use Case: Detect brute force attacks or unauthorized login attempts.

Analysis:

  • Look for repeated failed attempts within a short timeframe.

  • Investigate failed logins targeting administrative or privileged accounts.

3-RDP Authentication Events

Successful RDP Logins

  • Event ID 4624 (Logon Type 10):

    • Found in Security Logs.

    • Indicates successful RDP login.

  • Event ID 1149:

    • Found in TerminalServices-RemoteConnectionManager/Operational.

    • Provides details such as source IP and account domain.

4-Failed RDP Logins

  • Event ID 261:

    • Found in TerminalServices-RemoteConnectionManager.

    • Indicates a TCP connection to the RDP port (3389).

  • Event ID 4625:

    • Found in Security Logs.

    • Tracks failed RDP authentication attempts.

Analysis:

  • Correlate Event IDs 261 and 4625 to analyze failed RDP login attempts.

  • Investigate frequent attempts from the same source IP as signs of brute force attacks.

5-Analyzing Lateral Movement in RDP

Source Computer Logs

  • Event ID 1102 (TerminalServices-RDPClient/Operational):

    • Logs the destination IP address of remote RDP connections.

  • Event ID 4648 (Security Logs):

    • Tracks target account and server details for the RDP session.

Destination Computer Logs

  • Event ID 1149:

    • Confirms a successful connection from the source computer.

Analysis:

  • Compare timestamps of RDP connection logs across source and destination machines.

  • Look for unusual lateral movement patterns, such as a privileged account being used unexpectedly on multiple machines.

6-Brute Force Detection Strategy

Detection Steps:

  1. Monitor Failed Logins (Event ID 4625):

    • Look for multiple failed login attempts within a short timeframe.

  2. Successful Login (Event ID 4624):

    • Investigate successful logins occurring shortly after repeated failures.

  3. Investigate Further:

    • Review user activity to confirm whether unauthorized access occurred.

    • Cross-reference with RDP logs to determine the attacker’s source.

Recommendations

  1. Account Lockout Policies:

    • Implement policies to lock accounts after a certain number of failed login attempts, reducing the risk of brute force attacks.

  2. Correlation Across Systems:

    • Use centralized logging or SIEM tools to correlate authentication events across multiple systems for detecting lateral movement.

  3. Efficient Filtering:

    • Focus on specific Event IDs and logon types to reduce noise and enhance analysis.

Key Points

Authentication event logs provide critical insights into user activity, helping to detect unauthorized access, brute force attacks, and lateral movement. By focusing on key Event IDs like 4624, 4625, 1149, and 261, and correlating data across systems, forensic analysts can uncover malicious activities and strengthen organizational security.

PreviousEvent Log AnalysisNextWindows Scheduled Tasks Event Logs

Last updated