# Windows Logs

## Windows

:exclamation: ***Threat Detection with Windows Event Logs***

### **Demo 1: Successful Brute Force Attempts**

**Tactic:** Credential Access    **Technique:** Brute Force (ATT&CK T1110)

![Searching for Successful Brute Force Attempts](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MRxMyC2hiuD5DXmP0fc%2F-MRxNelQiItuVGxTvPOg%2Fimage.png?alt=media\&token=d6817a11-21bb-4083-99e7-98784433a6cb)
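The search in the screenshot is Splunk SPL; the same correlation, as an added example that is not part of the original page or the Splunk blog it draws on, is written out below in Python so it can be run against sample data offline. It keys on the Security log fields `TargetUserName` and `IpAddress` of events 4625 (failed logon) and 4624 (successful logon), counts failures per (account, source IP) in a sliding window, and raises an alert only when a success follows at least `threshold` failures. The event records are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
"""Detect a brute force that succeeded: a burst of 4625 failures for one
account from one source IP, followed by a 4624 success for the same pair."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names mirror the
# EventData of Security log events 4624/4625: TargetUserName, IpAddress, LogonType.
SAMPLE_EVENTS = [
    # Attacker: six failures in one minute, then a successful network logon.
    *[{"time": f"2024-01-10T09:00:{s:02d}", "EventID": 4625, "TargetUserName": "svc_backup",
       "IpAddress": "10.0.0.55", "LogonType": 3} for s in range(0, 60, 10)],
    {"time": "2024-01-10T09:01:05", "EventID": 4624, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.55", "LogonType": 3},
    # Benign: one mistyped password, then success (stays under the threshold).
    {"time": "2024-01-10T09:02:00", "EventID": 4625, "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "LogonType": 2},
    {"time": "2024-01-10T09:02:30", "EventID": 4624, "TargetUserName": "alice",
     "IpAddress": "10.0.0.7", "LogonType": 2},
    # Failed spray: eight failures against bob with no matching 4624.
    *[{"time": f"2024-01-10T09:03:{s:02d}", "EventID": 4625, "TargetUserName": "bob",
       "IpAddress": "10.0.0.55", "LogonType": 3} for s in range(0, 40, 5)],
    # Stale: six failures at 08:00, success 90 minutes later, outside the window.
    *[{"time": f"2024-01-10T08:00:{s:02d}", "EventID": 4625, "TargetUserName": "carol",
       "IpAddress": "10.0.0.9", "LogonType": 3} for s in range(0, 60, 10)],
    {"time": "2024-01-10T09:30:00", "EventID": 4624, "TargetUserName": "carol",
     "IpAddress": "10.0.0.9", "LogonType": 3},
]


def find_successful_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per 4624 that was preceded, within `window`, by at
    least `threshold` 4625 events for the same (account, source IP)."""
    failures = defaultdict(deque)  # (account, source ip) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        recent = failures[key]
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["EventID"] == 4625:
            recent.append(ts)
        elif ev["EventID"] == 4624 and len(recent) >= threshold:
            alerts.append({
                "account": key[0],
                "source": key[1],
                "failures": len(recent),
                "success_at": ev["time"],
                "logon_type": ev["LogonType"],
            })
            recent.clear()  # one alert per successful break-in, not per later logon
    return alerts


if __name__ == "__main__":
    for alert in find_successful_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Two practical caveats when porting this to real logs: interactive and local logons (LogonType 2, or a 4624 with `IpAddress` of `-` or `::1`) collapse onto one source key, so filter or split them, and account lockout (4740) between the failures and the success is worth pulling into the same search, since a success after a lockout is a strong sign the password was eventually guessed or reset.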

### Finding New Local Admin Accounts

> Often an attack will include the creation of a new user, followed by permissions being elevated to an admin level. In this video we show you how to use Splunk to find these accounts so that you can take action if needed.

![](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MS_woCX9iyNZydUNAV4%2F-MSaTUrHBUE8mepdnLuH%2FCreate%20User%20-%20Admin.png?alt=media\&token=b05d9553-e80b-438c-bd35-df0b8eff2baa)

### Recurring Malware on Host

> Using Anti-Virus logs to detect if malware is recurring on a host after being removed.

![](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MS_woCX9iyNZydUNAV4%2F-MSaW8Z7sKHcAQ0-auqu%2FRecurring%20Malware.png?alt=media\&token=9daa8207-dcb3-4166-8b81-b8a00b678a38)

### Network and Port Scan

> Using Splunk with firewall logs to detect hosts that are running network and port scans.

![Network and Port Scan](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MS25v40ed2KWktjnHcL%2F-MS2xvBiRE-f4dJuT4pN%2FIP%20and%20Port%20Scan.png?alt=media\&token=58b392db-97db-4221-a4f5-ecacf70f5fc4)
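The screenshot shows the Splunk search over firewall logs; the logic behind it, as an added example that is not from the original page, is shown below in Python over a constructed key=value firewall log format (no real vendor's syntax). For each source address it keeps a sliding window of connection attempts and separates the two scan shapes a firewall sees: many distinct ports against one host (a vertical port scan) and one port across many hosts (a horizontal network sweep). Thresholds, window and the log format are assumptions for the example.

```python
"""Detect port scans and network sweeps from firewall connection logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key=value firewall log format (not any vendor's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_FIREWALL_LOG = "\n".join(
    # 10.0.0.66 probes 25 different ports on one host: vertical port scan.
    [f"2024-01-10T10:00:{i:02d} src=10.0.0.66 dst=10.0.1.20 dport={p} proto=tcp action=deny"
     for i, p in enumerate(range(20, 45))]
    # 10.0.0.67 probes one port across 30 hosts: horizontal network sweep.
    + [f"2024-01-10T10:05:{i:02d} src=10.0.0.67 dst=10.0.1.{h} dport=445 proto=tcp action=deny"
       for i, h in enumerate(range(1, 31))]
    # Ordinary traffic from a workstation, plus a line the parser must skip.
    + ["2024-01-10T10:07:00 src=10.0.0.7 dst=10.0.1.20 dport=443 proto=tcp action=allow",
       "2024-01-10T10:07:05 src=10.0.0.7 dst=10.0.1.21 dport=445 proto=tcp action=allow",
       "malformed line that does not match the expected format"]
)


def parse_firewall_log(log_text):
    """Parse the constructed format into dicts sorted by time; bad lines are dropped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_scans(log_text, window=timedelta(minutes=5),
                 port_threshold=20, host_threshold=20):
    """Return one alert per (source, scan kind) once the threshold is crossed.

    Denied and allowed connections are both counted: a scanner gets allows
    for open ports and denies for closed ones, so filtering on action=deny
    would hide the hits that matter most."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst, dport) inside the window
    alerted = set()
    alerts = []
    for rec in parse_firewall_log(log_text):
        src, dst, dport, ts = rec["src"], rec["dst"], rec["dport"], rec["ts"]
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > window:
            q.popleft()
        ports_on_host = {p for _, d, p in q if d == dst}
        hosts_on_port = {d for _, d, p in q if p == dport}
        if len(ports_on_host) >= port_threshold and (src, "port_scan") not in alerted:
            alerted.add((src, "port_scan"))
            alerts.append({"kind": "port_scan", "src": src, "target": dst,
                           "count": len(ports_on_host), "first_seen": q[0][0].isoformat()})
        if len(hosts_on_port) >= host_threshold and (src, "network_sweep") not in alerted:
            alerted.add((src, "network_sweep"))
            alerts.append({"kind": "network_sweep", "src": src, "target": f"port {dport}",
                           "count": len(hosts_on_port), "first_seen": q[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FIREWALL_LOG):
        print(alert)
```

Vulnerability scanners, monitoring systems and Active Directory domain controllers legitimately touch many hosts and ports; an allow-list of known scanner addresses, applied before counting, keeps those out of the results without lowering the threshold for everyone else.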

### **Demo 2: Event Clearing**

**Tactic:** Defense Evasion    **Technique:** Indicator Removal on Host (ATT&CK T1070; clearing the Windows event log is now the sub-technique T1070.001, Clear Windows Event Logs)

![Searching for Log Removal](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MRxPVP16LdaW9uCuTR-%2F-MRxPqj0RCmurxGiWajs%2Fimage.png?alt=media\&token=b112fd93-1b9b-46d9-adc0-a33eca16cd66)

### **Demo 3: Account Manipulation**

**Tactic:** Credential Access    **Technique:** Account Manipulation (ATT&CK T1098; listed under Credential Access in the ATT&CK version the Splunk post used, but current ATT&CK places it under Persistence)

![Searching for Account Manipulation](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MRxPVP16LdaW9uCuTR-%2F-MRxPzgSqcGV1jAF3iWW%2Fimage.png?alt=media\&token=33cde5a0-23a6-4c49-8f81-4ce1c5bf4c2c)
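"Finding New Local Admin Accounts", Demo 2 and Demo 3 above are three views of one attack chain: a user is created (4720), added to the local Administrators group (4732), used to change other accounts (4738 user account changed, 4724 password reset) and finally used to clear the Security log (1102). The Python below, an added example not taken from the original page or the Splunk blog, correlates those events over constructed records. It matches the new account to the group-membership change by SID (`TargetSid` of the 4720 against `MemberSid` of the 4732, since `MemberName` is frequently `-`), recognises the Administrators group by its well-known SID rather than its localised name, and tags later manipulation and log clearing with whether the actor is one of those freshly minted admins. The 24-hour window is an assumption.

```python
"""Correlate Security log events 4720, 4732, 4738/4724 and 1102 into a chain:
new account -> added to Administrators -> manipulates accounts -> clears the log."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in local Administrators group

# Constructed sample events (not real telemetry). Field names mirror EventData
# of the respective Security events (SubjectUserName = who did it, TargetUserName
# = the account or group acted upon, MemberSid = the member added by a 4732).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T11:00:00", "EventID": 4720, "SubjectUserName": "helpdesk1",
     "TargetUserName": "support", "TargetSid": "S-1-5-21-111-222-333-1105", "Computer": "WS01"},
    {"time": "2024-01-10T11:00:20", "EventID": 4732, "SubjectUserName": "helpdesk1",
     "MemberSid": "S-1-5-21-111-222-333-1105", "TargetUserName": "Administrators",
     "TargetSid": ADMINISTRATORS_SID, "Computer": "WS01"},
    # The new admin changes the built-in Administrator account (RID 500).
    {"time": "2024-01-10T11:01:00", "EventID": 4738, "SubjectUserName": "support",
     "TargetUserName": "Administrator", "TargetSid": "S-1-5-21-111-222-333-500", "Computer": "WS01"},
    # ... and then clears the Security log.
    {"time": "2024-01-10T11:05:00", "EventID": 1102, "SubjectUserName": "support", "Computer": "WS01"},
    # Benign: a new standard user added to Remote Desktop Users (S-1-5-32-555), not Administrators.
    {"time": "2024-01-10T12:00:00", "EventID": 4720, "SubjectUserName": "helpdesk1",
     "TargetUserName": "intern", "TargetSid": "S-1-5-21-111-222-333-1106", "Computer": "WS02"},
    {"time": "2024-01-10T12:00:30", "EventID": 4732, "SubjectUserName": "helpdesk1",
     "MemberSid": "S-1-5-21-111-222-333-1106", "TargetUserName": "Remote Desktop Users",
     "TargetSid": "S-1-5-32-555", "Computer": "WS02"},
]


def correlate_account_activity(events, window=timedelta(hours=24)):
    """Walk events in time order and emit alerts for the three stages.

    new_local_admin:      4732 into Administrators whose MemberSid was created
                          by a 4720 on the same host within `window`
    account_manipulation: 4738/4724 where the actor changes someone else's account
    audit_log_cleared:    every 1102, tagged with whether a new admin did it
    """
    created = {}        # (host, sid) -> (created_at, account name)
    new_admins = set()  # (host, lower-case account name) flagged as fresh admins
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        host, eid = ev["Computer"], ev["EventID"]
        if eid == 4720:
            created[(host, ev["TargetSid"])] = (ts, ev["TargetUserName"])
        elif eid == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            hit = created.get((host, ev["MemberSid"]))
            if hit and ts - hit[0] <= window:
                new_admins.add((host, hit[1].lower()))
                alerts.append({"kind": "new_local_admin", "host": host, "account": hit[1],
                               "by": ev["SubjectUserName"], "time": ev["time"]})
        elif eid in (4738, 4724):
            actor = ev["SubjectUserName"]
            if actor.lower() != ev["TargetUserName"].lower():
                alerts.append({"kind": "account_manipulation", "host": host,
                               "account": ev["TargetUserName"], "by": actor,
                               "by_new_admin": (host, actor.lower()) in new_admins,
                               "time": ev["time"]})
        elif eid == 1102:
            actor = ev["SubjectUserName"]
            alerts.append({"kind": "audit_log_cleared", "host": host, "by": actor,
                           "by_new_admin": (host, actor.lower()) in new_admins,
                           "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate_account_activity(SAMPLE_EVENTS):
        print(alert)
```

Because 1102 is written to the very log that was just cleared, it is only useful if events are forwarded off the host before an attacker gets to them; on a workstation that is not shipping its Security log to Splunk or another collector, the clearing event may be the only thing left, and on a domain-joined host the corresponding domain group change arrives as 4728 (global group) or 4756 (universal group) from the domain controller rather than 4732.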

## Windows EventIDs

![](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MRxQHIy9WqXYMk9ye1v%2F-MRxSFyigawqoU8aLLPq%2Fimage.png?alt=media\&token=aad26056-f098-4efa-9ff0-40cc3b8add78)

![](https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MRxSJifQm9Bz_RvkhQl%2F-MRxVHkIK11sspv0ZWVh%2Fimage.png?alt=media\&token=f2a10ed8-bd6d-448e-a953-009f5364ec26)

Further reading: [What are the top EventLog IDs and ID groups to watch out for indicators of compromise](https://medium.com/@hannahsuarez/what-are-the-top-eventlog-ids-and-id-groups-to-watch-out-for-indicators-of-compromise-or-93d961ff326d) (Hannah Suarez, Medium).


## References

#### [Peeping Through Windows Logs (Splunk blog): Event IDs 4688 (process creation), 4738 (user account changed), 4624 (successful logon), 1102 (audit log cleared)](https://www.splunk.com/en_us/blog/security/peeping-through-windows-logs.html)

{% file src="https://1771079106-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MQbAc68qKpvpcr7cwG8%2F-MRxY2p3RGUoCUt_xLez%2F-MRxYSsG8Qrs411xEOPF%2FWindows%20Splunk%20Logging.pdf?alt=media&token=13b9fd02-9249-41eb-944a-0070da219f27" %}
Windows Logs Explanation
{% endfile %}

