Table of Contents
  • Home
  • /
  • Blog
  • /
  • How to Detect Unauthorized Access on Windows Machines?
November 16, 2023
|
19m

How to Detect Unauthorized Access on Windows Machines?


How To Detect Unauthorized Access On Windows Machines

Whatever the cyber incident or cybercrime may be, from social engineering to Advance Persistence Threats (APTs), one thing you would have noticed in common. That is unauthorized access. It is something every cyberattack either starts with or ends with. Unauthorized access is the most critical part of any cyberattack. Once the threat actor gains unauthorized access to a victim’s machine, it’s concluded as compromised. We hope anybody can understand what challenges unauthorized access brings to the victim. Rather than wasting time in getting into the implications, let’s learn a few ways to identify unauthorized access on Windows machines. We have kept this post exclusively for Microsoft Windows. We will publish how to detect unauthorized access on Linux and Mac in a different post. Let us help security professionals to learn how to detect unauthorized access on Windows platforms.

Before you jump in on how to detect unauthorized access on Windows platforms, it’s mandatory to know about the Event, Log, and Event IDs in Windows.

What is an Event, a Log, and an Event ID in Windows?

To tell more about an Event, a log, and an Event ID, an Event is a notification that something significant has occurred on a computer or network. It is usually triggered by an action taken by the user, such as starting a program, connecting to the internet, or performing some other task. When an event occurs, Windows records information about it in a Log file. The log contains details like what time the event occurred and which application was involved (if applicable). Event IDs are unique numbers assigned to each type of event that can occur on Windows systems. They enable administrators to quickly identify what kind of event has occurred and take appropriate action if necessary. Event IDs also make identifying patterns of suspicious activity easier for intrusion detection systems. By understanding Events, Logs, and Event IDs in Windows, system administrators can better monitor and maintain the health and security of their systems. They can also quickly identify, troubleshoot, or respond to any issues that arise from unexpected events or suspicious activity.

What is an Incident?

An Incident is an event or series of events that have caused a system to deviate from its expected behavior and compromise the security of the system. Incidents often involve malicious activity, such as unauthorized access, data breaches, and malware infections. 

As opposed to Events where Windows records information for auditing purposes, Incidents require more immediate attention and response. Security professionals and System administrators must identify incidents quickly in order to mitigate any damage caused by the malicious actor or software. They should then take steps to gather evidence related to the incident and plan for preventative measures so that similar incidents do not occur in the future. By recognizing incidents early on, system administrators can protect their systems better and ensure that they remain secure and stable going forward.

Unauthorized access is considered an incident in the cybersecurity world as it is something abnormal event which shouldn’t happen in normal circumstances. Any such violations are captured as incidents. A few good examples of security incidents are: 

  • A data breach at a large company that compromised sensitive customer information. 

  • An intentional attack on a government website disrupted services and caused significant financial damage. 

  • Unauthorized access to an employee’s computer allows a hacker to gain access to internal systems and confidential documents. 

  • A ransomware attack that encrypted corporate data, making it inaccessible until a ransom was paid. 

  • An attack on critical infrastructure caused widespread disruption and required costly repairs. 

  • A malicious insider with access to sensitive data who leaked the information to competitors or other parties. 

  • Phishing attacks tricked employees into divulging confidential login details or downloading malware onto their computers. 

  • A malicious insider exploited a vulnerability in the system to gain access to confidential information. 

  • An attack on an online banking website resulted in customers losing their money and identity theft. 

  • A distributed denial of service (DDoS) attack overwhelmed resources, making it impossible for legitimate users to connect. 

These are just some examples of serious security incidents that can have dire consequences for any organization or individual. It is, therefore, essential to put in place the necessary measures to protect your systems and data from malicious actors. 

Ways to Detect Unauthorized Access on Windows Machines

There could be several tools available to detect unauthorized access on Windows. The most basic and manual approach would be reviewing the logs. You could either use Windows’s native log viewer tool called Event Viewer, or you can go for third-party log management tools like Security Information and Event Management (SIEM) solutions, User Behavior Analytics (UBA), File Integrity Monitoring (FIM), Privileged Access Management (PAM), and many more.

Whatever may be the way, one thing you should have to start with is the logon types and associated Event IDs. In the Windows operating system, all logs are captured and monitored using the event viewer. Event ID is a numeric identifier that is assigned to specific events or occurrences within the system. Each event that occurs on a Windows computer is logged in the Event Viewer, and each log entry is associated with a unique Event ID. 

Event IDs are used to classify and categorize events, making it easier to locate and interpret them. They provide information about the source, nature, and severity of an event. Event IDs can range from 1 to 65,535 and are divided into different categories, including system events, application events, security events, and more.

Log On Types and Their Event IDs

The logon type is determined by the way in which the user logs on to the system. For example, if a user logs on to a system locally, the logon type will be “Interactive.” If a user logs on to a system remotely, the logon type will be “Network.”

The event ID is generated when a logon event occurs. The event ID can be used to identify the logon type, as well as other information about the logon event, such as the user name, the computer name, and the logon time.

In Windows, there are 11 different login types. The following table lists the logon types. If you want to get the matching Event IDs, please search the IDs from here. These logon types could be very helpful in detecting unauthorized access on Windows machines.

Logon TypeLogon TitleDescription
2InteractiveThis logon method is employed by batch servers, allowing scheduled tasks to be executed on behalf of a user   without requiring manual intervention.
3NetworkThis type of logon occurs when a user physically logon to the computer.
4batchLogon type for service accounts running services.
5ServiceLogon type for the user logging in using locally stored network credentials.
7UnlockLogon type when user unlocks   their machine
8Network CleartextLogon type when the user sends   network credentials in cleartext
9New CredentialsLogon type for ‘RunAs’ command   usage, to run an application
10Remote InteractiveLogon type when a used login   using a remote interactive session using terminal service or RDP
11Cached InteractiveLogon type for the user logging   in using locally stored network credentials.

Here you see the list of the most common Windows Event IDs:

Event Log, Source            EventID   EventID   Description
                           Pre-vista   Post-Vista
Security, Security               512   4608  Windows NT is starting up.
Security, Security               513   4609  Windows is shutting down.
Security, USER32                 ---   1074  The process nnn has initiated the restart of computer.
Security, Security               514   4610  An authentication package has been loaded by the Local Security Authority.
Security, Security               515   4611  A trusted logon process has registered with the Local Security Authority.
Security, Security               516   4612  Internal resources allocated for the queuing of audit messages
                                             have been exhausted, leading to the loss of some audits.
Security, Security               518   4614  A notification package has been loaded by the Security Account Manager.
Security, Security,              519   4615  A process is using an invalid local procedure call (LPC) port.
Security, Security               520   4616  The system time was changed.
Security, Security               521    ---  Unable to log events to security log.
Security, Security(Logon/Logoff) 528   4624  Successful Logon.
Security, Security(Logon/Logoff) 540   4624  Successful Network Logon.
Security, Security(Logon/Logoff) 529   4625  Logon Failure - Unknown user name or bad password.
Security, Security(Logon/Logoff) 530   4625  Logon Failure - Account logon time restriction violation.
Security, Security(Logon/Logoff) 531   4625  Logon Failure - Account currently disabled.
Security, Security(Logon/Logoff) 532   4625  Logon Failure - The specified user account has expired.
Security, Security(Logon/Logoff) 533   4625  Logon Failure - User not allowed to logon at this computer.
Security, Security(Logon/Logoff) 534   4625  Logon Failure - The user has not been granted the requested logon type
                                             at this machine.
Security, Security(Logon/Logoff) 535   4625  Logon Failure - The specified account's password has expired.
Security, Security(Logon/Logoff) 536   4625  Logon Failure - The NetLogon component is not active.
Security, Security(Logon/Logoff) 537   4625  Logon failure - The logon attempt failed for other reasons.
Security, Security(Logon/Logoff) 538   4634  User Logoff.
Security, Security(Logon/Logoff) 539   4625  Logon Failure - Account locked out.
Security, Security(Logon/Logoff) ---   4646  IKE DoS-prevention mode started.
Security, Security(Logon/Logoff) 551   4647  User initiated logoff.
Security, Security(Logon/Logoff) 552   4648  A logon was attempted using explicit credentials.
Security, Security(Logon/Logoff) 553   4649  A replay attack was detected.
Security, Security(Logon/Logoff) 601   4697  A service was installed in the system.
Security, Object access          ---   4688  A new process created.
Security, Object access          ---   4697  A new service installed.
Security, Object access          602   4698  A scheduled task was created.
Security, Object access          602   4699  A scheduled task was deleted.
Security, Object access          602   4700  A scheduled task was enabled.
Security, Object access          602   4701  A scheduled task was disabled.
Security, Object access          602   4702  A scheduled task was updated.
Security, Account Management     624   4720  User Account Created.
Security, Account Management     626   4722  User Account Enabled.
Security, Account Management     627   4723  Change Password Attempt.
Security, Account Management     628   4724  User Account password set.
Security, Account Management     629   4725  User Account Disabled.
Security, Account Management     630   4726  User Account Deleted.
Security, Account Management     636   4732  Local User Account Created.
Security, Account Management     642   4738  User Account Changed.
Security, Account Management     643   4739  GPO changed.
Security, Account Management     644   4740  User Account Locked Out.
Security, Account Management     645   4741  Computer Account Created.
Security, Account Management     646   4742  Computer Account Changed.
Security, Account Management     647   4743  Computer Account Deleted.
Security, Account Management     671   4767  A user account was unlocked.
Security, Security(Logon/Logoff) ---   4768  Kerberos TGT was requested.
Security, Security(Logon/Logoff) ---   4771  Kerberos pre-authentication failed.
Security, Security(Logon/Logoff) ---   4772  Kerberos TGT request failed.
Security, Security(Logon/Logoff) 678   4774  An account was mapped for logon.
Security, Security(Logon/Logoff) 679   4775  The name: %2 could not be mapped for logon by: %1
Security, Security(Logon/Logoff) 680   4776  Account Used for Logon by.
Security, Security(Logon/Logoff) 681   4777  The logon to account: %2 by: %1 from workstation: %3 failed.
Security, Security(Logon/Logoff) 682   4778  Session reconnected to winstation.
Security, Security(Logon/Logoff) 683   4779  Session disconnected from winstation.
Security, Security(Logon/Logoff) ---   4800  The workstation was locked.
Security, Security(Logon/Logoff) ---   4801  The workstation was unlocked.
Security, Security(Logon/Logoff) ---   4802  The screen saver was invoked.
Security, Security(Logon/Logoff) ---   4803  The screen saver was dismissed.
Security, Account Management     ---   5136  GPO changed.
Security, Account Management     ---   5137  GPO created.
Security, Account Management     ---   5141  GPO deleted.
System, EventLog,                6005  6005  The event log was started.  
System, EventLog,                6006  6006  The Event log service was stopped.
System, EventLog,                6013  6013  System uptime.
System, EventLog,                517   1102  The audit log was cleared.
System, EventLog,                ---   1104  The security Log is now full.
System, EventLog,                ---   1105  Event log automatic backup.
System, EventLog,                ---   1108  The event logging service encountered an error.
System, Service Control Manager  7035  7035  The nnn service was successfully sent a start/Stop control.
System, Service Control Manager  7036  7036  The nnn service entered the Running/Stopped state.
System, W32Time,                  29     29  The time provider NtpClient is configured to acquire time from
                                             one or more time sources; however none of the sources are currently accessible.
System, W32Time,                  38     38  The time provider NtpClient cannot reach or is currently receiving invalid time data.
System, W32Time,                  47     47  Time Provider NtpClient: No valid response received.
External media detection          --     43  new device information.
External media detection          --     400 new mass storage installation.
Software and service installation --     903,903 new application installation.
Software and service installation --     905,906 updated application.
Software and service installation --     907,908 removed application.
Software and service installation --     1022,1033 new MSI file installed.
Software and service installation --     6  new kernel filter driver.

A few Use Cased Help to Detect Unauthorized Access on a Windows Machine

Since we are familiar with the event ID and the logon types, let’s see a few use cases that helps identify Unauthorized Access tracking Event ID.

Pass the Hash Attack

A Pass-the-Hash (PtH) attack is a method used by attackers to gain unauthorized access to networked systems by capturing and utilizing password hashes instead of actual password characters. This technique allows them to authenticate and move laterally within the network without needing to decrypt the hash to obtain the plaintext password.

PtH attacks take advantage of the static nature of password hashes during sessions until the password is changed. Attackers often acquire hashes by extracting them from a system’s active memory and employing various other techniques.

 No.Description
Event ID4624An account was successfully  logged on
Logon Type3A user or computer logged on to  this computer from the network.

Additional things to check: Logon Process to be NtLmSsP and key length to be 0.

To mitigate the impact of a PtH attack, consider implementing the following security best practices:

  1. Least Privilege Security Model: Restrict and minimize admin rights to limit the attacker’s ability to escalate privileges and access sensitive resources.

  2. Password Management Solutions: Regularly rotate passwords, especially after a known credential compromise, to reduce the validity period of stolen hashes. Automating password rotation after each privileged session can effectively counter PtH attacks and exploits relying on password reuse.

  3. Separation of Privileges: Segregate different types of privileged and non-privileged accounts to minimize the usage of administrator accounts. This reduces the risk of compromise and opportunities for lateral movement within the network.

Golden Ticket attack

A Golden Ticket attack refers to a scenario where an attacker gains extensive access to an organization’s domain, including devices, files, and domain controllers, by exploiting user data stored in Active Directory.

How the attack works:

  1. Kerberos Authentication: Kerberos is a system used to verify a user’s identity and provide secure access to resources without requiring multiple credential requests. It uses the Kerberos Key Distribution Center (KKDC) to protect and validate user identity.

  2. Ticket-Granting Server (TGS): The TGS, a component of KKDC, connects users to the relevant services by granting them access tickets based on their authenticated identity.

  3. Authentication Server (AS): The AS performs the initial authentication of the user and issues a Kerberos Ticket Grant Ticket (TGT) upon successful authentication. The TGT serves as proof of the user’s authentication.

  4. Golden Ticket Attack: In a Golden Ticket attack, the attacker obtains specific information, including the fully qualified domain name, security identifier of the domain, KRBTGT password hash, and the username of the account holder. With this information, the attacker can generate forged Kerberos tickets, granting them extensive access within the domain.

  5. Exploiting Kerberos Database: To carry out a Golden Ticket attack, the attacker typically extracts passwords or password hashes from the Kerberos database, allowing them to impersonate authorized users and gain unauthorized access to resources. 

In summary, Kerberos authentication is designed to securely verify user identities and provide access tickets. However, a Golden Ticket attack exploits weaknesses in the system to generate forged tickets, granting unauthorized access to an organization’s domain.

 Other than these event IDs, we can also look for

  • Any tampering observed on the NTDS.DIT file saved in the domain controller

  • Suspicious login attempts: Examples include unauthorized usage of admin privileges by a user who should be on leave.

  • Mimikatz: A tool employed to extract credentials from system memory and carry out DCSync attacks, posing a security risk.

Hunting for RDP Sessions

Even though the remote connection of devices is a very efficient technology, it can also be a potential threat if proper precautionary measures are not taken care of.

We can check for unauthorized RDP connections via the below logs.

  1. RDP Logs: Check logs for unusual activity, like failed or frequent login attempts or logins from unfamiliar IP addresses, which may indicate unauthorized RDP access attempts.

  2. Event Logs: Examine event logs to identify suspicious activities, such as repeated logins from the same IP address or logins at unusual times, helping you track unauthorized RDP access attempts.

  3. Network Traffic: Analyze network traffic, particularly RDP traffic, to detect any unusual patterns or large amounts of data transferred to/from specific IP addresses using tools like Wireshark.

  4. Unusual Processes: Look for abnormal processes or services on the system, as attackers may install malicious software to maintain access. Tools like Process Explorer or Task Manager can help identify these processes.

  5. Unusual Files: Search for unfamiliar files that may indicate malicious activity, such as files with strange names or extensions, as attackers may add new files or create new user accounts on the compromised system.

Event IDDescription
4624An account  was successfully logged on
21RDP  session logon success
24RDP  session has been disconnected
4778Session reconnected
4779Session  disconnected
10A user  logged on to this computer using Terminal service or RDP

To monitor for unauthorized RDP connections, we can also look for

  • Monitor for failed login attempts: Keep an eye on the Windows Security event logs for Event ID 4625, which signifies a failed login attempt. You can filter the events to show only logon events and look for events with Logon Type 10, indicating an RDP logon. Multiple failed login attempts from the same IP address or user account may suggest a brute-force attack.

  • Monitor for successful login attempts: Monitor the Windows Security event logs for Event ID 4624, indicating a successful login. Look for events with Logon Type 10, representing an RDP logon. Also, watch out for successful logon attempts from unusual IP addresses or user accounts.

  • Monitor for unusual login times: Check the “Logon Time” field in Event ID 4624 to identify unusual login times for RDP sessions. Compare these times with normal business hours to identify suspicious activity.

  • Monitor for logon events from unusual locations: Look for logon events in the Windows Security event logs that occur from unfamiliar IP addresses. Use the “IpAddress” field to identify logon events from unusual locations.

  • Monitor for changes to RDP-related settings: Keep track of Windows System event logs for any changes to RDP-related settings. Look for Event ID 4719, indicating a change to the audit policy.

  • Monitor for changes to account permissions: Watch for changes to account permissions associated with RDP logins. Look for Event ID 4732, indicating a modification in user permissions.

 No.Description
Event ID4624An account  was successfully logged on
Event ID21RDP  session logon success
Event ID24RDP  session has been disconnected
Event ID4778Session reconnected
Event ID4779Session  disconnected
Logon Type10A user  logged on to this computer using Terminal service or RDP

A Few Common Ways Attackers Use to Gain Unauthorized Access

As we said earlier, unauthorized access is a common goal for many cyber attacks. Here are the common techniques that attackers use to gain unauthorized access:

  1. Password attacksAttackers may use brute force or dictionary attacks to guess or crack passwords, allowing them to gain unauthorized access to a system.

  2. Malware attacks: Attackers may use malware, such as keyloggers or remote access trojans, to gain unauthorized access to a system. Once access is gained, the attacker may be able to steal sensitive data or use the system to launch further attacks.

  3. Social engineering attacks: Attackers may use social engineering tactics, such as phishing or pretexting, to trick users into revealing login credentials or other sensitive information.

  4. Zero-day or known vulnerability exploitation: Attackers may exploit vulnerabilities to gain unauthorized access to a system.

  5. Insider attacks: Insider attacks occur when an authorized user abuses their access privileges to gain unauthorized access to a system or steal sensitive data.

  6. Privilege escalation attacks: Attackers may use privilege escalation techniques to gain elevated permissions on a system, allowing them to access sensitive data or perform malicious actions.

General Guidelines to be Protected from Unauthorized Access Attacks

Upon looking at some of the attack use cases and common ways to attackers use to gain unauthorized access, it’s time to look at some guidelines to help protect against unauthorized access attacks:

  1. Use strong passwords: Use strong, complex passwords that are difficult to guess. Consider using a password manager to generate and store passwords securely.

  2. Implement access controls: Implement access controls, such as user permissions and role-based access controls, to ensure that users have the appropriate level of access.

  3. Use multi-factor authentication: Use multi-factor authentication (MFA) to add an extra layer of security to user logins.

  4. Regularly update software and systems: Regularly update software and systems to ensure that known vulnerabilities are patched, and security updates are applied.

  5. Use introduction detection systems: Use IPS solutions to detect introduction in the network and Windows.

  6. Monitor user activity: Monitor user activity, such as logon/logoff events and file access, to detect suspicious activity using SIEM, UBA, and Event Viewer.

  7. Educate users on security best practices: Educate users on security best practices, such as how to identify phishing emails and how to create strong passwords.

  8. Conduct regular security assessments: Conduct regular security assessments to identify vulnerabilities and potential security risks, allowing organizations to take proactive steps to prevent unauthorized access.

We hope this post helps in learning how to detect unauthorized access on Windows machines, common attacks to achieve unauthorized access, and some general guidelines to implement against those attacks. Thanks for reading this post. Please share this post and help to secure the digital world. Visit our website thesecmaster.com, and our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium, and subscribe to receive updates like this.  

You may also like these articles:

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.

Recently added

How To

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe