If you suspect you’ve been hit by a cyber attack or ransomware, analyzing your event logs is crucial for identifying the scope and nature of the incident. Here are some key logs to focus on:

Windows Event Logs:

  • Security: Look for events related to unauthorized access attempts, privilege escalation, account lockouts, and changes to security settings. Event IDs like 4624, 4625, 4648, 4672, and 4768 can be particularly indicative.

  • System: Events related to unexpected system restarts, driver loading, and service creation can be red flags. Pay attention to IDs like 7045, which indicates a service was created, and 7040, which signifies a logon attempt.

  • Application: Monitor for events related to unusual application activity, crashes, and suspicious file access. Look for events mentioning unfamiliar applications or unexpected file modifications.
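As an added example (not code from the original post), the following Python triage script applies the Security-log event IDs above to a constructed set of event records: it flags a burst of 4625 failures followed by a 4624 success from the same source address, 4672 special-privilege logons for accounts outside an expected-admin list, and 4648 explicit-credential logons. The record layout mirrors the EventData field names of those events (TargetUserName, IpAddress, LogonType, SubjectUserName, TargetServerName); the thresholds, account names, hostnames and addresses are assumptions.

```python
"""Triage of Windows Security-log events.

Added example, not code from the original post. SAMPLE_EVENTS is constructed
to mimic the EventData fields of Security events 4624/4625/4648/4672 as they
look after export (e.g. Get-WinEvent piped through ConvertTo-Json); it is not
real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # six failed network logons (4625) for one account from one source address ...
    *({"EventID": 4625, "TimeCreated": f"2024-03-01T02:00:{s:02d}", "TargetUserName": "jsmith",
       "IpAddress": "203.0.113.7", "LogonType": 3} for s in range(1, 7)),
    # ... followed by a successful network logon (4624) from the same address
    {"EventID": 4624, "TimeCreated": "2024-03-01T02:00:30", "TargetUserName": "jsmith",
     "IpAddress": "203.0.113.7", "LogonType": 3},
    # special privileges assigned to that session (4672)
    {"EventID": 4672, "TimeCreated": "2024-03-01T02:00:30", "SubjectUserName": "jsmith"},
    # logon with explicit credentials toward another host (4648)
    {"EventID": 4648, "TimeCreated": "2024-03-01T02:05:12", "SubjectUserName": "jsmith",
     "TargetUserName": "Administrator", "TargetServerName": "FILESRV01"},
    # benign noise: one mistyped password, then success; a SYSTEM 4672 at startup
    {"EventID": 4625, "TimeCreated": "2024-03-01T08:10:00", "TargetUserName": "alice",
     "IpAddress": "198.51.100.9", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:10:20", "TargetUserName": "alice",
     "IpAddress": "198.51.100.9", "LogonType": 3},
    {"EventID": 4672, "TimeCreated": "2024-03-01T00:00:05", "SubjectUserName": "SYSTEM"},
]

FAILED_THRESHOLD = 5              # assumed starting point; tune per environment
WINDOW = timedelta(minutes=10)


def find_bruteforce_success(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return (ip, user, success_time, failure_count) for every 4624 network/RDP
    logon (LogonType 3 or 10) preceded within `window` by >= threshold 4625
    failures from the same source address."""
    hits = []
    failures = defaultdict(list)  # ip -> timestamps of 4625 events
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(e["TimeCreated"])
        ip = e.get("IpAddress", "-")
        if e["EventID"] == 4625:
            failures[ip].append(ts)
        elif e["EventID"] == 4624 and e.get("LogonType") in (3, 10):
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, e["TargetUserName"], e["TimeCreated"], len(recent)))
    return hits


def find_privileged_logons(events, expected_admins=frozenset({"SYSTEM"})):
    """4672 = special privileges assigned to a new logon. Return the accounts
    that received them but are not in the expected administrator set."""
    return sorted({e["SubjectUserName"] for e in events
                   if e["EventID"] == 4672 and e["SubjectUserName"] not in expected_admins})


def find_explicit_credential_use(events):
    """4648 = logon attempted with explicit credentials (runas, scheduled tasks,
    or remote admin tooling). Return (subject, target account, target server)."""
    return [(e["SubjectUserName"], e["TargetUserName"], e.get("TargetServerName", "-"))
            for e in events if e["EventID"] == 4648]


def triage(events, expected_admins=frozenset({"SYSTEM"})):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "bruteforce_then_success": find_bruteforce_success(events),
        "unexpected_privileged_logons": find_privileged_logons(events, expected_admins),
        "explicit_credential_use": find_explicit_credential_use(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

On a real host the records would come from an export such as `Get-WinEvent -LogName Security | ConvertTo-Json` or an EVTX parser; the five-failures-in-ten-minutes threshold is only a starting point, and the expected-admin set should list the service and administrator accounts that legitimately receive 4672 on that machine.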

Linux Syslogs:

  • /var/log/auth.log: Similar to Windows Security logs, this file tracks authentication attempts, unauthorized access, and privilege escalation.

  • /var/log/syslog: This central log file may contain entries related to suspicious network activity, unexpected processes, and resource exhaustion.

  • /var/log/messages: This general log file can also reveal clues about unusual system behavior, application errors, and potential malware execution.

Additional Logs:

  • Network device logs: Routers, firewalls, and intrusion detection/prevention systems (IDS/IPS) may log suspicious network traffic, unauthorized connections, and attempts to exploit vulnerabilities.

  • Endpoint security logs: Antivirus and endpoint detection and response (EDR) software may log suspicious file activity, malware detections, and blocked processes.

  • Application logs: Logs from specific applications you use, like web servers or databases, can reveal unauthorized access attempts, data breaches, or unusual activity.

Remember:

  • Correlate events: Don’t analyze logs in isolation. Look for patterns and connections across different logs to paint a clearer picture of the attack.

  • Seek expert help: If you’re unsure about interpreting logs or the extent of the attack, consult cybersecurity professionals for assistance.

  • Act quickly: The sooner you identify and contain a cyber attack, the less damage it can cause.
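The Linux log files above and the "correlate events" advice, as one added example that is not code from the original post: the script parses constructed /var/log/auth.log lines (sshd and sudo entries in Debian-style syslog format), merges them with a constructed list of IDS alerts into a single timeline, and reports a per-address summary plus the chain failed logons, accepted logon, sudo to root that an investigator would want surfaced. The IDS alert layout, the hostnames, addresses, account names and the assumed log year are all assumptions.

```python
"""Correlating Linux auth.log entries with network IDS alerts.

Added example, not code from the original post. Both inputs are constructed:
SAMPLE_AUTH_LOG imitates sshd and sudo lines as written to /var/log/auth.log on
Debian-family systems, and SAMPLE_IDS_ALERTS imitates a simplified alert
export (timestamp, source address, signature name) from an IDS.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample

SAMPLE_AUTH_LOG = """
Mar  1 02:00:01 web01 sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 02:00:03 web01 sshd[2142]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  1 02:00:05 web01 sshd[2144]: Failed password for deploy from 203.0.113.7 port 51238 ssh2
Mar  1 02:00:41 web01 sshd[2150]: Accepted password for deploy from 203.0.113.7 port 51300 ssh2
Mar  1 02:00:41 web01 sshd[2150]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  1 02:01:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  1 03:15:00 web01 sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  1 03:20:00 web01 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
""".strip().splitlines()

SAMPLE_IDS_ALERTS = [  # constructed; signature names are placeholders
    {"ts": "2024-03-01T01:59:50", "src": "203.0.113.7", "signature": "SSH scan (constructed)"},
    {"ts": "2024-03-01T02:00:02", "src": "203.0.113.7", "signature": "SSH brute force (constructed)"},
    {"ts": "2024-03-01T02:30:00", "src": "198.51.100.9", "signature": "SSH scan (constructed)"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_line(line, year=LOG_YEAR):
    """Turn one auth.log line into a normalized event, or None if it is not an
    sshd failure/success or a sudo command record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())          # collapse "Mar  1" to "Mar 1"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    proc, msg = m["proc"], m["msg"]
    if proc == "sshd":
        f = FAILED_RE.search(msg)
        if f:
            return {"ts": ts, "source": "auth", "kind": "failed", "user": f["user"], "ip": f["ip"]}
        a = ACCEPTED_RE.search(msg)
        if a:
            return {"ts": ts, "source": "auth", "kind": "accepted", "user": a["user"], "ip": a["ip"]}
    elif proc == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            return {"ts": ts, "source": "auth", "kind": "sudo", "user": s["user"], "ip": None,
                    "runas": s["runas"], "cmd": s["cmd"]}
    return None


def build_timeline(auth_lines, ids_alerts, year=LOG_YEAR):
    """Merge parsed auth.log events and IDS alerts into one time-ordered list."""
    events = [e for e in (parse_auth_line(l, year) for l in auth_lines) if e]
    for a in ids_alerts:
        events.append({"ts": datetime.fromisoformat(a["ts"]), "source": "ids", "kind": "alert",
                       "user": None, "ip": a["src"], "signature": a["signature"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate_by_ip(timeline):
    """Per source address: failed logons, accounts that logged in, IDS alert count.
    An address present in both the auth log and the IDS feed deserves a closer look."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": [], "ids_alerts": 0})
    for e in timeline:
        if e["ip"] is None:
            continue
        summary = per_ip[e["ip"]]
        if e["kind"] == "failed":
            summary["failed"] += 1
        elif e["kind"] == "accepted":
            summary["accepted"].append(e["user"])
        elif e["kind"] == "alert":
            summary["ids_alerts"] += 1
    return dict(per_ip)


def find_compromise_chains(timeline, window=timedelta(minutes=15)):
    """Return (ip, user, accepted_time, command) where an address that had failed
    logons later succeeds and that user runs sudo as root within `window`."""
    chains = []
    for i, e in enumerate(timeline):
        if e["kind"] != "accepted":
            continue
        if not any(p["kind"] == "failed" and p["ip"] == e["ip"] for p in timeline[:i]):
            continue
        for later in timeline[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if later["kind"] == "sudo" and later["user"] == e["user"] and later["runas"] == "root":
                chains.append((e["ip"], e["user"], e["ts"].isoformat(), later["cmd"]))
                break
    return chains


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_AUTH_LOG, SAMPLE_IDS_ALERTS)
    for ip, summary in correlate_by_ip(tl).items():
        print(ip, summary)
    print("chains:", find_compromise_chains(tl))
```

Sorting everything into one timeline before looking for patterns is the point: neither the three failed SSH logons nor the IDS alerts are alarming on their own, but the same address appearing in both feeds, followed by a success and an immediate sudo to root, is. On RHEL-family systems the equivalent lines live in /var/log/secure, and the year must be supplied because the syslog format omits it.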

By carefully analyzing your event logs, you can gain valuable insights into the nature of the attack and take steps to mitigate the damage and prevent future incidents.

You can also analyze your logs with Chainsaw. I’ve used this for years and find it very useful. I may add a blog and some real-time examples later.

https://github.com/WithSecureLabs/chainsaw

jT @majorjoker
