Notifications
Clear all

Windows Eventlog

6 Posts
3 Users
0 Reactions
2,578 Views
(@pgd1983)
Active Member
Joined: 4 years ago
Posts: 13
Topic starter  

Hello,

I tryed Binalyze DRONE and I have a few events flagged which I can not understand why.

Channel Windows PowerShell
Computer XXXXXXX-PC
Data Alias, Started, ProviderName=Alias NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=5.1.19041.906 HostId=b2d0120d-3ab2-4ae9-94b2-dac495b7cf16 HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
Event ID 600
Event Record ID 2800
Level 4
Time Created 2021-05-30 07:53:28
Version 0

Is there a good website to check what cause such events.

Some of the flagged entries make sence but some don't tell me nothing and I have no clue when they get triggered or what caused them.

 

 


   
Quote
Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 12 years ago
Posts: 259
 
Posted by: @pgd1983

Is there a good website to check what cause such events.

Yes, eventid.net
It has thrown a connection error a few minutes ago. Try later and check it. 
But based on my experience: as long as it does not contain a base64 encoded payload, I would not worry about an entry in a Powershell log.
A lot of products fire up powershell commands. This one looks like "noise".

regards,
Robin


   
ReplyQuote
(@pgd1983)
Active Member
Joined: 4 years ago
Posts: 13
Topic starter  

Ok that make sence in case of the event-ID 600 but I have many more things like:

Time Created 2021-11-25 11:28:14
Level 0
Version 0
Event Record ID 297838
Computer XXXXXXX-PC
Subject User SID S-1-5-18
Subject User Name XXXXXXX-PC$
Subject Domain Name WORKGROUP
Subject Logon ID 999
Logon Guid {00000000-0000-0000-0000-000000000000}
Target User Name XXXXXXX XXXXXXX
Target Domain Name XXXXXXX-PC
Target Logon Guid {00000000-0000-0000-0000-000000000000}
Target Server Name localhost
Target Info localhost
Process ID 1388
Process Name C:\Windows\System32\svchost.exe
IP Address 127.0.0.1
IP Port 0

How do you approach that things and how do you check what caused that?

That's for example an event ID which I do not have on my Win 10 workstations. That could be for example a login to a share but that would not come from 127.0.0.1, Port 0!

Or event-id 4625 (Login failed) which is caused by msedge.exe!

Or event-id 4624 (Login success) with type 0 (never seen that) and the user SYSTEM but no Process-Name.

Some of that things are "strange" but I am by no means an windows-expert. I am much more familiar with linux.

This post was modified 3 years ago by pgd1983

   
ReplyQuote
Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 12 years ago
Posts: 259
 
Posted by: @pgd1983

 

Some of that things are "strange" but I am by no means an windows-expert. I am much more familiar with linux.

That was just a start of the super-service "svchost" with the credentials of SYSTEM on the local host. In your case I would recommend some good books about the basics of Windows operating systems. Windows is much more complex than Linux and has a different architecture. 
Log entries like this are simply "noise" and you should have a few thousands of them - no worries.

The Windows System Internals books are a good beginning for someone coming from Linux/ Unix OS.

Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (7th Edition) by Pavel Yosifovich Mark E. Russinovich David A. Solomon Alex Ionescu(2017-05-15) : Pavel Yosifovich Mark E. Russinovich David A. Solomon Alex Ionescu: Amazon.de: Bücher

Regards, Robin  


   
ReplyQuote
(@pgd1983)
Active Member
Joined: 4 years ago
Posts: 13
Topic starter  

That was just a start of the super-service "svchost" with the credentials of SYSTEM on the local host.

Yes. I was pretty sure that this entry is nothing to worry about but I still try to understand why that is flagged...

I have 8000+ flagged entries and for 99% of them I don't see any reason why they are flagged as suspicious.

In your case I would recommend some good books about the basics of Windows operating systems. Windows is much more complex than Linux and has a different architecture. 

I know that. Thanks for the Tip with the book - is looks interesting. If you have a few more books which you can recommand just let me know...

Log entries like this are simply "noise" and you should have a few thousands of them - no worries.

I have 8000+ such entries which look all like "noise" to me and I don't get the reason why 99% of them are flagged as suspicious. I was asking primary because I don't see any danger here and I where affraid that I overlooked something.

 

This post was modified 3 years ago by pgd1983

   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 20 years ago
Posts: 3568
 

Have you contacted the tool vendor? They might be able to provide some insight as to why their tool flagged this artifact.


   
ReplyQuote
Share: