Hello,
I tried Binalyze DRONE and I have a few flagged events for which I cannot understand why.
Channel | Windows PowerShell |
Computer | XXXXXXX-PC |
Data | Alias, Started, ProviderName=Alias NewProviderState=Started SequenceNumber=3 HostName=ConsoleHost HostVersion=5.1.19041.906 HostId=b2d0120d-3ab2-4ae9-94b2-dac495b7cf16 HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine= |
Event ID | 600 |
Event Record ID | 2800 |
Level | 4 |
Time Created | 2021-05-30 07:53:28 |
Version | 0 |
Is there a good website to check what causes such events?
Some of the flagged entries make sense, but some don't tell me anything, and I have no clue when they get triggered or what caused them.
Is there a good website to check what causes such events?
Yes, eventid.net
It threw a connection error a few minutes ago. Try later and check it.
But based on my experience: as long as it does not contain a base64-encoded payload, I would not worry about an entry in a PowerShell log.
A lot of products fire up PowerShell commands. This one looks like "noise".
regards,
Robin
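The rule of thumb in the reply above (treat a PowerShell engine-lifecycle entry as noise unless the host command line carries a base64-encoded payload) can be turned into a small triage check. The following is an added example, not part of the thread or of Binalyze DRONE: it parses the event 600 "Data" field quoted earlier, pulls out HostApplication, and flags an -EncodedCommand argument (decoding it, since it is base64 of the UTF-16LE command text) or any long base64 run. The field-name list, the regexes and the second, constructed event with a harmless encoded Write-Host are assumptions made for the example.

```python
import base64
import re

# Event 600 "Data" field exactly as quoted in the thread above (trailing table pipe removed).
PAGE_EVENT_600_DATA = (
    "Alias, Started, ProviderName=Alias NewProviderState=Started SequenceNumber=3 "
    "HostName=ConsoleHost HostVersion=5.1.19041.906 "
    "HostId=b2d0120d-3ab2-4ae9-94b2-dac495b7cf16 "
    "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; "
    "EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine="
)

# Field names seen in the event 600 Data block. Values (notably HostApplication) contain
# spaces, so the parser splits on the next *known* key instead of on whitespace.
KNOWN_KEYS = [
    "ProviderName", "NewProviderState", "SequenceNumber", "HostName", "HostVersion",
    "HostId", "HostApplication", "EngineVersion", "RunspaceId", "PipelineId",
    "CommandName", "CommandType", "ScriptName", "CommandPath", "CommandLine",
]
_KEY_ALT = "|".join(KNOWN_KEYS)
FIELD_RE = re.compile(rf"(?:^|\s)({_KEY_ALT})=(.*?)(?=\s(?:{_KEY_ALT})=|$)", re.S)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...);
# the argument is base64 of the UTF-16LE command text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})")
# A long base64 run elsewhere on the command line (e.g. fed to FromBase64String) also merits a look.
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_ps_data(data: str) -> dict:
    """Return the key=value fields of an event 600 Data block as a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(data)}


def decode_encoded_command(b64: str):
    """Decode an -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event_600(data: str) -> dict:
    """Noise unless the host command line carries an encoded or base64-wrapped payload;
    an encoded payload is decoded so the reviewer can see what was actually run."""
    fields = parse_ps_data(data)
    host_app = fields.get("HostApplication", "")
    result = {"host_application": host_app, "encoded": False,
              "decoded_command": None, "verdict": "noise", "reason": "no encoded payload"}
    m = ENCODED_RE.search(host_app)
    if m:
        result.update(encoded=True, verdict="review",
                      decoded_command=decode_encoded_command(m.group(1)),
                      reason="-EncodedCommand argument present")
    elif LONG_B64_RE.search(host_app):
        result.update(verdict="review", reason="long base64 run on the command line")
    return result


def encode_ps_command(command: str) -> str:
    """Build the -EncodedCommand form of a command (used only to construct the sample below)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample (not from the thread): same layout, but the host was started with an
# encoded command. The payload is a harmless Write-Host so the decoding step can be checked.
CONSTRUCTED_ENCODED_DATA = (
    "Alias, Started, ProviderName=Alias NewProviderState=Started SequenceNumber=7 "
    "HostName=ConsoleHost HostApplication=powershell.exe -NoProfile -EncodedCommand "
    + encode_ps_command("Write-Host 'constructed test'")
    + " EngineVersion= RunspaceId= PipelineId= CommandLine="
)

if __name__ == "__main__":
    for label, data in (("thread event", PAGE_EVENT_600_DATA),
                        ("constructed event", CONSTRUCTED_ENCODED_DATA)):
        r = triage_event_600(data)
        print(f"{label}: {r['verdict']} ({r['reason']})")
        if r["decoded_command"]:
            print("  decoded:", r["decoded_command"])
```

The event quoted in the thread comes out as noise: its HostApplication is a plain `-Command Write-Host` call with no encoded argument, which is exactly why a product-launched PowerShell host of this kind is usually not worth a second look. The same check applied to the constructed event flags it and shows the decoded command text, which is what a reviewer actually needs to decide.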
OK, that makes sense in the case of event ID 600, but I have many more things like:
Time Created | 2021-11-25 11:28:14 |
Level | 0 |
Version | 0 |
Event Record ID | 297838 |
Computer | XXXXXXX-PC |
Subject User SID | S-1-5-18 |
Subject User Name | XXXXXXX-PC$ |
Subject Domain Name | WORKGROUP |
Subject Logon ID | 999 |
Logon Guid | {00000000-0000-0000-0000-000000000000} |
Target User Name | XXXXXXX XXXXXXX |
Target Domain Name | XXXXXXX-PC |
Target Logon Guid | {00000000-0000-0000-0000-000000000000} |
Target Server Name | localhost |
Target Info | localhost |
Process ID | 1388 |
Process Name | C:\Windows\System32\svchost.exe |
IP Address | 127.0.0.1 |
IP Port | 0 |
How do you approach those things, and how do you check what caused them?
That's, for example, an event ID which I do not have on my Win 10 workstations. That could, for example, be a login to a share, but that would not come from 127.0.0.1, port 0!
Or event ID 4625 (login failed) which is caused by msedge.exe!
Or event ID 4624 (login success) with type 0 (never seen that) and the user SYSTEM but no process name.
Some of those things are "strange", but I am by no means a Windows expert. I am much more familiar with Linux.
Some of those things are "strange", but I am by no means a Windows expert. I am much more familiar with Linux.
That was just a start of the super-service "svchost" with the credentials of SYSTEM on the local host. In your case I would recommend some good books about the basics of Windows operating systems. Windows is much more complex than Linux and has a different architecture.
Log entries like this are simply "noise" and you should have a few thousand of them - no worries.
The Windows System Internals books are a good beginning for someone coming from a Linux/Unix OS.
Regards, Robin
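The explanation above (SYSTEM starting svchost on the local host, thousands of such entries, nothing to worry about) is the kind of judgement that can be written down as a triage rule so the 8000+ flagged entries can be bucketed instead of read one by one. The following is an added example, not part of the thread or of the tool: it parses the "Key | Value |" rows quoted earlier, then marks a logon as noise when the subject is SYSTEM (SID S-1-5-18, logon ID 999 = 0x3e7), the source is loopback or absent, the target server is localhost and the logon was performed by an OS component such as svchost.exe. The event quoted in the thread carries no Logon Type row, so the logon-type handling and the contrasting remote event with a TEST-NET address are assumptions constructed for the example, as are the rule thresholds themselves.

```python
import ipaddress

# Logon event fields exactly as quoted in the thread (host and user names redacted by the poster).
PAGE_LOGON_EVENT = r"""Time Created | 2021-11-25 11:28:14 |
Level | 0 |
Version | 0 |
Event Record ID | 297838 |
Computer | XXXXXXX-PC |
Subject User SID | S-1-5-18 |
Subject User Name | XXXXXXX-PC$ |
Subject Domain Name | WORKGROUP |
Subject Logon ID | 999 |
Logon Guid | {00000000-0000-0000-0000-000000000000} |
Target User Name | XXXXXXX XXXXXXX |
Target Domain Name | XXXXXXX-PC |
Target Logon Guid | {00000000-0000-0000-0000-000000000000} |
Target Server Name | localhost |
Target Info | localhost |
Process ID | 1388 |
Process Name | C:\Windows\System32\svchost.exe |
IP Address | 127.0.0.1 |
IP Port | 0 |"""

# Constructed contrasting event (not from the thread): a network logon to the same account
# from another host, using a TEST-NET (192.0.2.0/24) address.
CONSTRUCTED_REMOTE_EVENT = r"""Subject User SID | S-1-0-0 |
Subject User Name | - |
Subject Logon ID | 0x0 |
Logon Type | 3 |
Target User Name | XXXXXXX XXXXXXX |
Target Domain Name | XXXXXXX-PC |
Target Server Name | XXXXXXX-PC |
Process Name | - |
IP Address | 192.0.2.44 |
IP Port | 49211 |"""

SYSTEM_SID = "S-1-5-18"                 # NT AUTHORITY\SYSTEM
SYSTEM_LOGON_IDS = {"999", "0x3e7"}     # the SYSTEM logon session (999 decimal = 0x3e7)
# Processes that perform logons on the OS's behalf and show up as "Process Name" in 4624.
OS_LOGON_BROKERS = ("svchost.exe", "services.exe", "winlogon.exe", "lsass.exe")
LOGON_TYPES = {"0": "System", "2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "7": "Unlock", "8": "NetworkCleartext",
               "9": "NewCredentials", "10": "RemoteInteractive", "11": "CachedInteractive"}


def parse_pipe_table(text: str) -> dict:
    """Parse the 'Key | Value |' rows the tool prints into a dict."""
    fields = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0]:
            fields[cells[0]] = cells[1]
    return fields


def is_local_source(ip: str) -> bool:
    """True for loopback or absent source addresses (4624 writes '-' when none applies)."""
    if ip in ("", "-"):
        return True
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def triage_logon_event(fields: dict) -> dict:
    """Bucket a 4624-style event as 'noise' or 'review' and say why."""
    subject_sid = fields.get("Subject User SID", "")
    logon_id = fields.get("Subject Logon ID", "").lower()
    logon_type = fields.get("Logon Type", "")
    ip = fields.get("IP Address", "")
    target_server = fields.get("Target Server Name", "").lower()
    process = fields.get("Process Name", "").lower().rsplit("\\", 1)[-1]

    reasons = []
    system_subject = subject_sid == SYSTEM_SID or logon_id in SYSTEM_LOGON_IDS
    if system_subject:
        reasons.append("subject is SYSTEM (S-1-5-18 / logon ID 0x3e7)")
    if is_local_source(ip):
        reasons.append(f"source address {ip or '<none>'} is loopback/none")
    if process in OS_LOGON_BROKERS:
        reasons.append(f"logon performed by OS component {process}")
    if logon_type == "0":
        reasons.append("logon type 0 is the SYSTEM account's own logon at startup")

    if (system_subject and is_local_source(ip)
            and target_server in ("localhost", "") and process in OS_LOGON_BROKERS):
        verdict = "noise"
    elif logon_type == "0":
        verdict = "noise"
    elif logon_type in ("3", "10") and not is_local_source(ip):
        verdict = "review"
        reasons.append(f"{LOGON_TYPES[logon_type]} logon from non-loopback source {ip}")
    else:
        verdict = "review"
        reasons.append("no noise rule matched")
    return {"verdict": verdict, "logon_type": LOGON_TYPES.get(logon_type, "unknown"),
            "reasons": reasons}


if __name__ == "__main__":
    for label, text in (("thread event", PAGE_LOGON_EVENT),
                        ("constructed remote event", CONSTRUCTED_REMOTE_EVENT)):
        r = triage_logon_event(parse_pipe_table(text))
        print(f"{label}: {r['verdict']} ({r['logon_type']}); " + "; ".join(r["reasons"]))
```

Run against the event from the thread this gives "noise" with the three reasons spelled out (SYSTEM subject, loopback source, svchost.exe as the logon broker); the constructed event lands in "review" because a network logon arrived from a non-loopback address. The value of writing the rule down is that the remaining entries can be counted per reason, which quickly shows whether 99% really are the same handful of benign patterns.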
That was just a start of the super-service "svchost" with the credentials of SYSTEM on the local host.
Yes. I was pretty sure that this entry is nothing to worry about, but I still try to understand why it is flagged...
I have 8000+ flagged entries and for 99% of them I don't see any reason why they are flagged as suspicious.
In your case I would recommend some good books about the basics of Windows operating systems. Windows is much more complex than Linux and has a different architecture.
I know that. Thanks for the tip with the book - it looks interesting. If you have a few more books which you can recommend, just let me know...
Log entries like this are simply "noise" and you should have a few thousand of them - no worries.
I have 8000+ such entries which all look like "noise" to me, and I don't get the reason why 99% of them are flagged as suspicious. I was asking primarily because I don't see any danger here and I was afraid that I had overlooked something.
Have you contacted the tool vendor? They might be able to provide some insight as to why their tool flagged this artifact.