---
title: "Log Analysis — Windows & Linux"
domain: security
subdomain: soc
phase: 02-investigation
type: snippet
tags: [soc, logs, windows, linux, event-id, syslog, investigation]
difficulty: intermediate
status: stable
updated: "2025-05-13"
---
## Critical Windows Event IDs

| Event ID | Channel | Description | ATT&CK |
|---|---|---|---|
| **4624** | Security | Successful logon (Type 2=interactive, 3=network, 10=remote interactive) | T1078 |
| **4625** | Security | Failed logon — brute-force indicator | T1110 |
| **4648** | Security | Logon with explicit credentials (runas) | T1134 |
| **4672** | Security | Special privileges assigned to a new logon (admin logon) | T1078.002 |
| **4688** | Security | New process created (requires Process Creation auditing) | T1059 |
| **4698** | Security | Scheduled task created | T1053.005 |
| **4702** | Security | Scheduled task updated | T1053.005 |
| **4720** | Security | User account created | T1136.001 |
| **4726** | Security | User account deleted | T1531 |
| **4728/4732** | Security | Member added to a security-enabled global (4728) or local (4732) group | T1098 |
| **4768** | Security | Kerberos TGT requested (AS-REQ) | T1558 |
| **4769** | Security | Kerberos service ticket requested (TGS-REQ) | T1558.003 |
| **4776** | Security | NTLM authentication — LSASS validates the credentials | T1550.002 |
| **7045** | System | New service installed | T1543.003 |
| **1102** | Security | Audit log cleared — indicator of attack | T1070.001 |
| **4104** | PS/Operational | PowerShell ScriptBlock logging | T1059.001 |
| **4103** | PS/Operational | PowerShell Module logging | T1059.001 |

---

## Critical Linux log sources

| File / Source | Contents | Useful command |
|---|---|---|
| `/var/log/auth.log` | SSH, sudo, su, PAM authentication | `grep "Failed\|Accepted" /var/log/auth.log` |
| `/var/log/syslog` | General system events | `grep "{{KEYWORD}}" /var/log/syslog` |
| `/var/log/audit/audit.log` | Auditd — syscalls, file access, exec | `ausearch -ts today -i` |
| `/var/log/secure` (RHEL) | auth.log equivalent on RedHat/CentOS | `journalctl _COMM=sshd` |
| `journalctl` | systemd journal — all services | `journalctl -u sshd --since "1 hour ago"` |
| `/var/log/wtmp` | Login history (binary) | `last -n 50` |
| `/var/log/btmp` | Failed login attempts (binary) | `lastb -n 50` |
| `/proc/[pid]/` | Live state of a process | `ls -la /proc/{{PID}}/exe` |
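The `grep "Failed\|Accepted"` one-liner above only narrows the file; the next step is usually to turn the matching lines into fields. The following parser is an added example, not part of the original snippet: it reads the classic rsyslog `auth.log` layout for sshd results and sudo invocations, skips everything else (CRON sessions and the like), and produces the triage view an analyst wants first. The log lines are constructed for the example and the hostnames and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/auth.log (rsyslog) format; not from a real host.
SAMPLE_AUTH_LOG = """\
May 13 09:12:01 web01 sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 13 09:12:03 web01 sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 13 09:12:09 web01 sshd[2140]: Failed password for root from 203.0.113.7 port 51130 ssh2
May 13 09:13:44 web01 sshd[2150]: Accepted publickey for deploy from 198.51.100.20 port 40210 ssh2: ED25519 SHA256:constructed
May 13 09:14:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 13 09:15:30 web01 CRON[2160]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Mon DD HH:MM:SS host " prefix shared by every rsyslog line
SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

SSH_RE = re.compile(
    SYSLOG_PREFIX
    + r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    + r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    SYSLOG_PREFIX
    + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    + r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_auth_log(text):
    """Turn raw auth.log lines into one dict per sshd auth result or sudo invocation.

    Lines that are neither (CRON sessions, systemd-logind, ...) are skipped, which is
    what the grep in the table above does as well.
    """
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"], "host": m["host"], "source": "sshd",
                "result": m["result"], "method": m["method"], "user": m["user"],
                "invalid_user": m["invalid"] is not None,  # account does not exist locally
                "ip": m["ip"], "port": int(m["port"]),
            })
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"], "host": m["host"], "source": "sudo",
                "user": m["user"], "target": m["target"], "cmd": m["cmd"],
            })
    return events


def summarize(events):
    """Triage view: failed SSH logins per source IP, successful logins, sudo commands."""
    failed_by_ip = Counter(e["ip"] for e in events
                           if e["source"] == "sshd" and e["result"] == "Failed")
    accepted = [(e["user"], e["ip"], e["method"]) for e in events
                if e["source"] == "sshd" and e["result"] == "Accepted"]
    sudo_cmds = [(e["user"], e["target"], e["cmd"]) for e in events if e["source"] == "sudo"]
    return {"failed_by_ip": failed_by_ip, "accepted": accepted, "sudo": sudo_cmds}


if __name__ == "__main__":
    summary = summarize(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, n in summary["failed_by_ip"].most_common():
        print(f"{ip}: {n} failed SSH logins")
    for user, ip, method in summary["accepted"]:
        print(f"accepted {method} for {user} from {ip}")
```

On RHEL the same regexes apply to `/var/log/secure`; for `journalctl` output use `-o short` (the default) so the prefix format matches.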

---

## Splunk — queries by scenario

### Brute force / credential stuffing

```splunk
# Windows — brute-force detection (>10 failures in 5 min)
index=windows EventCode=4625 earliest=-1h
| bucket _time span=5m
| stats count by _time, IpAddress, TargetUserName
| where count > 10
| sort -count
```

```splunk
# Windows — password spray (one IP, many users)
index=windows EventCode=4625 earliest=-1h
| stats dc(TargetUserName) as unique_users, count by IpAddress
| where unique_users > 5
| sort -unique_users
```
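The two queries above are fixed-bucket counts: `bucket _time span=5m` aligns events to wall-clock 5-minute boundaries, so a burst that straddles 09:04/09:05 is split across two buckets and can stay under the threshold. The following added example (not part of the original snippet) reproduces both Splunk rules over constructed 4625 events with the page's field names, and adds a sliding-window variant that catches the straddling case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SPAN = timedelta(minutes=5)  # same window as `bucket _time span=5m`


def make_sample_4625():
    """Constructed 4625 (failed logon) events, not real telemetry:
    - 12 failures for one account from 203.0.113.7 within four minutes (brute force)
    - 6 distinct accounts from 198.51.100.9, one failure each (password spray)
    - one isolated mistyped password from an internal address (noise)
    """
    base = datetime(2025, 5, 13, 9, 0, 0)
    events = [{"_time": base + timedelta(seconds=20 * i),
               "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup"} for i in range(12)]
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        events.append({"_time": base + timedelta(minutes=30, seconds=15 * i),
                       "IpAddress": "198.51.100.9", "TargetUserName": user})
    events.append({"_time": base + timedelta(minutes=3),
                   "IpAddress": "10.0.0.5", "TargetUserName": "alice"})
    return events


def make_straddling_sample():
    """12 failures from 09:04:00 to 09:07:40: 3 land in the 09:00 bucket, 9 in the 09:05 bucket."""
    base = datetime(2025, 5, 13, 9, 4, 0)
    return [{"_time": base + timedelta(seconds=20 * i),
             "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup"} for i in range(12)]


def bucket_start(ts, span=SPAN):
    """Align a timestamp to the wall-clock bucket containing it (09:03:40 -> 09:00:00)."""
    return ts - (ts - datetime(1970, 1, 1)) % span


def detect_bruteforce(events, threshold=10, span=SPAN):
    """Splunk rule 1: (bucket, ip, user) tuples whose failure count exceeds the threshold."""
    counts = defaultdict(int)
    for e in events:
        counts[(bucket_start(e["_time"], span), e["IpAddress"], e["TargetUserName"])] += 1
    hits = [(key, n) for key, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda kv: -kv[1])


def detect_bruteforce_sliding(events, threshold=10, window=SPAN):
    """Same rule with a sliding window per (ip, user); reports the first crossing."""
    per_target = defaultdict(list)
    for e in events:
        per_target[(e["IpAddress"], e["TargetUserName"])].append(e["_time"])
    hits = []
    for key, times in per_target.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # drop events older than the window
                left += 1
            if right - left + 1 > threshold:
                hits.append((key, times[left], right - left + 1))
                break
    return hits


def detect_spray(events, threshold=5):
    """Splunk rule 2: source IPs that failed against more distinct accounts than the threshold."""
    users, total = defaultdict(set), defaultdict(int)
    for e in events:
        users[e["IpAddress"]].add(e["TargetUserName"])
        total[e["IpAddress"]] += 1
    hits = [(ip, len(u), total[ip]) for ip, u in users.items() if len(u) > threshold]
    return sorted(hits, key=lambda row: -row[1])


if __name__ == "__main__":
    evs = make_sample_4625()
    print("bucketed brute force:", detect_bruteforce(evs))
    print("password spray:", detect_spray(evs))
    straddle = make_straddling_sample()
    print("straddling burst, bucketed:", detect_bruteforce(straddle))
    print("straddling burst, sliding:", detect_bruteforce_sliding(straddle))
```

In Splunk the sliding behaviour is closer to `streamstats count ... time_window=5m` than to `bucket`; the bucketed query stays cheaper and is fine as a first alert as long as the gap is understood.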

### Suspicious logons

```splunk
# Network logon (Type 3) outside business hours
# strftime returns a string, so convert before the numeric comparison
index=windows EventCode=4624 Logon_Type=3 earliest=-24h
| eval hour=tonumber(strftime(_time, "%H"))
| where hour < 7 OR hour > 19
| table _time, host, SubjectUserName, IpAddress, Logon_Type
```

```splunk
# New countries/IPs per user (requires a GeoIP lookup)
index=windows EventCode=4624 earliest=-7d
| iplocation IpAddress
| stats dc(Country) as countries by SubjectUserName
| where countries > 2
```

### Suspicious process creation (T1059)

```splunk
# PowerShell with encoded arguments — T1059.001
# CommandLine is only populated when "Include command line in process creation events" is enabled
index=windows EventCode=4688 earliest=-24h
  (NewProcessName="*powershell.exe" OR NewProcessName="*pwsh.exe")
  (CommandLine="*-enc*" OR CommandLine="*-EncodedCommand*")
| table _time, host, SubjectUserName, ParentProcessName, CommandLine
```
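Once the query above fires, the analyst needs the script behind the Base64 blob. The following added example (not part of the original snippet) extracts the `-EncodedCommand` argument from a 4688 command line and decodes it the way powershell.exe does (Base64 over UTF-16LE). powershell.exe documents `-ec` and `-e` as equivalent to `-EncodedCommand`, and accepts any unambiguous prefix, so the matcher covers those forms as well as `-enc`. The command lines and the script are constructed for the example.

```python
import base64
import shlex

# powershell.exe documents -EncodedCommand, -ec and -e as equivalent and accepts any
# unambiguous prefix, so a "*-enc*" search covers only part of the forms a 4688 line carries.
PARAM = "encodedcommand"
ENCODED_FLAGS = {"-ec"} | {"-" + PARAM[:i] for i in range(1, len(PARAM) + 1)}

# Constructed benign script used to build the sample command lines below.
SAMPLE_SCRIPT = "Get-Process | Where-Object CPU -gt 100"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    f"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -NonInteractive -e {SAMPLE_B64}",
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    f'"C:\\Program Files\\PowerShell\\7\\pwsh.exe" -EncodedCommand {SAMPLE_B64}',
]


def split_command_line(command_line):
    """Windows-style split: quotes group, backslashes are path separators, not escapes."""
    try:
        return [a.strip('"') for a in shlex.split(command_line, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to plain whitespace split
        return command_line.split()


def find_encoded_flag(argv):
    """Index of the -EncodedCommand flag (any accepted abbreviation), or -1."""
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() in ENCODED_FLAGS:
            return i
    return -1


def decode_encoded_command(command_line):
    """Decoded script text if the command line carries an encoded command, else None.

    powershell.exe expects Base64 over UTF-16LE text; anything that does not decode that
    way is reported as None so the analyst looks at the raw line instead.
    """
    argv = split_command_line(command_line)
    i = find_encoded_flag(argv)
    if i < 0:
        return None
    try:
        return base64.b64decode(argv[i + 1], validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(command_lines):
    """One row per 4688 command line: whether it is encoded, and the decoded script if so."""
    rows = []
    for cl in command_lines:
        script = decode_encoded_command(cl)
        rows.append({"command_line": cl, "encoded": script is not None, "script": script})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_COMMAND_LINES):
        print(row["encoded"], "->", row["script"])
```

Where ScriptBlock Logging is enabled, Event 4104 already records the decoded script, so this step is mainly for hosts where only 4688 is available.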

```splunk
# LOLBAS — abused built-in Windows tools
index=windows EventCode=4688 earliest=-24h
  (NewProcessName="*mshta.exe" OR NewProcessName="*regsvr32.exe"
   OR NewProcessName="*certutil.exe" OR NewProcessName="*bitsadmin.exe"
   OR NewProcessName="*wscript.exe" OR NewProcessName="*cscript.exe")
  (CommandLine="*http*" OR CommandLine="*\\\\*")
| table _time, host, SubjectUserName, NewProcessName, CommandLine
```

### Persistence

```splunk
# Scheduled task created or updated (T1053.005)
index=windows EventCode IN (4698, 4702) earliest=-24h
| table _time, host, SubjectUserName, TaskName, TaskContent
```

```splunk
# New service installed (T1543.003)
index=windows EventCode=7045 earliest=-24h
| table _time, host, ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount
```

### Audit log cleared

```splunk
# Audit log cleared (T1070.001)
index=windows EventCode=1102 earliest=-7d
| table _time, host, SubjectUserName, SubjectDomainName
| sort _time
```

---

## Elastic (KQL) — equivalent queries

```kql
# Windows brute force
event.code: "4625" and winlog.event_data.LogonType: "3"

# Encoded PowerShell
event.code: "4688" and process.name: "powershell.exe"
  and process.command_line: (*-enc* or *EncodedCommand*)

# New service
event.code: "7045"

# Linux SSH — successful auth
event.dataset: "system.auth" and system.auth.ssh.event: "Accepted"

# sudo on Linux
event.dataset: "system.auth" and system.auth.sudo.command: *
```

```kql
# Elastic — lateral movement indicator
# KQL negation is written "not field: value", and a wildcard must be unquoted to act as one
event.code: "4624" and winlog.event_data.LogonType: "3"
  and not source.ip: ("127.0.0.1" or "::1")
  and not winlog.event_data.TargetUserName: *$
```

---

## Correlation — typical lateral movement

Pattern: `4624 Type 3` → `4688 new process` → `4624 Type 3 on another host`

```splunk
# Splunk — lateral movement correlation (transaction)
# 4624 names the logged-on user in TargetUserName, 4688 names the process creator in SubjectUserName;
# coalesce(SubjectUserName, TargetUserName) would pick the often empty or "-" Subject field on 4624
index=windows (EventCode=4624 OR EventCode=4688) earliest=-2h
| eval pivot_user=if(EventCode==4624, TargetUserName, SubjectUserName)
| where NOT like(pivot_user, "%$")
| transaction pivot_user maxspan=30m startswith="EventCode=4624 AND Logon_Type=3"
| where eventcount > 2
| table _time, host, pivot_user, duration, eventcount
```

```splunk
# Sequence: network logon → execution on the target host → network logon to another host
# 4688 carries no source IP, so the host that ran the process must be mapped to its IP
# through an asset lookup ({{HOST_IP_LOOKUP}} is a placeholder for your own CMDB/asset lookup)
index=windows EventCode=4624 Logon_Type=3 earliest=-4h
| join type=inner IpAddress [
    search index=windows EventCode=4688 earliest=-4h
    | rename host as src_host
    | lookup {{HOST_IP_LOOKUP}} host AS src_host OUTPUT ip AS IpAddress
  ]
| table _time, src_host, host, IpAddress, SubjectUserName, NewProcessName
```
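The `transaction` query groups events per user and leaves the analyst to confirm the order; the sequence below checks it explicitly. This is an added example, not part of the original snippet: it runs the pattern (network logon on host X, process creation on X by the same user, network logon on a different host Y, all inside the 30-minute `maxspan`) over constructed Security events that use the field names from the Splunk queries above. Machine accounts (`*$`) are excluded as in the KQL query, and one chain is placed outside the window to show the cut-off.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=30)  # same window as the Splunk transaction above


def make_sample_events():
    """Constructed Security events (fields named as in the Splunk queries), not real telemetry."""
    t0 = datetime(2025, 5, 13, 14, 0, 0)

    def logon(minutes, host, user, ip):
        return {"_time": t0 + timedelta(minutes=minutes), "EventCode": 4624, "host": host,
                "Logon_Type": 3, "TargetUserName": user, "IpAddress": ip}

    def proc(minutes, host, user, image):
        return {"_time": t0 + timedelta(minutes=minutes), "EventCode": 4688, "host": host,
                "SubjectUserName": user, "NewProcessName": image}

    return [
        # chain to detect: network logon on WS-A, execution there, network logon on SRV-B 9 min later
        logon(0, "WS-A", "j.doe", "10.0.1.20"),
        proc(2, "WS-A", "j.doe", r"C:\Windows\System32\cmd.exe"),
        logon(9, "SRV-B", "j.doe", "10.0.1.30"),
        # benign: repeated file-share logons on one host, no process creation
        logon(1, "FS-1", "m.smith", "10.0.2.5"),
        logon(3, "FS-1", "m.smith", "10.0.2.5"),
        # machine account traffic, excluded like the KQL query's `not *$`
        logon(0, "DC-1", "WS-A$", "10.0.1.20"),
        # same shape, but the second logon falls outside maxspan
        logon(60, "WS-C", "a.lee", "10.0.3.7"),
        proc(65, "WS-C", "a.lee", r"C:\Windows\System32\cmd.exe"),
        logon(180, "WS-D", "a.lee", "10.0.3.8"),
    ]


def pivot_user(event):
    """4624 names the logged-on user in TargetUserName, 4688 the creator in SubjectUserName."""
    return event["TargetUserName"] if event["EventCode"] == 4624 else event["SubjectUserName"]


def is_network_logon(event):
    return event["EventCode"] == 4624 and event.get("Logon_Type") == 3


def find_lateral_chains(events, maxspan=MAXSPAN):
    """Per user: network logon on X -> process created on X -> network logon on Y != X, within maxspan."""
    by_user = defaultdict(list)
    for e in events:
        user = pivot_user(e)
        if not user.endswith("$"):  # drop machine accounts
            by_user[user].append(e)

    chains = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["_time"])
        for i, first in enumerate(evs):
            if not is_network_logon(first):
                continue
            executed = False
            for nxt in evs[i + 1:]:
                if nxt["_time"] - first["_time"] > maxspan:
                    break  # window closed without the full sequence
                if nxt["EventCode"] == 4688 and nxt["host"] == first["host"]:
                    executed = True
                elif executed and is_network_logon(nxt) and nxt["host"] != first["host"]:
                    chains.append({
                        "user": user, "from_host": first["host"], "to_host": nxt["host"],
                        "start": first["_time"], "end": nxt["_time"],
                        "duration_s": int((nxt["_time"] - first["_time"]).total_seconds()),
                    })
                    break
    return chains


if __name__ == "__main__":
    for chain in find_lateral_chains(make_sample_events()):
        print(f"{chain['user']}: {chain['from_host']} -> {chain['to_host']} in {chain['duration_s']}s")
```

The check that the second logon lands on a different host than the first is what separates this from a user simply working on one machine; without it the m.smith file-share logons would also match once any process ran there.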

---

## Enabling critical logs (Windows)

```powershell
# Enable process creation auditing (Event 4688)
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
# Include the command line in 4688 events; without this, CommandLine is empty in the queries above
$auditPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditPath -Force
Set-ItemProperty -Path $auditPath -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord

# Enable PowerShell ScriptBlock Logging (Event 4104)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $regPath -Force
Set-ItemProperty -Path $regPath -Name "EnableScriptBlockLogging" -Value 1 -Type DWord

# Enable PowerShell Module Logging (Event 4103)
$regPath2 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path $regPath2 -Force
Set-ItemProperty -Path $regPath2 -Name "EnableModuleLogging" -Value 1 -Type DWord
# The ModuleNames subkey must exist before a value can be written under it
New-Item -Path "$regPath2\ModuleNames" -Force
Set-ItemProperty -Path "$regPath2\ModuleNames" -Name "*" -Value "*"

# Increase the Security log size
wevtutil sl Security /ms:1073741824  # 1 GB
```

```bash
# Linux — enable auditd rules for execution monitoring
cat >> /etc/audit/rules.d/soc.rules << 'EOF'
# Process executions (both ABIs, otherwise 32-bit binaries are missed on x86_64)
-a always,exit -F arch=b64 -S execve -k exec_commands
-a always,exit -F arch=b32 -S execve -k exec_commands
# sudoers modifications
-w /etc/sudoers -p wa -k sudoers_change
# Writes and attribute changes to /etc/passwd and /etc/shadow
-w /etc/passwd -p wa -k passwd_change
-w /etc/shadow -p wa -k shadow_change
EOF
augenrules --load
```

<Tip>Enabling PowerShell ScriptBlock Logging (Event 4104) is one of the highest-impact visibility improvements on Windows: it captures the de-obfuscated script after interpretation, which defeats basic obfuscation techniques. Combine it with Constrained Language Mode for active hardening.</Tip>
