
Log analysis: Windows & Linux

Critical log sources, Windows event IDs, Linux syslog, SOC correlations

snippet · intermediate · 2025-05-13 · 5 min read
Tags: soc, logs, windows, linux, event-id, syslog, investigation

Critical Windows event IDs

| Event ID | Channel | Description | ATT&CK |
|---|---|---|---|
| 4624 | Security | Successful logon (Type 2 = interactive, 3 = network, 10 = remote) | T1078 |
| 4625 | Security | Failed logon (bruteforce indicator) | T1110 |
| 4648 | Security | Logon with explicit credentials (runas) | T1134 |
| 4672 | Security | Special privileges assigned (admin logon) | T1078.002 |
| 4688 | Security | New process created (requires audit enabled) | T1059 |
| 4698 | Security | Scheduled task created | T1053.005 |
| 4702 | Security | Scheduled task updated | T1053.005 |
| 4720 | Security | User account created | T1136.001 |
| 4726 | Security | User account deleted | T1531 |
| 4728/4732 | Security | Member added to a privileged group | T1098 |
| 4768 | Security | Kerberos TGT requested (AS-REQ) | T1558 |
| 4769 | Security | Kerberos service ticket requested (TGS-REQ) | T1558.003 |
| 4776 | Security | NTLM authentication (LSASS validates credentials) | T1550.002 |
| 7045 | System | New service installed | T1543.003 |
| 1102 | Security | Audit log cleared (indicator of attack) | T1070.001 |
| 4104 | PS/Operational | PowerShell ScriptBlock logging | T1059.001 |
| 4103 | PS/Operational | PowerShell Module logging | T1059.001 |


Critical Linux log sources

| File / source | Content | Useful command |
|---|---|---|
| /var/log/auth.log | SSH, sudo, su, PAM auth | grep "Failed\|Accepted" /var/log/auth.log |
| /var/log/syslog | General system events | grep "{{KEYWORD}}" /var/log/syslog |
| /var/log/audit/audit.log | Auditd: syscalls, file access, exec | ausearch -ts today -i |
| /var/log/secure (RHEL) | auth.log equivalent on RedHat/CentOS | journalctl _COMM=sshd |
| journalctl | systemd journal, all services | journalctl -u sshd --since "1 hour ago" |
| /var/log/wtmp | Login history (binary) | last -n 50 |
| /var/log/btmp | Failed login attempts (binary) | lastb -n 50 |
| /proc/[pid]/ | Live state of a process | ls -la /proc/{{PID}}/exe |
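The grep in the auth.log row only eyeballs the file; the added example below (not from the original snippet) parses a constructed auth.log excerpt for sshd and sudo lines and flags the source IPs that failed repeatedly and then obtained an accepted login. The log lines are constructed in OpenSSH/PAM format, not real telemetry.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not real telemetry); format matches OpenSSH + sudo messages
AUTH_LOG = """\
May 13 09:00:01 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 13 09:00:03 srv1 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
May 13 09:00:05 srv1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
May 13 09:01:10 srv1 sshd[2210]: Accepted publickey for deploy from 10.1.1.20 port 40210 ssh2: ED25519 SHA256:abc
May 13 09:01:12 srv1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 13 09:02:00 srv1 sshd[2215]: Accepted password for root from 203.0.113.7 port 51100 ssh2
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def parse_auth_log(text):
    """Return (failed logins per source IP, accepted logins as (user, ip, method), sudo commands)."""
    failed, accepted, sudo = Counter(), [], []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            if m["result"] == "Failed":
                failed[m["ip"]] += 1
            else:
                accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo.append((m["user"], m["target"], m["cmd"]))
    return failed, accepted, sudo

def success_after_failures(failed, accepted, min_failures=3):
    """Classic triage pattern: an IP that failed at least min_failures times and then got Accepted."""
    return [(u, ip, meth) for u, ip, meth in accepted if failed[ip] >= min_failures]

if __name__ == "__main__":
    failed, accepted, sudo = parse_auth_log(AUTH_LOG)
    print("failed per IP:", dict(failed))
    print("sudo:", sudo)
    print("success after failures:", success_after_failures(failed, accepted))
```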


Splunk: queries by scenario

Bruteforce / credential stuffing

```splunk
# Windows: bruteforce detection (>10 failures in 5 min)
index=windows EventCode=4625 earliest=-1h
| bucket _time span=5m
| stats count by _time, IpAddress, TargetUserName
| where count > 10
| sort -count
```

```splunk
# Windows: password spray (one IP, many users)
index=windows EventCode=4625 earliest=-1h
| stats dc(TargetUserName) as unique_users, count by IpAddress
| where unique_users > 5
| sort -unique_users
```
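The two Splunk queries above bucket failures by time and count distinct targets per source; the added example below (not part of the original snippet) implements the same two detections in Python over a constructed list of 4625 events so the thresholds can be tested offline. Event tuples, IPs and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

def build_sample():
    """Constructed sample of Security 4625 events as (timestamp, source IP, target user)."""
    events = []
    # 12 failures against one account from one IP inside two minutes: bruteforce
    for i in range(12):
        events.append((f"2025-05-13 09:00:{i * 5:02d}", "10.1.1.50", "alice"))
    # one IP trying 7 different accounts once each: password spray
    for i in range(7):
        events.append((f"2025-05-13 09:10:{i:02d}", "203.0.113.7", f"user{i}"))
    # benign noise: two typos from a workstation
    events += [("2025-05-13 09:20:00", "10.1.1.20", "bob"),
               ("2025-05-13 09:21:30", "10.1.1.20", "bob")]
    return events

EVENTS_4625 = build_sample()

def bruteforce_hits(events, span_s=300, threshold=10):
    """Same logic as the Splunk query: bucket _time by 5 min, count per (bucket, IP, user),
    keep the counts above the threshold."""
    counts = defaultdict(int)
    for ts, ip, user in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        bucket = int(t.timestamp()) // span_s * span_s  # bucket start, epoch seconds
        counts[(bucket, ip, user)] += 1
    return {k: n for k, n in counts.items() if n > threshold}

def spray_hits(events, threshold=5):
    """Password spray: one source IP failing against many distinct accounts (dc(TargetUserName))."""
    users = defaultdict(set)
    for _, ip, user in events:
        users[ip].add(user)
    return {ip: len(u) for ip, u in users.items() if len(u) > threshold}

if __name__ == "__main__":
    for (bucket, ip, user), n in sorted(bruteforce_hits(EVENTS_4625).items()):
        print(f"bruteforce {ip} -> {user}: {n} failures in one 5-min bucket")
    for ip, n in spray_hits(EVENTS_4625).items():
        print(f"spray {ip}: {n} distinct accounts")
```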

Suspicious logons

```splunk
# Network logon (Type 3) outside business hours
# strftime returns a string, so cast before the numeric comparison;
# in 4624 the logged-on account is TargetUserName (SubjectUserName is the requesting account)
index=windows EventCode=4624 Logon_Type=3 earliest=-24h
| eval hour=tonumber(strftime(_time, "%H"))
| where hour < 7 OR hour > 19
| table _time, host, TargetUserName, IpAddress, Logon_Type
```

```splunk
# New countries/IPs per account (requires a GeoIP lookup)
index=windows EventCode=4624 earliest=-7d
| iplocation IpAddress
| stats dc(Country) as countries by TargetUserName
| where countries > 2
```

Suspicious process creation (T1059)

```splunk
# PowerShell with encoded arguments (T1059.001)
index=windows EventCode=4688 earliest=-24h
(NewProcessName="*powershell.exe" OR NewProcessName="*pwsh.exe")
(CommandLine="*-enc*" OR CommandLine="*-EncodedCommand*")
| table _time, host, SubjectUserName, ParentProcessName, CommandLine
```

```splunk
# LOLBAS: abused built-in Windows tools
index=windows EventCode=4688 earliest=-24h
(NewProcessName="*mshta.exe" OR NewProcessName="*regsvr32.exe"
OR NewProcessName="*certutil.exe" OR NewProcessName="*bitsadmin.exe"
OR NewProcessName="*wscript.exe" OR NewProcessName="*cscript.exe")
(CommandLine="*http*" OR CommandLine="*\\\\*")
| table _time, host, SubjectUserName, NewProcessName, CommandLine
```

Persistence

```splunk
# Scheduled task created or updated (T1053.005)
index=windows EventCode IN (4698, 4702) earliest=-24h
| table _time, host, SubjectUserName, TaskName, TaskContent
```

```splunk
# New service installed (T1543.003)
index=windows EventCode=7045 earliest=-24h
| table _time, host, ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount
```

Audit log cleared

```splunk
# Audit log cleared (T1070.001)
index=windows EventCode=1102 earliest=-7d
| table _time, host, SubjectUserName, SubjectDomainName
| sort _time
```

Elastic (KQL): equivalent queries

```kql
# Windows bruteforce
event.code: "4625" and winlog.event_data.LogonType: "3"
# Encoded PowerShell
event.code: "4688" and process.name: "powershell.exe"
and process.command_line: (*-enc* or *EncodedCommand*)
# New service
event.code: "7045"
# Linux SSH: successful auth
event.dataset: "system.auth" and system.auth.ssh.event: "Accepted"
# Sudo on Linux
event.dataset: "system.auth" and system.auth.sudo.command: *
```

```kql
# Elastic: lateral movement indicator
# (KQL negation is "not field: value"; machine accounts end in "$" and are excluded)
event.code: "4624" and winlog.event_data.LogonType: "3"
and not source.ip: ("127.0.0.1" or "::1")
and not winlog.event_data.TargetUserName: *$
```

Correlation: typical lateral movement

Pattern: 4624 Type 3 → 4688 new process → 4624 Type 3 on another host

```splunk
# Splunk: lateral movement correlation (transaction)
# 4624 logs the logged-on account in TargetUserName, 4688 in SubjectUserName
index=windows (EventCode=4624 OR EventCode=4688) earliest=-2h
| eval pivot_user=if(EventCode=4624, TargetUserName, SubjectUserName)
| transaction pivot_user maxspan=30m startswith="EventCode=4624 Logon_Type=3"
| where eventcount > 2
| table _time, host, pivot_user, duration, eventcount
```

```splunk
# Sequence: network logon → execution → logon to another host
# 4688 carries no source IP, so the join key is the host that received the logon plus the account
index=windows EventCode=4624 Logon_Type=3 earliest=-4h
| eval pivot_user=TargetUserName
| join type=inner host pivot_user [
    search index=windows EventCode=4688 earliest=-4h
    | eval pivot_user=SubjectUserName
    | fields host, pivot_user, NewProcessName
  ]
| table _time, host, IpAddress, pivot_user, NewProcessName
```
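The transaction and join queries above express the three-step pattern in SPL; the added example below (not from the original snippet) implements the same chain as a per-account state machine over time-sorted events, which is the logic a custom correlation rule or a notebook-based hunt would run. Events, hosts and accounts are constructed; the field `user` already holds the logged-on account (TargetUserName for 4624, SubjectUserName for 4688).

```python
from datetime import datetime, timedelta

def ev(t, host, eid, user, logon_type=None, process=None):
    """Build one constructed Windows Security event (sample data, not real telemetry)."""
    return {"time": datetime.fromisoformat(f"2025-05-13T{t}"), "host": host,
            "id": eid, "user": user, "logon_type": logon_type, "process": process}

# Constructed sample: one true lateral-movement chain plus benign look-alikes
EVENTS = [
    ev("10:00:00", "WS01", 4624, "svc_backup", logon_type=3),
    ev("10:02:10", "WS01", 4688, "svc_backup", process="cmd.exe"),
    ev("10:05:30", "FS02", 4624, "svc_backup", logon_type=3),
    ev("10:01:00", "FS02", 4624, "alice", logon_type=3),      # file-share access, no execution
    ev("10:03:00", "FS02", 4624, "alice", logon_type=3),      # same host again
    ev("10:04:00", "WS03", 4624, "bob", logon_type=3),
    ev("10:06:00", "WS04", 4624, "bob", logon_type=3),        # second host but no 4688 in between
    ev("11:00:00", "WS01", 4688, "svc_backup", process="notepad.exe"),  # outside the 30 min window
]

def lateral_chains(events, window=timedelta(minutes=30)):
    """Per-user state machine over time-sorted events.
    Stage 1: 4624 logon type 3 on host A.  Stage 2: 4688 on A by the same account.
    Stage 3: 4624 logon type 3 on host B != A within `window`: report the chain."""
    state, chains = {}, []
    for e in sorted(events, key=lambda x: x["time"]):
        s = state.get(e["user"])
        if s is not None and e["time"] - s["t0"] > window:
            s = None  # correlation window expired, start over for this account
        if e["id"] == 4624 and e["logon_type"] == 3:
            if s is not None and s["process"] and e["host"] != s["host"]:
                chains.append((e["user"], s["host"], s["process"], e["host"]))
            state[e["user"]] = {"host": e["host"], "t0": e["time"], "process": None}
        elif e["id"] == 4688 and s is not None and e["host"] == s["host"]:
            s["process"] = e["process"]  # execution on the host that received the network logon
    return chains

if __name__ == "__main__":
    for user, src, proc, dst in lateral_chains(EVENTS):
        print(f"[lateral movement] {user}: {src} --{proc}--> {dst}")
```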

Enabling the critical logs (Windows)

```powershell
# Enable process creation auditing, with the command line included in 4688
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
$auditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1
# Enable PowerShell ScriptBlock Logging (Event 4104)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name "EnableScriptBlockLogging" -Value 1
# Enable PowerShell Module Logging (Event 4103)
$regPath2 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path $regPath2 -Force | Out-Null
Set-ItemProperty -Path $regPath2 -Name "EnableModuleLogging" -Value 1
# The ModuleNames subkey must exist before the "*" value can be written
New-Item -Path "$regPath2\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$regPath2\ModuleNames" -Name "*" -Value "*" -PropertyType String -Force | Out-Null
# Increase the Security log size
wevtutil sl Security /ms:1073741824   # 1 GB
```

```bash
# Linux: enable auditd to monitor executions
cat >> /etc/audit/rules.d/soc.rules << 'EOF'
# Execution monitoring (64-bit and 32-bit syscall ABIs)
-a always,exit -F arch=b64 -S execve -k exec_commands
-a always,exit -F arch=b32 -S execve -k exec_commands
# sudoers modifications
-w /etc/sudoers -p wa -k sudoers_change
# Access to /etc/passwd and /etc/shadow
-w /etc/passwd -p wa -k passwd_change
-w /etc/shadow -p wa -k shadow_change
EOF
augenrules --load
```
💡 Tip: enabling PowerShell ScriptBlock Logging (Event 4104) is one of the highest-impact visibility improvements on Windows: it captures the de-obfuscated script after interpretation, which defeats basic obfuscation techniques. Combine it with Constrained Language Mode for active hardening.