Understanding Windows security incidents
Making sense of security incidents
Security incidents in Windows generally fall into two critical types. The first is an isolated event that threatens network integrity, such as an end user who has been granted sensitive privileges by accident. The other is a pattern of events, such as numerous failed logon attempts, that indicates possible malicious activity.
What is a security incident?
A security incident is any event that potentially exposes an organization's sensitive data and ultimately undermines its network integrity. Widely known attack types include malware, social engineering, phishing scams, DDoS attacks, insider threats, and password attacks, to name a few. It's increasingly evident that businesses need to cast a wider net to detect such events and counter them.
Event IDs associated with security incidents and what do they mean
This section explores the critical Windows Event IDs that signify security incidents, offering insights into their implications and how they can be addressed.
An account failed to log on - Event ID 4625
This event is logged in Windows whenever a logon request fails.
The probable causes for such an event occurring are:
- Username or password keyed in incorrectly: This is the most common reason for a failed logon. When a user enters a username or password incorrectly, the logon is denied and the failure is recorded in the event log.
- Account is locked due to numerous failed attempts: Administrators set tailored policies in organisations to mitigate security threats. One such policy locks an account after the user has attempted to log in multiple times and failed every time.
- Username or password has expired: Tighter security practices and the need to keep the network free of threats call for consistent, stricter guidelines. Each user account therefore has a limited lifetime, and once the account approaches its expiration date, the credentials must be changed before it can be used again.
- Network communication failures: When one component of your network fails, you invariably run into failed logins. Misconfigured VPN settings, faulty network devices, ISP downtime, and failing security protocols such as SSL/TLS are some of the scenarios that prevent the network from completing user authentication.
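The opening section describes repeated logon failures as the pattern to watch for. As an added example (not code from the original page or from EventLog Analyzer), the following script applies a sliding-window threshold to constructed 4625 records and separates one hammered account from a spray across many accounts; the Sub Status values and sample records are assumptions introduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sub Status values Windows writes into a 4625 event for the causes listed above
# (NTSTATUS codes; this mapping is added here and is not taken from the page).
SUBSTATUS = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
}

# Constructed sample records carrying the 4625 fields the detection needs.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "jdoe", "ip": "10.0.0.5", "sub": 0xC000006A},
    {"time": "2024-05-01T09:00:04", "user": "jdoe", "ip": "10.0.0.5", "sub": 0xC000006A},
    {"time": "2024-05-01T09:00:07", "user": "jdoe", "ip": "10.0.0.5", "sub": 0xC000006A},
    {"time": "2024-05-01T09:00:10", "user": "jdoe", "ip": "10.0.0.5", "sub": 0xC000006A},
    {"time": "2024-05-01T09:00:13", "user": "jdoe", "ip": "10.0.0.5", "sub": 0xC0000234},
    {"time": "2024-05-01T09:05:00", "user": "alice", "ip": "10.0.0.7", "sub": 0xC000006A},
    {"time": "2024-05-01T09:05:02", "user": "bob", "ip": "10.0.0.7", "sub": 0xC000006A},
    {"time": "2024-05-01T09:05:04", "user": "carol", "ip": "10.0.0.7", "sub": 0xC000006A},
    {"time": "2024-05-01T09:05:06", "user": "dave", "ip": "10.0.0.7", "sub": 0xC000006A},
    {"time": "2024-05-01T09:05:08", "user": "erin", "ip": "10.0.0.7", "sub": 0xC000006A},
]

def describe(sub):
    """Human-readable cause for a 4625 Sub Status value."""
    return SUBSTATUS.get(sub, f"other (0x{sub:08X})")

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Report sources that reach `threshold` failures inside any `window`, as
    (ip, failures, kind): one account hammered = brute force, many = password spray."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    alerts = []
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                users = {u for _, u in items[start:end + 1]}
                kind = "password spray" if len(users) > 1 else "brute force"
                alerts.append((ip, end - start + 1, kind))
                break  # one alert per source is enough
    return sorted(alerts)
```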
Remediation techniques for Event ID 4625 using native Windows tools
There are native ways to address Event ID 4625 in your Windows environment. Try any of the solutions described below to fix the error.
- Clear expired credentials:
  - Credential Manager lets you review your stored usernames and passwords, and you can reach it from the Command Prompt.
  - Run the cmdkey /list command to list the usernames of the stored credentials.
  - Then run the rundll32.exe keymgr.dll,KRShowKeyMgr command to open the Stored User Names and Passwords dialog, which lists the corresponding credentials.
  - Remove the lapsed credentials from the server and restart your PC.
- Rejoin the domain:
  - Open the Run command.
  - Type regedit into the dialog box and navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa in the Registry Editor.
  - Right-click an empty space in the right pane of the Registry Editor, select New from the context menu, then select DWORD (32-bit) Value and name it LmCompatibilityLevel.
  - Double-click the LmCompatibilityLevel value you just created and enter 1 in the Value data field.
  - Click OK to save the changes.
- Steer away from the NTLM protocol: Microsoft has announced that NTLM is being phased out of future releases as an outdated protocol. It's vulnerable to brute-force attacks, since its hashing algorithm is well known and passwords are not salted, which makes it risky to rely on for authentication. You can therefore deny all incoming NTLM traffic through the Local Security Policy editor (secpol.msc).
A logon was attempted using explicit credentials - Event ID 4648
This event occurs when a user attempts a logon by explicitly supplying the credentials of the account concerned. Logging it helps you review personnel access more closely and guard your high-value accounts.
Guarding against Event ID 4648 using Windows:
It's vital to act on this event, as it may mean someone is trying to break into your system using different or newly obtained credentials. Try one of the techniques below to address the issue:
- Flush out account credentials masquerading as a legitimate user:
  - Open Event Viewer by searching for it in the Windows Search bar. Expand Windows Logs on the left-hand side and select Security.
  - Look for Event ID 4648 in the list of logs and note the account name that caused the event.
  - Open Control Panel and make sure View by is set to Large icons.
  - Select User Accounts from the options shown. Open Manage your credentials on the left-hand side of the window and select Windows Credentials.
  - From the list of stored credentials, select the one you want removed from your network.
- Turn off remote access: You can promptly disable Remote Desktop on your system from the Settings app.
  - Open Settings and navigate to the System section.
  - Scroll down to the Remote Desktop option.
  - Click the toggle next to Remote Desktop to disable it.
Special privileges assigned to new logon - Event ID 4672
This event is recorded when a user with administrator-level privileges logs on to a system. Its purpose is to flag logons that carry sensitive privileges and to sharpen vigilance over what happens within the network.
Here's the complete list of privileges that trigger this event:

Privilege | Description
--- | ---
SeTcbPrivilege | Act as part of the operating system
SeBackupPrivilege | Back up files and directories
SeCreateTokenPrivilege | Create a token object
SeDebugPrivilege | Debug programs
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation
SeAuditPrivilege | Generate security audits
SeImpersonatePrivilege | Impersonate a client after authentication
SeLoadDriverPrivilege | Load and unload device drivers
SeSecurityPrivilege | Manage auditing and security log
SeSystemEnvironmentPrivilege | Modify firmware environment values
SeAssignPrimaryTokenPrivilege | Replace a process-level token
SeRestorePrivilege | Restore files and directories
SeTakeOwnershipPrivilege | Take ownership of files or other objects

A logon that is assigned any of the above privileges triggers Event ID 4672.
Fixing Event ID 4672 with native workarounds
- Disable the antivirus software on your system.
- Close all background apps running on your PC.
- Restart Windows in Safe Mode.
Try the above steps before turning to the troubleshooting methods below:
- Update your BIOS: Updating the BIOS keeps your system compatible throughout its life cycle. Manufacturers roll out BIOS upgrades with the intent of countering advanced security threats.
- Uninstall recent Windows updates: This way, any issue in the latest build that leads to the error is removed along with it.
  - Open Settings.
  - Go to Windows Update and select Update history.
  - Click the Uninstall updates button and select the latest update.
  - Click Uninstall to confirm the selection.
- Update your GPU driver: Updating your drivers promptly fixes bugs affecting them and installs the latest features to improve system performance. See Update drivers manually in Windows for a walkthrough.
Kerberos authentication event - Event ID 4768
Event ID 4768 is logged on domain controllers whenever the Key Distribution Center (KDC) attempts to validate credentials. If the credentials are valid, a Kerberos Ticket Granting Ticket (TGT) is issued and a successful Kerberos authentication event is logged. If the credentials are invalid, a 4768 event is logged with the result type Failure.
Security mishaps are on the rise, and finding effective means to mitigate them is the need of the hour. Increasingly strict compliance mandates have pushed businesses to adopt in-demand practices and techniques. On that note, monitoring events of every kind helps you pinpoint anomalies and attempts to abuse heightened privileges.
Resolving Event ID 4768 using native techniques
Make sure you've tried the steps below before going on to troubleshoot the problem.
- Check that the Windows server is up to date.
- The server time must be correct.
- Network connectivity is working.
If you still see the error after these checks, try one of the solutions described below.
- Enable VPN: Enabling a VPN connection for the other users of your system is one way to get around this event. When a user tries to access your system, they must use the VPN to reach the local network. Kerberos authentication can then verify the credentials without further problems, and no Event ID 4768 will be logged.
- Uninstall troublesome updates:
  - Open Control Panel.
  - Go to Uninstall or change a program and click View installed updates.
  - Uninstall the update that's causing problems.
- Deploy a firewall: A firewall may prove the best option to block unsolicited incoming requests. Windows also lets you configure inbound and outbound rules on a server, which can be tailored to your needs.
  - Open Control Panel and go to System and Security.
  - Navigate to Windows Defender Firewall.
  - Go to Advanced settings.
  - Configure the Inbound and Outbound rules.
A Kerberos service ticket was requested - Event ID 4769
This event is generated when a Kerberos service ticket is requested. It records who requested the ticket, where the request originated, and the requester's security identifier. By logging service ticket requests, you can evaluate critical interactions between users and devices within your network.
Logging this event lets you stay vigilant about the activities of sensitive accounts such as administrators and their counterparts, and detect a security breach if one occurs.
Resolving Event ID 4769 using Windows workarounds
- Enable auditing of logon failures: Once enabled, the system begins logging logon failures, which helps identify unauthorized access attempts.
  - Open Windows PowerShell as administrator.
  - Run the auditpol /set /subcategory:"Logon" /failure:enable command in the PowerShell window.
- Reset the Kerberos password: Kerberoasting is a type of attack in which a bad actor abuses the Kerberos protocol to harvest password hashes for Active Directory user accounts. To fix this issue, reset the user's password in Active Directory Users and Computers. This privilege is usually exclusive to administrators, so contact authorized personnel and request a password reset.
- Fortify your authentication level:
  - Open the Run command.
  - Type gpedit.msc in the dialog box and press Enter to open the Group Policy Editor.
  - Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Locate the policy Network security: Configure encryption types allowed for Kerberos and double-click it to open its properties.
  - In the Local Security Setting tab, select AES256_HMAC_SHA1.
  - Click Apply, then OK to save the changes.
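The AES256 policy above matters because Kerberoasting relies on service tickets issued with the weaker RC4 type. As an added example (not from the original page or EventLog Analyzer), this script scans constructed 4769 records for accounts that collected RC4-encrypted service tickets across several service accounts; the encryption type values and sample data are assumptions introduced here.

```python
from collections import defaultdict

# Ticket Encryption Type values as recorded in event 4769 (added here; the
# page itself only names the AES256_HMAC_SHA1 policy setting).
ENC_TYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC"}
RC4_HMAC = 0x17

# Constructed 4769 records: requesting account, target service account, etype, result.
EVENTS = [
    {"account": "alice@CORP.LOCAL", "service": "sqlsvc", "etype": 0x12, "status": 0x0},
    {"account": "alice@CORP.LOCAL", "service": "CORP-FS01$", "etype": 0x12, "status": 0x0},
    {"account": "bob@CORP.LOCAL", "service": "sqlsvc", "etype": 0x17, "status": 0x0},
    {"account": "bob@CORP.LOCAL", "service": "iissvc", "etype": 0x17, "status": 0x0},
    {"account": "bob@CORP.LOCAL", "service": "backupsvc", "etype": 0x17, "status": 0x0},
    {"account": "bob@CORP.LOCAL", "service": "CORP-FS01$", "etype": 0x17, "status": 0x0},
    {"account": "carol@CORP.LOCAL", "service": "sqlsvc", "etype": 0x17, "status": 0x0},
    {"account": "dave@CORP.LOCAL", "service": "iissvc", "etype": 0x17, "status": 0x1F},
]

def etype_name(etype):
    """Readable name for a 4769 Ticket Encryption Type value."""
    return ENC_TYPES.get(etype, f"unknown (0x{etype:X})")

def rc4_service_tickets(events):
    """Map each account to the service accounts for which it obtained an RC4 ticket.
    Only successful requests (Status 0x0) count, and computer accounts (trailing $)
    are skipped: their long random passwords make them a poor roasting target."""
    per_account = defaultdict(set)
    for e in events:
        if e["status"] == 0 and e["etype"] == RC4_HMAC and not e["service"].endswith("$"):
            per_account[e["account"]].add(e["service"])
    return dict(per_account)

def kerberoast_suspects(events, min_services=3):
    """Accounts that collected RC4 tickets for at least `min_services` distinct
    service accounts, the footprint a bulk SPN harvest leaves in the 4769 stream."""
    return sorted(a for a, s in rc4_service_tickets(events).items() if len(s) >= min_services)
```

Tune min_services to the number of SPN-bearing accounts a normal user in your environment touches; one RC4 ticket alone (carol above) is a reason to fix the account's encryption types, not an alert on its own.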
Troubleshooting security incidents using EventLog Analyzer
EventLog Analyzer is a comprehensive log management tool that collects, monitors, correlates, and archives logs from across your network in one place. It's a one-stop solution for troubleshooting errors, fortifying your security posture, and staying compliant with regulatory mandates.
Enhance security monitoring in EventLog Analyzer by setting up a custom alert profile for event IDs 4625, 4648, 4672, 4768, and 4769.
- Go to EventLog Analyzer → Alerts → Add Alert Profile.
- Select the Alert and Event ID from the respective drop-downs.
- Select Equals and add 4625. Repeat the process to add event IDs 4648, 4672, 4768, and 4769.
- Add other details like the alert name, severity, and log sources.
- Include the device name, user account, and domain in the alert message and enable notifications.
- The security admin receiving the notifications can use the details in the alert message to check whether these events were logged multiple times on the same system.
Best practices for event ID based security monitoring and remediation
- Centralized log management is a good way to start doing away with security incidents. By unifying logs in a central repository for all your data, you stay one step ahead in reacting to activity that seems uncharacteristic.
- Lean on SIEM solutions to automate security audits, which makes it easier to correlate events and probe loose ends.
- Configure settings to prioritize event IDs that are critical by nature, and set up alarms so they can be investigated promptly when they occur.
- Set up custom alerts for specific devices that start to behave abnormally.
- Emphasize timely reports on security events to review patterns periodically and ensure you're compliant with the growing number of cybersecurity mandates.