Day-8: Correlating Multiple Event Sources
Objective: Simulate a small incident by correlating multiple event sources. Learners will use logs from previous days (login failures, PowerShell execution, WFP connections, account events) to reconstruct an attack timeline[3].
Challenge Description: An endpoint on the network shows signs of compromise: many failed logins (4625) were seen, followed by suspicious PowerShell commands and then a new user account appeared. Using the logs, identify the sequence of events to confirm a breach.
Tools: Event Viewer (Security, PowerShell logs), PowerShell.
⚙️ Simulation Setup — Generate the Events Before Analysis
💡 You’ll simulate a “mini attack” safely by creating the exact pattern of logs manually.
🔹 Step 1 — Simulate Login Failures (Event ID 4625)
On your WIN10-VM (joined to the TALOSEC domain), go to the login screen.
Attempt to sign in several times with the wrong password:
Username: TALOSEC\Administrator Password: (enter a wrong password 5–6 times)
✅ Result: The Security log on WIN10-VM records multiple Event ID 4625 – Failed logon entries for TALOSEC\Administrator with Logon Type 2 (Interactive). Because this is a domain account, DC01 does not log 4625 for a console failure; it records Event ID 4771 (Kerberos pre-authentication failed) with WIN10-VM's IP in the Client Address field. A 4625 carrying WIN10-VM's IP appears on DC01 only when the failed attempts are network logons against the DC itself (for example RDP or SMB to DC01).
💡 You can verify later:
On WIN10-VM: Event Viewer → Windows Logs → Security → Filter → 4625. On DC01: Event Viewer → Windows Logs → Security → Filter → 4771 (or 4776 if NTLM was used).
🔹 Step 2 — Simulate a Successful Login (Event ID 4624)
After the failed attempts, log in successfully with the correct credentials:
✅ Result: A 4624 (Successful logon) event is recorded for Administrator from the same client machine.
Check the Logon Type field: Type 2 = Interactive (console), Type 3 = Network (SMB, WinRM and similar), Type 10 = RemoteInteractive (RDP). Types 3 and 10 carry the client's address in Source Network Address; a console logon shows "-" or a loopback address there, so read the type before treating the IP as the attacker's location.
🔹 Step 3 — Simulate Suspicious PowerShell Use (Event ID 4103 / 4104)
On WIN10-VM (the host the attacker logged in to), open PowerShell as Administrator and run a few "malicious-looking" but harmless commands that create a local user and add it to the Administrators group. Run them on the workstation rather than on DC01: New-LocalUser and Add-LocalGroupMember manage the local SAM, which a domain controller does not have, so they fail there.
✅ Result: If PowerShell Script Block Logging (Day 3) is enabled, each command is recorded in Microsoft-Windows-PowerShell/Operational:
Event 4104 → Script block logging (records the exact text of each command run)
Event 4103 → Module logging (pipeline execution with bound parameters); this one appears only if Module Logging is also enabled
You’ll see entries referencing New-LocalUser and Add-LocalGroupMember.
🔹 Step 4 — Simulate Account Creation and Privilege Assignment (Events 4720 / 4732)
The PowerShell commands from Step 3 generate these Security events automatically:
4720 → User account created (haxxor)
4722 → User account enabled (logged alongside 4720 for a newly created account)
4732 → Member added to a security-enabled local group (Administrators)
✅ Check later:
Event Viewer → Windows Logs → Security → Filter → 4720,4732
🔹 Step 5 — Simulate Outbound Network Connection (Event 5156)
To simulate potential C2 (Command & Control) traffic, make an outbound TCP connection from PowerShell on the compromised host, for example an HTTPS request to any reachable external host.
✅ Result:
Event ID 5156 ("The Windows Filtering Platform has permitted a connection") is recorded in the Security log with Direction = Outbound, the Application Name (powershell.exe, or svchost.exe for system-initiated traffic) and the destination address and port. The event is only written when Audit Filtering Platform Connection success auditing (Object Access) is enabled, which is the prerequisite for the WFP events used on earlier days.
🔹 Step 6 — Wait a Minute, Then Proceed to Analysis
You’ve now generated all events that mimic an attacker chain:
4625 – Multiple failed logons
4624 – Successful login
4103 / 4104 – Suspicious PowerShell
4720 / 4732 – New admin user created
5156 – Outbound connection to external IP
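The commands for Steps 3 to 5 gathered into one script, as an added example rather than the lab's own command list: it creates the haxxor account named above, adds it to Administrators, opens a single outbound TCP connection so WFP writes a 5156, lists the resulting Security events, and offers a cleanup switch for after the analysis. The test password and the destination host example.com:443 are assumptions; run it from an elevated PowerShell on WIN10-VM.

```powershell
# Added example, not part of the original lab: generates the Step 3-5 events in one run.
# Assumptions: account name "haxxor" (from the lab text), a test-only password, and
# example.com:443 as the "C2" destination. Run from an elevated PowerShell on WIN10-VM.
param([switch] $Cleanup)

if ($Cleanup) {
    # Run with -Cleanup after the analysis phase. The account disappears but its
    # events stay in the log; removal itself logs 4733 and 4726.
    Remove-LocalGroupMember -Group 'Administrators' -Member 'haxxor'
    Remove-LocalUser -Name 'haxxor'
    return
}

# Step 3/4 - account creation and privilege assignment.
# Each command is written to Microsoft-Windows-PowerShell/Operational as 4104 (script
# block text) and produces Security events 4720/4722 (user created/enabled) and
# 4732 (member added to the Administrators local group).
$pw = ConvertTo-SecureString 'Lab-Only-P@ss123' -AsPlainText -Force   # never reuse a real password here
New-LocalUser -Name 'haxxor' -Password $pw -Description 'Day-8 lab backdoor account'
Add-LocalGroupMember -Group 'Administrators' -Member 'haxxor'

# Step 5 - one outbound TCP connection from powershell.exe so WFP logs a 5156
# (Direction = Outbound, Application Name = powershell.exe). Any reachable host works;
# an HTTPS request with Invoke-WebRequest produces the same event.
$null = Test-NetConnection -ComputerName 'example.com' -Port 443 -InformationLevel Quiet

# Confirm the Security events exist before moving on to the analysis phase.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722, 4732; StartTime = (Get-Date).AddMinutes(-5) } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
```

Save it as Invoke-Day8Setup.ps1, run it once to generate the events, and run it again with -Cleanup only after the timeline has been reviewed so the deletion events do not land in the window you are analysing.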
Step-by-step Instructions:
1. Find login failures: In the compromised host's Security log, filter for Event ID 4625 (failed logons). Look for a burst of failures against one account or from one source within a few minutes. Note the Account Name, Logon Type and Source Network Address. For example, you might see 4625 events targeting Administrator.
2. Find the successful login: Filter for Event ID 4624 (successful logons) shortly after the failures. Confirm whether the attacker eventually got in and how: Logon Type 10 means RDP, Type 3 a network logon, Type 2 the console.
3. Check PowerShell logs: Open Microsoft-Windows-PowerShell/Operational and filter for 4103/4104 around the time of the login. Look for commands that create users, change group membership or download payloads (e.g., New-LocalUser, Add-LocalGroupMember, Invoke-WebRequest).
4. Review account events: As in Day 7, filter the Security log for 4720/4722 (account created/enabled) and 4732 (member added to a local group; 4728 is the equivalent for a domain global group) around that timeframe. See whether a new account was created or added to an admin group immediately after the PowerShell activity.
5. Review WFP logs: Filter the Security log for Event ID 5156 around the same time. Identify unusual outbound connections made after the compromise (e.g., powershell.exe connecting to an external IP shortly after the account creation).
6. Interpret and prioritize: Collate the evidence: multiple 4625 failures (indicative of brute force), then a successful logon (4624), a PowerShell script (4103/4104), a new admin user (4720/4732) and an outbound connection (5156). This chain of events strongly indicates that an attacker gained access and created persistence[3]. Prioritize these logs for alerting and trigger incident response procedures.
Simulated Output: Example findings might include:
- 4625: Several failed attempts for Administrator from 10.1.1.50 (the attacker).
- 4624: A successful network logon for Administrator from 10.1.1.50 at 20:02:15.
- 4104 (or 4103): At 20:03:00, a PowerShell command running New-LocalUser -Name "haxxor" -Password ....
- 4720: At 20:03:01, user haxxor was created by Administrator.
Piecing this together, you see that an attacker brute-forced Administrator, logged in, ran PowerShell to create a backdoor account, and then potentially used that account. An actual SOC analyst would now report this as a confirmed breach and start containment.
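The analysis steps above carried out in one script, as an added example that is not part of the original lab: it pulls the six event IDs from the Security and PowerShell Operational logs for a time window, flattens them into a single sorted timeline using the XML fields rather than the Message text, and flags the brute-force → logon → new-account chain. The two-hour lookback, the thresholds (5 failures within 10 minutes, an account created within 30 minutes of the logon) and the use of -ComputerName to read another host's log are lab choices, not values from the page; the Direction resource ids for 5156 (%%14593 outbound, %%14592 inbound) are Windows' own encoding of that field.

```powershell
# Added example, not from the original lab: correlate Security + PowerShell Operational
# events into one timeline and detect the brute-force -> logon -> new-account chain.
# Assumptions (lab choices, not values from the page): 2-hour lookback, detection
# thresholds below, and -ComputerName for reading a remote host's log.
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    [datetime] $Start        = (Get-Date).AddHours(-2)
)

# Read a named <Data> field from the event XML instead of scraping Message text.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event, [string] $Name)
    $data = ([xml] $Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.GetAttribute('Name') -eq $Name } | Select-Object -First 1).InnerText
}

$sec = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4720, 4732, 5156; StartTime = $Start }
$ps  = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $Start }

# Normalise every event to Time / Id / Actor / Source / Detail so both logs sort together.
$timeline = foreach ($e in ((@($sec) + @($ps)) | Where-Object { $null -ne $_ })) {
    switch ($e.Id) {
        4625 { $who = Get-EventField $e 'TargetUserName'; $src = Get-EventField $e 'IpAddress'
               $det = 'failed logon, status ' + (Get-EventField $e 'Status') + '/' + (Get-EventField $e 'SubStatus') }
        4624 { $who = Get-EventField $e 'TargetUserName'; $src = Get-EventField $e 'IpAddress'
               $det = 'logon type ' + (Get-EventField $e 'LogonType') }
        4720 { $who = Get-EventField $e 'SubjectUserName'; $src = '-'
               $det = 'created user ' + (Get-EventField $e 'TargetUserName') }
        4732 { $who = Get-EventField $e 'SubjectUserName'; $src = '-'
               $det = 'added ' + (Get-EventField $e 'MemberSid') + ' to ' + (Get-EventField $e 'TargetUserName') }
        5156 { $who = Get-EventField $e 'Application'; $src = Get-EventField $e 'SourceAddress'
               # Direction is stored as a resource id: %%14593 = outbound, %%14592 = inbound
               $dir = if ((Get-EventField $e 'Direction') -eq '%%14593') { 'outbound' } else { 'inbound' }
               $det = "$dir to " + (Get-EventField $e 'DestAddress') + ':' + (Get-EventField $e 'DestPort') }
        4103 { $who = "$($e.UserId)"; $src = '-'; $det = ((Get-EventField $e 'Payload') -split "`n")[0] }
        4104 { $who = "$($e.UserId)"; $src = '-'; $det = Get-EventField $e 'ScriptBlockText' }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Actor = $who; Source = $src; Detail = $det }
}
$timeline = @($timeline | Sort-Object Time)

# Detection: at least $MinFailures 4625s for one target account inside $WindowMinutes,
# then a 4624 for the same account, then a 4720 within $FollowMinutes of that logon.
# Grouping is by target account because console failures carry "-" as IpAddress.
function Find-BruteForceChain {
    param([object[]] $Timeline, [int] $MinFailures = 5, [int] $WindowMinutes = 10, [int] $FollowMinutes = 30)
    $failures = $Timeline | Where-Object { $_.Id -eq 4625 }
    foreach ($grp in ($failures | Group-Object Actor)) {
        $burst = @($grp.Group | Sort-Object Time)
        if ($burst.Count -lt $MinFailures) { continue }
        if (($burst[-1].Time - $burst[0].Time).TotalMinutes -gt $WindowMinutes) { continue }
        $logon = $Timeline | Where-Object { $_.Id -eq 4624 -and $_.Actor -eq $grp.Name -and $_.Time -gt $burst[-1].Time } |
                 Select-Object -First 1
        if (-not $logon) { continue }
        $created = @($Timeline | Where-Object { $_.Id -eq 4720 -and $_.Time -gt $logon.Time -and
                                                $_.Time -le $logon.Time.AddMinutes($FollowMinutes) })
        $verdict = if ($created.Count) { 'CONFIRMED: brute force -> logon -> new account' } else { 'SUSPECT: brute force -> logon' }
        [pscustomobject]@{
            TargetAccount = $grp.Name
            Failures      = $burst.Count
            Sources       = ($burst.Source | Sort-Object -Unique) -join ','
            FirstFailure  = $burst[0].Time
            Logon         = $logon.Time
            LogonDetail   = $logon.Detail
            NewAccounts   = ($created.Detail -join '; ')
            Verdict       = $verdict
        }
    }
}

$timeline | Format-Table Time, Id, Actor, Source, Detail -AutoSize -Wrap
Find-BruteForceChain -Timeline $timeline | Format-List
```

Run it as Administrator on WIN10-VM to read the local logs, or pass -ComputerName DC01 to pull the DC's Security log over the Remote Event Log Management firewall rule. The timeline table is the evidence you hand over; the Find-BruteForceChain output is the alert, and lowering -MinFailures or widening -FollowMinutes shows how quickly a threshold-based rule starts flagging normal mistyped passwords.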
Each day's lab above simulates a realistic SOC task using Event Viewer and PowerShell on Windows 10/11/Server 2022. The focus is on log review, filtering, and interpretation to detect suspicious activity. By practicing these steps and reviewing the example logs, learners build the habits of a SOC analyst: examining logs by event ID, prioritizing alerts (e.g. frequent 4625s), and correlating multiple logs for comprehensive detection[3][2].