Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training, Courses, and Resources
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

Triaging Windows Event Logs for Ransomware Investigations

Download File
Triaging Windows Event Logs for Ransomware Investigations (PDF, 2.73MB)Published: 27 Jun, 2022
Created by:
Perumal P S

Ransomware attacks on organizations will disrupt their day-to-day operations causing significant inconvenience, especially if they provide critical services to the people. With the increasing number of ransomware attacks, it is of paramount importance to identify the ransomware characteristics during the preliminary investigation stage. This is critical in a heavily networked infrastructure where if the ransomware has been detected in one system, it could still spread to other systems in the network or continue residing in them. This has to be done in a fast and timely manner to prevent the spread or other similar attacks. Using the newest operating system, Windows 11 with its inbuilt Microsoft Defender Anti-Virus, 37 ransomware variants from the different families were tested. Windows Events logs generated and forwarded to a centralized log server were analyzed for logs generated during detection, removal or successful execution or other characteristics. In summary 28 out of 37 variants were detected by the Microsoft Defender and generated event logs with Event ID 1116 and 1117 containing critical information like signature name, path, detection name, and user. The remaining 9 variants were undetected and generated logs with Event ID 1, 1000 or 1109 where it either crashed (1 variant), could not run due to compatibility issues (4 variants), memory issue (1 variant), or executed and encrypted files successfully (3 variants). This is useful for forensics investigators during the triage period to focus on these event logs to get the necessary information to track down the origin and path of ransomware and also scanning the network where the ransomware could still be residing in other devices that may have failed execution. The info would also aid in the post-investigation phase where the necessary teams like Security Information and Event Management (SIEM) teams to get more information about the ransomware and build different use cases for early detection and prevention by the Security Operations Centers (SOCs).