Windows Event ID 4906 – Microsoft-Windows-Security-Auditing: An attempt was made to register a security event source

Start by examining the specific details of the Event ID 4906 occurrence to understand what triggered the registration attempt.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4906 by right-clicking the Security log and selecting Filter Current Log
4. Enter 4906 in the Event IDs field and click OK
5. Double-click on a recent Event ID 4906 entry to view detailed information
6. Review the following key fields in the event details:
   • Process Name: The executable that initiated the registration
   • Process ID: The PID of the requesting process
   • Account Name: The user context under which the registration occurred
   • Source Name: The event source name being registered
7. Cross-reference the process name with known applications to verify legitimacy

Use PowerShell to programmatically analyze Event ID 4906 occurrences and extract detailed information for investigation.

1. Open PowerShell as Administrator
2. Query recent Event ID 4906 entries:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4906} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

3. Extract detailed event properties for analysis:

   $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4906} -MaxEvents 10
   foreach ($event in $events) {
       $eventXML = [xml]$event.ToXml()
       $processName = $eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
       $sourceName = $eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SourceName'} | Select-Object -ExpandProperty '#text'
       Write-Host "Time: $($event.TimeCreated) | Process: $processName | Source: $sourceName"
   }

4. Filter events by specific time range if investigating a particular incident:

   $startTime = (Get-Date).AddHours(-24)
   $endTime = Get-Date
   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4906; StartTime=$startTime; EndTime=$endTime}

5. Export results for further analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4906} -MaxEvents 50 | Export-Csv -Path "C:\Temp\Event4906_Analysis.csv" -NoTypeInformation

Examine the Windows Registry to verify the event source registrations and identify any suspicious or unauthorized entries.

1. Open Registry Editor by pressing Win + R, typing regedit, and pressing Enter
2. Navigate to the main Event Log registry location:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
3. Examine the Security subkey to see registered security event sources:
   HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security
4. Look for recently created or suspicious event source entries by checking:
   • Subkey names that don't match known applications
   • Event sources with unusual or generic names
   • Recently modified timestamps on registry keys
5. For each suspicious event source, examine the following registry values:
   • EventMessageFile: Points to the DLL containing event messages
   • TypesSupported: Defines what event types the source can generate
   • CategoryMessageFile: Specifies category message resources
6. Cross-reference the EventMessageFile path with the process that triggered Event ID 4906
7. Use PowerShell to query registry information programmatically:

   Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" | ForEach-Object {
       $sourceName = $_.PSChildName
       $messageFile = Get-ItemProperty -Path $_.PSPath -Name "EventMessageFile" -ErrorAction SilentlyContinue
       if ($messageFile) {
           Write-Host "Source: $sourceName | Message File: $($messageFile.EventMessageFile)"
       }
   }

Investigate the processes and files associated with Event ID 4906 to determine if the registration attempts are legitimate or potentially malicious.

1. Use Process Monitor (ProcMon) to monitor real-time registry and file activity during event source registrations
2. Download ProcMon from Microsoft Sysinternals if not already available
3. Configure ProcMon filters to focus on Event Log-related activity:
   • Set Process and Thread Activity filter to include registry operations
   • Add a Path filter containing "EventLog" to capture relevant registry access
   • Include file system activity for executables mentioned in Event ID 4906
4. Analyze the executable files that triggered the event source registration:

   # Get file information for processes that registered event sources
   $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4906} -MaxEvents 10
   foreach ($event in $events) {
       $eventXML = [xml]$event.ToXml()
       $processPath = $eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
       if (Test-Path $processPath) {
           $fileInfo = Get-ItemProperty -Path $processPath
           $signature = Get-AuthenticodeSignature -FilePath $processPath
           Write-Host "File: $processPath"
           Write-Host "Version: $($fileInfo.VersionInfo.FileVersion)"
           Write-Host "Signature: $($signature.Status)"
           Write-Host "Signer: $($signature.SignerCertificate.Subject)"
           Write-Host "---"
       }
   }

5. Check Windows Defender or other security software logs for any detections related to the processes
6. Verify digital signatures and certificate validity for suspicious executables
7. Use Autoruns from Sysinternals to identify if any suspicious event sources are configured for automatic startup

Set up comprehensive monitoring for Event ID 4906 to detect unauthorized event source registrations and establish baseline behavior patterns.

1. Create a custom Windows Event Forwarding (WEF) subscription to centralize Event ID 4906 monitoring across multiple systems
2. Configure a scheduled task to run PowerShell monitoring scripts:

   # Create monitoring script: Monitor-EventSource4906.ps1
   $lastRun = Get-Date (Get-Content "C:\Scripts\LastRun.txt" -ErrorAction SilentlyContinue)
   if (-not $lastRun) { $lastRun = (Get-Date).AddHours(-1) }
   
   $newEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4906; StartTime=$lastRun}
   
   foreach ($event in $newEvents) {
       $eventXML = [xml]$event.ToXml()
       $processName = $eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
       $sourceName = $eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SourceName'} | Select-Object -ExpandProperty '#text'
       
       # Define whitelist of known good processes
       $knownProcesses = @('setup.exe', 'msiexec.exe', 'services.exe', 'svchost.exe')
       
       if ($processName -notin $knownProcesses) {
           # Send alert for unknown process registering event source
           Write-EventLog -LogName Application -Source "EventSourceMonitor" -EventId 1001 -EntryType Warning -Message "Unknown process $processName registered event source $sourceName"
       }
   }
   
   Get-Date | Out-File "C:\Scripts\LastRun.txt"

3. Set up Windows Task Scheduler to run the monitoring script every 15 minutes
4. Configure SIEM integration to collect and analyze Event ID 4906 patterns
5. Create baseline documentation of legitimate event sources in your environment
6. Implement Group Policy settings to restrict event source registration permissions where appropriate:
   • Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
   • Review and configure Generate security audits policy
7. Use Windows Performance Toolkit (WPT) for advanced event correlation and analysis in complex environments