added win events
This commit is contained in:
parent
d797981a6d
commit
6bd59faa8f
@ -2,7 +2,8 @@
## Dump Logfile
Windows Event Logfiles can be dumped via
Windows event logs can be found under `C:\Windows\System32\winevt\Logs`.
Windows Event Logfiles can also be dumped via
```sh
evtx_dump $EVENT_LOG > event.log
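Review bot: the new sentence naming `C:\Windows\System32\winevt\Logs` should say what the reader is meant to do with that directory, because the `evtx_dump $EVENT_LOG > event.log` command that follows never says where `$EVENT_LOG` comes from; something like "The `.evtx` files under `C:\Windows\System32\winevt\Logs` can be dumped with `evtx_dump`" ties the two together. The two adjacent lines also now spell it "Windows Event Logfiles" and "Windows event logs"; pick one form.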
@ -24,23 +25,41 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
### Process
* **1**: Process Creation
* **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
Sysmon -> Operational)
* **4688**: Process Creation (Windows Logs -> Security)
### Files
* **11**: File opened
* **11**: File opened (Applications & Services -> Microsoft -> Windows ->
Sysmon -> Operational)
* **4656**: File changed (Windows Logs -> Security)
* **13**: Registry value set (Applications & Services -> Microsoft -> Windows ->
Sysmon -> Operational)
* **4657**: Registry value set (Windows Logs -> Security)
### Network
* **3** Network connection (Sysmon, path shown above)
* **22** DNS query (Sysmon, path shown above)
### Account Management
The `subject` is the account doing an action on an `object`.
* **4719**: Attempt to change a policy
* **4720**: User account creation
* **4722**: User account enabled
* **4723**: Attempt to change an account password. The user attempts to change their password
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
* **4723**: Attempt to change an account password. The user attempts to change
their password
* **4724**: Attempt to reset the account password. The user attempts to reset
the password of another account
* **4725**: Account disable
* **4726**: Account removed from systemved from system
* **4728**: Attempt to add an account to a global security group
* **4729**: Attempt to remove an account from a global security group
* **4732**: User was added to a security group (like Administrators)
* **4733**: User was removed from a security group (like Administrators)
* **4738**: User account properties were changed
* **4740**: User account was locked after repeated attempt of access
* **4756**: Attempt to add an account to a universal security group
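Review bot: the 4726 entry reads "Account removed from systemved from system", which looks like a paste slip for "Account removed from system". The labels on the file events could also be tightened: Microsoft documents Sysmon event 11 as FileCreate (a file was created or overwritten), not "File opened", and Security event 4656 as a handle to an object being requested, not "File changed". Since 13 and 4657 are registry events, a separate `### Registry` heading would fit them better than listing them under `### Files`.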
@ -50,11 +69,19 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
### Account Logon
* **4624**: Successful logon
* **4625**: Failed logon
These can be found via `Event Viewer` under `Windows Logs` -> `Security`.
The `Logon ID` is the session identifier.
* **4624**: Successful logon/login
* **4625**: Failed logon/login
* **4634** and **4647**: Logoff
* **4779**: Session disconnect
### Logon Types
* **10**: RDP
* **3**: Network
### Scheduled Tasks
* **4698**: Scheduled task creation
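Review bot: the sentence "The `Logon ID` is the session identifier" would be more useful if it said what the field is for: the same Logon ID appears in the 4624 event and in the matching 4634/4647 logoff event listed right below, so it is the value to correlate a session's start and end when reviewing the Security log. Minor style point: "Successful logon/login" and "Failed logon/login" can drop the "/login", since the rest of the section only uses "logon".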
@ -71,6 +98,8 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
### Security
These can be found via `Event Viewer` under `Windows Logs` -> `Security`
* **1100**: Logging service disabled
* **1102**: Log deletion
* **1116**: Windows Defender Malware detection
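Review bot: the sentence "These can be found via `Event Viewer` under `Windows Logs` -> `Security`" does not hold for every entry beneath it: 1100 and 1102 are indeed in the Security log, but Defender's 1116 malware detection is written to Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational, so the location should be given per entry the way the Sysmon items above do. The sentence is also missing its closing period, unlike the same sentence in the Account Logon section.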
@ -87,6 +116,9 @@ Applications and Services Logs -> Windows Powershell and Apps and Services Logs
* **600**: Opening Powershell
* **4104**: Powershell command executed
In addition check Powershell's history file on path
`C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
## RDP
Applications and Services Logs -> Microsoft -> Windows ->
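Review bot: `%USER%` in the new history-file path is not a variable Windows sets, so `C:\Users\%USER%\AppData\...` will not expand as written; use `%USERNAME%`, or the shorter `%APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`. It is also worth stating next to it that PSReadLine only records interactive console sessions, so a script run non-interactively leaves nothing in this file and the 4104 events above remain the place to look for what it executed.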