added win events

Forensics/Windows Event Logs.md

@@ -2,7 +2,8 @@
 
 ## Dump Logfile
 
-Windows Event Logfiles can be dumped via
+Windows event logs can be found under `C:\Windows\System32\winevt\Logs`.
+Windows Event Logfiles can also be dumped via
 
 ```sh
 evtx_dump $EVENT_LOG > event.log
@@ -24,23 +25,41 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
 
 ### Process
 
-* **1**: Process Creation
+* **1**: Process Creation (Applications & Services -> Microsoft -> Windows ->
+  Sysmon -> Operational)
+* **4688**: Process Creation (Windows Logs -> Security)
 
 ### Files
 
-* **11**: File opened
+* **11**: File opened (Applications & Services -> Microsoft -> Windows ->
+  Sysmon -> Operational)
+* **4656**: File changed (Windows Logs -> Security)
+* **13**: Registry value set (Applications & Services -> Microsoft -> Windows ->
+  Sysmon -> Operational)
+* **4657**: Registry value set (Windows Logs -> Security)
+
+### Network
+
+* **3** Network connection (Sysmon, path shown above)
+* **22** DNS query (Sysmon, path shown above)
 
 ### Account Management
 
+The `subject` is the account doing an action on an `object`.
+
 * **4719**: Attempt to change a policy
 * **4720**: User account creation
 * **4722**: User account enabled
-* **4723**: Attempt to change an account password. The user attempts to change their password
-* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
+* **4723**: Attempt to change an account password. The user attempts to change
+  their password
+* **4724**: Attempt to reset the account password. The user attempts to reset
+  the password of another account
 * **4725**: Account disable
 * **4726**: Account removed from systemved from system
 * **4728**: Attempt to add an account to a global security group
 * **4729**: Attempt to remove an account from a global security group
+* **4732**: User was added to a security group (like Administrators)
+* **4733**: User was removed from a security group (like Administrators)
 * **4738**: User account properties were changed
 * **4740**: User account was locked after repeated attempt of access
 * **4756**: Attempt to add an account to a universal security group
@@ -50,11 +69,19 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
 
 ### Account Logon
 
-* **4624**: Successful logon
-* **4625**: Failed logon
+These can be found via `Event Viewer` under `Windows Logs` -> `Security`.
+The `Logon ID` is the session identifier.
+
+* **4624**: Successful logon/login
+* **4625**: Failed logon/login
 * **4634** and **4647**: Logoff
 * **4779**: Session disconnect
 
+### Logon Types
+
+* **10**: RDP
+* **3**: Network
+
 ### Scheduled Tasks
 
 * **4698**: Scheduled task creation
@@ -71,6 +98,8 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
 
 ### Security
 
+These can be found via `Event Viewer` under `Windows Logs` -> `Security`
+
 * **1100**: Logging service disabled
 * **1102**: Log deletion
 * **1116**: Windows Defender Malware detection
@@ -87,6 +116,9 @@ Applications and Services Logs -> Windows Powershell and Apps and Services Logs
 * **600**: Opening Powershell
 * **4104**: Powershell command executed
 
+In addition check Powershell's history file on path
+`C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
+
 ## RDP
 
 Applications and Services Logs -> Microsoft -> Windows ->