diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 06776e2..f688420 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -2,7 +2,8 @@ ## Dump Logfile -Windows Event Logfiles can be dumped via +Windows event logs can be found under `C:\Windows\System32\winevt\Logs`. +Windows Event Logfiles can also be dumped via ```sh evtx_dump $EVENT_LOG > event.log 
@@ -24,23 +25,41 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl ### Process -* **1**: Process Creation +* **1**: Process Creation (Applications & Services -> Microsoft -> Windows -> + Sysmon -> Operational) +* **4688**: Process Creation (Windows Logs -> Security) ### Files -* **11**: File opened +* **11**: File opened (Applications & Services -> Microsoft -> Windows -> + Sysmon -> Operational) +* **4656**: File changed (Windows Logs -> Security) +* **13**: Registry value set (Applications & Services -> Microsoft -> Windows -> + Sysmon -> Operational) +* **4657**: Registry value set (Windows Logs -> Security) + +### Network + +* **3** Network connection (Sysmon, path shown above) +* **22** DNS query (Sysmon, path shown above) ### Account Management +The `subject` is the account doing an action on an `object`. + * **4719**: Attempt to change a policy * **4720**: User account creation * **4722**: User account enabled -* **4723**: Attempt to change an account password. The user attempts to change their password -* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account +* **4723**: Attempt to change an account password. The user attempts to change + their password +* **4724**: Attempt to reset the account password. The user attempts to reset + the password of another account * **4725**: Account disable * **4726**: Account removed from systemved from system * **4728**: Attempt to add an account to a global security group * **4729**: Attempt to remove an account from a global security group +* **4732**: User was added to a security group (like Administrators) +* **4733**: User was removed from a security group (like Administrators) * **4738**: User account properties were changed * **4740**: User account was locked after repeated attempt of access * **4756**: Attempt to add an account to a universal security group 
@@ -50,11 +69,19 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl ### Account Logon -* **4624**: Successful logon -* **4625**: Failed logon +These can be found via `Event Viewer` under `Windows Logs` -> `Security`. +The `Logon ID` is the session identifier. + +* **4624**: Successful logon/login +* **4625**: Failed logon/login * **4634** and **4647**: Logoff * **4779**: Session disconnect +### Logon Types + +* **10**: RDP +* **3**: Network + ### Scheduled Tasks * **4698**: Scheduled task creation @@ -71,6 +98,8 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl ### Security +These can be found via `Event Viewer` under `Windows Logs` -> `Security` + * **1100**: Logging service disabled * **1102**: Log deletion * **1116**: Windows Defender Malware detection @@ -87,6 +116,9 @@ Applications and Services Logs -> Windows Powershell and Apps and Services Logs * **600**: Opening Powershell * **4104**: Powershell command executed +In addition check Powershell's history file on path +`C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` + ## RDP Applications and Services Logs -> Microsoft -> Windows ->
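Review bot: In the `## Dump Logfile` hunk, the new sentence names the directory `C:\Windows\System32\winevt\Logs` but does not say that the files there carry the `.evtx` extension, which is what the `evtx_dump $EVENT_LOG` line below expects; one clause such as "the per-channel `.evtx` files live under ..." would tie the two lines together and explain the `$EVENT_LOG` placeholder.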
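Review bot: In the `### Files` hunk, `* **4656**: File changed (Windows Logs -> Security)` describes 4656 as a change event, but in the Security log 4656 is the "handle to an object was requested" event (the object-access sequence is 4656 handle requested, 4663 access attempted, 4658 handle closed); either re-describe it as a handle request or cite 4663 if file modification is what the section means. Two smaller points in the same hunk: the new `### Network` bullets drop the colon used everywhere else (`* **3** Network connection` vs `* **11**: File opened`), and the untouched context line `* **4726**: Account removed from systemved from system` carries a pre-existing duplication that should be fixed while this section is being edited.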
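Review bot: In the `### Account Logon` hunk, the new `### Logon Types` section lists only `10: RDP` and `3: Network` without saying that the type is the `Logon Type` field inside a 4624/4625 event, so a reader cannot tell how the two lists relate; add that sentence, and consider the other common values an analyst filters on (2 interactive, 4 batch, 5 service, 7 unlock, 9 new credentials, 11 cached interactive). Also, `Successful logon/login` and `Failed logon/login` read awkwardly; the event names use "logon", so the `/login` suffix can go.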
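Review bot: In the `### Security` hunk, the new lead sentence claims all of the following IDs are under `Windows Logs` -> `Security`, but `* **1116**: Windows Defender Malware detection` is written to `Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational`, not the Security log; only 1100 and 1102 belong there, so qualify the sentence or move 1116 to a Defender entry with its own path. The sentence also lacks the trailing period that the otherwise identical sentence in the `### Account Logon` hunk has.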
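Review bot: In the `## Powershell` hunk, `%USER%` is not a standard Windows environment variable; use `%USERNAME%`, or better `%APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` since the file sits under the roaming profile anyway. The note should also say that this file is written by the PSReadLine module for interactive console sessions only, so an empty or missing file does not mean PowerShell was not used and the 4104 script-block events above remain the primary source. Minor: "In addition check" wants a comma, and the product name is spelled "PowerShell".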