whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added winevents

This commit is contained in:
gurkenhabicht 2025-05-02 00:38:15 +02:00
parent 75a34e4b59
commit d3b457a796
1 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
Forensics/Windows Event Logs.md
View File

@ -61,6 +61,10 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
* **4702**: Scheduled task updated * **4702**: Scheduled task updated
* **4699**: Scheduled task deletion * **4699**: Scheduled task deletion
* **106** Task registered
* **100** Task started
* **129** Created Task Process
### System ### System
* **7045**: Service installation * **7045**: Service installation
@ -69,5 +73,25 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
* **1100**: Logging service disabled * **1100**: Logging service disabled
* **1102**: Log deletion * **1102**: Log deletion
* **1116**: Malware detection * **1116**: Windows Defender Malware detection
* **1117**: Windows Defender Malware quarantined
* **4697**: Service installation (subsection of **7045**) * **4697**: Service installation (subsection of **7045**)
* **5001**: Windows Defender disabled
* **5007**: Windows Defender configuration changed
### Powershell
Applications and Services Logs -> Windows Powershell and Apps and Services Logs
-> Microsoft -> Windows -> Powershell -> Operational
* **600**: Opening Powershell
* **4104**: Powershell command executed
## RDP
Applications and Services Logs -> Microsoft -> Windows ->
TerminalServices-LocalSessionManager -> Operational
* **21**: RDP Connect
* **24**: RDP Disconnect
* **25**: RDP Reconnect