events

2026-04-09 01:33:03 +02:00 · 2026-04-09 01:33:03 +02:00 · d69f8dc1bb
parent 2a561ac73f
commit d69f8dc1bb
1 changed files with 3 additions and 1 deletions
--- a/Forensics/Windows
+++ b/Forensics/Windows
@ -32,7 +32,7 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl

 ### Files

-* **11**: File opened (Applications & Services -> Microsoft -> Windows ->
+* **11**: File opened/created (Applications & Services -> Microsoft -> Windows ->
  Sysmon -> Operational)
 * **4656**: File changed (Windows Logs -> Security)
 * **13**: Registry value set (Applications & Services -> Microsoft -> Windows ->
@ -85,7 +85,9 @@ The `Logon ID` is the session identifier.
 ### Active Directory Objects

 * **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects)
+* **5137**: Directory service object was created
 * **5140**: Object Access
+* **5145**: Shared Access

 ### Logon Types