From d69f8dc1bbb8bcdc4f6c57669e08a2e0f7e8e83a Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Thu, 9 Apr 2026 01:33:03 +0200 Subject: [PATCH] events --- Forensics/Windows Event Logs.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 95b67d1..6259777 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -32,7 +32,7 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl ### Files -* **11**: File opened (Applications & Services -> Microsoft -> Windows -> +* **11**: File opened/created (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational) * **4656**: File changed (Windows Logs -> Security) * **13**: Registry value set (Applications & Services -> Microsoft -> Windows -> @@ -85,7 +85,9 @@ The `Logon ID` is the session identifier. ### Active Directory Objects * **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects) +* **5137**: Directory service object was created * **5140**: Object Access +* **5145**: Shared Access ### Logon Types
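Review bot: the relabel of Sysmon ID 11 in the Files hunk is still wrong: Sysmon event 11 is FileCreate, raised when a file is created or overwritten, and Sysmon does not log plain file opens at all, so `* **11**: File opened/created` should read `* **11**: File created or overwritten`. The unchanged context line beneath it has a related problem: Security event 4656 is "A handle to an object was requested", which is logged when the handle is opened whether or not anything is written, so `* **4656**: File changed` describes the wrong event; a write under object auditing shows up as 4663 ("An attempt was made to access an object") with WriteData in its access mask, and that line should be reworded while this list is being touched.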
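Review bot: 5145 does not belong under "Active Directory Objects" and "Shared Access" is not what it means; 5145 is "A network share object was checked to see whether client can be granted desired access", an Object Access event from the Detailed File Share audit subcategory that fires for each access to a share (ADMIN$, C$, IPC$ named pipes included), not for directory-service objects, and the pre-existing 5140 ("A network share object was accessed", File Share subcategory) is a share event as well. Suggest moving both out of this section, for example into a Shares entry under Files as `* **5140**: Network share accessed (Windows Logs -> Security)` and `* **5145**: Network share access check, with relative target name and access mask (Windows Logs -> Security)`, which also gives them the log location the other entries on the page carry. The added 5137 line is correctly placed next to 5136: both come from the Directory Service Changes subcategory, so it needs the same prerequisites (that subcategory enabled plus a SACL on the object), and it would be worth stating that once for the pair.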