whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

events

This commit is contained in:
gurkenhabicht 2026-04-09 01:33:03 +02:00
parent 2a561ac73f
commit d69f8dc1bb
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Forensics/Windows Event Logs.md
View File

@ -32,7 +32,7 @@ Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
### Files ### Files
* **11**: File opened (Applications & Services -> Microsoft -> Windows -> * **11**: File opened/created (Applications & Services -> Microsoft -> Windows ->
Sysmon -> Operational) Sysmon -> Operational)
* **4656**: File changed (Windows Logs -> Security) * **4656**: File changed (Windows Logs -> Security)
* **13**: Registry value set (Applications & Services -> Microsoft -> Windows -> * **13**: Registry value set (Applications & Services -> Microsoft -> Windows ->
@ -85,7 +85,9 @@ The `Logon ID` is the session identifier.
### Active Directory Objects ### Active Directory Objects
* **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects) * **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects)
* **5137**: Directory service object was created
* **5140**: Object Access * **5140**: Object Access
* **5145**: Shared Access
### Logon Types ### Logon Types