event ids
This commit is contained in:
parent
90d5915e5e
commit
fd69c5c90b
|
|
@ -3,7 +3,46 @@
|
|||
## Dump Logfile
|
||||
|
||||
Windows Event Logfiles can be dumped via
|
||||
|
||||
```sh
|
||||
evtx_dump $EVENT_LOG > event.log
|
||||
evtx_dump -o json $EVENT_LOG > event.log
|
||||
```
|
||||
|
||||
## Event IDs
|
||||
|
||||
### Process
|
||||
|
||||
* **1**: Process Creation
|
||||
|
||||
### Files
|
||||
|
||||
* **11**: File opened
|
||||
|
||||
### Account Management
|
||||
|
||||
* **4720**: User account creation
|
||||
* **4722**: User account enabled
|
||||
* **4723**: Attempt to change an account password. The user attempts to change their password
|
||||
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
|
||||
* **4725**: Account disable
|
||||
* **4726**: Account removal
|
||||
|
||||
### Account Logon
|
||||
|
||||
* **4624**: Successful logon
|
||||
* **4625**: Failed logon
|
||||
* **4634** and **4647**: Logoff
|
||||
* **4779**: Session disconnect
|
||||
|
||||
### Scheduled Tasks
|
||||
|
||||
* **4698**: Scheduled task creation
|
||||
* **4702**: Scheduled task updated
|
||||
* **4699**: Scheduled task deletion
|
||||
|
||||
### Security
|
||||
|
||||
* **1100**: Logging service disabled
|
||||
* **1102**: Log deletion
|
||||
* **1116**: Malware detection
|
||||
|
|
|
|||
Loading…
Reference in New Issue