From fd69c5c90b6897710e97221c1fccc8148865239a Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Tue, 7 Nov 2023 19:02:14 +0100 Subject: [PATCH] event ids --- Forensics/Windows Event Logs.md | 39 +++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 1a9433e..138e267 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -3,7 +3,46 @@ ## Dump Logfile Windows Event Logfiles can be dumped via + ```sh evtx_dump $EVENT_LOG > event.log evtx_dump -o json $EVENT_LOG > event.log ``` + +## Event IDs + +### Process + +* **1**: Process Creation + +### Files + +* **11**: File opened + +### Account Management + +* **4720**: User account creation +* **4722**: User account enabled +* **4723**: Attempt to change an account password. The user attempts to change their password +* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account +* **4725**: Account disable +* **4726**: Account removal + +### Account Logon + +* **4624**: Successful logon +* **4625**: Failed logon +* **4634** and **4647**: Logoff +* **4779**: Session disconnect + +### Scheduled Tasks + +* **4698**: Scheduled task creation +* **4702**: Scheduled task updated +* **4699**: Scheduled task deletion + +### Security + +* **1100**: Logging service disabled +* **1102**: Log deletion +* **1116**: Malware detection
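Review bot: the new "Event IDs" section never says which log channel each ID belongs to, and the list mixes sources in a way that will mislead an analyst grepping the Security log: the 4xxx IDs (4624, 4720, 4698, ...) and 1100/1102 are Security-log events, but **1** (Process Creation) and **11** are Sysmon IDs from the Microsoft-Windows-Sysmon/Operational channel, and **1116** comes from the Windows Defender Operational log. Please add the channel to each subsection heading or as a note beside each ID, e.g. `### Process (Sysmon)`. Two descriptions also need correcting: Sysmon event 11 is "FileCreate", not "File opened", and 1102 is "The audit log was cleared" rather than generic log deletion, which matters because an analyst will look for the wrong activity otherwise. Minor consistency points: the Account Management entries switch between "User account creation" and "Account disable"/"Account removal"; use one form ("User account disabled", "User account deleted"), and order the Scheduled Tasks entries numerically (4698, 4699, 4702) so the list is easy to scan.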