whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

event ids

This commit is contained in:
gurkenhabicht 2023-11-07 19:02:14 +01:00
parent 90d5915e5e
commit fd69c5c90b
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
Forensics/Windows Event Logs.md
View File

@ -3,7 +3,46 @@
## Dump Logfile ## Dump Logfile
Windows Event Logfiles can be dumped via Windows Event Logfiles can be dumped via
```sh ```sh
evtx_dump $EVENT_LOG > event.log evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log evtx_dump -o json $EVENT_LOG > event.log
``` ```
## Event IDs
### Process
* **1**: Process Creation
### Files
* **11**: File opened
### Account Management
* **4720**: User account creation
* **4722**: User account enabled
* **4723**: Attempt to change an account password. The user attempts to change their password
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
* **4725**: Account disable
* **4726**: Account removal
### Account Logon
* **4624**: Successful logon
* **4625**: Failed logon
* **4634** and **4647**: Logoff
* **4779**: Session disconnect
### Scheduled Tasks
* **4698**: Scheduled task creation
* **4702**: Scheduled task updated
* **4699**: Scheduled task deletion
### Security
* **1100**: Logging service disabled
* **1102**: Log deletion
* **1116**: Malware detection