# Windows Event Log

## Dump Logfile

Windows event logs can be found under `C:\Windows\System32\winevt\Logs`. Windows event logfiles can also be dumped via

```sh
evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log
```

## Query Windows Events

One method is to use the GUI tool `Event Viewer`, another method is to use PowerShell. Use `Get-WinEvent` to filter categories like Security or System (the same categories as in `Event Viewer`) and Event IDs with the following line.

```powershell
# e.g. successful logons (4624) from the Security log
Get-WinEvent -FilterHashTable @{LogName='Security';ID=4624} | fl
```

## Event IDs

### Process

* **1**: Process Creation (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
* **10**: ProcessAccess, Sysmon event where one process opens a handle to another process
* **4688**: Process Creation (Windows Logs -> Security)

### Files

* **11**: File opened (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
* **4656**: File changed (Windows Logs -> Security)
* **13**: Registry value set (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
* **4657**: Registry value set (Windows Logs -> Security)

### Network

* **3**: Network connection (Sysmon, path shown above)
* **22**: DNS query (Sysmon, path shown above)

### Account Management

The `subject` is the account doing an action on an `object`.

* **4719**: Attempt to change a policy
* **4720**: User account creation
* **4722**: User account enabled
* **4723**: Attempt to change an account password. The user attempts to change their own password
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
* **4725**: Account disabled
* **4726**: Account removed from system
* **4728**: Attempt to add an account to a global security group (logged domain wide)
* **4729**: Attempt to remove an account from a global security group
* **4732**: User was added to a security group (like Administrators, logged on local machine or DC)
* **4733**: User was removed from a security group (like Administrators)
* **4738**: User account properties were changed
* **4740**: User account was locked out after repeated failed access attempts
* **4756**: Attempt to add an account to a universal security group (logged on entire AD forest)
* **4757**: Attempt to remove an account from a universal security group
* **4768**: Kerberos TGT request
* **4769**: Kerberos TGS request
* **4771**: Kerberos pre-auth failure
* **4776**: Validate NTLM credentials at DC. This happens when the resource is accessed via IP address, for legacy applications without Kerberos support, or for auth between untrusted DC domains

### Account Logon

These can be found via `Event Viewer` under `Windows Logs` -> `Security`. The `Logon ID` is the session identifier.

* **4624**: Successful logon/login, session created on target resource
* **4625**: Failed logon/login
* **4634** and **4647**: Logoff
* **4779**: Session disconnect

### Active Directory Objects

* **5136**: Attribute-level modification on AD object (e.g. Group Policy Objects)
* **5140**: Object Access

### Logon Types

* **2**: Interactive
* **3**: Network
* **4**: Batch
* **5**: Service
* **7**: Unlock
* **10**: RDP

### Scheduled Tasks

* **4698**: Scheduled task creation
* **4702**: Scheduled task updated
* **4699**: Scheduled task deletion
* **106**: Task registered
* **100**: Task started
* **129**: Created Task Process

### System

* **7045**: Service installation

### Security

These can be found via `Event Viewer` under `Windows Logs` -> `Security`.

* **1100**: Logging service disabled
* **1102**: Log deletion
* **1116**: Windows Defender malware detection
* **1117**: Windows Defender malware quarantined
* **4697**: Service installation (subsection of **7045**)
* **5001**: Windows Defender disabled
* **5007**: Windows Defender configuration changed

### PowerShell

Found under `Applications and Services Logs -> Windows PowerShell` and `Applications and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational`.

* **600**: Opening PowerShell
* **4104**: PowerShell command executed

In addition, check PowerShell's history file at `C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`.

### RDP

Found under `Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational`.

* **21**: RDP Connect
* **24**: RDP Disconnect
* **25**: RDP Reconnect
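The event IDs above only become useful once they are correlated. The following added example (not part of the original cheat sheet) triages a dump produced with `evtx_dump -o jsonl` (one JSON record per line) and raises findings for three of the patterns listed here: repeated **4625** failed logons for one account from one address, a **4720** account creation followed by **4732** membership in a security group for the same SID, and a **1102** log clear. The sample records are constructed, the JSON layout follows evtx_dump's `Event/System/EventData` nesting as assumed here, and the threshold is a placeholder to tune.

```python
import json
from collections import Counter

FAILED_LOGON_THRESHOLD = 3   # placeholder; tune to the environment

def _ev(eid, **data):
    """Build one constructed record in evtx_dump's JSON layout (assumed here)."""
    return json.dumps({"Event": {"System": {"EventID": eid, "Channel": "Security"},
                                 "EventData": data}})

# Constructed sample: three failed logons, a new account that is then added to
# Administrators (matched on SID), and a cleared audit log.
SAMPLE_DUMP = "\n".join(
    [_ev(4625, TargetUserName="svc_backup", IpAddress="10.0.0.5")] * 3 +
    [_ev(4720, TargetUserName="helpdesk2", TargetSid="S-1-5-21-1-2-3-1105"),
     _ev(4732, TargetUserName="Administrators", MemberSid="S-1-5-21-1-2-3-1105"),
     _ev(1102)])

def parse_dump(text):
    """Yield (event_id, event_data) pairs from one-record-per-line JSON output."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)["Event"]
            eid = ev["System"]["EventID"]
            if isinstance(eid, dict):      # events with qualifiers nest the id
                eid = eid["#text"]
            yield int(eid), ev.get("EventData") or {}

def triage(text):
    """Return a list of (rule, detail) findings for a whole dump."""
    findings = []
    failed = Counter()                     # (account, source ip) -> 4625 count
    created = {}                           # SID -> account name seen in 4720
    for eid, data in parse_dump(text):
        if eid == 4625:
            failed[(data.get("TargetUserName"), data.get("IpAddress"))] += 1
        elif eid == 4720:
            created[data.get("TargetSid")] = data.get("TargetUserName")
        elif eid == 4732 and data.get("MemberSid") in created:
            findings.append(("new-account-to-group",
                             f"{created[data['MemberSid']]} -> {data.get('TargetUserName')}"))
        elif eid == 1102:
            findings.append(("audit-log-cleared", "Security log was cleared"))
    for (user, ip), n in failed.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("repeated-failed-logons", f"{user} from {ip} x{n}"))
    return findings
```

Run it against a real dump with `triage(open("event.log").read())`; the 4720/4732 rule keys on `TargetSid`/`MemberSid` rather than names because the group membership event carries the member as a SID.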