4.4 KiB

Raw Blame History

Windows Event Log

Dump Logfile

Windows event logs can be found under C:\Windows\System32\winevt\Logs. Windows Event Logfiles can also be dumped via

evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log

Query Windows Events

One method is to use the GUI Tool Event Viewer, another method is to use Powershell.

Use Win-Event to filter categories like Security or System (same categories like in Event Viewer) and Event IDs throught the following line.

Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl

Event IDs

Process

1: Process Creation (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
10: ProcessAccess, Sysmon event where one process opens a handle to another process
4688: Process Creation (Windows Logs -> Security)

Files

11: File opened (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
4656: File changed (Windows Logs -> Security)
13: Registry value set (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
4657: Registry value set (Windows Logs -> Security)

Network

3 Network connection (Sysmon, path shown above)
22 DNS query (Sysmon, path shown above)

Account Management

The subject is the account doing an action on an object.

4719: Attempt to change a policy
4720: User account creation
4722: User account enabled
4723: Attempt to change an account password. The user attempts to change their password
4724: Attempt to reset the account password. The user attempts to reset the password of another account
4725: Account disabled
4726: Account removed from systemved from system
4728: Attempt to add an account to a global security group (logged domain wide)
4729: Attempt to remove an account from a global security group
4732: User was added to a security group (like Administrators, logged on local or DC)
4733: User was removed from a security group (like Administrators)
4738: User account properties were changed
4740: User account was locked after repeated attempt of access
4756: Attempt to add an account to a universal security group (logged on entire ad forest)
4757: Attempt to remove an account from a universal security group
4768: Kerberos TGT request
4769: Kerberos TGS request
4771: Kerberos pre-auth failure
4776: Validate NTLM credentials at DC. This happens when the resource is accessed via IP address, for legacy applications without Kerberos support or auth between untrusted DC domains

Account Logon

These can be found via Event Viewer under Windows Logs -> Security. The Logon ID is the session identifier.

4624: Successful logon/login, Session created on target resource
4625: Failed logon/login
4634 and 4647: Logoff
4779: Session disconnect

Active Directory Objects

5136: Attribute-level modification on AD object (e.g. Group Policy Objects)
5140: Object Access

Logon Types

2: Interactive
3: Network
4: Batch
5: Service
7: Unlock
10: RDP

Scheduled Tasks

4698: Scheduled task creation
4702: Scheduled task updated
4699: Scheduled task deletion
106 Task registered
100 Task started
129 Created Task Process

System

7045: Service installation

Security

These can be found via Event Viewer under Windows Logs -> Security

1100: Logging service disabled
1102: Log deletion
1116: Windows Defender Malware detection
1117: Windows Defender Malware quarantined
4697: Service installation (subsection of 7045)
5001: Windows Defender disabled
5007: Windows Defender configuration changed

Powershell

Applications and Services Logs -> Windows Powershell and Apps and Services Logs -> Microsoft -> Windows -> Powershell -> Operational

600: Opening Powershell
4104: Powershell command executed

In addition check Powershell's history file on path C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

RDP

Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational

21: RDP Connect
24: RDP Disconnect
25: RDP Reconnect

4.4 KiB Raw Blame History