killchain-compendium/Forensics/Windows Event Logs.md

# Windows Event Log

## Dump Logfile

Windows Event Logfiles can be dumped via

```sh
evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log
```

## Query Windows Events

One method is to use the GUI Tool `Event Viewer`, another method is to use Powershell.

Use `Win-Event` to filter categories like Security or System (same categories
like in `Event Viewer`) and Event IDs throught the following line.

```sh
Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
```

## Event IDs

### Process

* **1**: Process Creation

### Files

* **11**: File opened

### Account Management

* **4719**: Attempt to change a policy
* **4720**: User account creation
* **4722**: User account enabled
* **4723**: Attempt to change an account password. The user attempts to change their password
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
* **4725**: Account disable
* **4726**: Account removed from systemved from system
* **4728**: Attempt to add an account to a global security group
* **4729**: Attempt to remove an account from a global security group
* **4738**: User account properties were changed
* **4740**: User account was locked after repeated attempt of access
* **4756**: Attempt to add an account to a universal security group
* **4757**: Attempt to remove an account from a universal security group
* **4768**: Kerberos TGT request
* **4771**: Kerberos pre-auth failure

### Account Logon

* **4624**: Successful logon
* **4625**: Failed logon
* **4634** and **4647**: Logoff
* **4779**: Session disconnect

### Scheduled Tasks

* **4698**: Scheduled task creation
* **4702**: Scheduled task updated
* **4699**: Scheduled task deletion

### System

* **7045**: Service installation

### Security

* **1100**: Logging service disabled
* **1102**: Log deletion
* **1116**: Malware detection
* **4697**: Service installation (subsection of **7045**)