whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Forensics/Windows Event Logs.md

3.7 KiB
Raw Blame History

Windows Event Log

Dump Logfile

Windows event logs can be found under C:\Windows\System32\winevt\Logs. Windows Event Logfiles can also be dumped via

evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log

Query Windows Events

One method is to use the GUI Tool Event Viewer, another method is to use Powershell.

Use Win-Event to filter categories like Security or System (same categories like in Event Viewer) and Event IDs throught the following line.

Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl

Event IDs

Process

  • 1: Process Creation (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
  • 4688: Process Creation (Windows Logs -> Security)

Files

  • 11: File opened (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
  • 4656: File changed (Windows Logs -> Security)
  • 13: Registry value set (Applications & Services -> Microsoft -> Windows -> Sysmon -> Operational)
  • 4657: Registry value set (Windows Logs -> Security)

Network

  • 3 Network connection (Sysmon, path shown above)
  • 22 DNS query (Sysmon, path shown above)

Account Management

The subject is the account doing an action on an object.

  • 4719: Attempt to change a policy
  • 4720: User account creation
  • 4722: User account enabled
  • 4723: Attempt to change an account password. The user attempts to change their password
  • 4724: Attempt to reset the account password. The user attempts to reset the password of another account
  • 4725: Account disable
  • 4726: Account removed from systemved from system
  • 4728: Attempt to add an account to a global security group
  • 4729: Attempt to remove an account from a global security group
  • 4732: User was added to a security group (like Administrators)
  • 4733: User was removed from a security group (like Administrators)
  • 4738: User account properties were changed
  • 4740: User account was locked after repeated attempt of access
  • 4756: Attempt to add an account to a universal security group
  • 4757: Attempt to remove an account from a universal security group
  • 4768: Kerberos TGT request
  • 4771: Kerberos pre-auth failure

Account Logon

These can be found via Event Viewer under Windows Logs -> Security. The Logon ID is the session identifier.

  • 4624: Successful logon/login
  • 4625: Failed logon/login
  • 4634 and 4647: Logoff
  • 4779: Session disconnect

Logon Types

  • 10: RDP
  • 3: Network

Scheduled Tasks

  • 4698: Scheduled task creation

  • 4702: Scheduled task updated

  • 4699: Scheduled task deletion

  • 106 Task registered

  • 100 Task started

  • 129 Created Task Process

System

  • 7045: Service installation

Security

These can be found via Event Viewer under Windows Logs -> Security

  • 1100: Logging service disabled
  • 1102: Log deletion
  • 1116: Windows Defender Malware detection
  • 1117: Windows Defender Malware quarantined
  • 4697: Service installation (subsection of 7045)
  • 5001: Windows Defender disabled
  • 5007: Windows Defender configuration changed

Powershell

Applications and Services Logs -> Windows Powershell and Apps and Services Logs -> Microsoft -> Windows -> Powershell -> Operational

  • 600: Opening Powershell
  • 4104: Powershell command executed

In addition check Powershell's history file on path C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

RDP

Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational

  • 21: RDP Connect
  • 24: RDP Disconnect
  • 25: RDP Reconnect