98 lines
2.5 KiB
Markdown
98 lines
2.5 KiB
Markdown
# Windows Event Log
|
|
|
|
## Dump Logfile
|
|
|
|
Windows Event Logfiles can be dumped via
|
|
|
|
```sh
|
|
evtx_dump $EVENT_LOG > event.log
|
|
evtx_dump -o json $EVENT_LOG > event.log
|
|
```
|
|
|
|
## Query Windows Events
|
|
|
|
One method is to use the GUI Tool `Event Viewer`, another method is to use Powershell.
|
|
|
|
Use `Win-Event` to filter categories like Security or System (same categories
|
|
like in `Event Viewer`) and Event IDs throught the following line.
|
|
|
|
```sh
|
|
Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
|
|
```
|
|
|
|
## Event IDs
|
|
|
|
### Process
|
|
|
|
* **1**: Process Creation
|
|
|
|
### Files
|
|
|
|
* **11**: File opened
|
|
|
|
### Account Management
|
|
|
|
* **4719**: Attempt to change a policy
|
|
* **4720**: User account creation
|
|
* **4722**: User account enabled
|
|
* **4723**: Attempt to change an account password. The user attempts to change their password
|
|
* **4724**: Attempt to reset the account password. The user attempts to reset the password of another account
|
|
* **4725**: Account disable
|
|
* **4726**: Account removed from systemved from system
|
|
* **4728**: Attempt to add an account to a global security group
|
|
* **4729**: Attempt to remove an account from a global security group
|
|
* **4738**: User account properties were changed
|
|
* **4740**: User account was locked after repeated attempt of access
|
|
* **4756**: Attempt to add an account to a universal security group
|
|
* **4757**: Attempt to remove an account from a universal security group
|
|
* **4768**: Kerberos TGT request
|
|
* **4771**: Kerberos pre-auth failure
|
|
|
|
### Account Logon
|
|
|
|
* **4624**: Successful logon
|
|
* **4625**: Failed logon
|
|
* **4634** and **4647**: Logoff
|
|
* **4779**: Session disconnect
|
|
|
|
### Scheduled Tasks
|
|
|
|
* **4698**: Scheduled task creation
|
|
* **4702**: Scheduled task updated
|
|
* **4699**: Scheduled task deletion
|
|
|
|
* **106** Task registered
|
|
* **100** Task started
|
|
* **129** Created Task Process
|
|
|
|
### System
|
|
|
|
* **7045**: Service installation
|
|
|
|
### Security
|
|
|
|
* **1100**: Logging service disabled
|
|
* **1102**: Log deletion
|
|
* **1116**: Windows Defender Malware detection
|
|
* **1117**: Windows Defender Malware quarantined
|
|
* **4697**: Service installation (subsection of **7045**)
|
|
* **5001**: Windows Defender disabled
|
|
* **5007**: Windows Defender configuration changed
|
|
|
|
### Powershell
|
|
|
|
Applications and Services Logs -> Windows Powershell and Apps and Services Logs
|
|
-> Microsoft -> Windows -> Powershell -> Operational
|
|
|
|
* **600**: Opening Powershell
|
|
* **4104**: Powershell command executed
|
|
|
|
## RDP
|
|
|
|
Applications and Services Logs -> Microsoft -> Windows ->
|
|
TerminalServices-LocalSessionManager -> Operational
|
|
|
|
* **21**: RDP Connect
|
|
* **24**: RDP Disconnect
|
|
* **25**: RDP Reconnect
|