Windows Event Log
Dump Logfile
Windows Event Log files can be dumped with evtx_dump, either as text or as JSON:
evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log
Query Windows Events
One method is to use the GUI tool Event Viewer, another is to use PowerShell.
Use Get-WinEvent to filter by log (Security, System, etc., the same categories as in Event Viewer) and by Event IDs with the following line (fl is the alias of Format-List, which prints every property of each event):
Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
Event IDs
Process (Sysmon)
- 1: Process Creation
Files (Sysmon)
- 11: File opened
Account Management
- 4719: Attempt to change a policy
- 4720: User account creation
- 4722: User account enabled
- 4723: Attempt to change an account password (the user changes their own password)
- 4724: Attempt to reset an account password (the user resets the password of another account)
- 4725: Account disabled
- 4726: Account removed from system
- 4728: Attempt to add an account to a global security group
- 4729: Attempt to remove an account from a global security group
- 4738: User account properties were changed
- 4740: User account was locked after repeated failed logon attempts
- 4756: Attempt to add an account to a universal security group
- 4757: Attempt to remove an account from a universal security group
- 4768: Kerberos TGT request
- 4771: Kerberos pre-auth failure
Account Logon
- 4624: Successful logon
- 4625: Failed logon
- 4634 and 4647: Logoff
- 4779: Session disconnect
Scheduled Tasks
- 4698: Scheduled task creation
- 4702: Scheduled task updated
- 4699: Scheduled task deletion
System
- 7045: Service installation
Security
- 1100: Logging service disabled
- 1102: Log deletion
- 1116: Malware detection
- 4697: Service installation (Security-log counterpart of System event 7045)
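To put the dump and the ID list together, here is an added Python triage script (not part of the original notes) that reads evtx_dump JSON output, counts events per category above and lists the ones worth reviewing individually. It assumes the evtx_dump record layout Event > System > EventID/Channel/TimeCreated and that the dump is a stream of JSON documents rather than one array; both are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter

# Event IDs grouped as in the notes above (Security log unless noted).
CATEGORIES = {
    "Account Management": {4719, 4720, 4722, 4723, 4724, 4725, 4726, 4728,
                           4729, 4738, 4740, 4756, 4757, 4768, 4771},
    "Account Logon": {4624, 4625, 4634, 4647, 4779},
    "Scheduled Tasks": {4698, 4702, 4699}, "Service installation": {7045, 4697},
    "Logging tampered": {1100, 1102}, "Malware detection": {1116},
}
# Worth reviewing one by one: log cleared/stopped, new services/tasks, new accounts, group adds.
HIGH_INTEREST = {1100, 1102, 4697, 7045, 4698, 4720, 4728, 4756}

def iter_records(text):
    """Yield each JSON object in evtx_dump output (assumed: a stream of documents, not one array)."""
    dec, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = dec.raw_decode(text, pos)
        yield obj

def event_id(rec):
    """EventID is a bare int, or {'#text': n, '#attributes': {...}} when qualifiers are present."""
    eid = rec["Event"]["System"]["EventID"]
    return int(eid["#text"] if isinstance(eid, dict) else eid)

def triage(text):
    """Return (events per category, [(time, id, channel)] for HIGH_INTEREST ids, time-ordered)."""
    counts, flagged = Counter(), []
    for rec in iter_records(text):
        eid, system = event_id(rec), rec["Event"]["System"]
        cat = next((c for c, ids in CATEGORIES.items() if eid in ids), "Other")
        counts[cat] += 1
        if eid in HIGH_INTEREST:
            when = system["TimeCreated"]["#attributes"]["SystemTime"]
            flagged.append((when, eid, system["Channel"]))
    return counts, sorted(flagged)

# Constructed sample in the assumed shape of evtx_dump JSON records (not real log data).
SAMPLE = """
{"Event":{"System":{"EventID":4624,"Channel":"Security","TimeCreated":{"#attributes":{"SystemTime":"2024-05-01T08:00:00Z"}}}}}
{"Event":{"System":{"EventID":{"#attributes":{"Qualifiers":16384},"#text":7045},"Channel":"System","TimeCreated":{"#attributes":{"SystemTime":"2024-05-01T08:01:00Z"}}}}}
{"Event": {"System": {"EventID": 1102, "Channel": "Security",
           "TimeCreated": {"#attributes": {"SystemTime": "2024-05-01T08:02:00Z"}}}}}
"""
```

Run it on a real dump with `triage(open("event.log").read())`; any 1100/1102 in the flagged list means the log itself was stopped or cleared and earlier events may be missing.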