Windows Event Log
Dump Logfile
Windows event log files (.evtx) can be dumped with evtx_dump, either as plain text or as JSON (-o json) for further processing:
evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log
Event IDs
Process
- 1: Process Creation
Files
- 11: File opened
Account Management
- 4719: Attempt to change a policy
- 4720: User account creation
- 4722: User account enabled
- 4723: Attempt to change an account password (a user changing their own password)
- 4724: Attempt to reset an account password (a user resetting the password of another account)
- 4725: Account disabled
- 4726: Account removed
- 4728: Attempt to add an account to a global security group
- 4729: Attempt to remove an account from a global security group
- 4756: Attempt to add an account to a universal security group
- 4757: Attempt to remove an account from a universal security group
Account Logon
- 4624: Successful logon
- 4625: Failed logon
- 4634 and 4647: Logoff
- 4779: Session disconnect
Scheduled Tasks
- 4698: Scheduled task creation
- 4702: Scheduled task updated
- 4699: Scheduled task deletion
Security
- 1100: Logging service disabled
- 1102: Log deletion
- 1116: Malware detection
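As an added example (not part of the original notes), the JSON dump from the command above can be triaged against the event IDs listed here. The sample records are constructed; the "Record N" separator lines and the `{"#attributes": ..., "#text": ...}` form of EventID are assumed properties of evtx_dump's JSON output.

```python
import json
# Event IDs taken from the lists above, with the page's description of each.
WATCHLIST = {
    1100: "Logging service disabled",
    1102: "Log deletion",
    4625: "Failed logon",
    4698: "Scheduled task creation",
    4720: "User account creation",
}

# Constructed sample of `evtx_dump -o json` output, trimmed to the fields used here;
# assumed layout: one JSON object per record, each preceded by a "Record N" line.
SAMPLE_DUMP = """Record 1
{"Event": {"System": {"EventID": 4624,
  "TimeCreated": {"#attributes": {"SystemTime": "2024-01-01T10:00:00Z"}}}}}
Record 2
{"Event": {"System": {"EventID": {"#attributes": {"Qualifiers": 0}, "#text": 4720},
  "TimeCreated": {"#attributes": {"SystemTime": "2024-01-01T10:05:00Z"}}},
  "EventData": {"TargetUserName": "svc_backup"}}}
Record 3
{"Event": {"System": {"EventID": 1102,
  "TimeCreated": {"#attributes": {"SystemTime": "2024-01-01T10:06:00Z"}}}}}
"""

def iter_records(dump: str):
    """Yield every JSON object in the dump, skipping 'Record N' separators and whitespace."""
    decoder = json.JSONDecoder()
    pos = 0
    while (start := dump.find("{", pos)) != -1:
        obj, pos = decoder.raw_decode(dump, start)
        yield obj

def event_id(record: dict) -> int:
    """EventID is a bare int, or {"#attributes": ..., "#text": n} when the element had attributes."""
    raw = record["Event"]["System"]["EventID"]
    if isinstance(raw, dict):
        raw = raw["#text"]
    return int(raw)

def triage(dump: str) -> list:
    """Return (timestamp, event id, description) for every record whose ID is on the watchlist."""
    hits = []
    for rec in iter_records(dump):
        eid = event_id(rec)
        if eid in WATCHLIST:
            when = rec["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"]
            hits.append((when, eid, WATCHLIST[eid]))
    return hits
```

Run `triage(open("event.log").read())` on a real dump; the 4720 followed by a 1102 in the sample is the kind of sequence (new account, then cleared audit log) worth reviewing first.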