Event: Windows Forensics Logs

Referrer: https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html

Windows event logs analysis

Located at C:\Windows\System32\winevt\Logs

Interesting log sources

| Log source | Context |
|---|---|
| Security.evtx | Security-related events |
| System.evtx | Tracks system component events |
| Application.evtx | Logs application-specific events |
| Microsoft-Windows-Sysmon/Operational.evtx | Enhanced process, network, and file monitoring |
| Microsoft-Windows-PowerShell/Operational.evtx | Records PowerShell activity |
| Microsoft-Windows-Windows Defender/Operational.evtx | Logs Windows Defender events |
| Microsoft-Windows-WMI-Activity/Operational.evtx | Logs WMI events |
| Microsoft-Windows-Bits Client/Operational.evtx | Logs BITS events |
| Microsoft-Windows-DNS Client/Operational.evtx | Logs DNS events |
| Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.evtx | Logs RDP session events |
| Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx | Logs RDP session events |
| Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx | Logs RDP session events |
| Microsoft-Windows-TaskScheduler/Operational.evtx | Logs Task Scheduler events |
| Microsoft-Windows-DNS-Server%4Operational.evtx | Active Directory Server Logs |
| Directory Service.evtx | Active Directory Server Logs |
| File Replication Service.evtx | Active Directory Server Logs |
| %SystemDrive%\inetpub\logs\LogFiles | IIS log |
| %SystemRoot%\System32\LogFiles\HTTPERR | IIS log |
| %ProgramFiles%\Microsoft\Exchange Server\V15\Logging | Exchange log |
| Panther*.log | Windows setup details |
| RPC Client Access*.log | Exchange Server, if applicable |
| Third party antivirus log | AV logs |

Important Security Event IDs

| ID | Event log | Context |
|---|---|---|
| 4624 | Security | Successful Login |
| 4625 | Security | Failed Login |
| 4634/4647 | Security | User Initiated Logoff/An Account was Logged Off |
| 4648 | Security | A Logon was Attempted Using Explicit Credentials |
| 4656 | Security | The object is requested |
| 4657 | Security | A registry value was modified |
| 4662 | Security | An Operation was Performed on an Object |
| 4663 | Security | An Attempt was Made to Access an Object |
| 4672 | Security | Special Logon |
| 4688 | Security | Process Creation |
| 4689 | Security | Process Termination |
| 4697 | Security | Service Installed |
| 4698/4702/4700 | Security | Scheduled Task Created or Updated |
| 4699 | Security | Scheduled Task Deleted |
| 4701 | Security | Scheduled Task Enabled |
| 4702 | Security | Service Removed |
| 4720 | Security | A User Account was Created |
| 4722 | Security | A User Account was Enabled |
| 4723 | Security | An Attempt was Made to Change an Account's Password |
| 4724 | Security | An Attempt was Made to Reset an Account's Password |
| 4725 | Security | A User Account was Disabled |
| 4726 | Security | A User Account was Deleted |
| 4728 | Security | A Member was Added to a Security-Enabled Global Group |
| 4729 | Security | A Member was Removed from a Security-Enabled Global Group |
| 4732 | Security | A Security-Enabled Local Group was Created / A member was added to a security-enabled local group |
| 4733 | Security | A Security-Enabled Local Group was Changed |
| 4734 | Security | A Security-Enabled Local Group was Deleted |
| 4741 | Security | A Computer Account was Created |
| 4742 | Security | A Computer Account was Changed |
| 4768 | Security (DC) | Kerberos TGT request |
| 4769 | Security (DC) | Kerberos Service Ticket request |
| 4771 | Security | Locked Out Account |
| 4776 | Security | NTLM authentication |
| 4778 | Security | Session Reconnected |
| 4779 | Security | Session Disconnected by User |
| 4794 | Security | An Attempt was Made to Set the Directory Services Restore Mode Administrator Password |
| 5136 | Security | Directory Service Changes |
| 5140 | Security | A Network Share Object was Accessed |
| 5141 | Security | A Directory Service Object was Deleted |
| 5145 | Security | Network Share Object was Checked |
| 5156 | Security | The Windows Filtering Platform has permitted a connection |
| 5376 | Security | Credential Manager Credentials Submitted |
| 5377 | Security | Credential Manager Credentials Auto-Logon |
| 1102 | Security | Event Log Cleared |
| 1100 | Security | Event Log Service Shutdown |

Logon types corresponding to successful (4624) or failed (4625) logins

| Logon Type | Explanation |
|---|---|
| 2 | Logon via console |
| 3 | Network Logon. A user or computer logged on to this computer from the network |
| 4 | Batch Logon (Task Scheduler and AT) |
| 5 | Windows Service logon |
| 7 | Credentials used to unlock screen |
| 8 | Network logon sending credentials (cleartext) |
| 9 | Different credentials used than logon user |
| 10 | Remote Interactive logon (RDP) |
| 11 | Cached credentials used to logon |
| 12 | Cached remote interactive (RDP) |
| 13 | Cached Unlock (similar to logon type 7) |
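The Security event IDs and logon types listed above are what an analyst applies to exported records. As an added example that is not part of the original cheatsheet, the Python below parses Security events in the channel's XML schema (the form produced by Get-WinEvent's .ToXml() or evtx-to-XML tools), annotates each 4624 with the logon-type meaning from the table, flags a burst of 4625 failures from one source address followed by a 4624 from the same address, and lists 1102 (Security) and 104 (System) log-cleared events. The field names (EventID, Channel, TimeCreated, IpAddress, TargetUserName, LogonType) are the real schema; the records, hostnames, addresses, threshold and window are constructed.

```python
"""Triage Security-channel logons from their XML form.  Added example: the
records built below are constructed, not taken from a real system."""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon-type explanations, transcribed from the table above
LOGON_TYPES = {
    2: "Interactive (console)", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive (RDP)", 11: "CachedInteractive",
    12: "CachedRemoteInteractive", 13: "CachedUnlock",
}


def parse_time(system_time):
    """Windows writes 7 fractional digits; datetime.fromisoformat accepts at most 6."""
    s = system_time.replace("Z", "+00:00")
    if "." in s:
        main, rest = s.split(".", 1)
        frac, tz = rest[:-6], rest[-6:]          # tz is the trailing "+00:00"
        s = f"{main}.{frac[:6].ljust(6, '0')}{tz}"
    return datetime.fromisoformat(s)


def parse_event(xml_text):
    """Flatten one <Event> into a dict: System fields plus every EventData/Data by Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "event_id": int(system.find("e:EventID", NS).text),
        "channel": system.find("e:Channel", NS).text,
        "computer": system.find("e:Computer", NS).text,
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }
    data = root.find("e:EventData", NS)
    if data is not None:
        for d in data.findall("e:Data", NS):
            event[d.get("Name")] = d.text
    return event


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a 4624 preceded by at least `threshold` 4625s from the same IpAddress within `window`."""
    failures = defaultdict(list)          # IpAddress -> times of 4625 seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != "Security":
            continue
        ip = ev.get("IpAddress")
        if ev["event_id"] == 4625:
            failures[ip].append(ev["time"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[ip] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append({
                    "ip": ip, "user": ev.get("TargetUserName"), "failures": len(recent),
                    "logon_type": LOGON_TYPES.get(int(ev.get("LogonType", 0)), "unknown"),
                    "time": ev["time"],
                })
    return hits


def log_cleared(events):
    """1102 (Security) and 104 (System) mark a cleared log; each one deserves its own look."""
    return [ev for ev in events
            if (ev["channel"], ev["event_id"]) in {("Security", 1102), ("System", 104)}]


def _xml(event_id, system_time, channel="Security", computer="WS01", **data):
    """Build a minimal record in the real event schema (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>{channel}</Channel><Computer>{computer}</Computer>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample: six failures from 10.0.0.5 in under a minute, then a success
# from the same address; an unrelated RDP logon; and a cleared Security log.
SAMPLE_XML = (
    [_xml(4625, f"2024-01-10T08:00:{i * 10:02d}.1234567Z", IpAddress="10.0.0.5",
          TargetUserName="svc_backup", LogonType="3") for i in range(6)]
    + [_xml(4624, "2024-01-10T08:01:30Z", IpAddress="10.0.0.5",
            TargetUserName="svc_backup", LogonType="3"),
       _xml(4624, "2024-01-10T08:05:00Z", IpAddress="10.0.0.9",
            TargetUserName="alice", LogonType="10"),
       _xml(1102, "2024-01-10T08:20:00Z")]
)
SAMPLE_EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    for hit in failed_then_success(SAMPLE_EVENTS):
        print(f"{hit['time']:%H:%M:%S} {hit['ip']} -> {hit['user']} "
              f"after {hit['failures']} failures ({hit['logon_type']})")
    for ev in log_cleared(SAMPLE_EVENTS):
        print(f"{ev['time']:%H:%M:%S} {ev['channel']} log cleared on {ev['computer']}")
```

On real data, feed parse_event the XML of each record and tune threshold and window to the host's baseline; a service account that fails six times and then succeeds from the same address is worth a second look regardless of the logon type, and the logon type tells you whether to pivot to the RDP or network-share tables below.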

Important Event IDs from other logs

| ID | Event log | Context |
|---|---|---|
| 7045 | System | Service installed |
| 7034 | System | The service terminated unexpectedly |
| 7035 | System | Service Control Manager |
| 7036 | System | Service State Change |
| 7040 | System | Service was changed from disabled to auto start |
| 7001 | System | Service Start Failed |
| 1001 | System | BSOD |
| 6005 | System | Start-up time of the machine |
| 6006 | System | Shutdown time of the machine |
| 104 | System | Log cleared |
| 2003 | Microsoft-Windows-Windows Firewall with Advanced Security | Firewall was disabled |
| 2004 | Microsoft-Windows-Windows Firewall with Advanced Security | Rule has been added to the Windows Firewall exception list |
| 2005 | Microsoft-Windows-Windows Firewall with Advanced Security | Rule has been modified |
| 2006 | Microsoft-Windows-Windows Firewall with Advanced Security | Deleted firewall rule |
| 1116 | Microsoft-Windows-Windows Defender/Operational | Defender Antivirus has detected malware |
| 1117 | Microsoft-Windows-Windows Defender/Operational | Action taken |
| 1006 | Microsoft-Windows-Windows Defender/Operational | Scan result |
| 5001 | Microsoft-Windows-Windows Defender/Operational | Disabling Real Time Protection |
| 5007 | Microsoft-Windows-Windows Defender/Operational | Excluded Files and Folders |
| 4103 | Microsoft-Windows-PowerShell/Operational | Module logging |
| 4104 | Microsoft-Windows-PowerShell/Operational | Script Block Logging - Executing a Remote Command |
| 4105 | Microsoft-Windows-PowerShell/Operational | Transcription Logging |
| 4688 | Microsoft-Windows-PowerShell/Operational | Process Creation (including PowerShell processes) |
| 400 | Windows PowerShell | Start of a PowerShell activity, whether local or remote |
| 403 | Windows PowerShell | Completion of a PowerShell activity |
| 800 | Windows PowerShell | Pipeline execution |
| 3 | Microsoft-Windows-Bits Client/Operational | BITS job was created |
| 4 | Microsoft-Windows-Bits Client/Operational | BITS job was completed |
| 59 | Microsoft-Windows-Bits Client/Operational | BITS job was started/resumed |
| 60 | Microsoft-Windows-Bits Client/Operational | BITS job was stopped (status code defines whether successful or not) |
| 16403 | Microsoft-Windows-Bits Client | BITS job parameters were defined |
| 1000 | Application | Application Error/crash |
| 1001 | Application | Application Error reporting |
| 1002 | Application | Application Hang |
| 1024 | Application | Software Installation |
| 1040 | Application | User Initiated Software Installation |
| 1033 | Application | Software installed |
| 1034 | Application | Windows Installer removed the product |
| 3006 | Microsoft-Windows-DNS Client/Operational | DNS query was called |
| 3010 | Microsoft-Windows-DNS Client/Operational | DNS query sent to DNS server |
| 3011 | Microsoft-Windows-DNS Client/Operational | Received response from DNS server |
| 11707 | Application | Installation operation completed successfully |
| 11708 | Application | Installation failed |
| 11724 | Application | Installation completed successfully |
| 1 | Microsoft-Windows-Sysmon/Operational | Process Creation |
| 2 | Microsoft-Windows-Sysmon/Operational | A process changed a file creation time |
| 3 | Microsoft-Windows-Sysmon/Operational | Network connection detected |
| 6 | Microsoft-Windows-Sysmon/Operational | Driver Loaded |
| 7 | Microsoft-Windows-Sysmon/Operational | Image Loaded |
| 8 | Microsoft-Windows-Sysmon/Operational | CreateRemoteThread |
| 10 | Microsoft-Windows-Sysmon/Operational | ProcessAccess |
| 11 | Microsoft-Windows-Sysmon/Operational | FileCreate |
| 12 | Microsoft-Windows-Sysmon/Operational | RegistryEvent (Object create and delete) |
| 1149 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP User authentication succeeded |
| 21 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP Session logon succeeded |
| 24 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP Session has been disconnected |
| 25 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP Session reconnection succeeded |
| 131 | RDPCoreTS | RDP connection is first established |
| 106 | Task Scheduler | New scheduled task is created |
| 140 | Task Scheduler | Scheduled task is updated |
| 141 | Task Scheduler | User deleted Task Scheduler task |
| 200 | Task Scheduler | Task executed |
| 201 | Task Scheduler | Task Scheduler successfully completed the task |
| 5857 | WMI-Activity Operational | WMI activity is detected |
| 5858 | WMI-Activity Operational | WMI error |
| 5859 | WMI-Activity Operational | Subscription-based activity |
| 5860 | WMI-Activity Operational | Detailed subscription-based activity |
| 5861 | WMI-Activity Operational | Permanent subscription activity |

Event ID KB: https://system32.eventsentry.com/ and https://www.myeventlog.com/search/browse

File sharing

Windows Admin share (net use)

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4648 | Source |
| SMBClient-Security | 31001 | Source |
| Security | 4624, 4672, 4776, 4768, 4769, 5140, 5145 | Destination |

Remote login

RDP

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4648 | Source |
| RDPClient Operational | 1024, 1025, 1026, 1102 | Source |
| Security | 4624 (logon type 10 or 12), 4778, 4779 | Destination |
| RDPCoreTS Operational | 131, 98, 99 | Destination |
| RemoteConnection Manager Operational | 216, 1149 | Destination |
| RemoteConnection Manager Admin | 1158 | Destination |
| LocalSession Manager Operational | 21, 23, 24, 25, 41 | Destination |

SSH

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4624, 4625, 4688, 5154 | Destination |
| System | 10016 | Destination |

Remote Execution

Pass-The-Hash-Ticket (WCE)

| Event Log | Event ID | Computer |
|---|---|---|
| System | 7045, 7036 (WCESERVICE) | Source |
| Security | 4624, 4634 | Destination |
| Security | 4776, 4771, 5156 | DC |

Pass-The-Hash-Ticket (Mimikatz)

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4624, 4672, 4634 | Destination |
| Security | 4776, 4771, 5156, 4769 | DC |

PsExec

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4648 | Source |
| Security | 4624 (Logon type 3 or 2), 4672, 5140 | Destination |
| System | 7045, 7036 | Destination |

Remote Services

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4624 (Logon type 3), 4697 | Destination |
| System | 7034, 7035, 7036, 7040, 7045 | Destination |

Scheduled Task

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4648 | Source |
| Security | 4672, 4624, 4698, 4702, 4699, 4700, 4701 | Destination |
| Task Scheduler Operational | 106, 140, 141, 200, 201 | Destination |

WMIC

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4648 | Source |
| Security | 4624, 4672 | Destination |
| WMI Activity Operational | 5857, 5860, 5861 | Destination |

WinRM and Powershell

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4648 | Source |
| WinRM Operational | 6, 8, 15, 16, 33 | Source |
| PowerShell Operational | 40691, 40692, 8193, 8194, 8197 | Source |
| Security | 4624, 4672 | Destination |
| PowerShell Operational | 4103, 4104, 53504 | Destination |
| PowerShell | 400, 403, 800 | Destination |
| WinRM | 91, 168 | Destination |

SMB

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4688, 4624, 4656, 5140, 5142, 5143, 5144, 5145 | Source |
| SMB Server Operational | 4100, 4103, 4104, 800, 4104, 40961, 40962 | Source |

DCOM

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4624, 4662, 4688, 4697, 4698, 4702 | Destination |

File Transfer

| Event Log | Event ID | Computer |
|---|---|---|
| Security | 4688 | Destination |
| Microsoft-Windows-PowerShell/Operational | 4103, 4104 | Destination |
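The Remote Execution tables pair each technique with the event IDs expected on the source host, the destination host and, where listed, the DC. As an added example that is not part of the original cheatsheet, the Python below turns three of those rows (PsExec, Scheduled Task, WMIC) into a data-driven check: given already-normalized events and a pivot time (for instance the time of a 7045 service install), it reports which indicators of each technique are present on the right host within a window around the pivot, and ranks the techniques by coverage. The indicator table is a partial transcription of the rows above; the events, hostnames, pivot and window are constructed, and the code does not parse .evtx files itself.

```python
"""Score a window of events against the per-technique indicator sets from the
Remote Execution tables.  Added example with constructed, pre-normalized events."""
from datetime import datetime, timedelta, timezone

# (role, channel, event ID, accepted logon types or None), transcribed from the
# PsExec, Scheduled Task and WMIC rows above (subset of the listed IDs).
TECHNIQUES = {
    "PsExec": [
        ("Source", "Security", 4648, None),
        ("Destination", "Security", 4624, {2, 3}),
        ("Destination", "Security", 4672, None),
        ("Destination", "Security", 5140, None),
        ("Destination", "System", 7045, None),
        ("Destination", "System", 7036, None),
    ],
    "Scheduled Task": [
        ("Source", "Security", 4648, None),
        ("Destination", "Security", 4624, None),
        ("Destination", "Security", 4672, None),
        ("Destination", "Security", 4698, None),
        ("Destination", "Task Scheduler Operational", 106, None),
        ("Destination", "Task Scheduler Operational", 200, None),
    ],
    "WMIC": [
        ("Source", "Security", 4648, None),
        ("Destination", "Security", 4624, None),
        ("Destination", "Security", 4672, None),
        ("Destination", "WMI Activity Operational", 5857, None),
        ("Destination", "WMI Activity Operational", 5860, None),
        ("Destination", "WMI Activity Operational", 5861, None),
    ],
}


def score_technique(events, technique, source, destination, pivot,
                    window=timedelta(minutes=5)):
    """Which indicators of `technique` appear on the expected host within +/- window of pivot."""
    hosts = {"Source": source, "Destination": destination}
    in_window = [e for e in events if abs(e["time"] - pivot) <= window]
    matched, missing = [], []
    for role, channel, event_id, logon_types in TECHNIQUES[technique]:
        found = [
            e for e in in_window
            if e["computer"] == hosts[role]
            and e["channel"] == channel
            and e["event_id"] == event_id
            and (logon_types is None or e.get("logon_type") in logon_types)
        ]
        (matched if found else missing).append((role, channel, event_id))
    return {"technique": technique, "matched": matched, "missing": missing,
            "coverage": len(matched) / len(TECHNIQUES[technique])}


def rank_techniques(events, source, destination, pivot, window=timedelta(minutes=5)):
    """Score every technique and return the list sorted by coverage, best first."""
    results = [score_technique(events, t, source, destination, pivot, window)
               for t in TECHNIQUES]
    return sorted(results, key=lambda r: r["coverage"], reverse=True)


def _ev(t, computer, channel, event_id, logon_type=None):
    """Constructed normalized event (what a parser would hand over)."""
    return {"time": datetime.fromisoformat(t).replace(tzinfo=timezone.utc),
            "computer": computer, "channel": channel,
            "event_id": event_id, "logon_type": logon_type}


# Constructed sample: WS01 -> SRV01 with the full PsExec pattern, plus noise
SAMPLE_EVENTS = [
    _ev("2024-01-10T03:00:00", "SRV01", "Security", 4624, 10),  # earlier RDP logon, outside window
    _ev("2024-01-10T08:00:00", "WS01", "Security", 4648),
    _ev("2024-01-10T08:00:02", "SRV01", "Security", 4624, 3),
    _ev("2024-01-10T08:00:02", "SRV01", "Security", 4672),
    _ev("2024-01-10T08:00:03", "SRV01", "Security", 5140),
    _ev("2024-01-10T08:00:04", "SRV01", "System", 7045),
    _ev("2024-01-10T08:00:04", "SRV01", "System", 7036),
    _ev("2024-01-10T08:00:30", "WS02", "Security", 4648),       # other host, not the source
]
PIVOT = datetime(2024, 1, 10, 8, 0, 4, tzinfo=timezone.utc)   # time of the 7045 on SRV01

if __name__ == "__main__":
    for r in rank_techniques(SAMPLE_EVENTS, "WS01", "SRV01", PIVOT):
        print(f"{r['technique']:<15} coverage={r['coverage']:.2f} missing={r['missing']}")
```

Coverage is a triage aid, not a verdict: the three techniques share 4648/4624/4672, so only the technique-specific rows (7045, 106/200, 5857/5860/5861) separate them, and a high score still needs the event details (service name, task name, WMI operation) read by hand.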
