# Event: Windows Forensics Logs

### Windows event logs analysis

Event logs are stored as `.evtx` files under `C:\Windows\System32\winevt\Logs`.

#### Interesting log sources

| Log sources                                                                 | Context                                        |
| --------------------------------------------------------------------------- | ---------------------------------------------- |
| Security.evtx                                                               | Security-related events                        |
| System.evtx                                                                 | Tracks system component events                 |
| Application.evtx                                                            | Logs application-specific events               |
| Microsoft-Windows-Sysmon/Operational.evtx                                   | Enhanced process, network, and file monitoring |
| Microsoft-Windows-PowerShell/Operational.evtx                               | Records PowerShell activity                    |
| Microsoft-Windows-Windows Defender/Operational.evtx                         | Logs Windows Defender events                   |
| Microsoft-Windows-WMI-Activity/Operational.evtx                             | Logs WMI events                                |
| Microsoft-Windows-Bits Client/Operational.evtx                              | Logs BITS events                               |
| Microsoft-Windows-DNS Client/Operational.evtx                               | Logs DNS events                                |
| Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.evtx | Logs RDP session events                        |
| Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx               | Logs RDP session events                        |
| Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx     | Logs RDP session events                        |
| Microsoft-Windows-TaskScheduler/Operational.evtx                            | Logs Task Scheduler events                     |
| Microsoft-Windows-DNS-Server%4Operational.evtx                              | Active Directory Server Logs                   |
| Directory Service.evtx                                                      | Active Directory Server Logs                   |
| File Replication Service.evtx                                               | Active Directory Server Logs                   |
| %SystemDrive%\inetpub\logs\LogFiles                                         | IIS log                                        |
| %SystemRoot%\System32\LogFiles\HTTPERR                                      | IIS log                                        |
| %ProgramFiles%\Microsoft\Exchange Server\V15\Logging                        | Exchange log                                   |
| Panther\*.log                                                               | Windows setup details                          |
| RPC Client Access\*.log                                                     | Exchange Server, if applicable                 |
| Third party antivirus log                                                   | AV logs                                        |

#### Important Security Event IDs

| IDs            | Event log     | Context                                                                                           |
| -------------- | ------------- | ------------------------------------------------------------------------------------------------- |
| 4624           | Security      | Successful Login                                                                                  |
| 4625           | Security      | Failed Login                                                                                      |
| 4634/4647      | Security      | User Initiated Logoff/An Account was Logged Off                                                   |
| 4648           | Security      | A Logon was Attempted Using Explicit Credentials                                                  |
| 4656           | Security      | The object is requested                                                                           |
| 4657           | Security      | A registry value was modified                                                                     |
| 4662           | Security      | An Operation was Performed on an Object                                                           |
| 4663           | Security      | An Attempt was Made to Access an Object                                                           |
| 4672           | Security      | Special Logon                                                                                     |
| 4688           | Security      | Process Creation                                                                                  |
| 4689           | Security      | Process Termination                                                                               |
| 4697           | Security      | Service Installed                                                                                 |
| 4698/4702/4700 | Security      | Scheduled Task Created or Updated                                                                 |
| 4699           | Security      | Scheduled Task Deleted                                                                            |
| 4701           | Security      | Scheduled Task Enabled                                                                            |
| 4702           | Security      | Service Removed                                                                                   |
| 4720           | Security      | A User Account was Created                                                                        |
| 4722           | Security      | A User Account was Enabled                                                                        |
| 4723           | Security      | An Attempt was Made to Change an Account's Password                                               |
| 4724           | Security      | An Attempt was Made to Reset an Account's Password                                                |
| 4725           | Security      | A User Account was Disabled                                                                       |
| 4726           | Security      | A User Account was Deleted                                                                        |
| 4728           | Security      | A Member was Added to a Security-Enabled Global Group                                             |
| 4729           | Security      | A Member was Removed from a Security-Enabled Global Group                                         |
| 4732           | Security      | A Security-Enabled Local Group was Created - A member was added to a security-enabled local group |
| 4733           | Security      | A Security-Enabled Local Group was Changed                                                        |
| 4734           | Security      | A Security-Enabled Local Group was Deleted                                                        |
| 4741           | Security      | A Computer Account was Created                                                                    |
| 4742           | Security      | A Computer Account was Changed                                                                    |
| 4768           | Security (DC) | Kerberos TGT request                                                                              |
| 4769           | Security (DC) | Kerberos Service Ticket request                                                                   |
| 4771           | Security      | Locked Out Account                                                                                |
| 4776           | Security      | NTLM authentication                                                                               |
| 4778           | Security      | Session Reconnected                                                                               |
| 4779           | Security      | Session Disconnected by User                                                                      |
| 4794           | Security      | An Attempt was Made to Set the Directory Services Restore Mode Administrator Password             |
| 5136           | Security      | Directory Service Changes                                                                         |
| 5140           | Security      | A Network Share Object was Accessed                                                               |
| 5141           | Security      | A Directory Service Object was Deleted                                                            |
| 5145           | Security      | Network Share Object was Checked                                                                  |
| 5156           | Security      | The Windows Filtering Platform has permitted a connection                                         |
| 5376           | Security      | Credential Manager Credentials Submitted                                                          |
| 5377           | Security      | Credential Manager Credentials Auto-Logon                                                         |
| 1102           | Security      | Event Log Cleared                                                                                 |
| 1100           | Security      | Event Log Service Shutdown                                                                        |

#### Logon type corresponding to successful (4624) or failed (4625) logins

| Logon Type | Explanation                                                                   |
| ---------- | ----------------------------------------------------------------------------- |
| 2          | Logon via console                                                             |
| 3          | Network Logon. A user or computer logged on to this computer from the network |
| 4          | Batch Logon (Task scheduler and AT)                                           |
| 5          | Windows Service logon                                                         |
| 7          | Credentials used to unlock screen                                             |
| 8          | Network logon sending credentials (cleartext)                                 |
| 9          | Different credentials used than logon user                                    |
| 10         | Remote Interactive logon (RDP)                                                |
| 11         | Cached credentials used to logon                                              |
| 12         | Cached remote interactive (RDP)                                               |
| 13         | Cached Unlock (Similar to logon type 7)                                       |

#### Important Event IDs from other logs

| IDs   | Event log                                                              | Context                                                               |
| ----- | ---------------------------------------------------------------------- | --------------------------------------------------------------------- |
| 7045  | System                                                                 | Service installed                                                     |
| 7034  | System                                                                 | The service terminated unexpectedly                                   |
| 7035  | System                                                                 | Service Control Manager                                               |
| 7036  | System                                                                 | Service State Change                                                  |
| 7040  | System                                                                 | Service was changed from disabled to auto start.                      |
| 7001  | System                                                                 | Service Start Failed                                                  |
| 1001  | System                                                                 | BSOD                                                                  |
| 6005  | System                                                                 | Start-up time of the machine                                          |
| 6006  | System                                                                 | Shutdown time of the machine                                          |
| 104   | System                                                                 | Log cleared                                                           |
| 2003  | Microsoft-Windows-Windows Firewall with Advanced Security              | Firewall was disabled                                                 |
| 2004  | Microsoft-Windows-Windows Firewall with Advanced Security              | Rule has been added to the Window Firewall exception list             |
| 2005  | Microsoft-Windows-Windows Firewall with Advanced Security              | Rule has been modified                                                |
| 2006  | Microsoft-Windows-Windows Firewall with Advanced Security              | Deleted firewall rule                                                 |
| 1116  | Microsoft-Windows-Windows Defender/Operational                         | Defender Antivirus has detected malware                               |
| 1117  | Microsoft-Windows-Windows Defender/Operational                         | Action taken                                                          |
| 1006  | Microsoft-Windows-Windows Defender/Operational                         | Scan result                                                           |
| 5001  | Microsoft-Windows-Windows Defender/Operational                         | Disabling Real Time Protection                                        |
| 5007  | Microsoft-Windows-Windows Defender/Operational                         | Excluded Files and Folders                                            |
| 4103  | Microsoft-Windows-PowerShell/Operational                               | Module logging                                                        |
| 4104  | Microsoft-Windows-PowerShell/Operational                               | Script Block Logging - Executing a Remote Command                     |
| 4105  | Microsoft-Windows-PowerShell/Operational                               | Transcription Logging                                                 |
| 4688  | Microsoft-Windows-PowerShell/Operational                               | Process Creation (including PowerShell processes)                     |
| 400   | Windows PowerShell                                                     | Start of a PowerShell activity, whether local or remote.              |
| 403   | Windows PowerShell                                                     | Completion of a PowerShell activity                                   |
| 800   | Windows PowerShell                                                     | Pipeline execution                                                    |
| 3     | Microsoft-Windows-Bits Client/Operational                              | BITS job was created                                                  |
| 4     | Microsoft-Windows-Bits Client/Operational                              | BITS Job was completed                                                |
| 59    | Microsoft-Windows-Bits Client/Operational                              | BITS Job was started/resumed                                          |
| 60    | Microsoft-Windows-Bits Client/Operational                              | BITS Job was stopped. (Status code defines whether successful or not) |
| 16403 | Microsoft-Windows-Bits Client                                          | BITS Job parameters were defined                                      |
| 1000  | Application                                                            | Application Error/crash                                               |
| 1001  | Application                                                            | Application Error reporting                                           |
| 1002  | Application                                                            | Application Hang                                                      |
| 1024  | Application                                                            | Software Installation                                                 |
| 1040  | Application                                                            | User Initiated Software Installation                                  |
| 1033  | Application                                                            | Software installed                                                    |
| 1034  | Application                                                            | Windows Installer removed the product                                 |
| 3006  | Microsoft-Windows-DNS Client/Operational                               | DNS query was called                                                  |
| 3010  | Microsoft-Windows-DNS Client/Operational                               | DNS query sent to DNS server                                          |
| 3011  | Microsoft-Windows-DNS Client/Operational                               | Received response from DNS server                                     |
| 11707 | Application                                                            | Installation operation completed successfully                         |
| 11708 | Application                                                            | Installation failed                                                   |
| 11724 | Application                                                            | Installation completed successfully                                   |
| 1     | Microsoft-Windows-Sysmon/Operational                                   | Process Creation                                                      |
| 2     | Microsoft-Windows-Sysmon/Operational                                   | A process changed a file creation time                                |
| 3     | Microsoft-Windows-Sysmon/Operational                                   | Network connection detected                                           |
| 6     | Microsoft-Windows-Sysmon/Operational                                   | Driver Loaded                                                         |
| 7     | Microsoft-Windows-Sysmon/Operational                                   | Image Loaded                                                          |
| 8     | Microsoft-Windows-Sysmon/Operational                                   | CreateRemoteThread                                                    |
| 10    | Microsoft-Windows-Sysmon/Operational                                   | ProcessAccess                                                         |
| 11    | Microsoft-Windows-Sysmon/Operational                                   | FileCreate                                                            |
| 12    | Microsoft-Windows-Sysmon/Operational                                   | RegistryEvent (Object create and delete)                              |
| 1149  | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP User authentication succeeded                                     |
| 21    | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP Session logon succeeded                                           |
| 24    | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP Session has been disconnected                                     |
| 25    | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP Session reconnection succeeded                                    |
| 131   | RDPCoreTS                                                              | RDP connection is first established                                   |
| 106   | Task Scheduler                                                         | New scheduled task is created                                         |
| 140   | Task Scheduler                                                         | Scheduled task is updated                                             |
| 141   | Task Scheduler                                                         | User deleted Task Scheduler task                                      |
| 200   | Task Scheduler                                                         | Task executed                                                         |
| 201   | Task Scheduler                                                         | Task scheduler successfully completed the task                        |
| 5857  | WMI-Activity Operational                                               | WMI activity is detected                                              |
| 5858  | WMI-Activity Operational                                               | WMI error                                                             |
| 5859  | WMI-Activity Operational                                               | Subscription-based activity                                           |
| 5860  | WMI-Activity Operational                                               | Detailed subscription-based activity                                  |
| 5861  | WMI-Activity Operational                                               | Permanent subscription activity                                       |

Event ID KB: <https://system32.eventsentry.com/> and <https://www.myeventlog.com/search/browse>

### File sharing

#### Windows Admin share (net use)

| Event Log          | Event ID                                 | Computer    |
| ------------------ | ---------------------------------------- | ----------- |
| Security           | 4648                                     | Source      |
| SMBClient-Security | 31001                                    | Source      |
| Security           | 4624, 4672, 4776, 4768, 4769, 5140, 5145 | Destination |

### Remote login

#### RDP

| Event Log                            | Event ID                               | Computer    |
| ------------------------------------ | -------------------------------------- | ----------- |
| Security                             | 4648                                   | Source      |
| RDPClient Operational                | 1024, 1025, 1026, 1102                 | Source      |
| Security                             | 4624 (logon type 10 or 12), 4778, 4779 | Destination |
| RDPCoreTS Operational                | 131, 98, 99                            | Destination |
| RemoteConnection Manager Operational | 216, 1149                              | Destination |
| RemoteConnection Manager Admin       | 1158                                   | Destination |
| LocalSession Manager Operational     | 21, 23, 24, 25, 41                     | Destination |

#### SSH

| Event Log | Event ID             | Computer    |
| --------- | -------------------- | ----------- |
| Security  | 4624, 4625, 4688, 5154 | Destination |
| System    | 10016                | Destination |

### Remote Execution

#### Pass-The-Hash-Ticket (WCE)

| Event Log | Event ID                | Computer    |
| --------- | ----------------------- | ----------- |
| System    | 7045, 7036 (WCESERVICE) | Source      |
| Security  | 4624, 4634              | Destination |
| Security  | 4776, 4771, 5156        | DC          |

#### Pass-The-Hash-Ticket (Mimikatz)

| Event Log | Event ID               | Computer    |
| --------- | ---------------------- | ----------- |
| Security  | 4624, 4672, 4634       | Destination |
| Security  | 4776, 4771, 5156, 4769 | DC          |

#### PsExec

| Event Log | Event ID                             | Computer    |
| --------- | ------------------------------------ | ----------- |
| Security  | 4648                                 | Source      |
| Security  | 4624 (Logon type 3 or 2), 4672, 5140 | Destination |
| System    | 7045, 7036                           | Destination |

#### Remote Services

| Event Log | Event ID                     | Computer    |
| --------- | ---------------------------- | ----------- |
| Security  | 4624 (Logon type 3), 4697    | Destination |
| System    | 7034, 7035, 7036, 7040, 7045 | Destination |

#### Scheduled Task

| Event Log                  | Event ID                                 | Computer    |
| -------------------------- | ---------------------------------------- | ----------- |
| Security                   | 4648                                     | Source      |
| Security                   | 4672, 4624, 4698, 4702, 4699, 4700, 4701 | Destination |
| Task scheduler Operational | 106, 140, 141, 200, 201                  | Destination |

#### WMIC

| Event Log                | Event ID       | Computer    |
| ------------------------ | -------------- | ----------- |
| Security                 | 4648           | Source      |
| Security                 | 4624, 4672     | Destination |
| WMI Activity Operational | 5857, 5860, 5861 | Destination |

#### WinRM and PowerShell

| Event Log              | Event ID                       | Computer    |
| ---------------------- | ------------------------------ | ----------- |
| Security               | 4648                           | Source      |
| WinRM Operational      | 6, 8, 15, 16, 33               | Source      |
| PowerShell Operational | 40691, 40692, 8193, 8194, 8197 | Source      |
| Security               | 4624, 4672                     | Destination |
| PowerShell Operational | 4103, 4104, 53504              | Destination |
| PowerShell             | 400, 403, 800                  | Destination |
| WinRM                  | 91, 168                        | Destination |

#### SMB

| Event Log              | Event ID                                | Computer |
| ---------------------- | --------------------------------------- | -------- |
| Security               | 4688, 4624, 4656, 5140, 5142, 5143, 5144, 5145 | Source   |
| SMB Server Operational | 4100, 4103, 4104, 800, 4104, 40961, 40962       | Source   |

#### DCOM

| Event Log | Event ID                          | Computer    |
| --------- | --------------------------------- | ----------- |
| Security  | 4624, 4662, 4688, 4697, 4698, 4702 | Destination |

#### File Transfer

| Event Log                                 | Event ID   | Computer    |
| ----------------------------------------- | ---------- | ----------- |
| Security                                  | 4688       | Destination |
| Microsoft-Windows-PowerShell/Operational  | 4103, 4104 | Destination |
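As an added example (not part of the original cheat sheet), the Python script below applies two of the tables above to exported event XML in the layout that `wevtutil qe Security /f:xml` writes: it decodes 4624 logon types using the logon-type table and looks for the destination-side PsExec pattern from the Remote Execution table (7045 in System alongside 4624 type 3, 4672 and 5140 in Security within a short window). The sample records, user names, IP addresses, service name and the two-minute window are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types from the 4624/4625 table above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive (RDP)",
               11: "CachedInteractive", 12: "CachedRemoteInteractive (RDP)", 13: "CachedUnlock"}

def parse_events(xml_text):
    """Flatten exported event XML into dicts: id, channel, time, plus every EventData field."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # exports carry no root element
    out = []
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        ts = sysnode.find("e:TimeCreated", NS).get("SystemTime")
        rec = {"id": int(sysnode.find("e:EventID", NS).text),
               "channel": sysnode.find("e:Channel", NS).text,
               "time": datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        out.append(rec)
    return out

def remote_logons(events):
    """4624 events whose logon type (3, 10, 12) means the session came in over the network."""
    hits = []
    for e in events:
        if e["id"] == 4624 and e["channel"] == "Security":
            lt = int(e.get("LogonType", "0"))
            if lt in (3, 10, 12) and e.get("IpAddress", "-") not in ("-", "127.0.0.1", "::1"):
                hits.append((e["TargetUserName"], LOGON_TYPES[lt], e["IpAddress"]))
    return hits

def psexec_like(events, window=timedelta(minutes=2)):
    """Destination-side PsExec pattern from the Remote Execution table: a 7045 service
    install in System with 4624 (type 3), 4672 and 5140 in Security within +/- window."""
    found = []
    for svc in (e for e in events if e["id"] == 7045 and e["channel"] == "System"):
        near = {e["id"] for e in events
                if e["channel"] == "Security" and abs(e["time"] - svc["time"]) <= window
                and (e["id"] != 4624 or e.get("LogonType") == "3")}
        if {4624, 4672, 5140} <= near:
            found.append((svc.get("ServiceName"), svc.get("ImagePath")))
    return found

E = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
# Constructed sample records (not real logs), in the layout wevtutil /f:xml produces.
SAMPLE_XML = rf"""
{E}<System><EventID>4624</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2024-03-01T10:15:02Z"/></System><EventData>
<Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">3</Data>
<Data Name="IpAddress">10.0.5.23</Data></EventData></Event>
{E}<System><EventID>4672</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2024-03-01T10:15:02Z"/></System><EventData>
<Data Name="SubjectUserName">svc_backup</Data></EventData></Event>
{E}<System><EventID>5140</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2024-03-01T10:15:03Z"/></System><EventData>
<Data Name="ShareName">\\*\ADMIN$</Data><Data Name="IpAddress">10.0.5.23</Data></EventData></Event>
{E}<System><EventID>7045</EventID><Channel>System</Channel>
<TimeCreated SystemTime="2024-03-01T10:15:04Z"/></System><EventData>
<Data Name="ServiceName">PSEXESVC</Data><Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data>
</EventData></Event>
{E}<System><EventID>4624</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2024-03-01T11:02:10Z"/></System><EventData>
<Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">10.0.5.40</Data></EventData></Event>
{E}<System><EventID>4624</EventID><Channel>Security</Channel>
<TimeCreated SystemTime="2024-03-01T11:30:00Z"/></System><EventData>
<Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">2</Data>
<Data Name="IpAddress">-</Data></EventData></Event>
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    print("remote logons:", remote_logons(events))
    print("PsExec-like service installs:", psexec_like(events))
```

On a real host, feed it `wevtutil qe Security /f:xml` and `wevtutil qe System /f:xml` output concatenated; the local type-2 console logon in the sample is correctly left out of the remote list.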
