Windows Event IDs and Others for Situational Awareness

Below is a living list of Windows event IDs and other miscellaneous snippets that may be useful for situational awareness once you are on a box. Two practical caveats: reading the Security log needs an elevated shell (or membership in Event Log Readers), and Get-WinEvent raises an error rather than returning nothing when no events match a filter, so add `-ErrorAction SilentlyContinue` when scripting these lookups.

| Activity | PowerShell to read the event log |
| --- | --- |
| **Lock/screensaver** | |
| Workstation was locked | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4800 }` |
| Workstation was unlocked | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4801 }` |
| Screensaver invoked | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4802 }` |
| Screensaver dismissed | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4803 }` |
| **System ON/OFF** | |
| Windows is starting up | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4608 }` |
| System uptime | `Get-WinEvent -FilterHashtable @{ LogName='System'; Id=6013 }` |
| Windows is shutting down | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4609 }` |
| System has been shut down (shutdown/restart requested by a process) | `Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1074 }` |
| **System sleep/awake** | |
| System entering sleep mode | `Get-WinEvent -FilterHashtable @{ LogName='System'; Id=42 }` |
| System returning from sleep | `Get-WinEvent -FilterHashtable @{ LogName='System'; Id=1; ProviderName='Microsoft-Windows-Power-Troubleshooter' }` |
| **Logons** | |
| Successful logons | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 }` |
| Logons with explicit credentials | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4648 }` |
| Account logoffs | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4634 }` |
| **Access** | |
| Outbound RDP (client connecting to a server) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; Id=1024 } \| select TimeCreated, Message \| ft -AutoSize -Wrap` |
| Inbound RDP (session logon succeeded) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id=21 }` |
| Inbound RDP (user authentication succeeded) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id=1149 } \| ft -AutoSize -Wrap` |
| Outbound WinRM (WSMan session created) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id=6 }` |
| Outbound WinRM (request sent to a remote machine) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id=80 }` |
| Inbound WinRM (WSMan shell created on this host) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id=91 }` |
| Inbound WinRM/WMI (remote-query providers loaded) | `Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id=5857 } \| ? { $_.Message -match 'Win32_WIN32_TERMINALSERVICE_Prov\|CIMWin32' }` |
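The table above is a set of individual lookups; on a box you usually want them merged into one time-ordered view. The function below is an added example (not code from the original page): it runs every single-event lookup from the table over one time window and emits one object per event, sorted by time. The log names, event IDs, provider name and the 5857 message filter are the table's; the function name, the default 48-hour window, the labels and the output columns are assumptions made here.

```powershell
# Added example: merge the table's lookups into one timeline.
# Function name, time window, labels and columns are assumptions; IDs/logs are the table's.
function Get-HostActivityTimeline {
    [CmdletBinding()]
    param(
        # How far back to look; default is the last 48 hours.
        [datetime]$StartTime = (Get-Date).AddHours(-48)
    )

    # The Security log is unreadable without elevation; warn instead of silently
    # returning a timeline with all the 46xx/48xx entries missing.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Not elevated: Security log events (4608, 4624, 4648, 4800, ...) will be missing.'
    }

    # One entry per table row: label, log, event ID, optional provider and message filter.
    $lookups = @(
        @{ Label = 'Workstation locked';          LogName = 'Security'; Id = 4800 }
        @{ Label = 'Workstation unlocked';        LogName = 'Security'; Id = 4801 }
        @{ Label = 'Screensaver invoked';         LogName = 'Security'; Id = 4802 }
        @{ Label = 'Screensaver dismissed';       LogName = 'Security'; Id = 4803 }
        @{ Label = 'Windows starting up';         LogName = 'Security'; Id = 4608 }
        @{ Label = 'Windows shutting down';       LogName = 'Security'; Id = 4609 }
        @{ Label = 'System uptime';               LogName = 'System';   Id = 6013 }
        @{ Label = 'Shutdown/restart requested';  LogName = 'System';   Id = 1074 }
        @{ Label = 'Entering sleep';              LogName = 'System';   Id = 42 }
        @{ Label = 'Returned from sleep';         LogName = 'System';   Id = 1; ProviderName = 'Microsoft-Windows-Power-Troubleshooter' }
        @{ Label = 'Logon';                       LogName = 'Security'; Id = 4624 }
        @{ Label = 'Explicit-credential logon';   LogName = 'Security'; Id = 4648 }
        @{ Label = 'Logoff';                      LogName = 'Security'; Id = 4634 }
        @{ Label = 'Outbound RDP';                LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'; Id = 1024 }
        @{ Label = 'Inbound RDP (session logon)'; LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21 }
        @{ Label = 'Inbound RDP (auth ok)';       LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149 }
        @{ Label = 'Outbound WinRM (session)';    LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 6 }
        @{ Label = 'Outbound WinRM (request)';    LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 80 }
        @{ Label = 'Inbound WinRM (shell)';       LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 }
        @{ Label = 'Inbound WMI (provider load)'; LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5857; Match = 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32' }
    )

    foreach ($lookup in $lookups) {
        $filter = @{ LogName = $lookup.LogName; Id = $lookup.Id; StartTime = $StartTime }
        if ($lookup.ContainsKey('ProviderName')) { $filter.ProviderName = $lookup.ProviderName }

        # Get-WinEvent errors out when nothing matches (or when an operational log is
        # absent on this build); treat that as "no events", not as a failure.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { -not $lookup.Match -or $_.Message -match $lookup.Match } |
            ForEach-Object {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Activity = $lookup.Label
                    Id       = $_.Id
                    Log      = $_.LogName
                    # First line of the message is usually enough for a quick read.
                    Summary  = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

# Usage: last two days, oldest first, one line per event.
Get-HostActivityTimeline | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The 4624 rows dominate on a busy host; narrow `-StartTime` or pipe through `Where-Object { $_.Activity -ne 'Logon' }` when you only want the lock/sleep/remote-access skeleton of the day.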

Inbound network and interactive logons (4624 over the last two days, local sources excluded):

```powershell
# 4624 EventData by position: [1]/[2] subject user/domain, [5]/[6] target user/domain,
# [8] logon type, [18] source IP address (not a computer name).
$events = @(
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-2) } | ForEach-Object {
        $subjectUser   = $_.Properties[2].Value + "\" + $_.Properties[1].Value
        $targetUser    = $_.Properties[6].Value + "\" + $_.Properties[5].Value
        $logonType     = $_.Properties[8].Value
        $sourceAddress = $_.Properties[18].Value

        # Keep the remote-capable logon types and drop local sources ('-', '::1', '127.0.0.1');
        # the regex is anchored so it matches those exact values only.
        if ($logonType -in 3,7,8,9,10,11 -and $sourceAddress -notmatch '^(-|::1|127\.0\.0\.1)$') {
            switch ($logonType) {
                3  { $logonType = "Network" }
                7  { $logonType = "Screen Unlock" }
                8  { $logonType = "Network Cleartext" }
                9  { $logonType = "New Credentials" }
                10 { $logonType = "Remote Interactive" }
                11 { $logonType = "Cached Interactive" }
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = $subjectUser
                LogonFrom = $sourceAddress
                LoggedAs  = $targetUser
                Type      = $logonType
            }
        }
    }
)

$events
```

Outbound logons with explicit credentials (4648 over the last two days, localhost targets excluded):

```powershell
# 4648 EventData by position: [1]/[2] subject user/domain, [5]/[6] target user/domain,
# [9] target info (service/SPN string), [11] process that supplied the credentials.
$events = @(
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4648; StartTime=(Get-Date).AddDays(-2) } | ForEach-Object {
        $subjectUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value
        $targetUser  = $_.Properties[6].Value + "\" + $_.Properties[5].Value
        $targetInfo  = $_.Properties[9].Value
        $process     = $_.Properties[11].Value

        # Credentials used against this host itself are not outbound; skip them.
        if ($targetInfo -notmatch 'localhost') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SubjectUser = $subjectUser
                TargetUser  = $targetUser
                Target      = $targetInfo
                Process     = $process
            }
        }
    }
)

$events
```

| Activity | PowerShell / registry check |
| --- | --- |
| **Activity** | |
| Service installed (4697) | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4697 }` |
| Scheduled task created | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4698 }` |
| Scheduled task updated | `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4702 }` |
| Sysinternals usage? (EULA acceptance is recorded per tool under HKCU) | `Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' \| select PSChildName, EulaAccepted` |
| **Security** | |
| LSASS started as a protected process | `Get-WinEvent -FilterHashtable @{ LogName='System'; Id=12; ProviderName='Microsoft-Windows-Wininit' }` |
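The two logon scripts above address 4624/4648 fields by position (`$_.Properties[n]`), and the same would be needed to pull the service name out of 4697 or the task XML out of 4698/4702. Positions shift whenever Microsoft appends fields to an event (4624 has grown several times), so the added example below (not code from the original page) keys on the `<Data Name="...">` attributes in the event XML instead, and applies one small converter to the inbound 4624 filter, the outbound 4648 filter and the service/task events from the table above. The function names, the two-day window and the output column names are assumptions made here; the event IDs and the field names used (SubjectUserName, TargetUserName, LogonType, IpAddress, TargetInfo, TargetServerName, ProcessName, ServiceName, ServiceFileName, TaskName, TaskContent, TaskContentNew) are the ones Windows writes for these events.

```powershell
# Added example: name-based EventData parsing for 4624, 4648, 4697, 4698 and 4702.
# Function names, window and column names are assumptions; field names are Windows's own.

function ConvertFrom-EventData {
    # Turn one Get-WinEvent record into { Time, Id, Data }, where Data is a hashtable
    # keyed by the EventData field name rather than by position.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Data = $data }
    }
}

$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Screen Unlock'
    8 = 'Network Cleartext'; 9 = 'New Credentials'; 10 = 'Remote Interactive'; 11 = 'Cached Interactive'
}

function Get-InboundLogon {
    # 4624 with a non-local source address (same filter as the inbound script above).
    param([datetime]$StartTime = (Get-Date).AddDays(-2))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ConvertFrom-EventData |
        ForEach-Object {
            $d = $_.Data
            $type = [int]$d.LogonType
            if ($type -in 3,7,8,9,10,11 -and $d.IpAddress -notmatch '^(-|::1|127\.0\.0\.1)$') {
                $typeName = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "$type" }
                [pscustomobject]@{
                    Time        = $_.Time
                    Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    LoggedAs    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    LogonFrom   = $d.IpAddress
                    Workstation = $d.WorkstationName
                    Type        = $typeName
                    Process     = $d.ProcessName
                }
            }
        }
}

function Get-OutboundExplicitLogon {
    # 4648: credentials explicitly supplied for a connection, usually to another host.
    param([datetime]$StartTime = (Get-Date).AddDays(-2))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ConvertFrom-EventData |
        Where-Object { $_.Data.TargetInfo -notmatch 'localhost' -and $_.Data.TargetServerName -ne 'localhost' } |
        ForEach-Object {
            $d = $_.Data
            [pscustomobject]@{
                Time    = $_.Time
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                RunAs   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Target  = $d.TargetServerName
                Info    = $d.TargetInfo
                Process = $d.ProcessName
            }
        }
}

function Get-PersistenceEvent {
    # 4697 (service installed), 4698 (task created), 4702 (task updated).
    # Task events carry the task XML; the Exec action inside it is what actually runs.
    param([datetime]$StartTime = (Get-Date).AddDays(-2))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697,4698,4702; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ConvertFrom-EventData |
        ForEach-Object {
            $d = $_.Data
            if ($_.Id -eq 4697) {
                $what = $d.ServiceName; $command = $d.ServiceFileName
            } else {
                # 4698 stores the XML in TaskContent, 4702 in TaskContentNew.
                $taskXml = if ($d.TaskContent) { $d.TaskContent } else { $d.TaskContentNew }
                $what = $d.TaskName
                $command = try {
                    $t = ([xml]$taskXml).Task
                    "$($t.Actions.Exec.Command) $($t.Actions.Exec.Arguments)".Trim()
                } catch { '(task XML not parsed)' }
            }
            [pscustomobject]@{ Time = $_.Time; Id = $_.Id; Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; What = $what; Command = $command }
        }
}

Get-InboundLogon          | Format-Table -AutoSize
Get-OutboundExplicitLogon | Format-Table -AutoSize -Wrap
Get-PersistenceEvent      | Format-Table -AutoSize -Wrap
```

Because `ConvertFrom-EventData` only looks at field names, the same converter works unchanged for any other Security event in the lists above (4800-4803, 4608/4609, 4634); `$_.Data.Keys` on one sample record shows which names that event ID actually carries on the build you are on.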