Windows Event Logs
Microsoft-Windows-Shell-Core/Operational:
EID 9707 : Detects the start of execution of a process launched from either of the Run keys, with the full command line:
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
EID 9708 : Detects when the aforementioned process finishes execution, with the corresponding PID (useful to tell whether the process is still running on the system: a 9707 with no matching 9708 for the same PID).
EID 28115 : Triggered when a shortcut is added to the "App Resolver Cache". Indicates when an application is installed.
Microsoft-Windows-VHDMP-Operational:
EID 1 : Triggers when you mount a VHD (Virtual Hard Disk).
EID 2 : Triggers when you unmount a VHD (Virtual Hard Disk).
EID 12 : Contains information about the type, path, handle count of the mounted device.
OAlerts (Office Alerts):
EID 300 : Triggers when a prompt is shown inside an Office application. For example, when the prompt to save an Office (Excel, Word, etc.) document is shown, an event is generated. Contains the name of the file (in the case of saving a file), the Office version, and the Office application that triggered the alert (Word, PowerPoint, Excel, etc.).
Microsoft-Windows-WLAN-AutoConfig/Operational:
EID 8001 : Triggers when a successful connection to a wireless network occurs.
EID 8003 : Triggers when we're successfully disconnected from a wireless network.
Microsoft-Windows-Winlogon/Operational:
EID 811/812 : Triggers when a user logs on to a machine. You can check for the "<SessionEnv>" subscriber notification in EID 811 to indicate that a user logged on via RDP.
Note that as far as I can tell the "SessionEnv" subscriber is also logged when a user logs on to a machine for the first time (i.e. doesn't have a session). To distinguish between the two (RDP or local), look for EID 1/2 shortly after the "SessionEnv" subscriber: if present, it indicates a local logon; if not present, it is an RDP logon.
EID 1/2 : In my test lab this event is triggered only when a user logs in to a computer on which they don't have a session (i.e. the session is disconnected or doesn't exist). EID 2 can be used to determine how many times a user typed an incorrect password.
For example, if a user provides a wrong password, EID 2 is generated with "Result Code : 1326", which indicates an incorrect password. If the password is correct, "Result Code : 0" is logged.
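The two correlations above (the SessionEnv heuristic for RDP vs. local logon, and the 9707/9708 PID pairing from the Shell-Core section) are easy to get wrong by eye across a busy log, so here is an added example that encodes them in Python. This is not code from the original notes. The records are constructed, simplified dictionaries carrying only the fields the checks need (they are not real event XML), and the 30-second "shortly after" window is an assumption of this example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real Windows event XML): each dict keeps only
# the provider, event ID, timestamp and the fields the heuristics below use.
SAMPLE_EVENTS = [
    # Winlogon/Operational: alice gets SessionEnv, then EID 2 two seconds later -> local
    {"provider": "Winlogon", "eid": 811, "time": "2024-01-01T08:00:00", "user": "alice", "subscriber": "SessionEnv"},
    {"provider": "Winlogon", "eid": 2,   "time": "2024-01-01T08:00:02", "user": "alice", "result_code": 0},
    # bob gets SessionEnv with no EID 1/2 afterwards -> RDP
    {"provider": "Winlogon", "eid": 811, "time": "2024-01-01T09:00:00", "user": "bob", "subscriber": "SessionEnv"},
    {"provider": "Winlogon", "eid": 811, "time": "2024-01-01T09:00:01", "user": "bob", "subscriber": "Profiles"},
    # carol: two wrong passwords (1326), then a correct one (0) -> local, 2 failures
    {"provider": "Winlogon", "eid": 811, "time": "2024-01-01T09:59:58", "user": "carol", "subscriber": "SessionEnv"},
    {"provider": "Winlogon", "eid": 2,   "time": "2024-01-01T10:00:00", "user": "carol", "result_code": 1326},
    {"provider": "Winlogon", "eid": 2,   "time": "2024-01-01T10:00:05", "user": "carol", "result_code": 1326},
    {"provider": "Winlogon", "eid": 2,   "time": "2024-01-01T10:00:11", "user": "carol", "result_code": 0},
    # Shell-Core/Operational: two Run-key processes started, only PID 4100 finished
    {"provider": "Shell-Core", "eid": 9707, "time": "2024-01-01T08:00:05", "pid": 4100, "cmdline": "C:\\Tools\\updater.exe /quiet"},
    {"provider": "Shell-Core", "eid": 9707, "time": "2024-01-01T08:00:06", "pid": 4216, "cmdline": "C:\\Users\\alice\\run.exe"},
    {"provider": "Shell-Core", "eid": 9708, "time": "2024-01-01T08:00:09", "pid": 4100},
]

# Assumed window for "EID 1/2 shortly after the SessionEnv subscriber".
LOCAL_LOGON_WINDOW = timedelta(seconds=30)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def classify_logons(events, window=LOCAL_LOGON_WINDOW):
    """For every EID 811 carrying the SessionEnv subscriber, decide whether the
    logon was local (an EID 1 or 2 for the same user follows within `window`)
    or RDP (no such event follows). Returns a list of dicts in log order."""
    winlogon = [e for e in events if e["provider"] == "Winlogon"]
    results = []
    for e in winlogon:
        if e["eid"] != 811 or e.get("subscriber") != "SessionEnv":
            continue
        start = _ts(e)
        followed = any(
            f["eid"] in (1, 2)
            and f["user"] == e["user"]
            and start <= _ts(f) <= start + window
            for f in winlogon
        )
        results.append({"time": e["time"], "user": e["user"],
                        "kind": "local" if followed else "rdp"})
    return results


def count_bad_passwords(events):
    """Count EID 2 events with Result Code 1326 (incorrect password) per user."""
    counts = {}
    for e in events:
        if e["provider"] == "Winlogon" and e["eid"] == 2 and e.get("result_code") == 1326:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


def unfinished_autoruns(events):
    """Pair Shell-Core EID 9707 (start, with command line) against EID 9708
    (finish) by PID; a 9707 with no later 9708 is a Run-key process that was
    still running when the log was collected. Returns {pid: cmdline}."""
    started = {e["pid"]: e["cmdline"] for e in events
               if e["provider"] == "Shell-Core" and e["eid"] == 9707}
    for e in events:
        if e["provider"] == "Shell-Core" and e["eid"] == 9708:
            started.pop(e["pid"], None)
    return started


if __name__ == "__main__":
    for r in classify_logons(SAMPLE_EVENTS):
        print(f'{r["time"]} {r["user"]:6} {r["kind"]}')
    print("bad passwords:", count_bad_passwords(SAMPLE_EVENTS))
    print("still running:", unfinished_autoruns(SAMPLE_EVENTS))
```

On the constructed sample this reports alice and carol as local logons, bob as RDP, two bad-password attempts for carol, and PID 4216 as a Run-key process with no finish event. Against real data, replace SAMPLE_EVENTS with records pulled from the two channels named in these notes.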
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall:
EID 2004 : Triggers when "A rule has been added to the Windows Defender Firewall exception list."
EID 2005 : Triggers when âA rule has been modified in the Windows Defender Firewall exception list.â
EID 2006 : Triggers when âA rule has been deleted in the Windows Defender Firewall exception list.â