Windows Event Logs

Microsoft-Windows-Shell-Core/Operational:

  • EID 9707: Detects the start of the execution of a process from both the Run keys with the full command line.

    • Software\Microsoft\Windows\CurrentVersion\Run

    • Software\Microsoft\Windows\CurrentVersion\RunOnce registry keys with the full command line.

  • EID 9708 : Detects when the aforementioned process finishes execution with the corresponding PID (Useful when the process is still running on the system).

  • EID 28115 : Triggered when a shortcut is added to the “App Resolver Cache”. Indicates when an application is installed.

Microsoft-Windows-VHDMP-Operational:

  • EID 1 : Triggers when you mount a VHD (Virtual Hard Disk).

  • EID 2 : Triggers when you unmount a VHD (Virtual Hard Disk).

  • EID 12 : Contains information about the type, path, handle count of the mounted device.

OAlerts (Office Alerts):

  • EID 300 : Triggers when a prompt is shown inside an office application. For example when the prompt to save the office (excel, word…etc) document is shown an event is generated. Contains information about the name of the files (In the case of saving a file), the office version, the office application that triggered the alert (Word, PowerPoint, Excel…etc).

Microsoft-Windows-WLAN-AutoConfig/Operational:

  • EID 8001 : Triggers when a successful connection to a wireless network occurs.

  • EID 8003 : Triggers when we’re successfully disconnected from a wireless network.

Microsoft-Windows-Winlogon/Operational:

  • EID 811/812 : Triggers when a user logon to a machine. You can check for the “<SessionEnv>” subscriber notification in EID 811 to indicates that a user logged on via RDP.

Note that as far as i can tell the “SessionEnv” subscriber is also logged when a user logon to a machine for the first time (I.E doesn’t have a session). To distinguish between the two (RDP or Local) look for the EID 1/2 shortly after the “SessionEnv” subscriber to indicate a local logon and if not present that means its an RDP logon.

  • EID 1/2 : In my test lab this event is triggered only when a user log in to a computer on which he doesn’t have a session (I.E session disconnected/ doesn’t exist). EID 2 can be used to determine how many times a user typed an incorrect password.

For example, if a user provided a wrong password and EID 2 will be generated with the “Result Code : 1326”. Which indicates an incorrect password. If the password is correct, then the “Result Code : 0” is generated.

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall:

  • EID 2004 : Trigger when “A rule has been added to the Windows Defender Firewall exception list.

  • EID 2005 : Triggers when “A rule has been modified in the Windows Defender Firewall exception list.”

  • EID 2006 : Triggers when “A rule has been deleted in the Windows Defender Firewall exception list.”

References

LogoFinding Forensic Goodness In Obscure Windows Event LogsMedium

PreviousRed Team:NextQuick Wins

Last updated