Windows Event Logs and Incident Investigation

I have been looking at proof-of-execution artifacts a lot and keep coming back to event logs. Rather than focus only on proof of execution, I want to provide a list of the useful Windows events I have come across that are of use in a forensic or incident investigation.

Tip - Windows XP event IDs can be converted to their Vista+ equivalents by adding 4096 to the Event ID.

Locations of Logs

The default locations are as follows:

XP era:

  • %SystemRoot%\System32\Config\*.evt

Vista+:

  • %SystemRoot%\System32\winevt\Logs\*.evtx

Custom Log Locations:

Log locations can be changed by the user; you can check the configured path in the Registry under the following HKLM keys:

Application events:

  • HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application

Hardware events:

  • HKLM\SYSTEM\CurrentControlSet\services\eventlog\HardwareEvents

Security events:

  • HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security

System events:

  • HKLM\SYSTEM\CurrentControlSet\services\eventlog\System

Useful Event IDs:

XP ID   Vista+ ID   Description                                                                           Log Name
528     4624        Successful logon                                                                      Security
529     4625        Failed login                                                                          Security
        4647        User initiated logon
        4688        A new process has been created
        4689        A process has exited
624     4720        A user account was created                                                            Security
        4722        Account enabled
        4723        User changed own password
        4724        Privileged user changed this user's password
        4725        Account disabled
        4726        Account deleted
632     4728        A member was added to a security-enabled global group                                 Security
636     4732        A member was added to a security-enabled local group                                  Security
        4738        Account changed
        4740        Account locked out
        4767        Account unlocked
680     4776        Successful/failed account authentication                                              Security
        4778        RDP session reconnected
        4779        RDP session disconnected
        4781        Account name changed
        4800        Workstation locked
        4801        Workstation unlocked
        4802        Screen saver loaded                                                                   Security
        4803        The screen saver was dismissed                                                        Security
2934    7030        Service creation errors                                                               System
2944    7040        The start type of the IPSEC Services service was changed from disabled to auto start  System
2949    7045        Service creation                                                                      System


Logon Type Codes

One useful piece of information in the successful/failed logon events (4624/4625) is how the user or process tried to log on (the Logon Type). Windows records this only as a number, so here is a list of the logon type codes and what they mean:

Logon Type   Description
2            Logon via console
3            Network logon; a user or computer logged onto this computer from the network
4            Batch logon
5            Windows service logon
7            Credentials used to unlock screen
8            Network logon sending credentials (cleartext)
9            Different credentials used than logged-on user
10           Remote interactive logon (RDP)
11           Cached credentials used to logon
12           Cached remote interactive
13           Cached unlock (similar to logon type 7)
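As an added example (not from the original post), the following PowerShell pulls the 4624/4625 events from the Security log and decodes the logon type using the table above, so you can see at a glance which accounts logged on how, and from where. It assumes an elevated session on a Vista+ host and uses only the built-in Get-WinEvent cmdlet; the $Hours window is an arbitrary default.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# Vista+ host (reading the Security log needs admin rights) and uses only the
# built-in Get-WinEvent cmdlet. Summarises 4624/4625 by logon type and account.
param([int]$Hours = 24)

# Logon type codes, taken from the table above.
$LogonTypes = @{
    2 = 'Logon via console';            3 = 'Network logon'
    4 = 'Batch logon';                  5 = 'Windows service logon'
    7 = 'Credentials used to unlock screen'
    8 = 'Network logon, cleartext credentials'
    9 = 'Different credentials than logged-on user'
    10 = 'Remote interactive (RDP)';    11 = 'Cached credentials'
    12 = 'Cached remote interactive';   13 = 'Cached unlock'
}

# 4624 = successful logon, 4625 = failed logon (XP: 528/529, i.e. minus 4096).
# -ErrorAction Stop makes "no events found" a hard error rather than silence.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Logon type, account and source live in EventData; read them from the XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) {
        if ($n.Name) { $data[$n.Name] = $n.'#text' }
    }
    $lt = [int]$data['LogonType']
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = $(if ($e.Id -eq 4624) { 'Success' } else { 'Failure' })
        LogonType   = $lt
        Description = $(if ($LogonTypes.ContainsKey($lt)) { $LogonTypes[$lt] } else { "Unknown ($lt)" })
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Counts per outcome and logon type first: a pile of "Failure, 3" or
# "Failure, 10" rows from a single source IP is the usual thing to chase.
$rows | Group-Object Outcome, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Then the full timeline, newest first.
$rows | Sort-Object Time -Descending |
    Format-Table Time, EventId, Outcome, LogonType, Description, Account, SourceIp -AutoSize
```

To run it against an exported log instead of the live one, swap the LogName entry in the filter hashtable for Path = 'C:\path\to\Security.evtx'.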

Tools:

https://eventlogxp.com/
https://www.nirsoft.net/utils/full_event_log_view.html
https://www.microsoft.com/en-us/download/details.aspx?id=24659

or you could always use the Windows Event Viewer, after all that's what it's there for.

Reference:

https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949
https://eventlogxp.com/blog/process-tracking-with-event-log-explorer/
