Windows Event Logs for IR/Forensics, Part 1
During an incident, the Windows event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes, so in this diary I will cover some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them.
Here are some of the most useful events for forensics/incident response:
Event ID | Description | Log Name
4624 | Successful logon | Security
4625 | Failed logon | Security
4776 | Successful/failed account authentication (NTLM credential validation) | Security
4720 | A user account was created | Security
4732 | A member was added to a security-enabled local group | Security
4728 | A member was added to a security-enabled global group | Security
7030 | Service creation errors | System
7045 | Service creation (a service was installed in the system) | System
One useful piece of information that the successful/failed logon events provide is how the user or process tried to log on (the Logon Type). Windows records this as a number, so here is a list of the logon types and what they mean:
Logon Type | Explanation
2 | Interactive: logon at the local console
3 | Network: a user or computer logged on to this computer from the network (for example, access to a file share)
4 | Batch: scheduled task logon
5 | Service: logon by a Windows service
7 | Unlock: credentials used to unlock the screen
8 | NetworkCleartext: network logon where the password was sent in cleartext (for example, IIS basic authentication)
9 | NewCredentials: different credentials used than the logged-on user (RunAs with /netonly)
10 | RemoteInteractive: remote interactive logon (RDP / Terminal Services)
11 | CachedInteractive: logon with cached domain credentials (no domain controller reachable)
12 | CachedRemoteInteractive: remote interactive logon with cached credentials
13 | CachedUnlock: unlock with cached credentials (similar to logon type 7)
In the next diary I will show some examples of how to use PowerShell to search the Windows event logs of a compromised system.
Comments
Logon failure events
0xC0000064 User name does not exist
0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC000006F User tried to logon outside his day of week or time of day restrictions
0xC0000070 Workstation restriction
0xC00000193 Account expiration
0xC0000071 Expired password
0xC0000133 Clocks between DC and other computer too far out of sync
0xC0000224 User is required to change password at next logon
0xC0000225 Evidently a bug in Windows and not a risk
0xC000015b "The user has not been granted the requested logon"
Logon sessions
4647 user initiated logon
4800 Workstation Locked
4801 Workstation unlocked
4802 Screen saver loaded
4803 Screen saver dismissed
4778 RDP reconnected
4779 RDP disconnected
User account changes
4720 Created
4722 Enabled
4723 User changed own password
4724 Privileged User changed this user’s password
4725 Disabled
4726 Deleted
4738 Changed
4740 Locked out
4767 Unlocked
4781 Name change
Anonymous
Sep 19th 2016
8 years ago
Logon Types
Type 2 - Interactive (console login)
Type 3 - Network
Type 4 - Batch (scheduled tasks)
Type 5 - Services
Type 7 - Unlock
Type 8 - Network (cleartext)
Type 9 - NewCredentials (RunAs)
Type 10 - RemoteInteractive (RDP connections)
Type 11 - CachedInteractive (not connected to domain)
Anonymous
Sep 19th 2016
8 years ago