Windows Event Logs for IR/Forensics, Part 1
During an incident, Windows Event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes; in this diary I will talk about some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them.
Here are some of the most useful events for forensics/incident response:
| Event ID | Description | Log Name |
|---|---|---|
| 4624 | Successful Logon | Security |
| 4625 | Failed Login | Security |
| 4776 | Successful/Failed Account Authentication | Security |
| 4720 | A user account was created | Security |
| 4732 | A member was added to a security-enabled local group | Security |
| 4728 | A member was added to a security-enabled global group | Security |
| 7030 | Service Creation Errors | System |
| 7045 | Service Creation | System |
One useful piece of information that the Successful/Failed Logon events provide is how the user or process tried to log on (Logon Type). Windows records this value as a number; here is a list of the logon types and their meaning:
| Logon Type | Explanation |
|---|---|
| 2 | Logon via console |
| 3 | Network logon: a user or computer logged on to this computer from the network |
| 4 | Batch logon |
| 5 | Windows Service logon |
| 7 | Credentials used to unlock screen |
| 8 | Network logon sending credentials (cleartext) |
| 9 | Different credentials used than logged-on user |
| 10 | Remote interactive logon (RDP) |
| 11 | Cached credentials used to log on |
| 12 | Cached remote interactive |
| 13 | Cached unlock (similar to logon type 7) |
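As an added example (not code from the diary), the following PowerShell pulls the 4624/4625 events from the table above, reads the Logon Type out of each event's XML payload, and maps it to the names in the logon type table so a responder can see at a glance which logon types succeeded or failed, for which accounts, and from which source addresses. It assumes it runs with administrator rights on the host being examined (reading the Security log requires them) or, via the optional `-Path` parameter, against an exported `.evtx` file; the function name `Get-LogonSummary` and the `$LogonTypeNames` table are my own, not part of the diary.

```powershell
# Added example, not from the diary: summarise Successful/Failed Logon events
# (4624/4625) by Logon Type. Assumes admin rights for the live Security log,
# or an exported .evtx passed via -Path.

$LogonTypeNames = @{
    '2'  = 'Interactive (console)'
    '3'  = 'Network'
    '4'  = 'Batch'
    '5'  = 'Service'
    '7'  = 'Unlock'
    '8'  = 'NetworkCleartext'
    '9'  = 'NewCredentials (different credentials than logged-on user)'
    '10' = 'RemoteInteractive (RDP)'
    '11' = 'CachedInteractive'
    '12' = 'CachedRemoteInteractive'
    '13' = 'CachedUnlock'
}

function Get-LogonSummary {
    param(
        [string]$Path,            # optional: exported .evtx instead of the live log
        [int]$MaxEvents = 5000    # cap so a busy DC does not return millions of rows
    )
    # FilterHashtable filters server-side, far faster than piping everything to Where-Object
    $filter = @{ LogName = 'Security'; Id = 4624, 4625 }
    if ($Path) { $filter = @{ Path = $Path; Id = 4624, 4625 } }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # The EventData fields are only reliable by name, so parse the XML
            # rather than relying on positional Properties[] indexes
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                LogonType = $d['LogonType']
                TypeName  = $LogonTypeNames[$d['LogonType']]
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIP  = $d['IpAddress']
            }
        }
}

# Usage: overall picture first, then failed network/RDP logons by account and source
$events = Get-LogonSummary
$events | Group-Object Result, TypeName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$events | Where-Object { $_.Result -eq 'Failure' -and $_.LogonType -in '3', '10' } |
    Group-Object User, SourceIP | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

Grouping on `Result` and `TypeName` together is deliberate: a cluster of type 3 or type 10 failures from one source, followed by a single success of the same type for the same account, is the pattern worth chasing, and it is invisible when successes and failures are counted separately. Type 8 logons (cleartext credentials on the wire) and type 9 logons are rare enough on most hosts that any occurrence deserves a look.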
In the next diary I will show some examples of how to use PowerShell to search the Windows Event logs of a compromised system.