During an incident, the Windows event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes, so in this diary I will cover some of the most useful events for investigations, and in the next diary I will discuss how to use PowerShell to search for them.
Here are some of the most useful events for forensics/incident response:
Event ID   Description                                              Log Name
4624       Successful logon                                         Security
4625       Failed logon                                             Security
4776       NTLM credential validation (success or failure)          Security
4720       A user account was created                               Security
4732       A member was added to a security-enabled local group     Security
4728       A member was added to a security-enabled global group    Security
7030       Service creation errors                                  System
7045       A service was installed in the system                    System
Note that 4776 is written by the computer that validated the credentials (a domain controller for domain accounts, the local machine for local accounts), and that 7030 and 7045 are logged by the Service Control Manager, so a 7045 for a service whose binary sits in an unusual path is worth a close look.
One of the most useful fields in the successful/failed logon events (4624 and 4625) is the Logon Type, which records how the user or process logged on. Windows stores it as a number, so here is a list of the logon types and what each one means:
Logon Type   Name                     Explanation
2            Interactive              Logon at the console (keyboard and screen)
3            Network                  A user or computer logged on to this computer from the network (file shares, etc.)
4            Batch                    Batch logon (scheduled tasks)
5            Service                  Windows service started by the Service Control Manager
7            Unlock                   Credentials used to unlock the screen
8            NetworkCleartext         Network logon with the password sent in cleartext (e.g. IIS basic authentication)
9            NewCredentials           Caller used different credentials than the logged-on user for outbound connections (runas /netonly)
10           RemoteInteractive        Remote interactive logon (RDP / Terminal Services)
11           CachedInteractive        Logon with cached domain credentials, no domain controller reachable
12           CachedRemoteInteractive  Remote interactive logon with cached credentials (similar to type 10)
13           CachedUnlock             Unlock with cached credentials (similar to type 7)
In the next diary I will show some examples of how to use PowerShell to search the Windows event logs of a compromised system.
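As an added example (this is not code from the diary), the following Python decodes exported event records the way the two tables above do: it flattens the XML that Get-WinEvent's .ToXml() emits, maps the Logon Type number and, for 4625, the SubStatus code to their meanings, and flags a source address that produced several failed logons followed by a successful one. The event records, user names, IP address, service name and timestamps are constructed for the example, so the script runs offline without a Windows host.

```python
"""Decode exported Windows event records the way the diary's tables do.

Added example (not part of the original diary). The records below are
constructed in the XML schema that Get-WinEvent's .ToXml() emits; user
names, IP addresses, service names and times are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_NAMES = {
    4624: "Successful logon", 4625: "Failed logon",
    4776: "Credential validation (NTLM)", 4720: "User account created",
    4732: "Member added to local group", 4728: "Member added to global group",
    7030: "Service creation error", 7045: "Service installed",
}
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive", 12: "CachedRemoteInteractive", 13: "CachedUnlock",
}
# NTSTATUS values that appear in the SubStatus field of 4625 (subset)
SUB_STATUS = {
    0xC0000064: "user name does not exist", 0xC000006A: "wrong password",
    0xC0000234: "account locked out", 0xC0000072: "account disabled",
}


def parse_event(xml_text):
    """Flatten one <Event> into a dict: System fields plus every EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "channel": system.find("e:Channel", NS).text,
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        ev[data.get("Name")] = data.text
    ev["name"] = EVENT_NAMES.get(ev["id"], "unknown")
    if ev["id"] in (4624, 4625):           # both carry the numeric LogonType
        lt = int(ev.get("LogonType", "-1"))
        ev["logon_type_name"] = LOGON_TYPES.get(lt, f"type {lt}")
    if ev["id"] == 4625:                   # SubStatus is the specific failure reason
        code = int(ev.get("SubStatus", "0x0"), 16)
        ev["failure_reason"] = SUB_STATUS.get(code, f"{code:#010x}")
    return ev


def failed_then_success(events, threshold=3):
    """Flag source IPs with >= threshold 4625s followed by a 4624 from the same IP.

    Returns {ip: (failure_count, account, logon_type_name)}; a success after a
    run of failures is the classic password-guessing pattern worth triaging.
    """
    failures, hits = Counter(), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev.get("IpAddress", "-")
        if ev["id"] == 4625:
            failures[ip] += 1
        elif ev["id"] == 4624 and failures[ip] >= threshold:
            hits[ip] = (failures[ip], ev["TargetUserName"], ev["logon_type_name"])
    return hits


def summarize(events):
    """Count events per (channel, id, name) for a quick triage overview."""
    return Counter((ev["channel"], ev["id"], ev["name"]) for ev in events)


def _record(event_id, channel, time, data):
    """Build a minimal constructed event record in the Windows event XML schema."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Channel>{channel}</Channel>'
            f'</System><EventData>{body}</EventData></Event>')


# Constructed sample: three bad passwords from 10.0.0.77, then an RDP logon from
# the same address, a new account, and a service installed from a temp directory.
SAMPLE_EVENTS = [
    _record(4625, "Security", f"2016-09-20T10:00:0{i}Z", {
        "TargetUserName": "jdoe", "LogonType": 3, "SubStatus": "0xc000006a",
        "IpAddress": "10.0.0.77"}) for i in range(1, 4)
] + [
    _record(4624, "Security", "2016-09-20T10:00:09Z", {
        "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.0.77"}),
    _record(4720, "Security", "2016-09-20T10:02:00Z", {
        "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"}),
    _record(7045, "System", "2016-09-20T10:03:00Z", {
        "ServiceName": "UpdaterSvc", "ImagePath": r"C:\Windows\Temp\u.exe"}),
    _record(4624, "Security", "2016-09-20T10:05:00Z", {
        "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"}),
]

if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for ev in parsed:
        print(ev["time"], ev["channel"], ev["id"], ev["name"],
              ev.get("TargetUserName", ev.get("ServiceName", "")),
              ev.get("logon_type_name", ""), ev.get("failure_reason", ""))
    print("suspicious:", failed_then_success(parsed))
```

To use it on real data, feed parse_event the strings returned by (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}).ToXml(), or the records from an EVTX-to-XML export; the threshold in failed_then_success is deliberately low for the sample and should be tuned to the host's normal failure rate.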
Basil (ISC Handler):
Good one – would like to add more
Logon failure events:
0xC0000064 User name does not exist
0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC000006F User tried to log on outside his day-of-week or time-of-day restrictions
0xC0000070 Workstation restriction
0xC00000193 Account expiration
0xC0000071 Expired password
0xC0000133 Clocks between DC and other computer too far out of sync
0xC0000224 User is required to change password at next logon
0xC0000225 Evidently a bug in Windows and not a risk
0xC000015b "The user has not been granted the requested logon"
Logon sessions:
4647 User initiated logon
4800 Workstation locked
4801 Workstation unlocked
4802 Screen saver loaded
4803 Screen saver dismissed
4778 RDP reconnected
4779 RDP disconnected
User account changes:
4720 Created
4722 Enabled
4723 User changed own password
4724 Privileged user changed this user's password
4725 Disabled
4726 Deleted
4738 Changed
4740 Locked out
4767 Unlocked
4781 Name change

makflwana:
Should probably also include 4756 – user added to security-enabled universal group

Jaybone:
I keep this one in OneNote… very relevant when troubleshooting Windows event logs:
Logon Types
Type 2 – Interactive (console login)
Type 3 – Network
Type 4 – Batch (scheduled tasks)
Type 5 – Services
Type 7 – Unlock
Type 8 – Network (cleartext)
Type 9 – NewCredentials (RunAs)
Type 10 – RemoteInteractive (RDP connections)
Type 11 – CachedInteractive (not connected to domain)
Source: https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/