Windows Log Analysis

Last updated 2 years ago

  • Description: Windows event IDs that help in log analysis. Most events are in the Security log; many are only logged on Domain Controllers.

    • “Windows Event logs” or “Event Logs” are files in binary format (with .evtx extension), stored here:

      • Windows 2000 to WinXP/Windows Server 2003: %WinDir%\system32\Config\*.evt

      • Windows Server 2008 to 2019, and Windows Vista to Win10: %WinDir%\system32\WinEVT\Logs\*.evtx

  • Event Log Categories

    • Application: Events logged by an application (Execution, Deployment error, etc.)

    • System: Events logged by the Operating System (Device loading, startup errors, etc.)

    • Security: Events that are relevant to the security of the system (Logins and logouts, file deletion, granting of administration permissions, etc.)

    • Directory Service: A record available only on Domain Controllers; it stores Active Directory (AD) events

    • DNS Server: A record available only on DNS servers; it stores the logs of the DNS service

    • File Replication Service: A record available only on Domain Controllers; it stores Domain Controller replication events

  • Events

    • User logon/logoff

      • Successful logon: 528, 540, 4624, 5379

      • Failed logon: 529-537, 539, 4625

      • Logoff: 538, 551, 4672, 4634, 4647

      • Special Logon: 4672

      • Logon attempt with explicit credentials: 4648

      • Replay attack detected: 4649

    • User account changes

      • Created: 624, 4720

      • Enabled: 626

      • Changed: 642

      • Disabled: 629

      • Deleted: 630, 4726

      • Member added to security-enabled group: 4732

    • Password changes

      • To self: 628

      • To others: 627

      • Password reset: 4724

    • File access events

      • A handle to an object was requested with intent to delete: 4659

      • A handle to an object was requested: 4656

      • The handle to an object was closed: 4658

      • An object was deleted: 4660

      • An attempt was made to access an object: 4663

      • The state of a transaction has changed: 4685

      • The state of a transaction has changed: 4985

    • Anomalous events

      • Service started or stopped: 7035, 7036

      • Object access denied (if auditing enabled): 560, 567

      • High number of deleted files: 4663

      • Changes to user rights assignments: 4704, 4717

      • Altered Audit and Account policies: 4719, 4739

      • Security log cleared: 1102

      • Reboot: 1074

      • SIDs filtered: 4675

      • New domain trust: 4706
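As an added example (not code from the original page), the following Python applies several of the anomalous-event rules above to a constructed list of (event ID, account) records, the shape you get after exporting the Security log to CSV; the thresholds, rule names and account names are assumptions.

```python
"""Triage exported Windows Security events using the event IDs listed above."""
from collections import Counter

# Event IDs taken from the lists on this page, grouped by the rule they feed.
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625}
FILE_DELETE = {4660, 4663}            # page lists 4663 for "high number of deleted files"
POLICY_CHANGE = {4704, 4717, 4719, 4739}
LOG_CLEARED = 1102
NEW_TRUST = 4706


def triage(events, failed_threshold=5, delete_threshold=20):
    """Return (rule, account, count) findings for a sequence of (event_id, account)
    tuples. Thresholds are assumed values; tune them to the environment."""
    failed = Counter()
    deletes = Counter()
    findings = []
    for event_id, account in events:
        if event_id in FAILED_LOGON:
            failed[account] += 1
        elif event_id in FILE_DELETE:
            deletes[account] += 1
        elif event_id == LOG_CLEARED:            # single event is always worth a look
            findings.append(("security log cleared", account, 1))
        elif event_id == NEW_TRUST:
            findings.append(("new domain trust", account, 1))
        elif event_id in POLICY_CHANGE:
            findings.append(("audit/rights policy changed", account, 1))
    # Volume-based rules are evaluated once all records have been counted.
    for account, n in failed.items():
        if n >= failed_threshold:
            findings.append(("failed logon burst", account, n))
    for account, n in deletes.items():
        if n >= delete_threshold:
            findings.append(("high number of deleted files", account, n))
    return findings


# Constructed sample (not real log data): six failed logons for 'svc_backup',
# then a successful and special logon, 25 file-delete events, and the Security
# log being cleared; 'alice' simply logs off.
SAMPLE = (
    [(4625, "svc_backup")] * 6
    + [(4624, "svc_backup"), (4672, "svc_backup")]
    + [(4663, "svc_backup")] * 25
    + [(1102, "svc_backup"), (4634, "alice")]
)

if __name__ == "__main__":
    for rule, account, count in triage(SAMPLE):
        print(f"{rule}: {account} ({count})")
```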

  • Resources

Detecting a Security Threat in Event Logs
Windows Event IDs
Events to Monitor
Critical Log Review Checklist for Security Incidents
Windows security auditing — Event Log FAQ
Windows Security Event Logs: my own cheatsheet
Common Windows IDs for SOC
MyEventLog
Github Eventlog Database