Windows Log Analysis

PreviousWeb Server Log Analysis NextSystems Forensics

Last updated 2 years ago

Windows Log Analysis

Description: Windows event IDs that help in log analysis. Most events are in the Security log, many only logged on Domain Controller
- “Windows Event logs” or “Event Logs” are files in binary format (with .evtx extension), stored here:
  - Windows 2000 to WinXP/Windows Server 2003: %WinDir%\system32\Config*.evt
  - Windows Server 2008 to 2019, and Windows Vista to Win10: %WinDir%\system32\WinEVT\Logs*.evtx
Event Log Categories
- Application: Events logged by an application (Execution, Deployment error, etc.)
- System: Events logged by the Operating System (Device loading, startup errors, etc.)
- Security: Events that are relevant to the security of the system (Logins and logouts, file deletion, granting of administration permissions, etc.)
- Directory Service: This is a record available only to Domain Controllers, it stores Active Directory (AD) events
- DNS Server: It is a record available only to DNS servers; logs of DNS service are stored
- File Replication Service: Is a record available only for Domain Controllers, it stores Domain Controller Replication events
Events
- User logon/logoff
  - Successful logon: 528, 540, 4624, 5379
  - Failed logon: 529-537, 539, 4625
  - Logoff: 538, 551, 4672, 4634, 4647
  - Special Logon: 4672
  - Logon attempt with explicit credentials: 4648
  - Replay attack detected: 4649
- User account changes
  - Created 624, 4720
  - Enabled 626
  - Changed 642
  - Disabled 629
  - Deleted 630. 4726
  - Memeber added to security enabled group: 4732
- Password changes
  - To self: 628
  - To others: 627
  - Password reset: 4724
- File access events
  - A handle to an object was requested with intent to delete: 4659
  - A handle to an object was requested: 4656
  - The handle to an object was closed: 4658
  - An object was deleted: 4660
  - An attempt was made to access an object: 4663
  - The state of a transaction has changed: 4685
  - The state of a transaction has changed: 4985
- Anamolous events
  - Service started or stopped: 7035, 7036
  - Object access denied (if auditing enabled): 560, 567
  - High number of deleted files: 4663
  - Changes to user rights assignments: 4704, 4717
  - Altered Audit and Account policies: 4719, 4739
  - Security log cleared: 1102
  - Reboot: 1074
  - SIDs filtered: 4675
  - New domain trust: 4706
Resources

PreviousWeb Server Log Analysis NextSystems Forensics

Last updated 2 years ago

Description: Windows event IDs that help in log analysis. Most events are in the Security log, many only logged on Domain Controller
- “Windows Event logs” or “Event Logs” are files in binary format (with .evtx extension), stored here:
  - Windows 2000 to WinXP/Windows Server 2003: %WinDir%\system32\Config*.evt
  - Windows Server 2008 to 2019, and Windows Vista to Win10: %WinDir%\system32\WinEVT\Logs*.evtx
Event Log Categories
- Application: Events logged by an application (Execution, Deployment error, etc.)
- System: Events logged by the Operating System (Device loading, startup errors, etc.)
- Security: Events that are relevant to the security of the system (Logins and logouts, file deletion, granting of administration permissions, etc.)
- Directory Service: This is a record available only to Domain Controllers, it stores Active Directory (AD) events
- DNS Server: It is a record available only to DNS servers; logs of DNS service are stored
- File Replication Service: Is a record available only for Domain Controllers, it stores Domain Controller Replication events
Events
- User logon/logoff
  - Successful logon: 528, 540, 4624, 5379
  - Failed logon: 529-537, 539, 4625
  - Logoff: 538, 551, 4672, 4634, 4647
  - Special Logon: 4672
  - Logon attempt with explicit credentials: 4648
  - Replay attack detected: 4649
- User account changes
  - Created 624, 4720
  - Enabled 626
  - Changed 642
  - Disabled 629
  - Deleted 630. 4726
  - Memeber added to security enabled group: 4732
- Password changes
  - To self: 628
  - To others: 627
  - Password reset: 4724
- File access events
  - A handle to an object was requested with intent to delete: 4659
  - A handle to an object was requested: 4656
  - The handle to an object was closed: 4658
  - An object was deleted: 4660
  - An attempt was made to access an object: 4663
  - The state of a transaction has changed: 4685
  - The state of a transaction has changed: 4985
- Anamolous events
  - Service started or stopped: 7035, 7036
  - Object access denied (if auditing enabled): 560, 567
  - High number of deleted files: 4663
  - Changes to user rights assignments: 4704, 4717
  - Altered Audit and Account policies: 4719, 4739
  - Security log cleared: 1102
  - Reboot: 1074
  - SIDs filtered: 4675
  - New domain trust: 4706
Resources