Below is a living list of Windows event IDs and other miscellaenous snippets, that may be useful for situational awareness, once you are on a box:
| Activity | Powershell to read event logs for the |
|---|---|
| Lock/screensaver | |
| Workstation was locked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' } |
| Workstation was unlocked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' } |
| Screensaved invoked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' } |
| Screensaver dismissed | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' } |
| System ON/OFF | |
| Windows is starting up | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' } |
| System uptime | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' } |
| Windows is shutting down | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' } |
| System has been shut down | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' } |
| System sleep/awake | |
| System entering sleep mode | Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 } |
| System returning from sleep | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" } |
| Logons | |
| Successful logons | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' } |
| Logons with explicit credentials | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' } |
| Account logoffs | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' } |
| Access | |
| Outbound RDP | Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap |
| Inbound RDP |
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational';
id=131 } | select timecreated, message | ft -AutoSize -Wrap
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap |
| Outbound WinRM |
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 } Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 } |
| Inbound WinRM |
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 } Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'} |
| Inbound Network and Interactive Logons |
$events = New-Object System.Collections.ArrayList Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4624); starttime=(get-date).AddMinutes(-60*24*2) } | % { $event = New-Object psobject $subjectUser = $_.properties[2].value + "\" + $_.properties[1].value $targetUser = $_.properties[6].value + "\" + $_.properties[5].value $logonType = $_.properties[8].value $subjectComputer = $_.properties[18].value if ($logonType -in 3,7,8,9,10,11 -and $subjectComputer -notmatch "::1|-|^127.0.0.1") { switch ($logonType) { 3 { $logonType = "Network" } 7 { $logonType = "Screen Unlock" } 8 { $logonType = "Network Cleartext" } 9 { $logonType = "New Credentials" } 10 { $logonType = "Remote Interactive" } 11 { $logonType = "Cached Interactive" } } $event | Add-Member "Time" $_.TimeCreated $event | Add-Member "Subject" $subjectUser $event | Add-Member "LogonFrom" $subjectComputer $event | Add-Member "LoggedAs" $targetUser $event | Add-Member "Type" $logonType $events.Add($event) | out-null } } $events |
| Outbound Network Logons |
$events = New-Object System.Collections.ArrayList
Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4648);
starttime=(get-date).AddMinutes(-60*24*2) } | % {
$event = New-Object psobject
$subjecUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value
$targetUser = $_.Properties[6].Value + "\" + $_.Properties[5].Value
$targetInfo = $_.Properties[9].Value
$process = $_.Properties[11].Value
$event | Add-Member "Time" $_.timecreated
$event | Add-Member "SubjectUser" $subjecUser
$event | Add-Member "TargetUser" $targetUser
$event | Add-Member "Target" $targetInfo
$event | Add-Member "Process" $process
if ($targetInfo -notmatch 'localhost')
{
$events.add($event) | out-null
}
}
$events |
| Activity | |
| Attempt to install a service | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' } |
| Scheduled task created | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' } |
| Scheduled task updated | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' } |
| Sysinternals usage? | Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted |
| Security | |
| LSASS started as a protected process | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' } |