Windows Event Log Analysis Tips - caitlinmallen/TechWiki GitHub Wiki

  • Event logs located on Windows 8 & up - C:\Windows\System32\winevt\Logs
    • Lower versions in root of Sys32
  • Event Logs looked at
    • Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational
    • Security
    • System
  • Terminal Services Logs
    • RDP logins
    • Looking for lateral movement
      • Event IDs
        • 21 - Logon
        • 23 - Logoff
        • 25 - Reconnect
        • 24 - Disconnect
  • Security Logs
    • All types of logons and info
      • Logon types
        • 3 - Network logon: Accessing a shared folder, PSExec or banking Trojans
        • 10 - RDP / Terminal Services logons
      • Event IDs
        • 4624 - Successful logon
        • 4625 - Failed logon
        • 4720 - New user creation
  • System Logs
    • Events logged by the operating system like installs, system/devices changes, drivers, etc.
    • Event IDs
      • 7045 - New service install
      • 104 - Log cleared
  • Event Log Explorer
    • New log file: File -> Open Log File -> New API
    • Changing Timezones: View -> Time correction
      • Default to local machine's timezone
    • Filters
      • Adding filter: Click filter icon
        • Set conditions, event IDs, etc.
      • Remove filter: Click filter icon with X through it
      • Custom Columns: View -> Custom Columns
      • Exporting logs: File -> Export log
  • Helpful Links/Guides to follow
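The script below is an added example, not part of this wiki page or of Event Log Explorer. It pulls the event IDs listed above (Security 4624/4625/4720, System 7045/104, TerminalServices-LocalSessionManager 21/23/24/25) out of event records exported as XML, keeps only the 4624 logon types the notes call out (3 and 10), sorts them into a timeline, and renders the timestamps in a timezone the analyst picks, because the raw SystemTime is UTC while viewers default to the local machine's zone. The sample records are constructed to imitate the Windows event XML layout (a System block plus EventData or a provider-specific UserData block); hostnames, users and addresses are made up, and nothing here queries a live machine.

```python
# Added example: triage exported Windows event XML for the event IDs in the notes.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TS_CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

# (Channel, EventID) -> meaning, as listed in the notes.
INTERESTING = {
    ("Security", 4624): "Successful logon",
    ("Security", 4625): "Failed logon",
    ("Security", 4720): "New user created",
    ("System", 7045): "New service installed",
    ("System", 104): "Event log cleared",
    (TS_CHANNEL, 21): "RDP session logon",
    (TS_CHANNEL, 23): "RDP session logoff",
    (TS_CHANNEL, 24): "RDP session disconnect",
    (TS_CHANNEL, 25): "RDP session reconnect",
}
# 4624 logon types that mean the account came in from another host.
REMOTE_LOGON_TYPES = {3: "Network", 10: "RemoteInteractive (RDP)"}


def parse_system_time(value):
    """SystemTime is always UTC and has 7 fractional digits; strptime's %f takes at most 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one record into channel, id, UTC time, host and a dict of named fields."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT + "System")
    fields = {}
    for data in root.iter(EVT + "Data"):           # Security/System: <EventData><Data Name=...>
        if data.get("Name"):
            fields[data.get("Name")] = data.text or ""
    user_data = root.find(EVT + "UserData")       # TerminalServices: <UserData><EventXML>...
    if user_data is not None:
        for child in user_data.iter():
            if child.text and child.text.strip():
                fields[child.tag.rsplit("}", 1)[-1]] = child.text.strip()
    return {
        "time": parse_system_time(system.find(EVT + "TimeCreated").get("SystemTime")),
        "channel": system.findtext(EVT + "Channel"),
        "event_id": int(system.findtext(EVT + "EventID")),
        "computer": system.findtext(EVT + "Computer"),
        "fields": fields,
    }


def triage(xml_records, tz_offset_hours=0):
    """Timeline of the interesting events, rendered at the given UTC offset."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    findings = []
    for rec in sorted((parse_event(x) for x in xml_records), key=lambda r: r["time"]):
        label = INTERESTING.get((rec["channel"], rec["event_id"]))
        if label is None:
            continue
        f, source, detail = rec["fields"], None, ""
        if rec["event_id"] == 4624:
            logon_type = int(f.get("LogonType", -1))
            if logon_type not in REMOTE_LOGON_TYPES:
                continue                              # console/service logons are noise here
            source = f.get("IpAddress")
            detail = (f"type {logon_type} ({REMOTE_LOGON_TYPES[logon_type]}) "
                      f"{f.get('TargetDomainName')}\\{f.get('TargetUserName')} from {source}")
        elif rec["channel"] == TS_CHANNEL:
            source = f.get("Address")
            detail = f"{f.get('User')} session {f.get('SessionID')} from {source}"
        elif rec["event_id"] == 7045:
            detail = f"{f.get('ServiceName')} -> {f.get('ImagePath')}"
        findings.append({"time": rec["time"].astimezone(tz).strftime("%Y-%m-%d %H:%M:%S%z"),
                         "computer": rec["computer"], "event_id": rec["event_id"],
                         "label": label, "source": source, "detail": detail})
    return findings


def remote_sources(findings):
    """Distinct remote addresses behind logon/RDP events: the pivot list for lateral movement."""
    return sorted({f["source"] for f in findings if f["source"]})


# Constructed sample records (not real logs), deliberately out of time order.
SAMPLE_RECORDS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
    <TimeCreated SystemTime="2024-03-05T14:05:40.5000000Z"/>
    <Channel>System</Channel><Computer>FS01.corp.example</Computer></System>
  <EventData><Data Name="ServiceName">PSEXESVC</Data>
    <Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2024-03-05T13:58:00.0000000Z"/>
    <Channel>Security</Channel><Computer>FS01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2024-03-05T14:02:11.1234567Z"/>
    <Channel>Security</Channel><Computer>FS01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.25</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/><EventID>21</EventID>
    <TimeCreated SystemTime="2024-03-05T14:02:13.0000000Z"/>
    <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
    <Computer>FS01.corp.example</Computer></System>
  <UserData><EventXML xmlns="Event_NS"><User>CORP\jdoe</User><SessionID>3</SessionID>
    <Address>10.0.0.25</Address></EventXML></UserData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
    <TimeCreated SystemTime="2024-03-05T14:30:00.0000000Z"/>
    <Channel>System</Channel><Computer>FS01.corp.example</Computer></System></Event>""",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS, tz_offset_hours=-5):   # render as UTC-5
        print(row["time"], row["computer"], row["event_id"], row["label"], row["detail"])
    print("remote sources:", remote_sources(triage(SAMPLE_RECORDS)))
```

Run as-is it prints the four kept events in order (the type 2 console logon is dropped) and the single remote address that ties the RDP logon, the session event and the later service install together; point `SAMPLE_RECORDS` at real exported XML to use it on a case.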