Windows Event Logs


Last updated 3 years ago

1. Introduction

Windows logs contain a large amount of structured data spread across several log providers. In this module you will learn about the common logs and how to spot important events on your system.

Events can be viewed both from the command line with PowerShell and graphically with the Event Viewer. Find the latter by typing "Event Viewer" into the Start menu and opening it.

Upon opening the Event Viewer, you'll find various event provider categories:

  • Custom Views contains views you can create to collect other events in a single place.

  • Windows Logs contains events from the system (this is the most important category).

  • Applications and Services Logs contains events from everything else (applications and services, both from Microsoft and 3rd parties).

In the latter two categories, you will find various providers such as Application and Security. Clicking on a provider will show its events in a list in the middle. Event lists can be overwhelming, so it is usually a good idea to filter the log for what you are looking for with the Filter Current Log... button on the right. This filter can be cleared with the Clear Filter... button.

2. Common Events

2.1 Password Change (Event IDs 4723 and 4724)

One of the events in the event log is the password change event, recorded under event IDs 4723 and 4724. This event is triggered every time the password of an account is changed. Most security-related events, including this one, can be found in Windows Logs -> Security. Since there are far too many events to go through manually, set up a filter for these event IDs with the Filter Current Log... button on the right sidebar.

2.2 User Account Created (Event ID 4720)

The User Account creation event ID is 4720 and it is triggered when a new account is created. This event can be used to find out who created an account and when. Since there are many events in the log with this ID, you will have to use a more specific filter this time.

2.3 User added to group (Event IDs 4728, 4732 and 4756)

There are also several events (4728, 4732 and 4756) that record a user being added to a group.

2.4 Windows Firewall

Windows Firewall events show changes to the firewall, such as allowing network access to a new service or changing which ports accept inbound connections. These events can be investigated for misconfigurations or unauthorized changes to the firewall. Unlike the other events covered so far, this one belongs to an application log provider and will not appear in the Windows Logs category. Instead, you must visit Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall.

  • Locate the Windows Firewall logs under Applications and Services Logs -> Microsoft -> Windows -> Windows Firewall With Advanced Security -> Firewall.

  • Find the event for the Allow Database access firewall rule.

  • Answer the question below:

What is the full application path of the event?
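The same filtering can be done from PowerShell, which the introduction mentions as the alternative to the Event Viewer. The following is an added example (not code from the course page) covering sections 2.1 to 2.4: it queries a log for a set of event IDs, flattens each event's EventData so it can be filtered on fields such as the target account, and then runs the same helper against the firewall log. The EventData field names used (SubjectUserName, TargetUserName, MemberName, RuleName, ApplicationPath) and the firewall event IDs 2004/2005/2006 are assumed from the standard Windows event schema; the account name svc_backup is a constructed value.

```powershell
# Added example, not part of the original course page. Assumes Windows PowerShell 5.1 or later
# in an elevated prompt (reading the Security log requires administrative rights).

function Get-EventDataFields {
    <#
      Query one event log for a set of event IDs and flatten the <EventData> block of each
      event into an object, so that fields like TargetUserName can be filtered on directly.
    #>
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$Id,
        [int]$MaxEvents = 200
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $row = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            $row[$d.Name] = $d.'#text'      # each <Data Name="..."> becomes one property
        }
        [pscustomobject]$row
    }
}

# 2.1 - 2.3: password changes (4723/4724), account creation (4720), group membership
# additions (4728/4732/4756), all from Windows Logs -> Security.
$accountEvents = Get-EventDataFields -LogName 'Security' -Id 4723,4724,4720,4728,4732,4756
$accountEvents |
    Select-Object TimeCreated, Id, SubjectUserName, TargetUserName, MemberName |
    Format-Table -AutoSize

# 2.2: the "more specific filter" - who created one particular account, and when.
# 'svc_backup' is a constructed account name; replace it with the account you are tracing.
$accountEvents |
    Where-Object { $_.Id -eq 4720 -and $_.TargetUserName -eq 'svc_backup' } |
    Select-Object TimeCreated, SubjectUserName, TargetUserName

# 2.4: firewall rule changes live in an Applications and Services log, not in Windows Logs.
# Assumed event IDs: 2004 = rule added, 2005 = rule modified, 2006 = rule deleted.
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-EventDataFields -LogName $fwLog -Id 2004,2005,2006 |
    Where-Object { $_.RuleName -like '*Database*' } |
    Select-Object TimeCreated, Id, RuleName, ApplicationPath, Direction, Action
```

The last query lists the ApplicationPath field of every matching rule-change event, which is the field the exercise question above asks for.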

2.5 Registry Access

If you were to look for events related to the registry in the event log, you wouldn't find any! This is because there are many kinds of events that are not logged by default and this includes registry events. However, logging for these events can be enabled in the Local Security Policy. Find it in the start menu and go to the Local Policies -> Audit Policy section. From here, you can choose to Audit object access, which among other resources also includes logging events for the registry.
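Added example (not from the course page) showing what the Local Security Policy setting above does, and one detail that setting alone does not cover: after "Audit object access" is enabled, a registry key still produces no events until it carries an audit entry (SACL) naming who and what to audit. The key HKLM:\SOFTWARE\ExampleApp and the value name Demo are constructed for the demonstration; the auditpol subcategory name and the event IDs 4656, 4657 and 4663 are the standard Windows ones.

```powershell
# Added example, not part of the original course page. Run from an elevated prompt.
# The demo key HKLM:\SOFTWARE\ExampleApp is constructed; delete it afterwards if you like.

# 1. Enable the audit policy. This is the per-subcategory form of ticking
#    "Audit object access" under Local Policies -> Audit Policy.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Create the demo key and give it an audit (SACL) entry: log successful and failed
#    attempts by anyone to set a value, create a subkey or delete, inherited by subkeys.
$keyPath = 'HKLM:\SOFTWARE\ExampleApp'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

$acl    = Get-Acl -Path $keyPath -Audit
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule   = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Trigger an audited write, then read the resulting Security events:
#    4656 (handle to object requested), 4657 (registry value modified), 4663 (object accessed).
Set-ItemProperty -Path $keyPath -Name 'Demo' -Value 'changed'

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656,4657,4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'ExampleApp' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 3 shows nothing, check both halves: auditpol /get /subcategory:"Registry" should report Success and Failure, and Get-Acl -Audit on the key should list the rule.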