# Windows Event IDs and Others for Situational Awareness Below is a living list of Windows event IDs and other miscellaenous snippets, that may be useful for situational awareness, once you are on a box: | Activity | Powershell to read event logs for the | | | | | | -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | ------------------ | | **Lock/screensaver** | | | | | | | Workstation was locked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' } | | | | | | Workstation was unlocked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' } | | | | | | Screensaved invoked | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' } | | | | | | Screensaver dismissed | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' } | | | | | | | | | | | | | **System ON/OFF** | | | | | | | Windows is starting up | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' } | | | | | | System uptime | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' } | | | | | | Windows is shutting down | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' } | | | | | | System has been shut down | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' } | | | | | | | | | | | | | **System sleep/awake** | | | | | | | System entering sleep mode | Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 } | | | | | | System returning from sleep | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" } | | | | | | | | | | | | | **Logons** | | | | | | | Successful logons | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' } | | | | | | Logons with explicit credentials | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' } | | | | | | Account logoffs | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' } | | | | | | | | | | | | | **Access** | | | | | | | Outbound RDP | Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } \| select timecreated, message \| ft -AutoSize -Wrap | | | | | | Inbound RDP |

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } | select timecreated, message | ft -AutoSize -Wrap |

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap

| | Outbound WinRM |

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }

| | Inbound WinRM |

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'}

| | Inbound Network and Interactive Logons |

$events = New-Object System.Collections.ArrayList

Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4624); starttime=(get-date).AddMinutes(-60*24*2) } | % {

$event = New-Object psobject

$subjectUser = $_.properties[2].value + "\" + $_.properties[1].value

$targetUser = $_.properties[6].value + "\" + $_.properties[5].value

$logonType = $_.properties[8].value

$subjectComputer = $_.properties[18].value

if ($logonType -in 3,7,8,9,10,11 -and $subjectComputer -notmatch "::1|-|^127.0.0.1")

{

switch ($logonType) {

3 { $logonType = "Network" }

7 { $logonType = "Screen Unlock" }

8 { $logonType = "Network Cleartext" }

9 { $logonType = "New Credentials" }

10 { $logonType = "Remote Interactive" }

11 { $logonType = "Cached Interactive" }

}

$event | Add-Member "Time" $_.TimeCreated

$event | Add-Member "Subject" $subjectUser

$event | Add-Member "LogonFrom" $subjectComputer

$event | Add-Member "LoggedAs" $targetUser

$event | Add-Member "Type" $logonType

$events.Add($event) | out-null

}

}

$events

| | Outbound Network Logons |

$events = New-Object System.Collections.ArrayList

Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4648); starttime=(get-date).AddMinutes(-60*24*2) } | % {

$event = New-Object psobject

$subjecUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value

$targetUser = $_.Properties[6].Value + "\" + $_.Properties[5].Value

$targetInfo = $_.Properties[9].Value

$process = $_.Properties[11].Value

$event | Add-Member "Time" $_.timecreated

$event | Add-Member "SubjectUser" $subjecUser

$event | Add-Member "TargetUser" $targetUser

$event | Add-Member "Target" $targetInfo

$event | Add-Member "Process" $process

if ($targetInfo -notmatch 'localhost')

{

$events.add($event) | out-null

}

}

$events

| | | | | **Activity** | | | Attempt to install a service | Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' } | | Scheduled task created | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' } | | Scheduled task updated | Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' } | | Sysinternals usage? | Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\\\*' \| select PSChildName, EulaAccepted | | | | | **Security** | | | LSASS started as a protected process | Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' } |