Comment on page

Windows Event IDs and Others for Situational Awareness

Below is a living list of Windows event IDs and other miscellaenous snippets, that may be useful for  situational awareness, once you are on a box:
Activity
Powershell to read event logs for the
Lock/screensaver
​
Workstation was locked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }
Workstation was unlocked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }
Screensaved invoked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }
Screensaver dismissed
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }
​
​
System ON/OFF
​
Windows is starting up
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }
System uptime
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }
Windows is shutting down
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }
System has been shut down
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }
​
​
System sleep/awake
​
System entering sleep mode
Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }
System returning from sleep
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }
​
​
Logons
​
Successful logons
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }
Logons with explicit credentials
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }
Account logoffs
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }
​
​
Access
​
Outbound RDP
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap
Inbound RDP
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap
​
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } | select timecreated, message | ft -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap
Outbound WinRM
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }
​
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }
Inbound WinRM
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }
​
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'}
Inbound Network and Interactive Logons
$events = New-Object System.Collections.ArrayList
​
Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4624); starttime=(get-date).AddMinutes(-60*24*2) } | % {
    $event = New-Object psobject
    $subjectUser = $_.properties[2].value + "\" + $_.properties[1].value
    $targetUser = $_.properties[6].value + "\" + $_.properties[5].value
    $logonType = $_.properties[8].value
    $subjectComputer = $_.properties[18].value
    if ($logonType -in 3,7,8,9,10,11 -and $subjectComputer -notmatch "::1|-|^127.0.0.1")
    {
        switch ($logonType) {
            3 { $logonType = "Network" }
            7 { $logonType = "Screen Unlock" }
            8 { $logonType = "Network Cleartext" }
            9 { $logonType = "New Credentials" }
            10 { $logonType = "Remote Interactive" }
            11 { $logonType = "Cached Interactive" }
        }
        $event | Add-Member "Time" $_.TimeCreated
        $event | Add-Member "Subject" $subjectUser
        $event | Add-Member "LogonFrom" $subjectComputer
        $event | Add-Member "LoggedAs" $targetUser
        $event | Add-Member "Type" $logonType
        $events.Add($event) | out-null
    }
}
​
$events
Outbound Network Logons
$events = New-Object System.Collections.ArrayList
 
Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4648); starttime=(get-date).AddMinutes(-60*24*2) } | % {
    $event = New-Object psobject
    $subjecUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value
    $targetUser = $_.Properties[6].Value + "\" + $_.Properties[5].Value
    $targetInfo = $_.Properties[9].Value
    $process = $_.Properties[11].Value
 
    $event | Add-Member "Time" $_.timecreated
    $event | Add-Member "SubjectUser" $subjecUser
    $event | Add-Member "TargetUser" $targetUser
    $event | Add-Member "Target" $targetInfo
    $event | Add-Member "Process" $process
 
    if ($targetInfo -notmatch 'localhost')
    {
        $events.add($event) | out-null
    }
}
 
$events
​
​
Activity
​
Attempt to install a service
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }
Scheduled task created
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }
Scheduled task updated
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }
Sysinternals usage?
Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted
​
​
Security
​
LSASS started as a protected process
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }

offensive security - Previous

Enumeration and Discovery

Enumerating COM Objects and their Methods

Last modified 2yr ago

Activity	Powershell to read event logs for the
Lock/screensaver
Workstation was locked	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }
Workstation was unlocked	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }
Screensaved invoked	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }
Screensaver dismissed	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }

System ON/OFF
Windows is starting up	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }
System uptime	Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }
Windows is shutting down	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }
System has been shut down	Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }

System sleep/awake
System entering sleep mode	Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }
System returning from sleep	Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }

Logons
Successful logons	Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }
Logons with explicit credentials	Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }
Account logoffs	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }

Access
Outbound RDP	Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } \| select timecreated, message \| ft -AutoSize -Wrap
Inbound RDP	Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } \| select timecreated, message \| ft -AutoSize -Wrap Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } \| select timecreated, message \| ft -AutoSize -Wrap Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } \| ft -AutoSize -Wrap
Outbound WinRM	Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 } Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }
Inbound WinRM	Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 } Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } \| ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov\|CIMWin32'}
Inbound Network and Interactive Logons	$events = New-Object System.Collections.ArrayList Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4624); starttime=(get-date).AddMinutes(-60242) } \| % { $event = New-Object psobject $subjectUser = $_.properties[2].value + "\" + $_.properties[1].value $targetUser = $_.properties[6].value + "\" + $_.properties[5].value $logonType = $_.properties[8].value $subjectComputer = $_.properties[18].value if ($logonType -in 3,7,8,9,10,11 -and $subjectComputer -notmatch "::1\|-\|^127.0.0.1") { switch ($logonType) { 3 { $logonType = "Network" } 7 { $logonType = "Screen Unlock" } 8 { $logonType = "Network Cleartext" } 9 { $logonType = "New Credentials" } 10 { $logonType = "Remote Interactive" } 11 { $logonType = "Cached Interactive" } } $event \| Add-Member "Time" $_.TimeCreated $event \| Add-Member "Subject" $subjectUser $event \| Add-Member "LogonFrom" $subjectComputer $event \| Add-Member "LoggedAs" $targetUser $event \| Add-Member "Type" $logonType $events.Add($event) \| out-null } } $events
Outbound Network Logons	$events = New-Object System.Collections.ArrayList Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4648); starttime=(get-date).AddMinutes(-60242) } \| % { $event = New-Object psobject $subjecUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value $targetUser = $_.Properties[6].Value + "\" + $_.Properties[5].Value $targetInfo = $_.Properties[9].Value $process = $_.Properties[11].Value $event \| Add-Member "Time" $_.timecreated $event \| Add-Member "SubjectUser" $subjecUser $event \| Add-Member "TargetUser" $targetUser $event \| Add-Member "Target" $targetInfo $event \| Add-Member "Process" $process if ($targetInfo -notmatch 'localhost') { $events.add($event) \| out-null } } $events

Activity
Attempt to install a service	Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }
Scheduled task created	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }
Scheduled task updated	Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }
Sysinternals usage?	Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' \| select PSChildName, EulaAccepted

Security
LSASS started as a protected process	Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }