Windows Event IDs and Others for Situational Awareness

Below is a living list of Windows event IDs and other miscellaneous snippets that may be useful for situational awareness once you are on a box:

Activity

Powershell to read event logs for the

Lock/screensaver

Workstation was locked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }

Workstation was unlocked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }

Screensaver invoked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }

Screensaver dismissed

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }

System ON/OFF

Windows is starting up

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }

System uptime

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }

Windows is shutting down

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }

System has been shut down

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }

System sleep/awake

System entering sleep mode

Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }

System returning from sleep

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }

Logons

Successful logons

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }

Logons with explicit credentials

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }

Account logoffs

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }

Access

Outbound RDP

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap

Inbound RDP

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } | select timecreated, message | ft -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap

Outbound WinRM

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }

Inbound WinRM

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'}

Activity

Attempt to install a service

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }

Scheduled task created

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }

Scheduled task updated

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }

Sysinternals usage?

Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted

Security

LSASS started as a protected process

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }
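An added example, not part of the original list: a PowerShell function that pulls the event sources above into one chronological host activity timeline, which is how a responder would usually want to read them. The function name, activity labels, look-back parameter and the choice of which EventData fields to surface are my own; it assumes the default log names and an account that can read the Security log.

```powershell
# Added example (not from the original page): one chronological timeline from the
# event sources listed above. Requires rights to read the Security log.
function Get-HostActivityTimeline {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # look-back window (assumed default)
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # LogName / Id pairs taken from the list above, each with a short label.
    $sources = @(
        @{ Log='Security'; Id=4624; Label='Logon' },
        @{ Log='Security'; Id=4634; Label='Logoff' },
        @{ Log='Security'; Id=4648; Label='Explicit-credential logon' },
        @{ Log='Security'; Id=4800; Label='Workstation locked' },
        @{ Log='Security'; Id=4801; Label='Workstation unlocked' },
        @{ Log='Security'; Id=4697; Label='Service install' },
        @{ Log='Security'; Id=4698; Label='Scheduled task created' },
        @{ Log='Security'; Id=4702; Label='Scheduled task updated' },
        @{ Log='System';   Id=1074; Label='Shutdown/restart initiated' },
        @{ Log='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id=21; Label='Inbound RDP session' },
        @{ Log='Microsoft-Windows-WinRM/Operational'; Id=91; Label='Inbound WinRM' }
    )

    foreach ($s in $sources) {
        $filter = @{ LogName=$s.Log; Id=$s.Id; StartTime=$Since }
        # Get-WinEvent emits a non-terminating error when a log has no matching
        # events or does not exist on this host; suppress it so the loop continues.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # EventData field names differ per event; collect whatever is present.
            # (Events that use <UserData> instead, like RDP id 21, simply yield none.)
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Activity  = $s.Label
                Id        = $e.Id
                User      = $data['TargetUserName']
                LogonType = $data['LogonType']
                Source    = $data['IpAddress']
                Summary   = ($e.Message -split "`r?`n")[0]   # first line of the rendered message
            }
        }
    }
}

# Usage: last 24 hours, oldest first.
Get-HostActivityTimeline -Since (Get-Date).AddDays(-1) | Sort-Object Time | Format-Table -AutoSize
```

Lock/unlock (4800/4801) and logoff (4634) only appear if the corresponding audit subcategories are enabled, so an empty column for those is as likely to be an audit policy gap as a quiet host.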