Windows Event IDs and Others for Situational Awareness

Below is a living list of Windows event IDs and other miscellaneous snippets that may be useful for situational awareness once you are on a box:

Activity

Powershell to read event logs for the

Lock/screensaver

Workstation was locked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }

Workstation was unlocked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }

Screensaver invoked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }

Screensaver dismissed

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }

System ON/OFF

Windows is starting up

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }

System uptime

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }

Windows is shutting down

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }

System has been shut down

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }

System sleep/awake

System entering sleep mode

Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }

System returning from sleep

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }

Logons

Successful logons

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }

Logons with explicit credentials

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }

Account logoffs

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }

Access

Outbound RDP

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap

Inbound RDP

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } | select timecreated, message | ft -AutoSize -Wrap

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap

Outbound WinRM

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }

Inbound WinRM

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'}

Inbound Network and Interactive Logons

$events = New-Object System.Collections.ArrayList
# Successful logons (4624) from the last 2 days
Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4624); starttime=(get-date).AddMinutes(-60*24*2) } | % {
    # $entry rather than $event, which is a PowerShell automatic variable
    $entry = New-Object psobject
    $subjectUser = $_.properties[2].value + "\" + $_.properties[1].value
    $targetUser = $_.properties[6].value + "\" + $_.properties[5].value
    $logonType = $_.properties[8].value
    # properties[18] is the IpAddress field of event 4624
    $subjectComputer = $_.properties[18].value
    # Skip loopback and empty ("-") sources; the pattern is anchored so that
    # "::1" does not also exclude addresses that merely contain it
    if ($logonType -in 3,7,8,9,10,11 -and $subjectComputer -notmatch '^(::1|-|127\.0\.0\.1)$')
    {
        switch ($logonType) {
            3 { $logonType = "Network" }
            7 { $logonType = "Screen Unlock" }
            8 { $logonType = "Network Cleartext" }
            9 { $logonType = "New Credentials" }
            10 { $logonType = "Remote Interactive" }
            11 { $logonType = "Cached Interactive" }
        }
        $entry | Add-Member "Time" $_.TimeCreated
        $entry | Add-Member "Subject" $subjectUser
        $entry | Add-Member "LogonFrom" $subjectComputer
        $entry | Add-Member "LoggedAs" $targetUser
        $entry | Add-Member "Type" $logonType
        $events.Add($entry) | out-null
    }
}
$events
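The script above picks event 4624 fields by position (`Properties[8]`, `Properties[18]`), which is hard to read and ties it to the event's field order. As an added example (not code from the original page), the same filter reads the fields by name from the event XML; `ConvertFrom-EventXml`, `Get-RemoteLogonSummary` and the sample event are hypothetical names and constructed data.

```powershell
# Added example, not from the original page. The sample event below is constructed.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: flatten one event's XML into an object keyed by field name.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $sys = $doc.Event['System']
    $out = [ordered]@{
        Time    = [datetime]$sys['TimeCreated'].GetAttribute('SystemTime')
        EventId = [int]$sys['EventID'].InnerText
    }
    foreach ($d in $doc.Event['EventData'].GetElementsByTagName('Data')) {
        $name = $d.GetAttribute('Name')
        if ($name) { $out[$name] = $d.InnerText }   # unnamed Data elements are skipped
    }
    [pscustomobject]$out
}

# Logon types kept by the page's script, with the same labels.
$logonTypes = @{ '3' = 'Network'; '7' = 'Screen Unlock'; '8' = 'Network Cleartext'
                 '9' = 'New Credentials'; '10' = 'Remote Interactive'; '11' = 'Cached Interactive' }

# Hypothetical filter: keep remote/interactive logons that did not come from loopback.
function Get-RemoteLogonSummary {
    param([Parameter(ValueFromPipeline)]$Logon)
    process {
        $type  = $logonTypes[[string]$Logon.LogonType]
        $local = $Logon.IpAddress -match '^(::1|-|127\.0\.0\.1)$'
        if ($type -and -not $local) {
            [pscustomobject]@{ Time = $Logon.Time; LogonFrom = $Logon.IpAddress; Type = $type
                LoggedAs = '{0}\{1}' -f $Logon.TargetDomainName, $Logon.TargetUserName }
        }
    }
}
ConvertFrom-EventXml $sampleXml | Get-RemoteLogonSummary
```

Against the live log, feed it with `Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 } | % { ConvertFrom-EventXml $_.ToXml() } | Get-RemoteLogonSummary`.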

Outbound Network Logons

$events = New-Object System.Collections.ArrayList
# Logons with explicit credentials (4648) from the last 2 days
Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4648); starttime=(get-date).AddMinutes(-60*24*2) } | % {
    # $entry rather than $event, which is a PowerShell automatic variable
    $entry = New-Object psobject
    $subjectUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value
    $targetUser = $_.Properties[6].Value + "\" + $_.Properties[5].Value
    # Properties[9] is TargetInfo and Properties[11] is ProcessName in event 4648
    $targetInfo = $_.Properties[9].Value
    $process = $_.Properties[11].Value
    $entry | Add-Member "Time" $_.timecreated
    $entry | Add-Member "SubjectUser" $subjectUser
    $entry | Add-Member "TargetUser" $targetUser
    $entry | Add-Member "Target" $targetInfo
    $entry | Add-Member "Process" $process
    # Skip events whose target is the local machine
    if ($targetInfo -notmatch 'localhost')
    {
        $events.add($entry) | out-null
    }
}
$events

Activity

Attempt to install a service

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }

Scheduled task created

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }

Scheduled task updated

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }

Sysinternals usage?

Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted

Security

LSASS started as a protected process

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }