Red Team Guides Red Team Recipe DevSecOps Guides

eventvwr

Cheatsheet

1. Opening Event Viewer

  • Use eventvwr.msc from the Run dialog or search for "Event Viewer" in the Start menu.

2. Filtering Events

  • Use the "Filter Current Log" option to narrow down events based on criteria like Event ID, Keywords, etc.

3. Creating Custom Views

  • Use "Create Custom View" to save specific filters for quick access.

4. Exporting Logs

  • Use the "Save All Events As" option to export logs in various formats (e.g., CSV, XML).

5. Clearing Logs

  • Use the "Clear Log" option to delete all events from a specific log.

6. Attaching Tasks to Events

  • Use the "Attach Task To This Event" option to perform specific actions when an event occurs.

7. Using Event Viewer with PowerShell

  • Leverage PowerShell cmdlets like Get-EventLog and Get-WinEvent to query and manage event logs.

8. Understanding Event Levels

  • Familiarize yourself with event levels (Information, Warning, Error, etc.) to prioritize investigations.

9. Understanding Event Sources

  • Identify the source of events to understand which application or component logged them.

10. Analyzing Event Details

  • Dive into the "Details" tab of an event to understand its specifics and troubleshoot effectively.

Event IDs in Microsoft Event Viewer

1. Event ID 4624: Successful Logon

  • Indicates a user successfully logged on to a computer.

2. Event ID 4625: Logon Failure

  • Indicates a failed logon attempt.

3. Event ID 4634: Logoff

  • Indicates a user logoff.

4. Event ID 4648: Explicit Credential Logon

  • Indicates a logon using explicit credentials.

5. Event ID 4663: File/Directory Access

  • Indicates an attempt to access a file or directory.

6. Event ID 4672: Special Privileges Assigned

  • Indicates special privileges assigned to a new logon.

7. Event ID 4688: Process Start

  • Indicates a new process creation.

8. Event ID 4689: Process End

  • Indicates a process termination.

9. Event ID 4698: Scheduled Task Created

  • Indicates a scheduled task was created.

10. Event ID 4700: Scheduled Task Enabled

  • Indicates a scheduled task was enabled.

11. Event ID 4719: System Audit Policy Change

  • Indicates a change in audit policy.

12. Event ID 4720: User Account Created

  • Indicates a user account was created.

13. Event ID 4722: User Account Enabled

  • Indicates a user account was enabled.

14. Event ID 4725: User Account Disabled

  • Indicates a user account was disabled.

15. Event ID 4738: User Account Changed

  • Indicates a user account was changed.

16. Event ID 4740: User Account Locked Out

  • Indicates a user account was locked out.

17. Event ID 4776: Credential Validation

  • Indicates a domain controller attempted to validate credentials.

18. Event ID 4798: User Account Query

  • Indicates a query was issued for a user account.

19. Event ID 4904: Security Auditing Setting Modification

  • Indicates an attempt to modify the per-user auditing settings.

20. Event ID 4946: Windows Firewall Rule Added

  • Indicates a new Windows Firewall rule was added.

Example PowerShell Commands

Query Specific Event ID

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 10

Query Events within a Date Range

Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime='MM/DD/YYYY 00:00:00'; EndTime='MM/DD/YYYY 23:59:59'}

Query Events from a Specific Log Source

Get-WinEvent -FilterHashtable @{LogName='Security'; ProviderName='Microsoft-Windows-Security-Auditing'}
PreviousEQLNextSysmon

Last updated