
Lists

  • keywords1 - PowerShell script to list all event log keywords, and the resulting list (from Win10 Pro version 1803)
  • keywords2 - PowerShell script to list all event-specific generated keywords, and a sample list (from the Win10 Pro version 1803 "Microsoft-Windows-PushNotifications-Platform" event provider)
  • OpCodes - PowerShell script to list all OpCodes, their Name & DisplayName for all Event providers, and 2 csv lists
  • 'Task Categories' - PowerShell script to list all Task Categories, their Name & DisplayName for all Event providers. Full csv list: https://github.com/kacos2000/Win10/blob/master/EventLogs/Listprovider_Task_Categories.csv

Win 10 (version 1709+) Microsoft-Windows-Partition/Diagnostic.evtx EventID: 1006 parser

Win 10 Microsoft-Windows-Kernel-PnP/Configuration.evtx parser

Win 10 Microsoft-Windows-PowerShell/Operational.evtx EventIDs: 24577, 40961, 40962 parser

  • Win 10 Microsoft-Windows-PowerShell parser - PowerShell script to read a live or offline Microsoft-Windows-PowerShell/Operational.evtx log and list all the entries. Should also work from Win7 onwards. Curiously, PowerShell script execution is not recorded in this log, only console startups and PowerShell ISE script execution.

    • Event ID: 40961 - PowerShell console is starting up
    • Event ID: 40962 - PowerShell console is ready for user input
    • Event ID: 24577 - Windows PowerShell ISE has started to run script XXX

Win 10 Microsoft-Windows-VolumeSnapshot-Driver/Operational.evtx parser

Win 10 Microsoft-Windows-VHDMP-Operational.evtx parser

Win 10 Security.evtx EventID: 4688 parser

Win 10 Security.evtx EventID: 4624/4634/4647 parser

Win 10 Security.evtx EventID: 4634/4647 parser

  • Win 10 Security EventID: 4634/4647 parser - PowerShell script to read a live or offline security.evtx log and list all the EventID: 4634 (An account was logged off) and EventID: 4647 (User initiated logoff) entries in a window. The main difference between 4647 (User initiated logoff) and 4634 is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, whereas 4634 shows that the session was terminated and no longer exists.

Win 10 Security.evtx EventID: 4624 parser

Win 10 Security.evtx EventID: 4648 parser

Win 10/11 System.evtx EventIDs: 1, 12, 13, 24, 20, 238 'Microsoft-Windows-Kernel (General & Boot)' parser

Win 10 Security.evtx EventID: 4616 & System.evtx EventID: 1 parser

  • Win 10 Security EventID: 4616 & System EventID: 1 parser - PowerShell script to read both security.evtx and system.evtx logs from a live or offline Win 10 PC, and list all the EventID: 1 and EventID: 4616 entries (The system time was changed) in a window. Selected rows are saved in a comma-separated file (csv).

    The script needs to be executed from an Administrator console.

    • Event Providers (type the following in a PowerShell prompt to see the event template):
      • "Microsoft-Windows-Kernel-General" (ID: 1)
        (Get-WinEvent -ListProvider "Microsoft-Windows-Kernel-General").Events | Where-Object {$_.Id -eq 1}

        • Event Reason Nr#:
          1 = An application or system component changed the time
          2 = System time synchronized with the hardware clock
          3 = System time adjusted to the new time zone
      • Event Provider Task Descriptions:
        (Get-WinEvent -ListProvider 'Microsoft-Windows-Kernel-General' -ErrorAction SilentlyContinue).Tasks

      • "Microsoft-Windows-Security-Auditing" (ID: 4616)
        (Get-WinEvent -ListProvider "Microsoft-Windows-Security-Auditing").Events | Where-Object {$_.Id -eq 4616}
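As an added example (not one of the repository's own scripts), the PowerShell below reads the time-change events named above (System log, Microsoft-Windows-Kernel-General ID 1, and Security log ID 4616) and the 4634/4647 logoff events described earlier, from either a live log or an offline .evtx file. It flattens each event's EventData fields into named properties via the event XML, translates the numeric Reason of Kernel-General ID 1 using the table above, and writes the selected rows to CSV. The file paths are placeholders; the EventData field names used in the Select-Object calls (PreviousTime, NewTime, OldTime, Reason, SubjectUserName, ProcessName, TargetUserName, TargetLogonId, LogonType) are the standard names for these events and can be confirmed against the templates printed by the Get-WinEvent -ListProvider commands above.

```powershell
# Added example, not part of the kacos2000/Win10 repository.
# Reads Kernel-General ID 1 / Security 4616 (system time changed) and Security
# 4634/4647 (logoff) events from a live log or an offline .evtx, flattens the
# EventData fields into one object per event, and exports the result to CSV.
# Run from an elevated (Administrator) PowerShell console, as the page says.

# Reason codes for Kernel-General event ID 1 (from the list on this page).
$KernelTimeChangeReason = @{
    1 = 'An application or system component changed the time'
    2 = 'System time synchronized with the hardware clock'
    3 = 'System time adjusted to the new time zone'
}

function Get-FlatWinEvent {
    <#
      Query an event log (live via -LogName, or offline via -Path, which takes
      precedence) for the given event IDs and return one object per event with
      every <Data Name="..."> element of <EventData> exposed as a property.
    #>
    [CmdletBinding()]
    param(
        [int[]]$Id,
        [string]$LogName,        # e.g. 'Security' or 'System' (live log)
        [string]$Path,           # e.g. 'D:\case1\Security.evtx' (offline log)
        [string]$ProviderName    # optional provider filter
    )

    $filter = @{ Id = $Id }
    if ($Path)         { $filter['Path'] = $Path } else { $filter['LogName'] = $LogName }
    if ($ProviderName) { $filter['ProviderName'] = $ProviderName }

    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Provider    = $_.ProviderName
            Computer    = $_.MachineName
            RecordId    = $_.RecordId
        }
        # Each <Data Name="X">value</Data> child becomes property X.
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        # Kernel-General ID 1 carries a numeric Reason; add its text from the page's table.
        if ($_.Id -eq 1 -and $row.Contains('Reason') -and
            $KernelTimeChangeReason.ContainsKey([int]$row['Reason'])) {
            $row['ReasonText'] = $KernelTimeChangeReason[[int]$row['Reason']]
        }
        [pscustomobject]$row
    }
}

# --- Usage 1: system time changes on the live machine (System ID 1 + Security 4616) ---
$timeChanges = @(
    Get-FlatWinEvent -LogName 'System'   -ProviderName 'Microsoft-Windows-Kernel-General' -Id 1
    Get-FlatWinEvent -LogName 'Security' -Id 4616
) | Sort-Object TimeCreated

$timeChanges |
    Select-Object TimeCreated, EventId, PreviousTime, OldTime, NewTime, ReasonText, SubjectUserName, ProcessName |
    Format-Table -AutoSize

# --- Usage 2: logoff events (4634 / 4647) from an offline copy of Security.evtx ---
# 'D:\case1\...' paths are placeholders; point them at the exported .evtx and output file.
$logoffs = Get-FlatWinEvent -Path 'D:\case1\Security.evtx' -Id 4634, 4647

$logoffs |
    Select-Object TimeCreated, EventId, TargetDomainName, TargetUserName, TargetLogonId, LogonType |
    Export-Csv -Path 'D:\case1\logoffs.csv' -NoTypeInformation
```

Flattening through the XML rather than indexing `$_.Properties` by position keeps the output readable when the two event IDs carry different field sets (ID 1 has OldTime/NewTime/Reason, 4616 has PreviousTime/NewTime plus the Subject* and Process* fields), and a column that an event lacks simply stays empty in the CSV. Reading the Security log, live or from a copied .evtx, still requires an elevated console.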

Win 10 Microsoft-Windows-Winlogon/Operational.evtx parser

Win 10 Security.evtx EventID: 4616 parser

Windows Security Audit Events with message schema spreadsheet from Microsoft.

eof


Note: Old (pre-Vista) Windows event IDs can be converted to the new event IDs by adding 4096 to the Event ID,
e.g. 528 (Successful Logon) + 4096 = 4624


 - To Do:
   - [X] [List all event log *'keywords'*](keywords.md)
   - [X] [List all eventlog-generated *'keywords'*](keywords2.md)
   - [X] List all [OpCodes](OpCodes.md) 
   - [X] List all [Task Categories](https://github.com/kacos2000/Win10/blob/master/EventLogs/Listprovider_Task_Categories.csv) 
   - [X] Parse EventID 4616
   - [X] Parse EventID 4624/4634/4647 together 
   - [X] Parse EventIDs 4624/4528/4540 (Audit Logon = Success & Failure)
   - [X] Parse EventIDs 4634/4647 (An account was logged off/User initiated logoff)
   - [X] Parse Microsoft-Windows-Winlogon/Operational.evtx
   - [X] Check / Parse EventID 4625
   - [X] Check / Parse EventID 4648
   - [ ] Check / Parse EventIDs 4663/4567 (Audit File System = Success, Audit Registry = Success)
   - [ ] Check / Parse EventID 4675
   - [X] Check / Parse EventID 4688 (Audit Process Creation = Success)
   - [ ] Check / Parse EventID [4720](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720): A user account was created
   - [ ] Check / Parse EventID [4726](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726): A user account was deleted
   - [ ] Check / Parse EventIDs 5140/5560 (Audit File Share = Success)
   - [ ] Check / Parse EventID 5156 (Audit Filtering Platform Connection = Success)
   - [ ] Check / Parse EventIDs 7045/7040 
   - [ ] ~~Correlate entries in EventIDs 4616, 4624, 4688 etc~~
   - [X] [Parse EventLog Microsoft-Windows-PushNotification-Platform/Operational.evtx](https://github.com/kacos2000/Win10/blob/master/Notifications/wpn.ps1)
   - [X] Parse Microsoft-Windows-Kernel-PnP/Configuration.evtx
   - [X] Parse Microsoft-Windows-VolumeSnapshot-Driver/Operational.evtx
   - [X] Parse Microsoft-Windows-VHDMP-Operational.evtx
   - [X] Parse Microsoft-Windows-PowerShell/Operational.evtx
   - [X] Check /Parse EventID 1006 of Microsoft-Windows-Partition/Diagnostic.evtx [(USB Device Tracking ..)](https://df-stream.com/2018/07/partition-diagnostic-event-log-and-usb-device-tracking-p2/)