During an incident, the Windows event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes; in this diary I will talk about some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them.
Here are some of the most useful events for forensics/incident response:
| Event ID | Description | Log Name |
|---|---|---|
| 4624 | Successful Logon | Security |
| 4625 | Failed Logon | Security |
| 4776 | Successful/Failed Account Authentication | Security |
| 4720 | A user account was created | Security |
| 4732 | A member was added to a security-enabled local group | Security |
| 4728 | A member was added to a security-enabled global group | Security |
| 7030 | Service Creation Errors | System |
| 7045 | Service Creation | System |
One useful piece of information that the Successful/Failed Logon events (4624/4625) provide is the logon type, i.e. how the user or process tried to log on.
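As an added example (not code from the diary), the following PowerShell pulls the Security-log event IDs from the table above, either from the live log or from a saved .evtx export, extracts the structured fields (including the logon type) from each event's XML, and summarises failed logons per account and source. The `$EvtxPath` parameter and the field names used for the summary are assumptions about a typical Security log, not something the diary specifies.

```powershell
# Added example: collect the diary's Security event IDs and summarise logon types.
# Assumes permission to read the local Security log, or a saved .evtx file.
param(
    [string]$EvtxPath = ""   # leave empty to query the live Security log
)

$ids = 4624, 4625, 4776, 4720, 4732, 4728   # the Security-log IDs from the table

# Get-WinEvent -FilterHashtable accepts either LogName (live) or Path (.evtx file)
$filter = @{ Id = $ids }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The rendered message is just a template; the real fields live in EventData
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Account     = $data['TargetUserName']  # for 4732/4728 this is the group name
        Member      = $data['MemberName']      # only set on 4732/4728
        LogonType   = $data['LogonType']       # only set on 4624/4625
        Source      = $data['IpAddress']       # only set on 4624/4625
        Workstation = $data['Workstation']     # 4776 uses this field instead
    }
}

# Failed logons per account and source: a burst here is the classic spray/brute-force signal
$rows | Where-Object Id -eq 4625 |
    Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Successful logons broken down by logon type (2 = interactive, 3 = network, 10 = RDP)
$rows | Where-Object Id -eq 4624 |
    Group-Object LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\events.ps1` for the live log or `.\events.ps1 -EvtxPath C:\case\Security.evtx` for an exported log; the System-log IDs (7030/7045) need a second query with `LogName = 'System'`.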
In the next diary I will show some examples of how to use PowerShell to search the Windows event logs of a compromised system.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.