Event Logs++
February 9, 2019 in Forensic Analysis
Inspired by Samir’s findings about “programs running from Run/RunOnce Auto startup locations using events Microsoft-Windows-Shell-Core/Operational EID 9707/9708”, I decided to go through all the Windows 10 Event Logs on my test box.
Just casually browsing through these, I was quickly able to find a number of logs that are interesting DFIR-wise and that I was not aware of. I am pretty sure many researchers have done this before, but I thought it would be an interesting exercise anyway, given that (at least in my experience) the set of logs available differs significantly from system to system…
Before we continue, let me repeat what I said on Twitter – you should follow Samir – he has some great Threat Hunting examples in his Twitter feed!
All the logs listed below are located under: Applications and Services Logs\Microsoft\Windows. It’s obviously far from a complete list, but if you have never looked at these, perhaps this post will motivate you to poke around…
- Alternative way of tracking system date/time changes
  - DateTimeControlPanel\Operational
    - e.g. The system time was set successfully with the following parameters: wYear: 2015, wMonth: 6, wDayOfWeek: 1, wDay: 22, wHour: 12, wMinute: 54, wSecond: 4, wMilliseconds: 0.
  - Time-Service\Operational
- Program/App Execution
  - Application-Experience\<various>
  - CodeIntegrity\Operational
  - App*, e.g.
    - AppModel-Runtime\Admin
    - AppReadiness\Operational
  - Win32k\Operational
- DHCP changes
  - Dhcp-Client\Microsoft-Windows-DHCP Client Events\Admin
  - DHCPv6-Client\Microsoft-Windows-DHCPv6 Client Events\Admin
- Various diagnostic logs that may point to existing files on the system, which in turn may contain references to interesting artifacts
  - Diagnostics-*
- References to USB devices
  - DriverFrameworks-UserMode\Operational
- References to modifications of Regional Settings/Languages
  - International\Operational
    - e.g. Process number 3056 (C:\Windows\system32\rundll32.exe) called SetUserGeoID(104) successfully.
  - International-RegionalOptionsControlPanel\Operational
    - e.g. The user changed their location preference (GeoID) to 104.
- References to Kernel Event Tracing
  - Kernel-EventTracing\Admin
- History of Network profiles
  - NetworkProfile\Operational
- History of issues with the network gateway
  - NlaSvc\Operational
- User logon events show up in these as well
  - OfflineFiles\Operational
  - User Profile Service\Operational
- Changes of the default printer
  - PrintService\Admin
- Terminal Services logons
  - TerminalServices-ClientActiveXCore\Microsoft-Windows-TerminalServices-RDPClient/Operational
  - TerminalServices-LocalSessionManager\Operational
- LiveID-related logs
  - LiveId\Operational
- Security Mitigations (Exploit Protection events; the dynamic-code entries are Arbitrary Code Guard (ACG) reporting a process that tried to generate executable code)
  - Security-Mitigations\*
- Lots of Shell-related activities
  - Shell-Core\*
- SMB logs
  - SMBClient\*
  - SMBServer\*
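To turn the list above into something you can actually run on a box (or against exported .evtx files), here is an added example; it is not code from the original post. It assumes an elevated PowerShell session, that the Event Viewer folders above map onto the "Microsoft-Windows-<Provider>/<Channel>" names Get-WinEvent uses (the `$channels` list is a subset of the ones above, extend it as needed), and three well-known event IDs: Shell-Core 9707/9708 for Run/RunOnce executions (the ones Samir pointed out), TerminalServices-LocalSessionManager 21/25 for RDP session logon/reconnect, and Security 4616 as the conventional "system time was changed" record to cross-check the DateTimeControlPanel entries against. Because channel sets differ between builds, a channel that does not exist is reported instead of aborting the script.

```powershell
# Added example (not from the original post). Assumes an elevated session and the
# Get-WinEvent channel naming shown below; adjust the list to your own findings.

# 1. Inventory: which channels exist on this build, are enabled, and hold records.
#    Several of these (e.g. DriverFrameworks-UserMode/Operational) are disabled by
#    default, so a zero count means "nothing was ever recorded", not "nothing happened".
$channels = @(
    'Microsoft-Windows-DateTimeControlPanel/Operational',
    'Microsoft-Windows-Time-Service/Operational',
    'Microsoft-Windows-CodeIntegrity/Operational',
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational',
    'Microsoft-Windows-International-RegionalOptionsControlPanel/Operational',
    'Microsoft-Windows-Kernel-EventTracing/Admin',
    'Microsoft-Windows-NetworkProfile/Operational',
    'Microsoft-Windows-User Profile Service/Operational',
    'Microsoft-Windows-PrintService/Admin',
    'Microsoft-Windows-TerminalServices-RDPClient/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-Security-Mitigations/*',
    'Microsoft-Windows-Shell-Core/*',
    'Microsoft-Windows-SMBClient/*',
    'Microsoft-Windows-SMBServer/*'
)

$inventory = foreach ($pattern in $channels) {
    # -ListLog accepts wildcards; a missing channel just yields nothing here.
    $logs = @(Get-WinEvent -ListLog $pattern -ErrorAction SilentlyContinue)
    if ($logs.Count -eq 0) {
        [pscustomobject]@{ Channel = $pattern; Enabled = $false; Records = 'not present' }
        continue
    }
    foreach ($log in $logs) {
        [pscustomobject]@{ Channel = $log.LogName; Enabled = $log.IsEnabled; Records = $log.RecordCount }
    }
}
$inventory | Sort-Object Channel | Format-Table -AutoSize

# 2. Programs launched from Run/RunOnce (Shell-Core EID 9707 = started, 9708 = finished).
$runKeys = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Shell-Core/Operational'; Id = 9707, 9708
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
$runKeys | Format-Table -AutoSize -Wrap

# 3. RDP logons/reconnects with the source address, pulled from the event XML
#    (UserData/EventXML/User, SessionID, Address) rather than parsed from the message.
$rdpLogons = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 25
} -MaxEvents 100 -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        User    = $x.Event.UserData.EventXML.User
        Session = $x.Event.UserData.EventXML.SessionID
        Source  = $x.Event.UserData.EventXML.Address
    }
}
$rdpLogons | Format-Table -AutoSize

# 4. System time changes: the control-panel channel from the post merged with
#    Security 4616, so a change made by a tool rather than the UI is not missed.
$timeChanges = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DateTimeControlPanel/Operational' } `
        -MaxEvents 50 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue
) | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
$timeChanges | Format-Table -AutoSize -Wrap
$timeChanges | Export-Csv -NoTypeInformation -Path "$env:TEMP\time-changes.csv"
```

For a dead-box examination, swap the `LogName` key in each hashtable for `Path = '<folder>\Microsoft-Windows-Shell-Core%4Operational.evtx'` (exported channel files replace the `/` with `%4`); the XML extraction in step 3 works the same way on files. Read the `Enabled` column from step 1 before drawing conclusions from an empty channel.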