Event Logs++

February 9, 2019 in Forensic Analysis

Inspired by Samir’s findings about “programs running from Run/RunOnce Auto startup locations using events Microsoft-Windows-Shell-Core/Operational EID 9707/9708“, I decided to go through all the win10 Event Logs on my test box.

Just causally browsing through these I was able to quickly find a number of interesting (DFIR-wise) logs that I was not aware of. I am pretty sure many researchers did that before, but I thought it will be an interesting exercise anyway, given (at least in my experience) there is a significant difference between logs available on different systems…

Before we continue, let me repeat what I said on Twitter – you should follow Samir – he has some great Threat Hunting examples in his Twitter feed!

All the logs listed below are located under: Applications and Services Logs\Microsoft\Windows. It’s obviously far from a complete list, but if you never looked at these, perhaps this post will motivate you to poke around…

  • Alternative way of tracking system date/time changes.
    • DateTimeControlPanel\Operational
      • e.g. The system time was set successfully with the following parameters: wYear: 2015, wMonth: 6, wDayOfWeek: 1, wDay: 22, wHour: 12, wMinute: 54, wSecond: 4, wMilliseconds: 0.
    • Time-Service\Operational
  • Program/App Execution
    • Application-Experience\<various>
    • CodeIntegrity\Operational
    • App* e.g.
      • AppModel-Runtime\Admin
      • AppReadiness\Operational
    • Win32k\Operational
  • DHCP changes
    • Dhcp-Client\Microsoft-Windows-DHCP Client Events\Admin
    • DHCPv6-Client\Microsoft-Windows-DHCPv6 Client Events\Admin
  • Various diagnostic logs that may point to existing files on the system that in turn may contain references to interesting artifacts
    • Diagnostics-*
  • References to USB devices
    • DriverFrameworks-UserMode\Operational
  • References to modifications of Regional Settings/Languages
    • Internationl\Operational
      • e.g. Process number 3056 (C:\Windows\system32\rundll32.exe) called SetUserGeoID(104) successfully.
    • International-RegionalOptionsControlPanel\Operational
      • e.g. The user changed their location preference (GeoID) to 104.
  • References to Kernel Event Tracing
    • Kernel-EventTracing\Admin
  • History of Network profiles
    • NetworkProfile\Operational
  • History of issues with network gateway
    • NlaSvc\Operational
  • User logon events are listed here
    • OfflineFiles\Operational
    • User Profile Service\Operational
  • Changes of the default printer
    • PrintService\Admin
  • Terminal services logons
    • TerminalServices-ClientActiveXCore\Microsoft-Windows-TerminalServices-RDPClient/Operational
    • TerminalServices-LocalSessionManager\Operational
  • LiveID-related logs
    • LiveId\Operational
  • Security Mitigations (not sure what it is, but seems to be detecting dynamic code)
    • Security-Mitigations\Operational
  • Lots of Shell-related activities
    • Shell-Core\*
  • SMB logs
    • SMBClient\*
    • SMBServer\*

Comments are closed.