{"id":5918,"date":"2019-02-09T01:30:27","date_gmt":"2019-02-09T01:30:27","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5918"},"modified":"2019-02-09T01:33:45","modified_gmt":"2019-02-09T01:33:45","slug":"event-logs","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/02\/09\/event-logs\/","title":{"rendered":"Event Logs++"},"content":{"rendered":"\n<p>Inspired by <a href=\"https:\/\/twitter.com\/SBousseaden\">Samir&#8217;s<\/a> <a href=\"https:\/\/twitter.com\/SBousseaden\/status\/1087290113904791553\">findings<\/a> about &#8220;<em>programs running from Run\/RunOnce Auto startup locations using events Microsoft-Windows-Shell-Core\/Operational EID 9707\/9708<\/em>&#8221;, I decided to go through all the win10 Event Logs on my test box. <\/p>\n\n\n\n<p>Just casually browsing through these I was able to quickly find a number of interesting (DFIR-wise) logs that I was not aware of. I am pretty sure many researchers have done this before, but I thought it would be an interesting exercise anyway, given (at least in my experience) there is a significant difference between the logs available on different systems&#8230;<\/p>\n\n\n\n<p>Before we continue, let me repeat what I <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1092072936230539264\">said<\/a> on Twitter &#8211; you should follow Samir &#8211; he has some great Threat Hunting examples in his Twitter feed!<\/p>\n\n\n\n<p>All the logs listed below are located under: Applications and Services Logs\\Microsoft\\Windows. It&#8217;s obviously far from a complete list, but if you have never looked at these, perhaps this post will motivate you to poke around&#8230;<\/p>\n\n\n\n<ul><li>Alternative way of tracking system date\/time changes. <ul><li>DateTimeControlPanel\\Operational <ul><li>e.g. 
<em>The system time was set successfully with the following parameters: wYear: 2015, wMonth: 6, wDayOfWeek: 1, wDay: 22, wHour: 12, wMinute: 54, wSecond: 4, wMilliseconds: 0.<\/em><\/li><\/ul><\/li><li>Time-Service\\Operational<\/li><\/ul><\/li><li>Program\/App Execution<ul><li>Application-Experience\\&lt;various&gt;<\/li><li>CodeIntegrity\\Operational<\/li><li>App* e.g.<ul><li>AppModel-Runtime\\Admin<\/li><li>AppReadiness\\Operational<\/li><\/ul><\/li><li>Win32k\\Operational<\/li><\/ul><\/li><li>DHCP changes<ul><li>Dhcp-Client\\Microsoft-Windows-DHCP Client Events\\Admin<\/li><li>DHCPv6-Client\\Microsoft-Windows-DHCPv6 Client Events\\Admin<\/li><\/ul><\/li><li>Various diagnostic logs that may point to existing files on the system that in turn may contain references to interesting artifacts<ul><li>Diagnostics-*<\/li><\/ul><\/li><li>References to USB devices<ul><li>DriverFrameworks-UserMode\\Operational<\/li><\/ul><\/li><li>References to modifications of Regional Settings\/Languages <ul><li>International\\Operational<ul><li>e.g. <em>Process number 3056 (C:\\Windows\\system32\\rundll32.exe) called <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/intl\/table-of-geographical-locations\">SetUserGeoID(104)<\/a> successfully.<\/em><\/li><\/ul><\/li><li>International-RegionalOptionsControlPanel\\Operational<ul><li>e.g. 
<em>The user changed their location preference (GeoID) to 104.<\/em><\/li><\/ul><\/li><\/ul><\/li><li>References to Kernel Event Tracing<ul><li>Kernel-EventTracing\\Admin<\/li><\/ul><\/li><li>History of Network profiles<ul><li>NetworkProfile\\Operational<\/li><\/ul><\/li><li>History of issues with network gateway<ul><li>NlaSvc\\Operational<\/li><\/ul><\/li><li>User logon events are listed here<ul><li>OfflineFiles\\Operational<\/li><li>User Profile Service\\Operational<\/li><\/ul><\/li><li>Changes of the default printer<ul><li>PrintService\\Admin<\/li><\/ul><\/li><li>Terminal services logons<ul><li>TerminalServices-ClientActiveXCore\\Microsoft-Windows-TerminalServices-RDPClient\/Operational<\/li><li>TerminalServices-LocalSessionManager\\Operational<\/li><\/ul><\/li><li>LiveID-related logs<ul><li>LiveId\\Operational<\/li><\/ul><\/li><li>Security Mitigations (not sure what it is, but seems to be detecting dynamic code)<ul><li>Security-Mitigations\\Operational<\/li><\/ul><\/li><li>Lots of Shell-related activities<ul><li>Shell-Core\\*<\/li><\/ul><\/li><li>SMB logs<ul><li>SMBClient\\*<\/li><li>SMBServer\\*<\/li><\/ul><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Inspired by Samir&#8217;s findings about &#8220;programs running from Run\/RunOnce Auto startup locations using events Microsoft-Windows-Shell-Core\/Operational EID 9707\/9708&#8221;, I decided to go through all the win10 Event Logs on my test box. 
Just casually browsing through these I was able to &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/02\/09\/event-logs\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5918"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5918"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5918\/revisions"}],"predecessor-version":[{"id":5923,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5918\/revisions\/5923"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}