Windows Event Logs
Running it from the command line
requesting the help menu
quering the application logs and returning
3 results, descending order and text format
Investigating sath logs with
Powershell
Listing log providers with ‘powershell' as a
keyword
Listing events related to windows
powershell
listing application logs from WLMS
provider and generated at the given time
listing security logs samas target
usrname and event id equals to 4724
isting security logs with event id equals to
400listing logs from log file with event id = 104
and format as list displaying all events
properties
listing logs from log file with event i
4104 with string ‘ScriptBlockText' and
format as list displaying all events
properties
listing security logs with sam as target
usrname and event id equals to 4799
aa
Investigating Logs with Sysmon and
Powershell
Hunting for Metasploit events
Filtering for Network connections
Filtering for Network connections in format
list with maximum quantity of one
Filtering for process access eventsFiltering for Alternate Data Streams events
Filtering for process hollowing events
Sysmon Events
Event ID 1: Process Creation
Event ID 3: Netwof
Event ID 7: Image Loaded
Event ID 8: CreateRemoteThread
Event ID 1: File Created
Event ID 12 /13 / 14: Registry Event
Event ID 15: FlleCreateStreamHash
Event ID 22: DNS Event