Windows Event IDs and Others for Situational Awareness

Below is a living list of Windows event IDs and miscellaneous PowerShell snippets that may be useful for situational awareness once you are on a box.

Lock / screensaver

Workstation was locked

Get-WinEvent - Workstation locked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }

Workstation was unlocked

Get-WinEvent - Workstation unlocked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }

Screensaver invoked

Get-WinEvent - Screensaver invoked

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }

Screensaver dismissed

Get-WinEvent - Screensaver dismissed

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }

System ON / OFF

Windows is starting up

Get-WinEvent - Windows starting up

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }

System uptime

Get-WinEvent - System uptime

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }

Windows is shutting down

Get-WinEvent - Windows shutting down

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }

System has been shut down

Get-WinEvent - System has been shut down

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }

System sleep / awake

System entering sleep mode

Get-WinEvent - Sleep mode

Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }

System returning from sleep

Get-WinEvent - Return from sleep

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }

Logons

Successful logons

Get-WinEvent - Successful logons

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }

Logons with explicit credentials

Get-WinEvent - Explicit credential logons

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }

Account logoffs

Get-WinEvent - Account logoffs

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }

Access

Outbound RDP (client initiated)

Get-WinEvent - Outbound RDP (client)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap

Inbound RDP (session creation)

Get-WinEvent - Inbound RDP (LocalSessionManager)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap

Inbound RDP (RdpCoreTS)

Get-WinEvent - Inbound RDP (RdpCoreTS)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; id=131 } | select timecreated, message | ft -AutoSize -Wrap

RemoteConnectionManager (RDP reconnections / connection attempts)

Get-WinEvent - RemoteConnectionManager (1149)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; id='1149' } | ft -AutoSize -Wrap

Outbound WinRM

Get-WinEvent - WinRM outbound (6)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }

Get-WinEvent - WinRM outbound (80)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }

Inbound WinRM

Get-WinEvent - WinRM inbound (91)

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }

WMI activity related to Terminal Services

Get-WinEvent - WMI Activity (5857) filter for terminal service providers

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32\_WIN32\_TERMINALSERVICE\_Prov|CIMWin32'}

Inbound Network and Interactive Logons (custom parsing)

This collects 4624 events over a recent timeframe and filters by logon type and source.

PowerShell - Inbound Network & Interactive Logons (parsed)

$events = New-Object System.Collections.ArrayList

Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4624); starttime=(get-date).AddMinutes(-60*24*2) } | % {

    $event = New-Object psobject
    $subjectUser = $_.properties[2].value + "\" + $_.properties[1].value
    $targetUser = $_.properties[6].value + "\" + $_.properties[5].value
    $logonType = $_.properties[8].value
    $subjectComputer = $_.properties[18].value

    if ($logonType -in 3,7,8,9,10,11 -and $subjectComputer -notmatch "::1|-|^127.0.0.1") {

        switch ($logonType) {
            3 { $logonType = "Network" }
            7 { $logonType = "Screen Unlock" }
            8 { $logonType = "Network Cleartext" }
            9 { $logonType = "New Credentials" }
            10 { $logonType = "Remote Interactive" }
            11 { $logonType = "Cached Interactive" }
        }

        $event | Add-Member "Time" $_.TimeCreated
        $event | Add-Member "Subject" $subjectUser
        $event | Add-Member "LogonFrom" $subjectComputer
        $event | Add-Member "LoggedAs" $targetUser
        $event | Add-Member "Type" $logonType
        $events.Add($event) | out-null
    }

}

$events

Outbound Network Logons (custom parsing)

This parses 4648 events and filters out localhost targets.

PowerShell - Outbound Network Logons (parsed)

$events = New-Object System.Collections.ArrayList

Get-WinEvent -FilterHashtable @{ LogName='Security'; id=(4648); starttime=(get-date).AddMinutes(-60*24*2) } | % {

    $event = New-Object psobject
    $subjecUser = $_.Properties[2].Value + "\" + $_.Properties[1].Value
    $targetUser = $_.Properties[6].Value + "\" + $_.Properties[5].Value
    $targetInfo = $_.Properties[9].Value
    $process = $_.Properties[11].Value

    $event | Add-Member "Time" $_.timecreated
    $event | Add-Member "SubjectUser" $subjecUser
    $event | Add-Member "TargetUser" $targetUser
    $event | Add-Member "Target" $targetInfo
    $event | Add-Member "Process" $process

    if ($targetInfo -notmatch 'localhost') {
        $events.add($event) | out-null
    }

}

$events

Activity

Attempt to install a service

Get-WinEvent - Service installation attempted

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }

Scheduled task created

Get-WinEvent - Scheduled task created

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }

Scheduled task updated

Get-WinEvent - Scheduled task updated

Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }

Sysinternals usage?

Registry - Sysinternals usage

Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted

Security

LSASS started as a protected process

Get-WinEvent - LSASS protected process started

Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }

---

(End of content)