(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

During an incident, Windows Event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes, so in this diary I will talk about some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them.

Here are some of the most useful events for forensics/incident response:

Event ID   Description                                              Log Name
--------   ------------------------------------------------------   --------
4624       Successful Logon                                         Security
4625       Failed Login                                             Security
4776       Successful/Failed Account Authentication                 Security
4720       A user account was created                               Security
4732       A member was added to a security-enabled local group     Security
4728       A member was added to a security-enabled global group    Security
7030       Service Creation Errors                                  System
7045       Service Creation                                         System

One of the most useful pieces of information that the Successful/Failed Logon events provide is how the user or process tried to log on, i.e. the logon type.
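As an added example (not part of the original diary), the following PowerShell collects the event IDs from the table above from the local Security and System logs and breaks the 4624 logons down by logon type. It assumes an elevated session on the system being examined; the seven-day window is a constructed value.

```powershell
# Added example: pull the event IDs listed in the table above and summarise them.
# Assumes an elevated PowerShell session on the host under investigation.
$start = (Get-Date).AddDays(-7)   # constructed window; widen to match the incident timeline

# Event IDs from the table, grouped by the log they are written to
$securityIds = 4624, 4625, 4776, 4720, 4732, 4728
$systemIds   = 7030, 7045

$events = @()
$events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $securityIds; StartTime = $start } -ErrorAction SilentlyContinue
$events += Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = $systemIds;   StartTime = $start } -ErrorAction SilentlyContinue

# Per-ID counts: rare events (account creation, group membership changes, new services) stand out
$events | Group-Object Id | Sort-Object Count | Format-Table Name, Count -AutoSize

# Helper: turn an event's EventData into a hashtable keyed by field name,
# so fields are read by name rather than by fragile positional index
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4624: who logged on, how (LogonType), and from where
$logons = foreach ($e in ($events | Where-Object Id -eq 4624)) {
    $data = Get-EventData $e
    [pscustomobject]@{
        Time         = $e.TimeCreated
        User         = $data['TargetUserName']
        Domain       = $data['TargetDomainName']
        LogonType    = $data['LogonType']
        SourceIp     = $data['IpAddress']
        LogonProcess = $data['LogonProcessName']
    }
}

# Logon type distribution; e.g. type 10 (RemoteInteractive) and type 3 (Network)
# from unexpected source addresses are what a responder reviews first
$logons | Group-Object LogonType | Select-Object Name, Count | Sort-Object Count -Descending

# 7045: newly installed services with their image path, a common persistence location to review
$events | Where-Object Id -eq 7045 | ForEach-Object {
    $data = Get-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $data['ServiceName']; ImagePath = $data['ImagePath'] }
} | Format-Table -AutoSize
```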

In the next diary I will show some examples of how to use PowerShell to search the Windows Events of a compromised system.
