Automatically generated based on tag:
| Title | Type | Summary | Location |
|---|---|---|---|
| ETW - Authentication - Active Directory Domain Services (Domain Controllers) | Page | For authentication attempts from a source host to an Active Directory domain-joined destination host (which is not a Domain Controller). Main events: Event ID 4624: "An account was successfully logged on", with LogonType 3 (only for a remote interactive logon on a domain-joined destination host). Event ID 4776 "The domain controller attempted to validate the credentials for an account", for NTLM authentication. Event 4768: "A Kerberos authentication ticket (TGT) was requested" and 4769: "A Kerberos service ticket was requested", for Kerberos tickets request and usage. Event 4771: "Kerberos pre-authentication failed", for authentication failures over Kerberos. |
Channel: Security. Events: 4776, 4768, 4769, 4771, 4624, 4625. |
| ETW - Authentication - Destination host | Page | Destination host of a local or remote access. Main events: Event ID 4624: "An account was successfully logged on". Event ID 4625: "An account failed to log on". Event ID 4672: "Special privileges assigned to new logon". |
Channel: Security. Events: 4624, 4625, 4672, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378. |
| ETW - Authentication - Source host | Page | Source host of a remote access. Main events: Event ID 4648: "A logon was attempted using explicit credentials". Event ID 4624: "An account was successfully logged on", with LogonType 9. |
Channel: Security. Events: 4648, 4624 (LogonType 9). |
| ETW - Network shares activity and access | Page | For access and operations on network shares configured on the local system, and access to files and folders hosted on network shares. By default no events are generated, as network share auditing requires "Audit File Share" (share access and lifecycle) and / or "Audit Detailed File Share" (hosted files and folders access) to be enabled. Enabling network share auditing may however generate an overwhelming amount of events. Main events: Channel: Security. Event ID 5140: "A network share object was accessed". Event ID 5145: "A network share object was checked to see whether client can be granted desired access". |
Channel: Security. Events: 5140, 5142, 5143, 5144, 5145. |
| ETW - PowerShell remoting - Destination host | Page | Destination host of a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 91: "Creating WSMan shell on server with ResourceUri: <X>". |
Channels: Microsoft-Windows-Windows Remote Management/Operational. Event: 91. Windows PowerShell. Events: 400, 403, 600. With the HostName field set to "ServerRemoteHost". |
| ETW - PowerShell remoting - Source host | Page | Source host initiating a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 6: "Creating WSMan Session. The connection string is: <REMOTE_HOST>/wsman?PSVersion=XXX". |
Channel: Microsoft-Windows-Windows Remote Management/Operational. Events: 2, 4, 6, 8, 12, 15, 16, 30, 31, 33, 80, 162, 166. |
| ETW - Remote Desktop - Destination host | Page | Destination host of a Remote Desktop access. Main events: Channel: Security. Event ID 4624: "An account was successfully logged on", with LogonType 10. Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event ID 1149: "Remote Desktop Services: User authentication succeeded". Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Event ID 21: "Remote Desktop Services: Session logon succeeded". Event ID 23: "Remote Desktop Services: Session logoff succeeded". Event ID 25: "Remote Desktop Services: Session reconnection succeeded". |
Channels: Security. Event: 4624 (LogonType 10). Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event: 1149. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Events: 21, 22, 23, 25. Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational. Events: 131. |
| ETW - Remote Desktop - Remote Desktop Gateway | Page | For Remote Desktop access through a Remote Desktop Gateway (Windows server role that implements Remote Desktop Protocol (RDP) over HTTPS. Main events: Channel: Microsoft-Windows-TerminalServices-Gateway/Operational. Event ID 200: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy [...] to access the TS Gateway server". Event ID 302: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>". Event 303: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>. Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYRES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds". |
Channels: Microsoft-Windows-TerminalServices-Gateway/Operational. Events: 200, 300, 302, 303, 308, 312, 313. |
| ETW - Remote Desktop - Source host | Page | Source host initiating a Remote Desktop access. Main events: Channel: Microsoft-WindowsTerminalServicesRDPClient/Operational. Event ID 1024: "RDP ClientActiveX is trying to connect to the server (<HOSTNAME>)". Event ID 1102: "The client has initiated a multi-transport connection to the server <IP>". Event ID 1029: "Base64(SHA256(UserName)) is = <HASH>". |
Channel: Microsoft-WindowsTerminalServicesRDPClient/Operational. Events: 1024, 1029, 1102. |
| ETW - Windows Firewall | Page | Windows Firewall activity, such as configuration changes and rules creation, modification, or deletion. Main events: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall. Event ID 2003: "A Windows Defender Firewall setting in the <Domain | Private | Public> profile has changed". Events 2004, 2071, and 2097 (depending on the Windows operating system version): "A rule has been added to the Windows Defender Firewall exception list". Events 2005 and 2099 (depending on the Windows operating system version): "A rule has been modified in the Windows Defender Firewall exception list". |
Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall. Events: 2002, 2003, 2004, 2005, 2006, 2033, 2052, 2071, 2097, 2099. Channel: Security (events not enabled by default). Events: 4946, 4947, 4948, 4950. |
| ETW - Windows Scheduled Tasks | Page | For local Windows Scheduled Tasks creation and operations. Main events: Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Event ID 106: "User "<ACCOUNT>" registered Task Scheduler task "\<TASK_NAME>"". Event ID 140: "User "<ACCOUNT>" updated Task Scheduler task "<TASK_NAME>"". Event ID 200: "Task Scheduler launched action "<EXECUTABLE>" in instance "<INSTANCE_GUID>" of task "<TASK_NAME>"". Channel: Security (events not enabled by default). Event ID 4698: "A scheduled task was created". Event ID 4702: "A scheduled task was updated". |
Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Events: 100, 102, 103, 106, 107, 108, 110, 118, 119, 129, 140, 141, 200, 201. Channel: Security (events not enabled by default). Events: 4698, 4699, 4700, 4701, 4702. |
| ETW - Windows Services | Page | For local Windows services creation and operations. Main events: Channel: System. Event ID 7045: "A service was installed in the system". Event ID 7036: "The <SERVICE_NAME> service entered the <running/stopped> state". Channel: Security. Event ID 4697: "A service was installed in the system" (not enabled by default). |
Channel: System. Events: 7045, 7036, 7035, 7000, 7023, 7031, 7034, 7040, 7030. Channel: Security. Event: 4697. |
| ETW - WMI events | Page | For WMI activity. Tracking process execution is the only way to natively detect lateral movement leveraging WMI. With out "Audit process tracking" enabled to log process creation event 4688 (or a dedicated product tracking process creation, such as Sysmon or an EDR), lateral movement over WMI cannot be reliably investigated. Main events: Channel: Security. Event ID 4688: "A new process has been created", to track WMI process execution (wmic.exe and WmiPrvSE.exe notably). Channel: Microsoft-Windows-WMI-Activity/Operational. Event ID 5860 for temporary WMI Event subscription creation. Event ID 5861 for permanent WMI Event subscription creation. |
Channels: Security. Event: 4688. Microsoft-Windows-WMI-Activity/Operational. Events: 5857, 5858, 5859, 5860, 5861. |
| RDP - Processes | Page | The following processes are related to RDP activity: - mstsc.exe: Windows built-in RDP. The remote host may (but not necessarily) specified using the command-line parameter "/v:". - rdpclip.exe: RDP Clipboard Monitor, executed on the remote host every time a remote interactive RDP session is successfully established. - TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the remote host every time a remote interactive RDP session is successfully established and upon session closure. |
|
| RDP Bitmap Cache | Page | The RDP Bitmap Cache contains partial image captures, in the bitmap format, of the remote host screen from Remote Desktop sessions. This feature is implemented to reduce the amount of data sent by the server. Information of interest: small bitmap images, with a width of 64 pixels and a height of up to 64 pixels, that represent pieces of the content displayed in past Remote Desktop sessions of the user. Thousands of tiles may be available for a given user RDP Bitmap Cache folder. |
"bcache*.bmc" and "cache????.bin" files under the "Terminal Server Client\Cache" directory. Windows XP / Windows Server 2003: <SYSTEMDRIVE>:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\* Windows 7 and later: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Terminal Server Client\Cache\* |
| Registry - Map Network Drive MRU | Page | The Map Network Drive MRU registry key references the recently used network shares. Information of interest: UNC path of the network shares (such as "<IP | HOSTNAME>\<SHARE_NAME>"). Values are ordered in a most recently used list. The timestamp of access of the most recently access share can thus be deduced from the last write timestamp of the registry key. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
| Registry - MountPoints2 | Page | The MountPoints2 registry key references the currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user. Information of interest: each drive is represented by a subkey, which is named as either the volume GUID, a letter, or, for network shares "##<IP | HOSTNAME>#<SHARE_NAME>". |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 |
| Registry - PortProxy | Page | The PortProxy registry key stores the port forwards configured on the local system using the netsh built-in utility. Information of interest: the local and remote IP address:port of each port forward. |
File: <SYSTEMROOT>\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\* IPv4 endpoint to IPv4 endpoint: v4tov4\tcp subkey. |
| Registry - Scheduled tasks (Taskcache) | Page | Scheduled tasks are used to automatically perform a task on the system whenever the criteria associated to the scheduled task occurs. A scheduled task can be created through direct manipulation of the registry in order to avoid the generation of task creation ETW events. Information of interest, for each task under its associated "Taskcache\Tasks\<TASK_GUID>" and "Taskcache\Tree\<TASK_NAME>" subkeys: task name and file path, lifecycle timestamps (created on, last start, and last stop), and trigger(s) and action(s). The lifecycle timestamps, trigger(s), and action(s) are in binary, non human readable format. |
File: <SYSTEMROOT>\System32\config\SOFTWARE Registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\<TASK_GUID> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\<TASK_NAME> |
| Registry - Services | Page | The Services registry key hold the configuration information of the installed Windows services. Information of interest, for each service: service name and display name, image or DLL path, service type, service start mode, and eventual Windows privileges required. The timestamp of a service creation, or last configuration update, can be deduced from the last write timestamp of its registry key. |
File: <SYSTEMROOT>\System32\config\SYSTEM Registry keys: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME> |
| Registry - Terminal Server Client\Servers | Page | The Terminal Server Client\Servers registry key tracks the remote hosts the associated user connected to using the built-in mstsc.exe Remote Desktop client. Information of interest: IP address of the remote host and eventual saved username associated with the remote host. The the last write timestamp may be an indicator of the first access to the remote host. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<IP> |
| User Access Logging / SUM | Page | Introduced in Windows Server 2012 and enabled by default, User Access Logging (UAL) is a feature that consolidates data on user access to Windows Server roles (such as "Active Directory Domain Services" on Domain Controllers). UAL store data for the 2 years. Information of interest: - Accessed Windows Server role (such as ADDS, CIFS, ADCS, etc.) - The client domain and username. The client IPv4 or IPv6 address. - First, last, and daily access timestamps. - Total number of access. As machine accounts of domain-joined systems also authenticate to ADDS, UAL of Domain Controllers can be used to map hostnames with past IP addresses. |
Files under <SYSTEMROOT>\System32\Logfiles\SUM\ folder: Current.mdb (data for the last 24-hours). Up to three "<GUID>.mdb" files (current year and history up to 2 years). Systemidentity.mdb (mapping on roles GUIDs and names). |
| WMI - Processes | Page | The following processes are related to WMI activity: - wmic.exe: client command line utility to interact with WMI (locally or on a remote computer). The PowerShell Invoke-WmiMethod cmdlet can be used as an alternative to wmic. - WmiPrvSE.exe: WMI Provider Host program that is executed to run WMI commands. If a program is executed through WMI, it will be spawned as a child of a wmiprvse.exe process. |
View on GitHub