Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
ETW - Authentication - Destination host | Page | Destination host of a local or remote access. Main events: Channel: Security. Event ID 4624: "An account was successfully logged on". Event ID 4625: "An account failed to log on". Event ID 4672: "Special privileges assigned to new logon". | Channel: Security. Events: 4624, 4625, 4672, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378. |
ETW - Network shares activity and access | Page | For access and operations on network shares configured on the local system, and access to files and folders hosted on network shares. By default no events are generated, as network share auditing requires "Audit File Share" (share access and lifecycle) and/or "Audit Detailed File Share" (access to hosted files and folders) to be enabled. Enabling network share auditing may however generate an overwhelming amount of events. Main events: Channel: Security. Event ID 5140: "A network share object was accessed". Event ID 5145: "A network share object was checked to see whether client can be granted desired access". | Channel: Security. Events: 5140, 5142, 5143, 5144, 5145. |
ETW - PowerShell remoting - Destination host | Page | Destination host of a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 91: "Creating WSMan shell on server with ResourceUri: <X>". | Channels: Microsoft-Windows-Windows Remote Management/Operational. Event: 91. Windows PowerShell. Events: 400, 403, 600, with the HostName field set to "ServerRemoteHost". |
ETW - Remote Desktop - Destination host | Page | Destination host of a Remote Desktop access. Main events: Channel: Security. Event ID 4624: "An account was successfully logged on", with LogonType 10. Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event ID 1149: "Remote Desktop Services: User authentication succeeded". Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Event ID 21: "Remote Desktop Services: Session logon succeeded". Event ID 23: "Remote Desktop Services: Session logoff succeeded". Event ID 25: "Remote Desktop Services: Session reconnection succeeded". | Channels: Security. Event: 4624 (LogonType 10). Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event: 1149. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Events: 21, 22, 23, 25. Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational. Event: 131. |
ETW - Windows Scheduled Tasks | Page | For local Windows Scheduled Tasks creation and operations. Main events: Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Event ID 106: "User "<ACCOUNT>" registered Task Scheduler task "\<TASK_NAME>"". Event ID 140: "User "<ACCOUNT>" updated Task Scheduler task "<TASK_NAME>"". Event ID 200: "Task Scheduler launched action "<EXECUTABLE>" in instance "<INSTANCE_GUID>" of task "<TASK_NAME>"". Channel: Security (events not enabled by default). Event ID 4698: "A scheduled task was created". Event ID 4702: "A scheduled task was updated". | Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default). Events: 100, 102, 103, 106, 107, 108, 110, 118, 119, 129, 140, 141, 200, 201. Channel: Security (events not enabled by default). Events: 4698, 4699, 4700, 4701, 4702. |
ETW - Windows Services | Page | For local Windows services creation and operations. Main events: Channel: System. Event ID 7045: "A service was installed in the system". Event ID 7036: "The <SERVICE_NAME> service entered the <running/stopped> state". Channel: Security. Event ID 4697: "A service was installed in the system" (not enabled by default). | Channel: System. Events: 7045, 7036, 7035, 7000, 7023, 7031, 7034, 7040, 7030. Channel: Security. Event: 4697. |
RDP - Processes | Page | The following processes are related to RDP activity: - mstsc.exe: Windows built-in RDP client. The remote host may (but not necessarily) be specified using the command-line parameter "/v:". - rdpclip.exe: RDP Clipboard Monitor, executed on the remote host every time a remote interactive RDP session is successfully established. - TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the remote host every time a remote interactive RDP session is successfully established and upon session closure. | |
Registry - Scheduled tasks (Taskcache) | Page | Scheduled tasks are used to automatically perform a task on the system whenever the criteria associated with the scheduled task are met. A scheduled task can be created through direct manipulation of the registry in order to avoid the generation of task creation ETW events. Information of interest, for each task under its associated "Taskcache\Tasks\<TASK_GUID>" and "Taskcache\Tree\<TASK_NAME>" subkeys: task name and file path, lifecycle timestamps (created on, last start, and last stop), and trigger(s) and action(s). The lifecycle timestamps, trigger(s), and action(s) are stored in a binary, non human-readable format. | File: <SYSTEMROOT>\System32\config\SOFTWARE. Registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\<TASK_GUID> and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\<TASK_NAME>. |
Registry - Services | Page | The Services registry key holds the configuration information of the installed Windows services. Information of interest, for each service: service name and display name, image or DLL path, service type, service start mode, and any Windows privileges required. The timestamp of a service creation, or of its last configuration update, can be deduced from the last write timestamp of its registry key. | File: <SYSTEMROOT>\System32\config\SYSTEM. Registry key: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>. |
User Access Logging / SUM | Page | Introduced in Windows Server 2012 and enabled by default, User Access Logging (UAL) is a feature that consolidates data on user access to Windows Server roles (such as "Active Directory Domain Services" on Domain Controllers). UAL stores data for 2 years. Information of interest: - Accessed Windows Server role (such as ADDS, CIFS, ADCS, etc.). - The client domain and username. - The client IPv4 or IPv6 address. - First, last, and daily access timestamps. - Total number of accesses. As machine accounts of domain-joined systems also authenticate to ADDS, the UAL of Domain Controllers can be used to map hostnames to past IP addresses. | Files under the <SYSTEMROOT>\System32\Logfiles\SUM\ folder: Current.mdb (data for the last 24 hours). Up to three "<GUID>.mdb" files (current year and history up to 2 years). Systemidentity.mdb (mapping of role GUIDs to role names). |
WMI - Processes | Page | The following processes are related to WMI activity: - wmic.exe: client command-line utility to interact with WMI (locally or on a remote computer). The PowerShell Invoke-WmiMethod cmdlet can be used as an alternative to wmic. - WmiPrvSE.exe: WMI Provider Host program that is executed to run WMI commands. If a program is executed through WMI, it will be spawned as a child of a wmiprvse.exe process. | |