Automatically generated based on tag:

ETW - Registry Auto-Start Extensibility Points Page Events are generated for tasks executed through the Run and RunOnce registry keys. Additionally, events can be generated for modification of registry keys, but requires non-default audit settings and the configuration of SACL on the registry keys to audit.

Main events:

Channel: Microsoft-Windows-Shell-Core/Operational.
Event ID 9707: "Started execution of command <COMMAND>".
Event ID 9708: "Finished execution of command <COMMAND> (PID <PROCESS_ID>)".

Channel: Security.
Event ID 4657: "A registry value was modified".
Requires non-default audit settings and the configuration of SACL on the registy keys to audit.

Events: 9705, 9707, 9708.

Event: 4657.
ETW - Users and security groups operations Page For user accounts and security groups operations, such as a user object creation or modification, and a security group membership update.

Main events:

Channel: Security.
Event ID 4720: "A user account was created".
Event ID 4724: "An attempt was made to reset an accounts password".
Event ID 4738: "A user account was changed".
Event ID 4732: "A member was added to a security-enabled local group".
Channel: Security.
Events: 4720, 4722, 4723, 4724, 4731, 4732, 4733, 4738.
ETW - Windows Scheduled Tasks Page For local Windows Scheduled Tasks creation and operations.

Main events:

Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default).
Event ID 106: "User "<ACCOUNT>" registered Task Scheduler task "\<TASK_NAME>"".
Event ID 140: "User "<ACCOUNT>" updated Task Scheduler task "<TASK_NAME>"".
Event ID 200: "Task Scheduler launched action "<EXECUTABLE>" in instance "<INSTANCE_GUID>" of task "<TASK_NAME>"".

Channel: Security (events not enabled by default).
Event ID 4698: "A scheduled task was created".
Event ID 4702: "A scheduled task was updated".
Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default).
Events: 100, 102, 103, 106, 107, 108, 110, 118, 119, 129, 140, 141, 200, 201.

Channel: Security (events not enabled by default).
Events: 4698, 4699, 4700, 4701, 4702.
ETW - Windows Services Page For local Windows services creation and operations.

Main events:

Channel: System.
Event ID 7045: "A service was installed in the system".
Event ID 7036: "The <SERVICE_NAME> service entered the <running/stopped> state".

Channel: Security.
Event ID 4697: "A service was installed in the system" (not enabled by default).
Channel: System.
Events: 7045, 7036, 7035, 7000, 7023, 7031, 7034, 7040, 7030.

Channel: Security.
Event: 4697.
ETW - WMI events Page For WMI activity.

Tracking process execution is the only way to natively detect lateral movement leveraging WMI. With out "Audit process tracking" enabled to log process creation event 4688 (or a dedicated product tracking process creation, such as Sysmon or an EDR), lateral movement over WMI cannot be reliably investigated.

Main events:

Channel: Security.
Event ID 4688: "A new process has been created", to track WMI process execution (wmic.exe and WmiPrvSE.exe notably).

Channel: Microsoft-Windows-WMI-Activity/Operational.
Event ID 5860 for temporary WMI Event subscription creation.
Event ID 5861 for permanent WMI Event subscription creation.

Event: 4688.

Events: 5857, 5858, 5859, 5860, 5861.
Registry - Auto-Start Extensibility Points Page A number of registry keys, known as Auto-Start Extensibility Points (ASEP) registry keys, are run whenever the system is booted or a specific user logs in.

The ASEP keys under HKLM are run every time the system is started, while the ASEP keys under HKCU are only executed when the user associated with the keys logs onto the system.

While a subset of ASEP registry keys are leveraged by threat actors, hundreds of keys may be used to execute a program at boot or following a user logging.



HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon



Registry - Scheduled tasks (Taskcache) Page Scheduled tasks are used to automatically perform a task on the system whenever the criteria associated to the scheduled task occurs.

A scheduled task can be created through direct manipulation of the registry in order to avoid the generation of task creation ETW events.

Information of interest, for each task under its associated "Taskcache\Tasks\<TASK_GUID>" and "Taskcache\Tree\<TASK_NAME>" subkeys: task name and file path, lifecycle timestamps (created on, last start, and last stop), and trigger(s) and action(s).

The lifecycle timestamps, trigger(s), and action(s) are in binary, non human readable format.
File: <SYSTEMROOT>\System32\config\SOFTWARE

Registry keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\<TASK_GUID>
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\<TASK_NAME>
Registry - Services Page The Services registry key hold the configuration information of the installed Windows services.

Information of interest, for each service: service name and display name, image or DLL path, service type, service start mode, and eventual Windows privileges required.

The timestamp of a service creation, or last configuration update, can be deduced from the last write timestamp of its registry key.
File: <SYSTEMROOT>\System32\config\SYSTEM

Registry keys: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>
WMI - Event Subscription Page WMI Event Subscriptions can be used to maintain persistence on a Windows system, with permanent event subscriptions persisting across system reboots.

Permanent event subscriptions are composed of: an "event filter" (event that will trigger the consumer), an "event consumer" (that will perform an action, such as executing a command), and a "filter to consumer binding".

Event subscriptions are written to disk in the "OBJECTS.DATA" file that notably contains the event filters and event consumers.
WMI repository files under <SYSTEMROOT>\System32\wbem\Repository\:

View on GitHub