WinEvent Logs - Coggle Diagram
WinEvent Logs
- Schedule Task
  - MS-Windows-TaskScheduler/Operational
    - 106 - Task Created
    - 200/201 - Task Executed/Completed
  - Security.evtx
    - 4624 (3) - Remote Task
    - 4700/4701 - Task Enabled/Disabled
  - Registration Files
    - \Windows\System32\Tasks
- PowerShell
  - MS-Windows-PowerShell/Operational
    - 4103 - pipeline (module logging)
    - 4104 - script block
    - 4105/4106
  - Windows PowerShell.evtx
    - 400/800
  - PowerShell v5
    - Module Logging
    - Script Blocks
    - PowerShell Transcription
    - PSReadLine ConsoleHost_history
- Security.evtx
  - Audit policy
    - Object Access
      - (Network Shares)
        - 5140
        - 5145
    - Logon Events
      - NTLM
        - 4776
      - Kerberos
        - 4768
        - 4769
        - 4771
      - Logon Error Codes
        - 4776 (NTLM)
      - Pass-the-Hash
        - 4776 -> 4624 (3)
        - 4625 (Failed Logon)
        - 4771 (Kerberos)
    - Privilege Use
    - Directory Service
    - Process Tracking
    - Account Mgmt
      - Scenario
        - Acct & Group Enumeration
          - 4790
          - 4799
        - Attack tools
          - BloodHound
          - PowerView
    - System Events
    - Account Logon
  - Account Usage
    - Event ID
      - 4624 - Successful Logon
      - 4625 - Failed Logon
      - 4634/4647 - Acct Logoff
      - 4648 - Explicit Account
      - 4672 - Administrator
      - 4720 - Acct Creation
    - Logon Type Code
      - 2,3,4,5
      - 7,8,9,10,11
      - 12,13
    - Logon Session
      - Logon ID
    - Built-in Account
      - DWM
      - UMFD
      - <hostname>$ [Domain-joined acct]
      - ANONYMOUS LOGON
      - NETWORK SERVICE
      - SYSTEM
      - LOCAL SERVICE
    - Scenarios
      - Brute-Force
        - EID 4625
      - Tracking Admin Acct
        - 4624 -> 4627 -> 4672
      - Account Creation
        - 4720 -> 4722
      - RDP
        - 4778
        - 4779
        - 4624 (10)
- System
  - Services (SCM)
    - System.evtx
      - 7045 - A new service was installed
    - Security.evtx
      - 4697 - A new service was installed
- WMI
  - WMI-Activity/Operational
    - 5858
    - 5857-5861 - Record filter/consumer activity
    - 5861 - New permanent event consumer creation
- Event Log Cleared
  - Logs
    - Security - 1102
    - System - 104
- Sysmon
  - MS-Windows-Sysmon/Operational