Event Log by Mind Map: Event Log

1. Tool

1.1. Event Log Viewer

1.1.1. eventvwr.exe

1.2. registry

1.2.1. regedit.exe

1.2.1.1. HKLM\System\CurrentControlSet\Services\EventLog

1.3. Log Parser V2.2

1.3.1. http://iprize.tistory.com/665

1.4. WinProof

2. Reference

2.1. http://portable-forensics.blogspot.kr/2014/11/windows-event-log.html?m=1

2.2. http://kangmyounghun.blogspot.kr/2017/03/gephi-web-log.html?m=1

2.3. http://horae.tistory.com/entry/%EC%9C%88%EB%8F%84%EC%9A%B0-%EC%9D%B4%EB%B2%A4%ED%8A%B8-%EB%A1%9C%EA%B7%B8

2.4. http://kali-km.tistory.com/entry/Windows-Event-Log-1

2.5. http://kali-km.tistory.com/entry/Windows-Event-Log-2-%E2%80%93-%EC%A3%BC%EC%9A%94-%EC%9D%B4%EB%B2%A4%ED%8A%B8-%EB%A1%9C%EA%B7%B8

2.6. http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html

2.7. http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html

2.8. http://blog.plura.io/?p=4042

2.9. http://techgenix.com/logon-types/

3. Event Log Type

3.1. Type1 - *.evt

3.1.1. Windows 2000

3.1.2. Windows 2003

3.1.3. Windows XP

3.1.4. Uses 3-digit event IDs (e.g. 104, Event Log was Cleared)

3.2. Type2 - *.evtx

3.2.1. Windows Vista

3.2.2. Windows 2008

3.2.3. Windows 7

3.2.4. Uses 4-digit event IDs (e.g. 1102, Audit Log was Cleared)

4. Meaningful Event Log ID

4.1. http://www.eventid.net

4.2. http://ultimatewindowssecurity.com

4.3. NSA's main Event Log categories (16 items)

4.3.1. 1. Clearing Event Logs

4.3.1.1. Event Log was Cleared, evt ID. 104, Informational, System, Microsoft-Windows-Eventlog

4.3.1.2. Audit Log was Cleared, evt ID. 1102, Informational, Security, Microsoft-Windows-Eventlog

4.3.2. 2. Account Usage

4.3.2.1. Account Lockouts, evt ID. 4740, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.2.2. User Added to Privileged Group, evt ID. 4728, 4732, 4756, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.2.3. Security-Enabled group Modification, evt ID. 4735, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.2.4. Successful User Account Login, evt ID. 4624, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.2.5. Failed User Account Login, evt ID. 4625, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.2.6. Account Login with Explicit Credentials, evt ID. 4648, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.3. 3. Remote Desktop Logon

4.3.3.1. evt ID. 4624, Security, Information, LogonType. 10, Negotiate

4.3.3.2. evt ID. 4634, Security, Information, LogonType. 10, N/A

4.3.4. 4. Windows Defender Activities

4.3.4.1. Scan Failed, evt ID. 1005, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.2. Detected Malware, evt ID. 1006, Warning, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.3. Action on Malware Failed, evt ID. 1008, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.4. Failed to remove item from quarantine, evt ID. 1010, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.5. Failed to update signatures, evt ID. 2001, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.6. Failed to update engine, evt ID. 2003, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.7. Reverting to last known good set of signatures, evt ID. 2004, Warning, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.8. Real-Time Protection failed, evt ID. 3002, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.4.9. Unexpected Error, evt ID. 5008, Error, Microsoft-Windows-Windows Defender/Operational, Microsoft-Windows-Windows Defender

4.3.5. 5. Application Crashes

4.3.5.1. App Error, evt ID. 1000, Error, Application, Application Error

4.3.5.2. App Hang, evt ID. 1002, Error, Application, Application Hang

4.3.5.3. BSOD, evt ID. 1001, Error, System, Microsoft-Windows-WER-SystemErrorReporting

4.3.5.4. WER, evt ID. 1001, Informational, Application, Windows Error Reporting

4.3.5.5. EMET, evt ID. 1, Warning, evt ID. 2, Error, Application, EMET

4.3.6. 6. Software & Service Installation

4.3.6.1. New Kernel Filter Driver, evt ID. 6, Informational, System, Microsoft-Windows-FilterManager

4.3.6.2. New Windows Service, evt ID. 7045, Informational, System, Service Control Manager

4.3.6.3. New MSI File Installed, evt ID. 1022, 1033, Informational, Application, MsiInstaller

4.3.6.4. New Application Installation, evt ID. 903, 904, Informational, Microsoft-Windows-Application-Experience/Program-Inventory, Microsoft-Windows-Application-Experience

4.3.6.5. Updated Application, evt ID. 905, 906, Informational, Microsoft-Windows-Application-Experience/Program-Inventory, Microsoft-Windows-Application-Experience

4.3.6.6. Removed Application, evt ID. 907, 908, Informational, Microsoft-Windows-Application-Experience/Program-Inventory, Microsoft-Windows-Application-Experience

4.3.6.7. Summary of Software Activities, evt ID. 800, Informational, Microsoft-Windows-Application-Experience/Program-Inventory, Microsoft-Windows-Application-Experience

4.3.6.8. Update Packages Installed, evt ID. 2, Informational, Setup, Microsoft-Windows-Servicing

4.3.6.9. Windows Update Installed, evt ID. 19, Informational, System, Microsoft-Windows-WindowsUpdateClient

4.3.7. 7. External Media Detection

4.3.7.1. New Device Information, evt ID. 43, Informational, Microsoft-Windows-USB-USBHUB3-Analytic, Microsoft-Windows-USB-USBHUB3

4.3.7.2. New Mass Storage Installation, evt ID. 400, Informational, Microsoft-Windows-Kernel-PnP/Device Configuration, Microsoft-Windows-Kernel-PnP

4.3.7.3. New Mass Storage Installation, evt ID. 410, Informational, Microsoft-Windows-Kernel-PnP/Device Configuration, Microsoft-Windows-Kernel-PnP

4.3.8. 8. Pass the Hash Detection

4.3.8.1. evt ID. 4624, Security, Information, LogonType. 3, NTLM

4.3.8.2. evt ID. 4625, Security, Information, LogonType. 3, NTLM

4.3.9. 9. AppLocker

4.3.9.1. AppLocker Block, evt ID. 8003, Error, 8004, Warning, Microsoft-Windows-AppLocker/EXE and DLL, Microsoft-Windows-AppLocker

4.3.9.2. AppLocker Warning, evt ID. 8006, Error, 8007, Warning, Microsoft-Windows-AppLocker/MSI and Script, Microsoft-Windows-AppLocker

4.3.9.3. SRP Block, evt ID. 865, 866, 867, 868, 882, Warning, Application, Microsoft-Windows-SoftwareRestrictionPolicies

4.3.10. 10. System or Service Failures

4.3.10.1. Windows Service Fails or Crashes, evt ID. 7022, 7023, 7024, 7026, 7031, 7032, 7034, Error, System, Service Control Manager

4.3.11. 11. Windows Update Errors

4.3.11.1. Windows Update Failed, evt ID. 20, 24, 25, 31, 34, 35, Error, Microsoft-Windows-WindowsUpdateClient/Operational

4.3.11.2. Hotpatching Failed, evt ID. 1009, Informational, Setup, Microsoft-Windows-Servicing

4.3.12. 12. Kernel Driver Signing

4.3.12.1. Detected an invalid page hash of an image file, evt ID. 6281, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.12.2. Detected an invalid image hash of a file, evt ID. 5038, Informational, Security, Microsoft-Windows-Security-Auditing

4.3.12.3. Code Integrity Check, evt ID. 3001, 3002, 3003, 3004, 3010, 3023, Warning, Error, Microsoft-Windows-CodeIntegrity/Operational

4.3.12.4. Failed Kernel Driver Loading, evt ID. 219, Warning, System, Microsoft-Windows-Kernel-PnP

4.3.13. 13. Group Policy Errors

4.3.13.1. Internal Error, evt ID. 1125, Error, System, Microsoft-Windows-GroupPolicy

4.3.13.2. Generic Internal Error, evt ID. 1127, Error, System, Microsoft-Windows-GroupPolicy

4.3.13.3. Group Policy Application Failed due to Connectivity, evt ID. 1129, Error, System, Microsoft-Windows-GroupPolicy

4.3.14. 14. Mobile Device Activities

4.3.14.1. Network Connection and Disconnection Status (Wired and Wireless), evt ID. 10000, 10001, Informational, Microsoft-Windows-NetworkProfile/Operational, Microsoft-Windows-NetworkProfile

4.3.14.2. Starting a Wireless connection, evt ID. 8000, 8011, Informational, Microsoft-Windows-WLAN-AutoConfig/Operational, Microsoft-Windows-WLAN-AutoConfig

4.3.14.3. Successfully connected to Wireless connection, evt ID. 8001, Informational, Microsoft-Windows-WLAN-AutoConfig/Operational, Microsoft-Windows-WLAN-AutoConfig

4.3.14.4. Disconnect from Wireless connection, evt ID. 8003, Informational, Microsoft-Windows-WLAN-AutoConfig/Operational, Microsoft-Windows-WLAN-AutoConfig

4.3.14.5. Wireless Association Status, evt ID. 11000, 11001, 11002, Informational, Error, Microsoft-Windows-WLAN-AutoConfig/Operational, Microsoft-Windows-WLAN-AutoConfig

4.3.14.6. Wireless Security Started Stopped Successful or Failed, evt ID. 11004, 11005, 11006, 11010, Informational, Error, Microsoft-Windows-WLAN-AutoConfig/Operational, Microsoft-Windows-WLAN-AutoConfig

4.3.15. 15. Printing Services

4.3.15.1. Printing Document, evt ID. 307, Informational, Microsoft-Windows-PrintService/Operational, Microsoft-Windows-PrintService

4.3.16. 16. Windows Firewall

4.3.16.1. Firewall Rule Add, evt ID. 2004, Informational, Microsoft-Windows-Windows Firewall With Advanced Security/Firewall, Microsoft-Windows-Windows Firewall With Advanced Security

4.3.16.2. Firewall Rule Change, evt ID. 2005, Informational, Microsoft-Windows-Windows Firewall With Advanced Security/Firewall, Microsoft-Windows-Windows Firewall With Advanced Security

4.3.16.3. Firewall Rules Deleted, evt ID. 2006, 2033, Informational, Microsoft-Windows-Windows Firewall With Advanced Security/Firewall, Microsoft-Windows-Windows Firewall With Advanced Security

4.3.16.4. Firewall Failed to load Group Policy, evt ID. 2009, Error, Microsoft-Windows-Windows Firewall With Advanced Security/Firewall, Microsoft-Windows-Windows Firewall With Advanced Security

4.4. Event log for registration of an unknown autorun file

4.4.1. evt ID. 4663

4.4.1.1. [Startup folder] Steps to configure the additional audit policy

4.4.1.1.1. 1. Go to the path `C:\Users\{사용자명}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` ({사용자명} is the user name)

4.4.1.1.2. 2. Right-click > Properties > Security > Advanced > Auditing > Edit > Add > add the account to audit > check "Create files" and "Create folders" > OK

4.4.1.2. [Autorun registry key] Steps to configure the audit policy

4.4.1.2.1. 1. In the registry, navigate to the [autorun key path]

4.4.1.2.2. 2. Right-click Run > Permissions > Advanced > Auditing > Add > add the account to audit > Full Control > OK
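The two GUI procedures above (4.4.1.1 and 4.4.1.2) done from PowerShell, added here as an example and not part of the original mind map. It assumes an elevated prompt, that the principal to audit is Everyone, and that the autorun key meant in 4.4.1.2 is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

```powershell
# Added example: set the SACLs that generate event 4663 on the Startup folder
# and the Run key, enable the audit subcategories, then list the resulting events.
# Assumptions: run elevated; audited principal is "Everyone"; autorun key as below.
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 4.4.1.1: audit "Create files" / "Create folders" on the Startup folder
$fsAcl  = Get-Acl -Path $startup -Audit
$fsRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $startup -AclObject $fsAcl

# 4.4.1.2: audit Full Control on the Run key
$regAcl  = Get-Acl -Path $runKey -Audit
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $runKey -AclObject $regAcl

# A SACL only produces 4663 when the Object Access subcategories are enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry"    /success:enable /failure:enable

# Read back the 4663 events and show who touched which object from which process.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask
            Process = $d.ProcessName
        }
    } | Format-Table -AutoSize
```

Auditing Full Control on the Run key also records reads, which can be noisy on a busy host; narrowing the registry rule to SetValue and CreateSubKey keeps the detection of new autorun entries while dropping that volume.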

4.5. Event log for creation of an unknown process

4.5.1. evt ID. 4688

4.6. Event log for an unknown file being transferred to another internal server

4.6.1. evt ID. 5140, 4688

4.7. Event log for network configuration changes made to reach an external server

4.7.1. evt ID. 4688, 4946, 4947

4.8. Incident Response: main event logs

4.8.1. Security

4.8.2. System

4.8.3. Application

5. Event Log Classification

5.1. Application log

5.2. Security log

5.3. System log

5.4. etc. log

6. Event Type

6.1. Error

6.2. Warning

6.3. Information

6.4. Success audit

6.5. Fail audit

7. Purpose for Analysis

7.1. Incident response investigation

7.1.1. malware activity

7.1.2. malware inflow vector

7.2. User audit

7.2.1. Misconduct investigation

8. Characteristic

8.1. Binary logging system

8.2. Not a text logging system

8.3. Event ID normalization

9. Event Log File Path

9.1. *.evt (XP or lower)

9.1.1. %SystemRoot%\System32\Config\SysEvent.Evt

9.1.2. %SystemRoot%\System32\Config\AppEvent.Evt

9.1.3. %SystemRoot%\System32\Config\SecEvent.Evt

9.2. *.evtx (Vista or higher)

9.2.1. %SystemRoot%\System32\winevt\Logs\security.evtx

9.2.2. %SystemRoot%\System32\winevt\Logs\system.evtx

9.2.3. %SystemRoot%\System32\winevt\Logs\application.evtx

9.2.4. Task Scheduler Log

9.2.4.1. Microsoft-Windows-TaskScheduler%4Operational.evtx

9.2.5. RDP Connection Log

9.2.5.1. Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

9.2.6. External-Device Usage

9.2.6.1. Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx

9.2.7. %SystemRoot%\System32\winevt\Logs\*.evtx

10. Storage Type

10.1. Type1 - *.evt

10.1.1. Binary

10.2. Type2 - *.evtx

10.2.1. Binary

10.2.2. XML