# Finding Forensic Goodness In Obscure Windows Event Logs **[nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3](https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3)** Nasreddine Bencherchali February 20, 2021 [Nasreddine Bencherchali](https://nasbench.medium.com/?source=post_page-----60e978ea45a3--------------------------------) Feb 20, 2021 5 min read Event Viewer If you’ve been doing some digital forensics or threat hunting for some time. You’ll know that one of the key sources of information are the Windows event logs. Most of the talks around the windows event logs only mention the “main” sources of logs such as “System” or “Application”, even though windows provide many sources. ----- To get the full logging experience one need to enable additional logging from the or even installs something like but what to do in the case where one cannot install or enable the aforementioned logs? Or let’s say you’re performing an investigation and the machine has only default logging enabled ? Does the windows event log contains other useful information other than the one provided by the main sources (Application, System and Security) ? Today we’ll take a look at some of those event logs and see if there is anything interesting. ## Microsoft-Windows-Shell-Core/Operational Detects the start of the execution of a process from both the “Software\Microsoft\Windows\CurrentVersion\Run” and “Software\Microsoft\Windows\CurrentVersion\RunOnce” registry keys with the full command line. Detects when the aforementioned process finishes execution with the corresponding PID (Useful when the process is still running on the system). Triggered when a shortcut is added to the “App Resolver Cache”. Indicates when an application is installed. Both EID 9707 and 9708 can be used to search for any malware using the “Run” and “RunOnce” key as persistence mechanisms. ## Microsoft-Windows-WinINet-Config/ProxyConfigChanged ----- Indicates change in the proxy configuration. For example if i change my proxy configuration from the “Internet Option” menu. The event will get generated. ## Microsoft-Windows-VHDMP-Operational Triggers when you mount a VHD (Virtual Hard Disk). Triggers when you unmount a VHD (Virtual Hard Disk). Contains information about the type, path, handle count of the mounted device. ## OAlerts (Office Alerts) Triggers when a prompt is shown inside an office application. For example when the prompt to save the office (excel, word…etc) document is shown an event is generated. Contains information about the name of the files (In the case of saving a file), the office version, the office application that triggered the alert (Word, PowerPoint, Excel…etc). This event can be used to determine if a suspicious for example file has been opened or altered in some way by a user. ## Microsoft-Windows-WLAN-AutoConfig/Operational Triggers when a successful connection to a wireless network occurs. Triggers when we’re successfully disconnected from a wireless network. ----- ## Microsoft-Windows-Winlogon/Operational Triggers when a user logon to a machine. You can check for the “” subscriber notification in EID 811 to indicates that a user logged on via RDP. Note that as far as i can tell the “SessionEnv” subscriber is also logged when a user logon to a machine for the first time (I.E doesn’t have a session). To distinguish between the two (RDP or Local) look for the EID 1/2 shortly after the “SessionEnv” subscriber to indicate a local logon and if not present that means its an RDP logon. In my test lab this event is triggered only when a user log in to a computer on which he doesn’t have a session (I.E session disconnected/ doesn’t exist). EID 2 can be used to determine how many times a user typed an incorrect password. For example, if a user provided a wrong password and EID 2 will be generated with the “Result Code : 1326”. Which indicates an incorrect password. ----- If the password is correct, then the “Result Code : 0” is generated. ## Microsoft-Windows-Windows Firewall With Advanced Security/Firewall Trigger when “A rule has been to the Windows Defender Firewall exception list. Triggers when “A rule has been in the Windows Defender Firewall exception list.” Triggers when “A rule has been in the Windows Defender Firewall exception list.” Contains information about : The “Rule Name” that’s been altered. The “Modifying Application” that initiated the change. The “Action” and “Direction” The “User”. …Etc. ## Microsoft-Windows-UniversalTelemetryClient/Operational ----- Indicates whether the computer has Internet or Not. You can use the difference between two events to determine why a process didn’t run (Maybe it needed internet) or answer the question did the malware send information to the C2 since the start of the infection for example. ## Microsoft-Windows-Security-Mitigations/KernelMode Another event log worth looking is the “Microsoft-Windows-Security-Mitigations/*”. This event log contains log about the “Exploit Protection” feature. A complete list of the EID’s available can be found below. ## Apply mitigations to help prevent attacks through vulnerabilities - Windows security ### Important The improved Microsoft 365 security center is now available in public preview. This new experience brings… docs.microsoft.com ## Conclusion We’ve taken a look at a couple of event logs that can be very useful during an investigation or a threat hunt. If you have other suggestions of events that should be added or noticed an [error of some kind drop me a DM on twitter @nas_bench](https://twitter.com/nas_bench) Happy Hunting. -----