Collection of Windows PowerShell Event log commands and Windows Event ID tables.
PowerShell Commands
Get list of available logs (local)
1
Get-EventLog -List
Show log for remote system
1
Show-EventLog -ComputerName <computer-name>
Get events from multiple systems
1
Get-EventLog -LogName System -ComputerName <computer-name0>, <computer-name1>, <computer-name2>
Get all events (local) including keyword in the message
1
Get-EventLog -LogName System -Message *keyword*
Display property values of an event
1
Get-EventLog -LogName System -Newest 1 | Select-Object -Property *
Get recent entires from Application, Security and System event logs
1
2
3
Get-EventLog -Newest 5 -LogName Application | Format-List
Get-EventLog -Newest 5 -LogName Security | Format-List
Get-EventLog -Newest 5 -LogName System | Format-List
Get error event from specific event log
1
Get-EventLog -LogName <event-log> -EntryType Error
Get list of events that occured during a specific date/time range
1
2
3
$Begin = Get-Date -Date '8/17/2019 08:00:00'
$End = Get-Date -Date '8/18/2019 17:00:00'
Get-EventLog -LogName <event-log> -EntryType Error -After $Begin -Before $End
Get list of Security events based on Event ID
1
2
3
4
5
6
7
Get-EventLog Security | ? { $_EventId -eq 4800}
Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4774}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; Data=10} | FL TimeCreated,Message
Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4672} -MaxEvents 1 | Format-List -Property *
Account Management User Events
| Event ID | Name |
|---|---|
| 4720 | A user account was created |
| 4722 | A user account was enabled |
| 4723 | An attempt was made to change an account’s password |
| 4724 | An attempt was made to reset an accounts password |
| 4725 | A user account was disabled |
| 4726 | A user account was deleted |
| 4738 | A user account was changed |
| 4740 | A user account was locked out |
| 4767 | A user account was unlocked |
| 4781 | The name of an account was changed |
Logon Events
| Event ID | Level | Name |
|---|---|---|
| 4624 | Informational | An account was successfully logged on. Logon types: 2. Interactive (keyboard/screen of system 3. Network (shares) 4. Batch (scheduled tasks) 5.Service (service startup) 7. Unlock (pw protected screen saver) 8. NetworkClearText 9. NewCredentials (RunAs) 10. RemoteInteractive (Remote Desktop/Terminal Services/Remote Assitance) 11. CachedInteractive (login with cached domain credentials) |
| 4625 | Informational | An account failed to logon (see table below for failure codes) |
| 4634 | Informational | An account was logged off |
| 4648 | Informational | Logon attempted using explicit credentials |
| 4740 | Informational | A user account was locked out |
Account Logon Failure Codes - Event ID 4625
| Status/Sub Status Code | Name |
|---|---|
| 0xC0000064 | Username does not exist |
| 0xC000006A | User name correct, password wrong |
| 0xC0000234 | User is currently locked out |
| 0xC0000072 | Users account is currently disasbled |
| 0xC000006F | User tried to logon outside time of day restrictions |
| 0xC0000070 | Workstation restriction, or Authentication Policy Silo violation, look for Event ID 4820 on DC |
| 0xC0000193 | Account has expired |
| 0xC0000071 | Account has expired password |
| 0xC0000133 | System clocks between DC and PC too far out of sync |
| 0xC0000224 | User is required to change password at next logon |
| 0xC0000225 | evidently a bug in Windows and not a risk |
| 0xc000015b | User has not been granted the requested logon type on the specific machine |
Account Management Security Group Events
| Local | Global | Universal | |
|---|---|---|---|
| Created | 4731 | 4727 | 4754 |
| Changed | 4735 | 4737 | 4755 |
| Deleted | 4734 | 4730 | 4758 |
| Member Added | 4732 | 4728 | 4756 |
| Member Removed | 4733 | 4729 | 5757 |
Account Management Distribution Group Events
| Local | Global | Universal | |
|---|---|---|---|
| Created | 4744 | 4749 | 4759 |
| Changed | 4745 | 4750 | 4760 |
| Deleted | 4748 | 4753 | 4763 |
| Member Added | 4746 | 4751 | 4761 |
| Member Removed | 4747 | 4752 | 4762 |
Sysmon Events
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
| Event ID | Name |
|---|---|
| 1 | Process creation |
| 2 | A process changed a file creation time |
| 3 | Network connection |
| 4 | Sysmon service state changed |
| 5 | Process termination |
| 6 | Driver loaded |
| 7 | Image loaded |
| 8 | CreateRemoteThread |
| 9 | RawAccessRead |
| 10 | ProcessAccess |
| 11 | FileCreate |
| 12 | RegistryEvent (object create and delete) |
| 13 | RegistryEvent (registry value set) |
| 14 | RegistryEvent (registry object renamed) |
| 15 | FileCreateStreamHash (file steam created) |
| 16 | Sysmon configuration change (cannot be filtered) |
| 17 | PipeEvent (named pipe created) |
| 18 | PipeEvent (named pipe connected) |
| 19 | WmiEvent (WmiEventFilter activity detected) |
| 20 | WmiEvent (WmiEventConsumer activity detected) |
| 21 | WmiEvent (WmiEventConsumerToFilter actively detected) |
| 22 | DNSEvent (DNS query) |
| 255 | error |
Windows Firewall Events
| Event ID | Name |
|---|---|
| 5146 | The Windows Filtering Platform has blocked a packet |
| 5147 | A more restrictive Windows Filtering Platform filter has blocked a packet |
| 5148 | The Windows Filtering Platform has detected a DoS attack and entered defensive mode, packets associated with this attack will be discarded |
| 5149 | The DoS attack has subsided and normal processing is being resumed |
| 5150 | The Windows Filtering Platform has blocked a packet |
| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet |
| 5152 | The Windows Filtering Platform has blocked a packet |
| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections |
| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections |
| 5156 | The Windows Filtering Platform has allowed a connection |
| 5157 | The Windows Filtering Platform has blocked a connection |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port |
| 5159 | The Windows Filtering Platform has blocked a bind to a local port |
Applocker Events
AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
| Event ID | Level | Name |
|---|---|---|
| 8000 | Error | Application Identity Policy conversion failed. This condition indicates issues applying policy to the system |
| 8002 | Information | FileName was allowed to run |
| 8003 (Audit only) |
Warning | FileName was allowed to run but would have been prevented if policy enforced. (EXE’s) |
| 8004 | Error | FileName was not allowed to run |
| 8005 | Information | FileName was allowed to run |
| 8006 (Audit only) |
Error | FileName was allowed to run but would have been prevented if policy enforced. (Script/MSI’s) |
| 8007 | Error | FileName was not allowed to run (by policy). |
Windows Defender Antivirus Events
| Event ID | Name |
|---|---|
| 1000 | An antimalware scan started |
| 1001 | An antimalware scan finished |
| 1002 | Scan stopped (canceled) before finished |
| 1005 | Scan terminated due to error |
| 1006 | Detected malware |
| 1007 | Action performed to protect system from malware |
| 1008 | Action on malware failed |
| 1010 | Antimalware could not restore an item from quarantine |
| 1015 | Antimalware platform detected suspicious behaviour |
| 1116 | Platform detected malware or unwanted software |
| 1117 | Malware remediation or action taken |
| 1119 | Remediation error |
| 2001 | Failed to update signatures |
| 2003 | Failed to update engine |
| 2004 | Reverting to last know good signatures |
| 3002 | Real time protection failed |
| 5008 | Antimalware engine encountered error and failed |