opexxx

WinEvent.ps1

Jul 7th, 2020
212
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Lock/screensaver
  2.  
  3. Workstation was locked
  4. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }
  5. Workstation was unlocked
  6. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }
  7. Screensaved invoked
  8. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }
  9. Screensaver dismissed
  10. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }
  11.  
  12.  
  13. System ON/OFF
  14.  
  15. Windows is starting up
  16. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }
  17. System uptime
  18. Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }
  19. Windows is shutting down
  20. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }
  21. System has been shut down
  22. Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }
  23.  
  24.  
  25. System sleep/awake
  26.  
  27. System entering sleep mode
  28. Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }
  29. System returning from sleep
  30. Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }
  31.  
  32.  
  33. Logons
  34.  
  35. Successful logons
  36. Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }
  37. Logons with explicit credentials
  38. Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }
  39. Account logoffs
  40. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }
  41.  
  42.  
  43. Access
  44.  
  45. Outbound RDP
  46. Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap
  47. Inbound RDP
  48. Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap
  49. Outbound WinRM
  50. Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }
  51.  
  52. Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }
  53. Inbound WinRM
  54. Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }
  55.  
  56. Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'}
  57.  
  58.  
  59. Activity
  60.  
  61. Attempt to install a service
  62. Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }
  63. Scheduled task created
  64. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }
  65. Scheduled task updated
  66. Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }
  67. Sysinternals usage?
  68. Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted
  69.  
  70.  
  71. Security
  72.  
  73. LSASS started as a protected process
  74. Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }
Add Comment
Please, Sign In to add comment