opexxx

WinEvent.ps1

Jul 7th, 2020
# Lock/screensaver

# Workstation was locked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4800' }
# Workstation was unlocked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4801' }
# Screensaver invoked
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4802' }
# Screensaver dismissed
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4803' }


# System ON/OFF

# Windows is starting up
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4608' }
# System uptime
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='6013' }
# Windows is shutting down
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4609' }
# System has been shut down
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1074' }


# System sleep/awake

# System entering sleep mode
Get-WinEvent -FilterHashtable @{ LogName='system'; Id=42 }
# System returning from sleep
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='1'; ProviderName = "Microsoft-Windows-Power-Troubleshooter" }


# Logons

# Successful logons
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624' }
# Logons with explicit credentials
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4648' }
# Account logoffs
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4634' }


# Access

# Outbound RDP
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap
# Inbound RDP
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; id='21' } | select timecreated, message | ft -AutoSize -Wrap
# Outbound WinRM
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=6 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=80 }
# Inbound WinRM
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; id=91 }

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; id=5857 } | ? {$_.message -match 'Win32_WIN32_TERMINALSERVICE_Prov|CIMWin32'}


# Activity

# Attempt to install a service
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697' }
# Scheduled task created
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4698' }
# Scheduled task updated
Get-WinEvent -FilterHashtable @{ LogName='security'; Id='4702' }
# Sysinternals usage?
Get-ItemProperty 'HKCU:\SOFTWARE\Sysinternals\*' | select PSChildName, EulaAccepted


# Security

# LSASS started as a protected process
Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }
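Added example, not part of the original paste: the one-off queries above become far more useful on a host triage when they are merged into a single time-ordered session timeline. The function below runs the lock/unlock, logon/logoff, power and inbound-RDP queries from this paste over one time window, pulls the user and logon type out of the event XML by field name, and tolerates logs with no matching events. It assumes the paste's event IDs, local admin rights (the Security log is not readable otherwise), and function names of its own (Get-EventDataField, Get-SessionTimeline).

```powershell
function Get-EventDataField {
    # Read a named <Data Name="..."> value from the event XML instead of a
    # positional Properties[] index, which shifts between Windows builds.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SessionTimeline {
    param(
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date)
    )
    # IDs taken from the queries in this paste, grouped by the log they live in.
    $queries = @(
        @{ LogName = 'Security'; Id = 4624, 4634, 4648, 4800, 4801, 4802, 4803, 4608, 4609 },
        @{ LogName = 'System';   Id = 42, 1074, 6013 },
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21 }
    )
    $labels = @{
        4624 = 'Logon'; 4634 = 'Logoff'; 4648 = 'Explicit-credential logon'
        4800 = 'Locked'; 4801 = 'Unlocked'; 4802 = 'Screensaver on'; 4803 = 'Screensaver off'
        4608 = 'Windows starting'; 4609 = 'Windows shutting down'
        42 = 'Entering sleep'; 1074 = 'Shutdown initiated'; 6013 = 'Uptime'; 21 = 'Inbound RDP session'
    }
    $events = foreach ($q in $queries) {
        $q.StartTime = $Start
        $q.EndTime   = $End
        # "No events were found" is raised as a non-terminating error; silence it
        # so one empty log does not clutter or abort the whole timeline.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $user = $null; $type = $null
            if ($_.Id -in 4624, 4634, 4648) {
                $user = Get-EventDataField $_ 'TargetUserName'
                $type = Get-EventDataField $_ 'LogonType'   # null for 4648, which has no LogonType
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Label     = $labels[[int]$_.Id]
                User      = $user
                LogonType = $type
                Log       = $_.LogName
            }
        }
    }
    $events | Sort-Object Time
}

# Last 24 hours of session activity on this host, oldest first.
Get-SessionTimeline | Format-Table -AutoSize
```

Logon type 10 (RemoteInteractive) rows next to event 21 entries make the RDP sessions stand out; pass -Start/-End to narrow the window around a suspected incident.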