```text
# common locations
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx
C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

# first questions
- do I have Security + Sysmon + PowerShell logs?
- are they native, exported, or carved?
- are timestamps shown in UTC or in the analysis box's local time? (EVTX stores UTC; most tools render local by default)
- do I want quick grep, CSV timeline, Sigma hunt, or XML/JSON parsing?
```
```bash
# quick look only: EVTX strings are UTF-16LE (-el), and event IDs are stored as binary,
# so grep for names, paths and commands here, never for "4624"
strings -el Security.evtx | grep -Ei "powershell|encodedcommand|\.exe"
# proper parsing
EvtxECmd.exe -f Security.evtx --csv out
chainsaw search -t 'Event.System.EventID: =4624' Logs/
evtx_dump.py Security.evtx > security.xml          # python-evtx
evtx_dump -o jsonl Security.evtx > security.jsonl  # Rust evtx

# pivot order
# 4624/4625 → 4648 → 4672 → 4688 → 4698/7045 → PowerShell/Sysmon
# build one timeline, not isolated screenshots
```
| Event ID | Log | Meaning | Useful fields / notes |
|---|---|---|---|
| 1102 | Security | Audit log cleared | Big tampering clue; find SubjectUserSid / SubjectUserName |
| 4624 | Security | Successful logon | LogonType, TargetUserName, IpAddress, WorkstationName, LogonId |
| 4625 | Security | Failed logon | Status/SubStatus, username spray, source IP |
| 4634 | Security | Logoff | Pair with 4624 via LogonId (4647 is a user-initiated logoff) |
| 4648 | Security | Explicit credentials used | runas / alternate creds / lateral movement clue |
| 4672 | Security | Special privileges assigned | Admin / SYSTEM logons (SeDebugPrivilege etc.); pair with the 4624 sharing the same LogonId |
| 4688 | Security | Process creation | NewProcessName, ParentProcessName; CommandLine is only populated if "Include command line in process creation events" is enabled |
| 4697 | Security | Service installed | Needs the Audit Security System Extension subcategory, so it is often absent; compare with 7045 in the System log, which is on by default |
| 4698 | Security | Scheduled task created | Task name, action, author |
| 4702 | Security | Scheduled task updated | Task persistence changes |
| 4719 | Security | Audit policy changed | Coverage reduction / tampering |
| 4720 | Security | User account created | New account creation |
| 4728/4732/4756 | Security | User added to global / local / universal security group | Group membership abuse (Domain Admins, Administrators) |
| 4738 | Security | User account changed | Password / flags / metadata |
| 4768 | Security | Kerberos TGT requested | Logged on domain controllers only |
| 4769 | Security | Kerberos service ticket requested | Kerberoasting clue: many service tickets from one account, TicketEncryptionType 0x17 (RC4) |
| 4771 | Security | Kerberos pre-auth failed | Bad password, spray, clock issues |
| 4776 | Security | NTLM authentication | Credential validation; logged on the DC for domain accounts, on the host for local accounts; has a Workstation field but no source IP |
| 5140 | Security | Network share accessed | ShareName, SubjectUserName |
| 5145 | Security | Detailed file share access | RelativeTargetName, AccessMask |
| 5156 | Security | WFP allowed connection | Network connection telemetry only with Filtering Platform Connection auditing enabled; very noisy |
| 7045 | System | Service installed | ServiceName, ImagePath, start type |
| 6005 | System | Event log service started | System startup marker |
| 6006 | System | Event log service stopped | Shutdown marker |
| 1 | Sysmon | Process created | Parent image, hashes, command line, GUIDs |
| 3 | Sysmon | Network connection | Src/Dst IP + port, process image |
| 7 | Sysmon | Image loaded | DLL hijack / injection clues |
| 8 | Sysmon | CreateRemoteThread | Injection clue |
| 10 | Sysmon | Process access | LSASS access / dump attempts: TargetImage lsass.exe, GrantedAccess (0x1010, 0x1fffff), CallTrace |
| 11 | Sysmon | File created | Dropped payloads |
| 12/13/14 | Sysmon | Registry events | Persistence, tampering |
| 22 | Sysmon | DNS query | Beaconing / staging domains |
```bash
# list interesting event ids quickly (tau expression on the parsed field)
chainsaw search -t 'Event.System.EventID: =4624' Logs/
chainsaw search -t 'Event.System.EventID: =7045' Logs/
# free text search in evtx/json (-i case-insensitive, -e regex)
chainsaw search -i powershell Logs/
chainsaw search -i encodedcommand Logs/
# sigma hunt with mappings (the mapping file maps Sigma logsources/fields onto evtx fields)
chainsaw hunt Logs/ -s sigma/rules/ --mapping mappings/sigma-event-logs-all.yml --csv --output out/
# target one log file
chainsaw hunt Security.evtx -s sigma/rules/ --mapping mappings/sigma-event-logs-all.yml --json --output out.json
# same idea but only show high-level matches on screen
chainsaw hunt Logs/ -s sigma/rules/ --mapping mappings/sigma-event-logs-all.yml --level high
```
```bash
# timeline csv from directory (-U prints UTC instead of the analysis box's local time)
hayabusa csv-timeline -d Logs -o timeline.csv -U
# detection timeline using the built-in rules, medium level and above only
hayabusa csv-timeline -d Logs -o hayabusa.csv -m medium
# html summary report alongside the csv
hayabusa csv-timeline -d Logs -o timeline.csv -H report.html
# focused summaries
hayabusa logon-summary -d Logs
hayabusa eid-metrics -d Logs
# noisy CTF sets: timeline first, then grep suspicious process names
grep -Ei "powershell|cmd\.exe|mshta|rundll32|regsvr32|certutil|bitsadmin" timeline.csv
```
| Event ID | Log | Use |
|---|---|---|
| 400 | Windows PowerShell | Engine start (HostApplication field shows the launching command line) |
| 403 | Windows PowerShell | Engine stop |
| 800 | Windows PowerShell | Pipeline execution details (legacy module logging) |
| 4103 | PowerShell Operational | Module logging |
| 4104 | PowerShell Operational | Script block logging (high value) |
| 4105/4106 | PowerShell Operational | Script block invocation started / completed (ScriptBlockId links back to the 4104) |
| 106 | TaskScheduler Operational | Task registered (this channel is off by default on many client builds) |
| 140 | TaskScheduler Operational | Task updated |
| 141 | TaskScheduler Operational | Task registration deleted (cleanup after use) |
| 200/201 | TaskScheduler Operational | Action started / completed |
```bash
grep -Ei "powershell|pwsh|encodedcommand|frombase64string|iex|downloadstring|rundll32|regsvr32|mshta|schtasks|sc\.exe|cmd\.exe /c" *.xml timeline.csv

# base64 PowerShell (-enc / -EncodedCommand)? the payload is UTF-16LE, not UTF-8
python3 - <<'PY'
import base64
s = "BASE64_HERE"
print(base64.b64decode(s).decode("utf-16le", "ignore"))
PY
```
```bash
# Zimmerman tools
EvtxECmd.exe -d Logs --csv evtx_csv --csvf all.csv
EvtxECmd.exe -d Logs --csv evtx_csv --csvf ids.csv --inc 4624,4625,4688,4698,7045,1102   # only these IDs
TimelineExplorer.exe evtx_csv\all.csv

# python-evtx (XML) / Rust evtx (JSON lines)
evtx_dump.py Security.evtx > security.xml
evtx_dump -o jsonl Security.evtx > security.jsonl

# jq / csvkit (EvtxECmd column names)
csvcut -c TimeCreated,EventId,Provider,Computer,MapDescription,ExecutableInfo evtx_csv/all.csv
jq -c 'select(.Event.System.EventID == 4688) | .Event.EventData.CommandLine' security.jsonl
```
1. export EVTX to CSV/XML/JSON
2. determine timezone / host / log coverage (first and last record per log, audit policy, any 1102/4719)
3. mark startup / shutdown boundaries (6005/6006)
4. list 4624/4625 pairs and remote logons (LogonType 3/10, source IP, LogonId)
5. extract 4688 or Sysmon 1 command lines; decode any -EncodedCommand
6. check tasks / services / PowerShell / cleared logs
7. run Sigma hunt with Chainsaw or Hayabusa
8. correlate with Prefetch, Amcache, LNK, MFT, PCAP
9. note blind spots (no Sysmon, 4688 without command lines, cleared or rotated logs, disabled channels) before concluding
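Steps 4, 5 and 9 of this chain, plus the base64 decode from the PowerShell section, as one added worked example (not code from the page or from any of the tools above). It runs over JSON lines in the shape the Rust `evtx_dump -o jsonl` emits (`Event.System` / `Event.EventData`, XML attributes under `#attributes`, 1102 fields under `UserData/LogFileCleared`); that shape is my assumption and should be checked against a real dump. The seven records are constructed to show a spray from one IP, the logon that followed it, an encoded PowerShell launch from WmiPrvSE, and the log being cleared.

```python
"""Mini EVTX triage over evtx_dump -o jsonl records (added example; constructed data)."""
import base64
import json
import re
from collections import defaultdict

# Constructed sample records shaped like Rust evtx_dump -o jsonl output (Event.System /
# Event.EventData, XML attributes under "#attributes"). Not real case data; times are UTC.
SAMPLE_JSONL = r"""
{"Event":{"System":{"Channel":"Security","EventID":4625,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:00:01Z"}}},"EventData":{"TargetUserName":"alice","IpAddress":"10.0.0.9","LogonType":3,"Status":"0xc000006d","SubStatus":"0xc000006a"}}}
{"Event":{"System":{"Channel":"Security","EventID":4625,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:00:02Z"}}},"EventData":{"TargetUserName":"bob","IpAddress":"10.0.0.9","LogonType":3,"Status":"0xc000006d","SubStatus":"0xc000006a"}}}
{"Event":{"System":{"Channel":"Security","EventID":4625,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:00:03Z"}}},"EventData":{"TargetUserName":"svc_backup","IpAddress":"10.0.0.9","LogonType":3,"Status":"0xc000006d","SubStatus":"0xc000006a"}}}
{"Event":{"System":{"Channel":"Security","EventID":4624,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:00:09Z"}}},"EventData":{"TargetUserName":"svc_backup","IpAddress":"10.0.0.9","LogonType":3,"TargetLogonId":"0x3e7a1"}}}
{"Event":{"System":{"Channel":"Security","EventID":4688,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:00:15Z"}}},"EventData":{"SubjectUserName":"svc_backup","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessName":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"}}}
{"Event":{"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:00:16Z"}}},"EventData":{"User":"WS01\\svc_backup","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"cmd.exe /c whoami"}}}
{"Event":{"System":{"Channel":"Security","EventID":1102,"Computer":"WS01","TimeCreated":{"#attributes":{"SystemTime":"2024-03-01T08:05:00Z"}}},"UserData":{"LogFileCleared":{"SubjectUserName":"svc_backup","SubjectLogonId":"0x3e7a1"}}}}
"""

# any unambiguous prefix of -EncodedCommand that PowerShell accepts, then the base64 blob
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

def load_records(text):
    """One JSON object per non-empty line (jsonl)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def event_id(rec):
    eid = rec["Event"]["System"]["EventID"]  # dict form when the element carries Qualifiers
    return int(eid["#text"] if isinstance(eid, dict) else eid)

def when(rec):
    return rec["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"]

def channel(rec):
    return rec["Event"]["System"].get("Channel", "")

def fields(rec):
    """EventData for most events; 1102 and a few others put fields under UserData/<wrapper>."""
    ev = rec["Event"]
    if "EventData" in ev:
        return ev["EventData"]
    return next(iter(ev.get("UserData", {}).values()), {})

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); None if absent or not valid base64."""
    m = ENC_RE.search(cmdline or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def failed_logons_by_source(records):
    """4625 per source IP -> sorted target accounts; many accounts from one IP is a spray."""
    seen = defaultdict(set)
    for r in records:
        if channel(r) == "Security" and event_id(r) == 4625:
            d = fields(r)
            seen[d.get("IpAddress", "-")].add(d.get("TargetUserName", "-"))
    return {ip: sorted(users) for ip, users in seen.items()}

def remote_logons(records):
    """4624 with a remote LogonType (3 network, 8 cleartext, 9 new creds, 10 RDP)."""
    out = []
    for r in records:
        if channel(r) == "Security" and event_id(r) == 4624:
            d = fields(r)
            lt = int(d.get("LogonType", 0))
            if lt in (3, 8, 9, 10):
                out.append((when(r), d.get("TargetUserName"), d.get("IpAddress"), lt))
    return out

def process_creations(records):
    """4688 (Security) and Sysmon 1 rows with any -EncodedCommand decoded."""
    rows = []
    for r in records:
        eid, ch, d = event_id(r), channel(r), fields(r)
        if ch == "Security" and eid == 4688:
            user, image, parent = d.get("SubjectUserName"), d.get("NewProcessName"), d.get("ParentProcessName")
        elif ch.startswith("Microsoft-Windows-Sysmon") and eid == 1:
            user, image, parent = d.get("User"), d.get("Image"), d.get("ParentImage")
        else:
            continue
        cmd = d.get("CommandLine", "")
        rows.append({"time": when(r), "user": user, "image": image, "parent": parent,
                     "cmdline": cmd, "decoded": decode_encoded_command(cmd)})
    return rows

def timeline(records):
    """One sorted (time, computer, event id, actor, detail) row per event: one timeline, not screenshots."""
    rows = []
    for r in records:
        d = fields(r)
        who = d.get("TargetUserName") or d.get("SubjectUserName") or d.get("User") or "-"
        detail = d.get("CommandLine") or d.get("IpAddress") or ""
        rows.append((when(r), r["Event"]["System"].get("Computer", "-"), event_id(r), who, detail))
    return sorted(rows)

RECORDS = load_records(SAMPLE_JSONL)

if __name__ == "__main__":
    print("failed logons:", failed_logons_by_source(RECORDS))
    for p in process_creations(RECORDS):
        print("proc:", p["time"], p["image"], "<-", p["parent"], "|", p["decoded"] or p["cmdline"])
    for row in timeline(RECORDS):
        print(*row)
```

Swap `SAMPLE_JSONL` for `open("security.jsonl").read()` to run it on a real dump; the `-enc` payload decodes to `whoami` here, and the sorted timeline puts the 1102 last, with the same `SubjectLogonId` as the spray-sourced 4624, which is the pivot the table rows above describe.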