Skip to content

Florian Amette

DFIR practitioner writing on Windows Event Log forensics. Alias: F4K.

Using AppLocker's event logs for DFIR — allowed vs audited vs blocked (8002/8003/8004), the script and MSI channels, and how application-control logs double as an execution record even in audit mode.
Why attackers change the audit policy to go dark, and how Event ID 4719 catches it — reading the subcategory and the success/failure changes, and pairing it with log clearing as an anti-forensics signal.
Detecting AD persistence and credential-replication attacks in the directory-service logs — 5136 object modifications (ACLs, AdminSDHolder, GPO), the 5137/5141 lifecycle, and using 4662 to catch DCSync.
The Security-log record of service installation — how 4697 differs from System 7045, the fields that expose malicious services and PsExec-style lateral movement, and why it's the more reliable of the two.
Tracking network share and file access in the Security log — 5140 (share accessed) vs 5145 (detailed file share), spotting ADMIN$/C$ lateral movement and data staging, and managing 5145's volume.
Using Sysmon's DNS-query event for hunting — process-attributed domain lookups, spotting C2 and DGA domains, DNS tunnelling, and the fields that make it useful.
Tracking dropped files, registry persistence, alternate data streams and self-deletion with Sysmon — FileCreate (11), registry events (12/13/14), FileCreateStreamHash (15) and FileDelete (23/26).
Using Sysmon's image-load event to catch DLL search-order hijacking, sideloading and unsigned modules — the fields, the signature checks that matter, and how to manage its very high volume.
How to use Sysmon's network-connection event for threat hunting — the fields it records, spotting beaconing and LOLBin network activity, and why it's off by default and noisy.
Detecting code injection and credential theft with Sysmon — CreateRemoteThread (8) and ProcessAccess (10), reading GrantedAccess masks against lsass.exe, and using the call trace to find unsigned modules.
How a changed system clock undermines a timeline, and how Event ID 4616 exposes it — reading PreviousTime vs NewTime, separating benign NTP sync from anti-forensic manipulation, and the process that made the change.
Reading the CodeIntegrity Operational log for application-control and driver-blocking evidence — audit blocks (3076) vs enforced blocks (3077), what they reveal about unsigned and untrusted code, and how they fit alongside AppLocker.
Reading Microsoft Defender's Operational log in DFIR — malware detections (1116/1117), real-time protection disabled (5001), and the settings changes (5007) attackers use to add exclusions and go quiet.
Reading account-lockout and password-change events in the Security log — 4740 (locked out) and its caller computer, 4767 (unlocked), 4723/4724 (password change vs admin reset), and what each pattern means for an investigation.
A token-by-token walkthrough of BinXML — the binary XML encoding inside .evtx records. Names, hashes, templates, the substitution array, nested fragments, and the edge cases that break parsers.
How attackers move host-to-host over RDP and the event-log trail it leaves — chaining RDPClient 1024 to RemoteConnectionManager 1149, spotting jump-host fan-out, restricted-admin and tunnelled RDP, and the gaps to watch for.
A practical workflow for answering 'was there a remote desktop session' from EVTX alone — which logs to pull, which event IDs to filter, how to confirm a real interactive session, and how to read the source and timing.
How to turn scattered .evtx files into one defensible timeline — which events to anchor on, normalising to UTC, correlating across hosts and logs, joining sessions by LogonId, and avoiding the common timelining mistakes.
A field-by-field reference for the Windows .evtx format — file header, ELFCHNK chunk header, event record, the full BinXML token and value-type tables, and a worked decode from raw bytes to rendered XML.
How attackers clear, truncate and timestomp Windows event logs — and the byte-level tells that survive: 1102/104 clearing events, record-ID gaps, chunk CRC mismatches, dirty chunks, and records carvable from slack and unallocated space.
Detecting privilege escalation and persistence through group membership changes in the Security log — local (4732), global (4728) and universal (4756) group additions, what the fields mean, and the create-then-add pattern.
A practical guide to reading .evtx files with PowerShell — Get-WinEvent vs Get-EventLog, the fast FilterHashtable path, XPath filters for EventData fields, FilterXml, and the limitations that trip people up.
Every Windows event a Remote Desktop session leaves behind, across four logs — 1149, LocalSessionManager 21/22/24/25, Security 4624 type 10 and 4778/4779 — and how they fit together into one timeline.
How attackers use scheduled tasks for persistence and what it leaves in the event logs — Security 4698/4699/4700/4701/4702 with the full task XML, and the Task Scheduler Operational log 106/140/141/200.
How to scan .evtx files with detection rules at scale — what Sigma is, how Chainsaw and Hayabusa apply it to event logs, when to use each, and how to fit rule-based triage into an investigation.
The Windows event IDs that matter in an investigation, grouped by attack phase — with the log they live in, a one-line meaning, and a link to the deep-dive for each. A reference for incident response and threat hunting.
How Windows logon auditing actually fits together — logon types, 4624/4625 fields and failure codes, the Kerberos 4768/4769/4771 chain, NTLM 4776, and how the events correlate across the domain controller and the target host.
How attackers persist with permanent WMI event subscriptions (__EventFilter + __EventConsumer + __FilterToConsumerBinding) and what the WMI-Activity Operational log records — Event ID 5861 and friends.
Signature carving EVTX records from unallocated space, pagefile, and memory — and the tools that handle malformed chunks gracefully when the live log is missing what you need.
How real adversary tools move host-to-host in Windows estates, and the precise event ID combinations in Security.evtx that catch PsExec, Impacket, and WMIExec.
How attackers clear Windows event logs, what evidence remains on disk and in forwarded channels, and the difference between wevtutil cl and thread-suspension tools like Invoke-Phant0m.
A working tour of the EVTX binary format: file header, ELFCHNK chunks, BinXML templates, substitution arrays, and why parsing this thing is harder than it looks.
A practitioner's order of operations for triaging Windows Event Logs during incident response — which channels matter, which event IDs lie to you, and where Sysmon does the heavy lifting.
The practical difference between PowerShell module logging, script block logging, transcripts, and AMSI buffers — and the GPO settings that actually turn the useful ones on.
An opinionated take on Sysmon: which event IDs actually matter in IR, why olafhartong/sysmon-modular is the right baseline, and the configuration mistakes that blind you to real attacks.