DFIR blog: Windows Event Log forensics & .evtx parsing
Short notes on the Windows Event Log binary format, common forensic event IDs, and triage workflows.
Using AppLocker's event logs for DFIR — allowed vs audited vs blocked (8002/8003/8004), the script and MSI channels, and how application-control logs double as an execution record even in audit mode.
Why attackers change the audit policy to go dark, and how Event ID 4719 catches it — reading the subcategory and the success/failure changes, and pairing it with log clearing as an anti-forensics signal.
Detecting AD persistence and credential-replication attacks in the directory-service logs — 5136 object modifications (ACLs, AdminSDHolder, GPO), the 5137/5141 lifecycle, and using 4662 to catch DCSync.
The Security-log record of service installation — how 4697 differs from System 7045, the fields that expose malicious services and PsExec-style lateral movement, and why it's the more reliable of the two.
Tracking network share and file access in the Security log — 5140 (share accessed) vs 5145 (detailed file share), spotting ADMIN$/C$ lateral movement and data staging, and managing 5145's volume.
Using Sysmon's DNS-query event for hunting — process-attributed domain lookups, spotting C2 and DGA domains, DNS tunnelling, and the fields that make it useful.
Tracking dropped files, registry persistence, alternate data streams and self-deletion with Sysmon — FileCreate (11), registry events (12/13/14), FileCreateStreamHash (15) and FileDelete (23/26).
Using Sysmon's image-load event to catch DLL search-order hijacking, sideloading and unsigned modules — the fields, the signature checks that matter, and how to manage its very high volume.
How to use Sysmon's network-connection event for threat hunting — the fields it records, spotting beaconing and LOLBin network activity, and why it's off by default and noisy.