Skip to content

DFIR blog: Windows Event Log forensics & .evtx parsing

4672 fires whenever a logon is granted sensitive privileges like SeDebugPrivilege or SeTcbPrivilege. Read it as the 'this logon is admin-equivalent' signal and the rest of audit policy falls into place.
4688 is the base-OS process create record, provided command-line auditing is on. Here is what is in it, how it differs from Sysmon 1, and the triage patterns that earn their keep.
4720 fires every time a user account is created, local or domain. Read it with 4722, 4724, and 4732 and you catch persistence and lateral-movement accounts within minutes.
4768 is the DC's record of every TGT issued. Read it through the result code and pre-auth flag and you spot AS-REP roasting, brute force, and unconstrained-delegation abuse.
4769 is the DC's record of every service-ticket request. Read it through the encryption type and you spot kerberoasting. Read it with 4768 and you spot pass-the-ticket.
7036 fires every time a service starts or stops. Paired with 7045 it confirms whether persistence actually ran. On its own it reveals service abuse, defense evasion, and boot anomalies.
Five ways to open a Windows .evtx file: in your browser, in Event Viewer, with wevtutil, with EvtxECmd, or with python-evtx. Pick by host OS and how much friction you can stomach.
An .evtx file is a binary Windows Event Log. Where they live, what is inside one, how they differ from .evt, and how to open them. No install required.
Four ways to pull .evtx off a live Windows host: wevtutil, FTK Imager, KAPE, raw NTFS. With the chain-of-custody trade-offs for each and the commands you'll actually run.