Search
Search the blog.
AppLocker event logs: 8003, 8004 and what ran
Using AppLocker's event logs for DFIR — allowed vs audited vs blocked (8002/8003/8004), the script and MSI channels, and how application-control logs double as an execution record even in audit mode.
Event ID 4719: audit policy tampering as an early warning
Why attackers change the audit policy to go dark, and how Event ID 4719 catches it — reading the subcategory and the success/failure changes, and pairing it with log clearing as an anti-forensics signal.
Active Directory changes: Event ID 5136 and DCSync (4662)
Detecting AD persistence and credential-replication attacks in the directory-service logs — 5136 object modifications (ACLs, AdminSDHolder, GPO), the 5137/5141 lifecycle, and using 4662 to catch DCSync.
Event ID 4697: a service was installed (and why it beats 7045)
The Security-log record of service installation — how 4697 differs from System 7045, the fields that expose malicious services and PsExec-style lateral movement, and why it's the more reliable of the two.
File share access: Event IDs 5140 and 5145
Tracking network share and file access in the Security log — 5140 (share accessed) vs 5145 (detailed file share), spotting ADMIN$/C$ lateral movement and data staging, and managing 5145's volume.
Sysmon Event ID 22: DNS queries, C2 domains and exfiltration
Using Sysmon's DNS-query event for hunting — process-attributed domain lookups, spotting C2 and DGA domains, DNS tunnelling, and the fields that make it useful.
Sysmon file and registry events: 11, 12–14, 15 and 23/26
Tracking dropped files, registry persistence, alternate data streams and self-deletion with Sysmon — FileCreate (11), registry events (12/13/14), FileCreateStreamHash (15) and FileDelete (23/26).
Sysmon Event ID 7: image loads, DLL hijacking and sideloading
Using Sysmon's image-load event to catch DLL search-order hijacking, sideloading and unsigned modules — the fields, the signature checks that matter, and how to manage its very high volume.
Sysmon Event ID 3: network connections and C2 detection
How to use Sysmon's network-connection event for threat hunting — the fields it records, spotting beaconing and LOLBin network activity, and why it's off by default and noisy.
Sysmon Event IDs 8 and 10: process injection and LSASS access
Detecting code injection and credential theft with Sysmon — CreateRemoteThread (8) and ProcessAccess (10), reading GrantedAccess masks against lsass.exe, and using the call trace to find unsigned modules.
Event ID 4616: system time changes and timestomping
How a changed system clock undermines a timeline, and how Event ID 4616 exposes it — reading PreviousTime vs NewTime, separating benign NTP sync from anti-forensic manipulation, and the process that made the change.
WDAC and Code Integrity events: 3076 and 3077
Reading the CodeIntegrity Operational log for application-control and driver-blocking evidence — audit blocks (3076) vs enforced blocks (3077), what they reveal about unsigned and untrusted code, and how they fit alongside AppLocker.
Windows Defender event logs: detections and tampering
Reading Microsoft Defender's Operational log in DFIR — malware detections (1116/1117), real-time protection disabled (5001), and the settings changes (5007) attackers use to add exclusions and go quiet.
Account lockouts and password resets: 4740, 4724 and 4767
Reading account-lockout and password-change events in the Security log — 4740 (locked out) and its caller computer, 4767 (unlocked), 4723/4724 (password change vs admin reset), and what each pattern means for an investigation.
How BinXML actually works: decoding the EVTX token stream
A token-by-token walkthrough of BinXML — the binary XML encoding inside .evtx records. Names, hashes, templates, the substitution array, nested fragments, and the edge cases that break parsers.
Detecting RDP lateral movement in event logs
How attackers move host-to-host over RDP and the event-log trail it leaves — chaining RDPClient 1024 to RemoteConnectionManager 1149, spotting jump-host fan-out, restricted-admin and tunnelled RDP, and the gaps to watch for.
Did someone RDP into this host? A step-by-step investigation
A practical workflow for answering 'was there a remote desktop session' from EVTX alone — which logs to pull, which event IDs to filter, how to confirm a real interactive session, and how to read the source and timing.
Building an event-log timeline for incident response
How to turn scattered .evtx files into one defensible timeline — which events to anchor on, normalising to UTC, correlating across hosts and logs, joining sessions by LogonId, and avoiding the common timelining mistakes.
The EVTX file format: a complete byte-level reference
A field-by-field reference for the Windows .evtx format — file header, ELFCHNK chunk header, event record, the full BinXML token and value-type tables, and a worked decode from raw bytes to rendered XML.
Tampered event logs and what survives
How attackers clear, truncate and timestomp Windows event logs — and the byte-level tells that survive: 1102/104 clearing events, record-ID gaps, chunk CRC mismatches, dirty chunks, and records carvable from slack and unallocated space.
Privileged group changes: Event IDs 4732, 4728 and 4756
Detecting privilege escalation and persistence through group membership changes in the Security log — local (4732), global (4728) and universal (4756) group additions, what the fields mean, and the create-then-add pattern.
Querying EVTX with PowerShell: Get-WinEvent, FilterHashtable and XPath
A practical guide to reading .evtx files with PowerShell — Get-WinEvent vs Get-EventLog, the fast FilterHashtable path, XPath filters for EventData fields, FilterXml, and the limitations that trip people up.
RDP forensics: the complete event-log picture
Every Windows event a Remote Desktop session leaves behind, across four logs — 1149, LocalSessionManager 21/22/24/25, Security 4624 type 10 and 4778/4779 — and how they fit together into one timeline.
Scheduled task persistence: Event ID 4698 and the Task Scheduler log
How attackers use scheduled tasks for persistence and what it leaves in the event logs — Security 4698/4699/4700/4701/4702 with the full task XML, and the Task Scheduler Operational log 106/140/141/200.
Running Sigma rules over EVTX with Chainsaw and Hayabusa
How to scan .evtx files with detection rules at scale — what Sigma is, how Chainsaw and Hayabusa apply it to event logs, when to use each, and how to fit rule-based triage into an investigation.
Windows Security Event ID cheat sheet for DFIR
The Windows event IDs that matter in an investigation, grouped by attack phase — with the log they live in, a one-line meaning, and a link to the deep-dive for each. A reference for incident response and threat hunting.
Reading Windows logons end to end: 4624, 4625, Kerberos and NTLM
How Windows logon auditing actually fits together — logon types, 4624/4625 fields and failure codes, the Kerberos 4768/4769/4771 chain, NTLM 4776, and how the events correlate across the domain controller and the target host.
WMI event-subscription persistence in the event logs
How attackers persist with permanent WMI event subscriptions (__EventFilter + __EventConsumer + __FilterToConsumerBinding) and what the WMI-Activity Operational log records — Event ID 5861 and friends.
Carving deleted EVTX records and recovering rolled-over logs
Signature carving EVTX records from unallocated space, pagefile, and memory — and the tools that handle malformed chunks gracefully when the live log is missing what you need.
Detecting lateral movement in Security.evtx
How real adversary tools move host-to-host in Windows estates, and the precise event ID combinations in Security.evtx that catch PsExec, Impacket, and WMIExec.
Event log clearing and the gaps that survive
How attackers clear Windows event logs, what evidence remains on disk and in forwarded channels, and the difference between wevtutil cl and thread-suspension tools like Invoke-Phant0m.
The EVTX file format, decoded
A working tour of the EVTX binary format: file header, ELFCHNK chunks, BinXML templates, substitution arrays, and why parsing this thing is harder than it looks.
EVTX triage: what to read first when you have an hour and a host
A practitioner's order of operations for triaging Windows Event Logs during incident response — which channels matter, which event IDs lie to you, and where Sysmon does the heavy lifting.
PowerShell logging: what you get with module and script block logging on
The practical difference between PowerShell module logging, script block logging, transcripts, and AMSI buffers — and the GPO settings that actually turn the useful ones on.
Sysmon configuration that catches real adversaries
An opinionated take on Sysmon: which event IDs actually matter in IR, why olafhartong/sysmon-modular is the right baseline, and the configuration mistakes that blind you to real attacks.
Event ID 4663 explained: file and registry access auditing with SACLs
4663 is the per-access object-audit record. Configure SACLs on the right files and keys and you get a per-byte log of who touched what. Useful for ransomware, exfil, and credential-store theft.
Event ID 4672 explained: detecting privileged logons in Windows
4672 fires whenever a logon is granted sensitive privileges like SeDebugPrivilege or SeTcbPrivilege. Read it as the 'this logon is admin-equivalent' signal and the rest of audit policy falls into place.
Event ID 4688 explained: Windows process creation auditing for DFIR
4688 is the base-OS process create record, provided command-line auditing is on. Here is what is in it, how it differs from Sysmon 1, and the triage patterns that earn their keep.
Event ID 4720 explained: detecting rogue account creation in AD
4720 fires every time a user account is created, local or domain. Read it with 4722, 4724, and 4732 and you catch persistence and lateral-movement accounts within minutes.
Event ID 4768 explained: Kerberos TGT requests and AS-REP roasting
4768 is the DC's record of every TGT issued. Read it through the result code and pre-auth flag and you spot AS-REP roasting, brute force, and unconstrained-delegation abuse.
Event ID 4769 explained: Kerberos service tickets and kerberoasting
4769 is the DC's record of every service-ticket request. Read it through the encryption type and you spot kerberoasting. Read it with 4768 and you spot pass-the-ticket.
Event ID 7036 explained: service state changes for DFIR triage
7036 fires every time a service starts or stops. Paired with 7045 it confirms whether persistence actually ran. On its own it reveals service abuse, defense evasion, and boot anomalies.
How to open an .evtx file (5 methods, no install required)
Five ways to open a Windows .evtx file: in your browser, in Event Viewer, with wevtutil, with EvtxECmd, or with python-evtx. Pick by host OS and how much friction you can stomach.
What is an .evtx file? Windows Event Log format explained
An .evtx file is a binary Windows Event Log. Where they live, what is inside one, how they differ from .evt, and how to open them. No install required.
How to collect .evtx logs from a live Windows system (4 methods)
Four ways to pull .evtx off a live Windows host: wevtutil, FTK Imager, KAPE, raw NTFS. With the chain-of-custody trade-offs for each and the commands you'll actually run.
Event ID 4625 explained: detecting brute force, sprays and enumeration
4625 is the failed-logon record. Read it right and you spot password sprays, credential stuffing, and Kerberos abuse before they turn into a success.
Event ID 1102 explained: Security audit log cleared (and what survives)
1102 is the one event you cannot suppress without leaving more evidence behind. Here is what it tells you, what survives the clear, and where to look once you see it.
EVTX file format explained: chunks, templates and BinXML internals
How a .evtx file is laid out at the byte level: file header, 64 KB chunks, the template table, and the BinXML record stream that references it.
PowerShell Event ID 4104 explained: scriptblock logging for DFIR
Scriptblock logging is Windows' most useful free defensive control. It records the full script body, including obfuscated or in-memory ones, under event 4104.
Event ID 7045 explained: service installation as a persistence signal
Service creation is one of the loudest persistence techniques. Event 7045 captures every install. Read these three fields and you catch most of it.
Sysmon Event ID 1 explained: process creation for DFIR triage
Sysmon's event 1 is the richest process-creation record Windows can produce. Here is what is in it and how to triage it fast.
Event ID 4624 explained: Windows successful logon and LogonType reference
What a 4624 record actually contains, why the LogonType field matters more than the event itself, and how to read them at scale.
Start here: a DFIR analyst's guide to .evtx
What .evtx is, which channels matter, the Event IDs to know, and where to find each one on disk. A navigational starting point for everything else on this blog.