Event ID 4663 explained: file & registry access auditing with SACLs
4663 is the per-access object-audit record. Configure SACLs on the right files and keys and you get a per-byte log of who touched what — useful for ransomware, exfil, and credential-store theft.
Event ID 4672 explained: detecting privileged logons in Windows
4672 fires whenever a logon is granted sensitive privileges like SeDebugPrivilege or SeTcbPrivilege. Read it as the 'this logon is admin-equivalent' signal and the rest of your audit policy falls into place.
Event ID 4688 explained: Windows process creation auditing for DFIR
4688 is the base-OS process create record — provided command-line auditing is on. Here's what's in it, how it differs from Sysmon 1, and the triage patterns that earn their keep.
Event ID 4720 explained: detecting rogue account creation in AD
4720 fires every time a user account is created — locally or in AD. Read it with 4722/4724/4732 and you spot persistence and lateral-movement accounts within minutes.
Event ID 4768 explained: Kerberos TGT requests & AS-REP roasting
4768 is the DC's record of every TGT issued. Read it through the result code and pre-auth flag and you spot AS-REP roasting, brute force, and unconstrained-delegation abuse.
Event ID 4769 explained: Kerberos service tickets & kerberoasting
4769 is the DC's record of every service-ticket request. Read it through the encryption type and you spot kerberoasting; read it with 4768 and you spot pass-the-ticket.
Event ID 7036 explained: service state changes for DFIR triage
7036 fires every time a service starts or stops. Paired with 7045 it confirms whether persistence actually ran — and on its own it reveals service abuse, defense evasion, and boot anomalies.
How to open an .evtx file (5 methods, no install required)
Five ways to open a Windows .evtx file — in your browser, in Event Viewer, with wevtutil, with EvtxECmd, or with python-evtx. Pick by host OS and how much friction you can stomach.
What is an .evtx file? Windows Event Log format explained
An .evtx file is a binary Windows Event Log. Where they live, what's inside one, how they differ from .evt, and how to open them — without installing anything.
How to collect .evtx logs from a live Windows system (4 methods)
Four ways to pull .evtx off a live Windows host — wevtutil, FTK Imager, KAPE, raw NTFS — with chain-of-custody trade-offs for each and the commands you'll actually run.
Event ID 4625 explained: detecting brute force, sprays & enumeration
4625 is the failed-logon record. Read it right and you spot password sprays, credential stuffing, and Kerberos abuse before they succeed.
Event ID 1102 explained: Security audit log cleared (and what survives)
1102 is the one event you can't suppress without leaving more evidence. Here's what it tells you and what survives the clear.
EVTX file format explained: chunks, templates & BinXML internals
How a .evtx file is laid out at the byte level — file header, 64 KB chunks, the template table, and the BinXML record stream that references it.
PowerShell Event ID 4104 explained: scriptblock logging for DFIR
Scriptblock logging is Windows' most useful free defensive control. It records the full script body — including obfuscated or in-memory ones — under event 4104.
Event ID 7045 explained: service installation as a persistence signal
Service creation is one of the loudest persistence techniques. Event 7045 captures every install — read these three fields and you'll catch most of it.
Sysmon Event ID 1 explained: process creation for DFIR triage
Sysmon's event 1 is the richest process-creation record Windows can produce. Here's what's in it and how to triage it fast.
Event ID 4624 explained: Windows successful logon & LogonType reference
What a 4624 record actually contains, why the LogonType field matters more than the event itself, and how to read them at scale.
Start here: a DFIR analyst's guide to .evtx
What .evtx is, which channels matter, the Event IDs to know, and where to find each one on disk — a navigational starting point for everything else on this blog.