Sitemap
All pages on the site.
Home
DFIR blog: Windows Event Log forensics & .evtx parsing
- AppLocker event logs: 8003, 8004 and what ran
- Event ID 4719: audit policy tampering as an early warning
- Active Directory changes: Event ID 5136 and DCSync (4662)
- Event ID 4697: a service was installed (and why it beats 7045)
- File share access: Event IDs 5140 and 5145
- Sysmon Event ID 22: DNS queries, C2 domains and exfiltration
- Sysmon file and registry events: 11, 12–14, 15 and 23/26
- Sysmon Event ID 7: image loads, DLL hijacking and sideloading
- Sysmon Event ID 3: network connections and C2 detection
- Sysmon Event IDs 8 and 10: process injection and LSASS access
- Event ID 4616: system time changes and timestomping
- WDAC and Code Integrity events: 3076 and 3077
- Windows Defender event logs: detections and tampering
- Account lockouts and password resets: 4740, 4724 and 4767
- How BinXML actually works: decoding the EVTX token stream
- Detecting RDP lateral movement in event logs
- Did someone RDP into this host? A step-by-step investigation
- Building an event-log timeline for incident response
- The EVTX file format: a complete byte-level reference
- Tampered event logs and what survives
- Privileged group changes: Event IDs 4732, 4728 and 4756
- Querying EVTX with PowerShell: Get-WinEvent, FilterHashtable and XPath
- RDP forensics: the complete event-log picture
- Scheduled task persistence: Event ID 4698 and the Task Scheduler log
- Running Sigma rules over EVTX with Chainsaw and Hayabusa
- Windows Security Event ID cheat sheet for DFIR
- Reading Windows logons end to end: 4624, 4625, Kerberos and NTLM
- WMI event-subscription persistence in the event logs
- Carving deleted EVTX records and recovering rolled-over logs
- Detecting lateral movement in Security.evtx
- Event log clearing and the gaps that survive
- The EVTX file format, decoded
- EVTX triage: what to read first when you have an hour and a host
- PowerShell logging: what you get with module and script block logging on
- Sysmon configuration that catches real adversaries
- Event ID 4663 explained: file and registry access auditing with SACLs
- Event ID 4672 explained: detecting privileged logons in Windows
- Event ID 4688 explained: Windows process creation auditing for DFIR
- Event ID 4720 explained: detecting rogue account creation in AD
- Event ID 4768 explained: Kerberos TGT requests and AS-REP roasting
- Event ID 4769 explained: Kerberos service tickets and kerberoasting
- Event ID 7036 explained: service state changes for DFIR triage
- How to open an .evtx file (5 methods, no install required)
- What is an .evtx file? Windows Event Log format explained
- How to collect .evtx logs from a live Windows system (4 methods)
- Event ID 4625 explained: detecting brute force, sprays and enumeration
- Event ID 1102 explained: Security audit log cleared (and what survives)
- EVTX file format explained: chunks, templates and BinXML internals
- PowerShell Event ID 4104 explained: scriptblock logging for DFIR
- Event ID 7045 explained: service installation as a persistence signal
- Sysmon Event ID 1 explained: process creation for DFIR triage
- Event ID 4624 explained: Windows successful logon and LogonType reference
- Start here: a DFIR analyst's guide to .evtx