meta data for this page
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| soc:forensics:windows:start [2026/06/09 17:03] – titannet | soc:forensics:windows:start [2026/06/09 17:17] (current) – titannet | ||
|---|---|---|---|
| Line 33: | Line 33: | ||
| * Defined change rules (see below) | * Defined change rules (see below) | ||
| + | |||
| + | === Volume Shadow Copy === | ||
| + | |||
| + | * Block/ | ||
| + | * Snapshots created approximately weekly (schedules, software install/ | ||
| + | * Default 3-5% of disk space | ||
| + | * (Recovery and Windows Restore are separate mechanisms) | ||
| + | |||
| + | * VSC Tools: | ||
| + | * | ||
| + | |||
| Line 75: | Line 86: | ||
| | 4624 || Succesful Logon | | | 4624 || Succesful Logon | | ||
| - | || 0 | System Used only by the System account, for example at system startup. | + | | | 0 | System Used only by the System account, for example at system startup.| |
| - | || 2 | Interactive A user logged on to this computer. | + | | | 2 | Interactive A user logged on to this computer.| |
| - | || 3 | Network A user or computer logged on to this computer from the network. | + | | | 3 | Network A user or computer logged on to this computer from the network.| |
| - | || 4 | Batch Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention. | + | | | 4 | Batch Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.| |
| - | || 5 | Service The Service Control Manager started a service. | + | | | 5 | Service The Service Control Manager started a service.| |
| - | || 7 | Unlock This workstation was unlocked. | + | | | 7 | Unlock This workstation was unlocked.| |
| - | || 8 | NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext). | + | | | 8 | NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext).| |
| - | || 9 | NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | + | | | 9 | NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.| |
| - | || 10 | RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop. | + | | | 10 | RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.| |
| - | || 11 | CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials. | + | | | 11 | CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. |
| - | || 12 | CachedRemoteInteractive Same as RemoteInteractive. This type is used for internal auditing. | + | | | 12 | CachedRemoteInteractive Same as RemoteInteractive. This type is used for internal auditing. |
| - | || 13 | CachedUnlock Workstation logon. | + | | | 13 | CachedUnlock Workstation logon. |
| | 4625 || Failed Logon | | | 4625 || Failed Logon | | ||
| + | | | 2 | Interactive A user logged on to this computer. | | ||
| + | | | 3 | Network A user or computer logged on to this computer from the network. | | ||
| + | | | 4 | Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.| | ||
| + | | | 5 | Service A service was started by the Service Control Manager.| | ||
| + | | | 7 | Unlock This workstation was unlocked.| | ||
| + | | | 8 | NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).| | ||
| + | | | 9 | NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.| | ||
| + | | | 10 | RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.| | ||
| + | | | 11 | CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.| | ||
| | 4634 || | | | 4634 || | | ||
| | 4672 || Special Privileges Assigned | | | 4672 || Special Privileges Assigned | | ||
| | 4720/4726 || User account creation/ | | 4720/4726 || User account creation/ | ||
| - | | 4648 Logon with explicit credentials | | + | | 4648 || Logon with explicit credentials, connected to other events via Account Name, Account Domain, Logon GUID | |
| + | |||
| + | ==== Service? ==== | ||
| + | | || | | ||
| + | | || | | ||
| + | | || | | ||
| 6005 / 6006 — Event Log Service Started/ | 6005 / 6006 — Event Log Service Started/ | ||