Professional Documents
Culture Documents
###############
# Security Log
###############
# Find Event id
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5038'"
# Eventid 1102
# Eventlog was cleared
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security.evtx' WHERE EventID =
'1102'"
# Eventid 4624
# successful logon
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username,
EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as
LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11,
'|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,
EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID =
4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK
SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
# Find specific IP
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username,
EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as
LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11,
'|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,
EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID =
4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK
SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
# group by users
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL
SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY
CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"
# group by authpackage
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"
# group by LogonType
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"
# Event id 4625
# unsuccessful logon
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username,
EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as
LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings,
13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM
'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS
LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
# Find specific IP
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username,
EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as
LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings,
13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM
'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS
LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND
SourceIP = '10.1.47.151'"
# group by Username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security.evtx'
WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL
SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY
CNT DESC"
# event id 4634
# user logoff
# Event id 4648
# explicit creds was used
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
timegenerated as date, extract_token(strings, 1, '|') as accountname,
extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as
usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings,
8, '|') as targetserver, extract_token(strings, 9, '|') as extradata,
extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as
sourceip from 'Security.evtx' WHERE EventID = 4648"
# Search by accountname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
timegenerated as date, extract_token(strings, 1, '|') as accountname,
extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as
usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings,
8, '|') as targetserver, extract_token(strings, 9, '|') as extradata,
extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as
sourceip from 'Security.evtx' WHERE EventID = 4648 AND accountname =
'Administrator'"
# Search by usedaccount
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
timegenerated as date, extract_token(strings, 1, '|') as accountname,
extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as
usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings,
8, '|') as targetserver, extract_token(strings, 9, '|') as extradata,
extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as
sourceip from 'Security.evtx' WHERE EventID = 4648 AND usedaccount =
'Administrator'"
# group by accountname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security.evtx'
WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"
# event id 4657
# A registry value was modified
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4657'"
# event id 4663
# An attempt was made to access an object
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4663'"
# Event id 4672
# Admin logon
# event id 4688
# new process was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process
FROM 'Security.evtx' WHERE EventID = 4688"
# Search by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process
FROM 'Security.evtx' WHERE EventID = 4688 AND Username = 'Administrator'"
# group by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security.evtx'
WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"
# event id 4704
# A user right was assigned
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4704'"
# event id 4705
# A user right was removed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4705'"
# event id 4706
# A new trust was created to a domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4706'"
# event id 4720
# A user account was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser,
extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as
whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security.evtx' WHERE
EventID = '4720'"
# Event id 4722
# user account was enabled
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4722"
# event id 4723
# attempt to change password for the account - user changed his own password
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4723"
# event id 4724
# attempt to reset user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4724"
# event id 4725
# user account was disabled
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4725"
# event id 4726
# A user account was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser,
extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as
whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security.evtx' WHERE
EventID = '4726'"
# event id 4727
# A security-enabled global group was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4727'"
# event id 4728
# A member was added to a security-enabled global group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser,
extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7,
'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4728'"
# event id 4729
# A member was removed from a security-enabled global group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser,
extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings,
7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4729'"
# event id 4730
# A security-enabled global group was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4730'"
# event id 4731
# A security-enabled local group was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup,
extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4731"
# event id 4732
# A member was added to a security-enabled local group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser,
extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7,
'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4732'"
# event id 4733
# A member was removed from a security-enabled local group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser,
extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings,
7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4733'"
# event id 4734
# A security-enabled local group was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup,
EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS
who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security.evtx' WHERE
EventID = 4734"
# event id 4738
# user account was changed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 1, '|') as user,
extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as
whichaccount, extract_token(strings, 6, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4738"
# event id 4740
# A user account was locked out
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as
wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security.evtx' WHERE
EventID = '4740'"
# event id 4742
# computer account was changed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 5, '|') as user,
extract_token(strings, 6, '|') as domain, extract_token(strings, 1, '|') as
whichaccount, extract_token(strings, 2, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4742"
# event id 4754
# A security-enabled universal group was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup,
extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4754"
# event id 4756
# A member was added to a security-enabled universal group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser,
extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7,
'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4756'"
# event id 4757
# A member was removed from a security-enabled universal group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser,
extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings,
7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4757'"
# event id 4758
# A security-enabled universal group was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup,
EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS
who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security.evtx' WHERE
EventID = 4758"
# event id 4767
# A user account was unlocked
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '4767'"
# event id 4768
# Kerberos TGT was requested
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher,
extract_token(strings, 9, '|') as sourceip FROM 'Security.evtx' WHERE EventID =
4768"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE
EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"
# group by cipher
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"
# event id 4769
# Kerberos Service ticket was requested
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 1, '|') as domain, extract_token(strings, 2, '|') as
service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|')
as sourceip FROM 'Security.evtx' WHERE EventID = 4769"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE
EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"
# group by service
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"
# group by cipher
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"
# event id 4771
# kerberos pre-atuhentication failed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 0 , '|') as user,
extract_token(strings, 6 , '|') as sourceip FROM 'Security.evtx' WHERE EventID =
4771 AND user NOT LIKE '%$'"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security.evtx'
WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# event id 4776
# domain/computer attemped to validate user credentials
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4776
AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'"
# Search by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4776
AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username =
'Administrator'"
# group by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT
DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC"
# event id 4778
# RDP session reconnected
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username,
EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS
Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security.evtx' WHERE
EventID = 4778"
# event id 4779
# RDP session disconnected
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username,
EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS
Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security.evtx' WHERE
EventID = 4779"
# event id 4781
# User account was renamed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS newname,
EXTRACT_TOKEN(Strings, 1, '|') AS oldname, EXTRACT_TOKEN(Strings, 2, '|') AS
accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6,
'|') AS Domain FROM 'Security.evtx' WHERE EventID = 4781"
# event id 4825
# RDP Access denied
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS Username,
EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 3, '|') AS
SourceIP FROM 'Security.evtx' WHERE EventID = 4825"
# event id 4946
# new exception was added to firewall
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM
'Security.evtx' WHERE EventID = 4946"
# event id 4948
# rule was deleted from firewall
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM
'Security.evtx' WHERE EventID = 4948"
# event id 5038
# Code integrity determined that the image hash of a file is not valid
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5038'"
# event id 5136
# A directory service object was modified
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username,
extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS
objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings,
11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM
'Security.evtx' WHERE EventID = '5136'"
# group by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security.evtx'
WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security.evtx'
WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"
# group by objectdn
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security.evtx'
WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"
# group by objectclass
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM
'Security.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"
# group by objectattrib
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM
'Security.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"
# group by attribvalue
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM
'Security.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"
# event id 5137
# A directory service object was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5137'"
# event id 5138
# A directory service object was undeleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5138'"
# event id 5139
# A directory service object was moved
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5139'"
# event id 5141
# A directory service object was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5141'"
# event id 5140
# A network share object was accessed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5140'"
# event id 5142
# A network share object was added
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5142'"
# event id 5143
# A network share object was modified
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5143'"
# event id 5144
# A network share object was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5144'"
# event id 5145
# A network share object was checked to see whether client can be granted desired
access
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5145'"
# event id 5154
# The Windows Filtering Platform has permitted an application or service to listen
on a port for incoming connections
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5154'"
# event id 5155
# The Windows Filtering Platform has blocked an application or service from
listening on a port for incoming connections
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5155'"
# event id 5156
# The Windows Filtering Platform has allowed a connection
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5156'"
# event id 5157
# The Windows Filtering Platform has blocked a connection
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5157'"
# event id 5158
# The Windows Filtering Platform has permitted a bind to a local port
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5158'"
# event id 5159
# The Windows Filtering Platform has blocked a bind to a local port
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5159'"
#############
# System Log
#############
# EventID 7045
# New Service was installed in system
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName,
extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS
ServiceUser FROM System.evtx WHERE EventID = 7045"
# EventID 7036
# Service actions
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM
System.evtx WHERE EventID = 7036"
#####################
# Task Scheduler Log
#####################
# EventID 100
# Task was run
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings,0, '|') as taskname,
extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler
%4Operational.evtx' WHERE EventID = 100"
# group by taskname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-
Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname
ORDER BY CNT DESC"
# eventid 200
# action was executed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings,0, '|') as taskname,
extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler
%4Operational.evtx' WHERE EventID = 200"
# group by action
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-
Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction
ORDER BY CNT DESC"
# eventid 140
# user updated a task
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-
TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT
DESC"
# group by taskname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-
Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname
ORDER BY CNT DESC"
# event id 141
# user deleted a task
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated as Date, extract_token(strings, 0, '|') as taskname,
extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler
%4Operational.evtx' WHERE EventID = 141"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-
TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT
DESC"
# group by taskname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-
Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname
ORDER BY CNT DESC"
#######################
# Windows Firewall Log
#######################
# EventID 2004
# New exception rule was added
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename,
extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as
changedapp from 'Microsoft-Windows-Windows Firewall With Advanced Security
%4Firewall.evtx' WHERE EventID = 2004"
# group by apppath
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Microsoft-Windows-
Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2004 GROUP
BY apppath ORDER BY CNT DESC"
# event id 2005
# rule was changed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename,
extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS
servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings,
22, '|') as modifyingapp from 'Microsoft-Windows-Windows Firewall With Advanced
Security%4Firewall.evtx' WHERE EventID = 2005"
# group by apppath
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Microsoft-Windows-
Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005 GROUP
BY apppath ORDER BY CNT DESC"
# group by rulename
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Microsoft-
Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID =
2005 GROUP BY rulename ORDER BY CNT DESC"
# group by servicename
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Microsoft-
Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID =
2005 GROUP BY servicename ORDER BY CNT DESC"
# group by modifyingapp
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Microsoft-
Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID =
2005 GROUP BY modifyingapp ORDER BY CNT DESC"
# event id 2006
# rule was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename,
extract_token(strings, 3, '|') as changedapp from 'Microsoft-Windows-Windows
Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2006"
# group by rulename
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Microsoft-
Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID =
2006 GROUP BY rulename ORDER BY CNT DESC"
# group by changedapp
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Microsoft-
Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID =
2006 GROUP BY changedapp ORDER BY CNT DESC"
# EventID 2011
# Firewall blocked inbound connections to the application, but did not notify the
user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
Timegenerated as date, extract_token(strings, 1, '|') as file,
extract_token(strings, 4, '|') as port from 'Microsoft-Windows-Windows Firewall
With Advanced Security%4Firewall.evtx' WHERE EventID = 2011"
# group by application
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
COUNT(*) as CNT, extract_token(strings, 1, '|') as file from'Microsoft-Windows-
Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2011 GROUP
BY file ORDER BY CNT DESC"
######################
# RDP LocalSession Log
# Local logins
######################
# Event id 21
# Successful logon
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
timegenerated as Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-
TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-
TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY
user ORDER BY CNT DESC"
#######################
# RDP RemoteSession Log
#######################
# Event ID 1149
# Successful logon
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
timegenerated as Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-
TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select
extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-
TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149
GROUP BY user ORDER BY CNT DESC"