The main LRUP code lists many event logs that are useful in an incident response scenario. In this section, let's look at some additional event logs that are useful to collect.
Firewall related.
The log below shows firewall rule changes and other actions, such as profile changes.
Get-winevent -logname "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | ft -auto -wrap
Network related.
The log below shows the time when a network is changed from a home network to an office network.
Get-winevent -logname Microsoft-Windows-BranchCache/Operational | ft -auto -wrap
The log below shows when a network connection was made.
Get-winevent -logname Microsoft-Windows-NetworkProfile/Operational | ft -auto -wrap
The log below should be checked for RDP logins. More information on the event IDs is available at this MS link.
Get-winevent -logname Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | ft -auto -wrap
Driver related.
Looking at the log below helps identify code integrity issues related to bad or unsigned drivers. More information is available at this MSDN link.
Get-winevent -logname Microsoft-Windows-CodeIntegrity/Operational | ft -auto -wrap
Speaking of drivers, we can use the command below to get a listing of PnP-related driver information.
Get-WmiObject -Class Win32_PnPEntity | select Caption,Name,Service
When a device is attached to the computer, Windows attempts to detect the device type and install the appropriate driver so that it can communicate with and control the device.
Completion of a device driver installation attempt gets recorded as an event ID 20001 message in the 'System' event log. The message provides device identification information and a status code for the device installation process. Devices that install successfully log an event ID 20001 message with a status code of 0; a non-zero status code indicates a failed installation attempt. To see this event, we can use the one-liner below.
Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=20001} | select TimeCreated,ID,Message |ft -auto -wrap
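As an added example (not part of the original post or of LRUP), the function below pulls all of the logs discussed above into one time-ordered timeline and, for event ID 20001, extracts the installation status code so that failed driver installs stand out. It assumes the 20001 message text ends with "with the following status: 0x<code>", and the output path is an assumed placeholder.

```powershell
# Added example: one time-ordered timeline from the logs discussed above.
# Not part of LRUP; run from an elevated PowerShell prompt.
function Get-IRNetworkDriverTimeline {
    param(
        [int]$Days = 7,                           # how far back to look
        [string]$OutCsv = "C:\IR\timeline.csv"    # assumed output path (placeholder)
    )
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' },
        @{ LogName = 'Microsoft-Windows-BranchCache/Operational' },
        @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational' },
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' },
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational' },
        @{ LogName = 'System'; ID = 20001 }       # driver installation results
    )
    $events = foreach ($f in $filters) {
        $f.StartTime = $since
        # -ea 0 keeps going when a log is absent or empty on this host
        Get-WinEvent -ea 0 -FilterHashtable $f
    }
    $events | ForEach-Object {
        $status = $null
        # assumption: 20001 message ends with "with the following status: 0x<code>"
        if ($_.Id -eq 20001 -and $_.Message -match 'status:\s*(0x[0-9A-Fa-f]+)') {
            $status = [Convert]::ToInt64($Matches[1], 16)
        }
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            Log          = $_.LogName
            Id           = $_.Id
            DriverStatus = $status
            # non-zero status = failed driver install; worth a closer look
            Flag         = $(if ($null -ne $status -and $status -ne 0) { 'FAILED-INSTALL' } else { '' })
            Message      = ($_.Message -split "`r?`n")[0]   # first line keeps the table readable
        }
    } | Sort-Object TimeCreated | Tee-Object -Variable timeline |
        Export-Csv -NoTypeInformation -Path $OutCsv
    return $timeline
}

# Usage: show the timeline on screen and write it to the CSV for the case file
Get-IRNetworkDriverTimeline -Days 14 | ft -auto -wrap
```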