Increase Log size to support increased auditing:

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Application /v MaxSize /t REG_DWORD /d 0x19000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Security /v MaxSize /t REG_DWORD /d 0x64000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000

Check settings of Security log:

C:\> wevtutil gl Security

Check settings of audit policies:

C:\> auditpol /get /category:*

Set Log Auditing on for Success and/or Failure on All Categories:

C:\> auditpol /set /category:* /success:enable /failure:enable

Set Log Auditing on for Success and/or Failure on Subcategories:

C:\> auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"File System" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"SAM" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Privilege Use Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Replication" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
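
Verify that the log sizes and audit policy actually took effect. This script is an added example, not part of the original reference; it assumes an elevated PowerShell session on an English-language system and reads the MaxSize policy values above as kilobytes:

```powershell
# Added example: audit the result of the commands above. Run elevated.
# Expected sizes are the MaxSize policy values from the reg add commands,
# read as kilobytes (the unit of the Event Log size policy).
$expectedKB = @{ Application = 0x19000; Security = 0x64000; System = 0x19000 }

$logReport = foreach ($name in $expectedKB.Keys) {
    $log = Get-WinEvent -ListLog $name
    [pscustomobject]@{
        Log        = $name
        ExpectedMB = $expectedKB[$name] / 1KB
        ActualMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        LogMode    = $log.LogMode        # Circular, Retain or AutoBackup
        SizeOK     = $log.MaximumSizeInBytes -ge ($expectedKB[$name] * 1KB)
    }
}
$logReport | Format-Table -AutoSize

# auditpol /r emits CSV; the column names below are those of an English
# (en-US) system, and the setting strings are localized on other languages.
$policy = auditpol /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

# Anything not set to both success and failure is a gap against this baseline.
$gaps = $policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }

"{0} of {1} subcategories are not auditing both success and failure" -f
    @($gaps).Count, @($policy).Count
$gaps | Sort-Object Subcategory |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

A subcategory listed in the second table was either never set by the commands above or was overridden afterwards, for example by Group Policy.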

Check for list of available logs, size, retention limit:

PS C:\> Get-Eventlog -list

Partial list of Key Security Log Auditing events to monitor:

PS C:\> Get-Eventlog -newest 5 -logname application | Format-List

Show log from remote system:

PS C:\> Show-Eventlog -computername <SERVER NAME>

Get a specific list of events based on Event ID:

PS C:\> Get-Eventlog Security | ? { $_.Eventid -eq 4800}
PS C:\> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4774}

Account Logon - Audit Credential Validation Last 14 Days:

PS C:\> Get-Eventlog Security 4768,4771,4772,4769,4770,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633 -after ((get-date).addDays(-14))
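
The same 14-day query written with Get-WinEvent, which also runs where Get-Eventlog is unavailable (PowerShell 7), with a per-day count for each event ID. This is an added example, not part of the original reference; it assumes an elevated session:

```powershell
# Added example; run elevated to read the Security log.
$ids = 4768,4771,4772,4769,4770,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-14) }

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
# Note that SilentlyContinue also hides an access-denied error.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    'No matching events returned: none logged, log already wrapped, or access denied.'
} else {
    # The oldest record shows how far back the log really reaches.
    $oldest = ($events | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    "Oldest matching event: $oldest"
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') }, Id |
        Sort-Object Name |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
```

If the oldest matching event is much newer than 14 days, the Security log is overwriting itself faster than the retention you need and its maximum size should be raised.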