How to do Windows log analysis

Use a tool like Event Log Explorer (https://eventlogxp.com/)

For each tab, set the displayed time to UTC so that events from hosts in different time zones line up on one clock instead of being skewed by the offset. Always do this. In Event Log Explorer this is under View -> Time Correction -> Display UTC time

Ctrl+L will give you a filter that lets you filter for relevant event IDs or free-text searching. You can even make color-coding templates to make relevant events stand out.

Don’t try to make sense of every event; you’ll fail. Look for targeted specifics.

Notable event IDs to look for:

  • 4776 – Account logon with local authentication
  • 4624 – Account logon with domain authentication
    • Logon Type 10 is RDP
  • 4778 – RDP reconnects
  • 5140 – Shares mounting
  • 7045 – Service installation

Do text searches for terms like psexec, mimikatz, powershell, etc.
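The steps above (UTC normalisation, the notable event IDs, Logon Type 10 as RDP, and the free-text search) applied to a handful of constructed events, as an added example that is not part of the original notes and not Event Log Explorer's own logic. The events are hypothetical records in the shape an exported log might take; the one addition to the search terms is "psexesvc", because PsExec's default service name is PSEXESVC and a plain "psexec" search misses the 7045 event it leaves behind.

```python
"""Added example: triage constructed Windows events the way the notes describe.
Normalise timestamps to UTC, keep the notable event IDs, flag 4624 logons with
Logon Type 10 (RDP), and free-text search for tool names."""
import re
from datetime import datetime, timezone

# Notable event IDs and the descriptions given in the notes
NOTABLE_EVENT_IDS = {
    4776: "Account logon with local authentication",
    4624: "Account logon with domain authentication",
    4778: "RDP reconnect",
    5140: "Share mounted",
    7045: "Service installation",
}

RDP_LOGON_TYPE = 10
# "psexesvc" is added here (assumption from known PsExec behaviour, not from the notes)
SEARCH_TERMS = ("psexec", "psexesvc", "mimikatz", "powershell")

# Constructed sample events (hypothetical, not a real capture). Timestamps carry the
# offset of the host that logged them, which is why UTC normalisation matters.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:15:00+02:00",
     "Message": "An account was successfully logged on. Logon Type: 10 Account Name: alice Workstation Name: WS01"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T07:20:00+00:00",
     "Message": "An account was successfully logged on. Logon Type: 3 Account Name: svc_backup"},
    {"EventID": 7045, "TimeCreated": "2024-03-01T02:30:00-05:00",
     "Message": "A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "TimeCreated": "2024-03-01T07:40:00+00:00",
     "Message": "A new process has been created. New Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 5140, "TimeCreated": "2024-03-01T08:00:00+01:00",
     "Message": "A network share object was accessed. Share Name: \\\\*\\ADMIN$ Account Name: alice"},
    {"EventID": 4778, "TimeCreated": "2024-03-01T07:55:00+00:00",
     "Message": "A session was reconnected to a Window Station. Account Name: alice Client Name: LAPTOP-7"},
]


def to_utc(timestamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and convert it to UTC.
    This is the 'Display UTC time' step: hosts in different zones must be
    compared on one clock, and a naive timestamp is refused rather than guessed."""
    dt = datetime.fromisoformat(timestamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset cannot be normalised safely: {timestamp}")
    return dt.astimezone(timezone.utc)


def logon_type(message: str):
    """Extract the numeric 'Logon Type' field from a 4624 message, if present."""
    m = re.search(r"Logon Type:\s*(\d+)", message)
    return int(m.group(1)) if m else None


def notable_events(events):
    """Keep only events whose ID is on the notable list, ordered by UTC time.
    Returns (utc_time, event_id, description) tuples."""
    hits = []
    for ev in events:
        if ev["EventID"] in NOTABLE_EVENT_IDS:
            hits.append((to_utc(ev["TimeCreated"]), ev["EventID"], NOTABLE_EVENT_IDS[ev["EventID"]]))
    return sorted(hits)


def rdp_logons(events):
    """4624 events whose Logon Type is 10, i.e. interactive logons over RDP."""
    return [ev for ev in events
            if ev["EventID"] == 4624 and logon_type(ev["Message"]) == RDP_LOGON_TYPE]


def keyword_hits(events, terms=SEARCH_TERMS):
    """Case-insensitive free-text search over the message field, like the Ctrl+L
    filter. Returns {term: [event_ids]} so each term's matches review together."""
    hits = {t: [] for t in terms}
    for ev in events:
        text = ev["Message"].lower()
        for t in terms:
            if t in text:
                hits[t].append(ev["EventID"])
    return hits


if __name__ == "__main__":
    for when, eid, desc in notable_events(SAMPLE_EVENTS):
        print(f"{when.isoformat()}  {eid}  {desc}")
    print("RDP logons:", [ev["Message"] for ev in rdp_logons(SAMPLE_EVENTS)])
    print("Keyword hits:", keyword_hits(SAMPLE_EVENTS))
```

Once the timestamps are on UTC, the 5140 share access (08:00+01:00) correctly sorts before the 09:15+02:00 RDP logon, which the raw local times would have put the other way round; that reordering is exactly the mistake the "always display UTC" rule prevents.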