Accounts Enabled

This query returns all accounts that were enabled within a given time range. It uses the EventCodes for Windows 2008 and newer operating systems:


Windows Time Change

This query lists all users who initiated a time change. System accounts adjust the clock automatically as part of routine time synchronization, so I've excluded them from the query output. Windows 2008 and newer:

Windows 2003 and before:


Time between rights granted and rights revoked

This query outputs a table showing the time elapsed between a right being granted and the same right being revoked. Adjust the maxspan value in the transaction command to suit your environment: a grant and a revoke further apart than maxspan will not be joined into one transaction. The regex is part of the query. Windows 2008 and newer:

Windows 2003 and before:


Console Lock Duration

The following query works only on Windows 2008 and newer operating systems:


User Logon / Session Duration

The following query returns the duration of each user session, measured from the initial logon event to the matching logoff event. A duration filter of greater than 5 seconds weeds out scripts that log on and off almost immediately (adjust this as needed to fit your environment). Windows 2008 and newer:

Windows […]
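The three duration reports above (rights granted to revoked, console lock to unlock, logon to logoff) all rest on the same idea: pair a start event with the next matching end event for the same key, give up if they are further apart than maxspan, and optionally drop pairs that are too short. The following is an added example, not the Splunk queries from this site: a small Python re-implementation of that pairing run over constructed sample events. Everything in it is an assumption except the event IDs themselves (4717/4718 system security access granted/removed, 4624/4634 logon/logoff, 4800/4801 workstation locked/unlocked): the field names (TimeCreated, EventCode, TargetUserName, LogonId, LogonType, Message), the message layout the regex reads, and the sample data are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumed to be
# the Windows 2008+ Security log names as a SIEM would extract them:
# EventCode, TargetUserName, LogonId, LogonType, Message. Times are ISO 8601.
SAMPLE_EVENTS = [
    # 4717/4718: system security access granted, then removed 90 minutes later
    {"TimeCreated": "2024-03-01T08:00:00", "EventCode": 4717, "TargetUserName": "svc-backup",
     "Message": "System security access was granted to an account.\r\n\tAccess Granted:\tSeNetworkLogonRight"},
    {"TimeCreated": "2024-03-01T09:30:00", "EventCode": 4718, "TargetUserName": "svc-backup",
     "Message": "System security access was removed from an account.\r\n\tAccess Removed:\tSeNetworkLogonRight"},
    # 4624/4634: interactive logon, logged off 20 minutes later
    {"TimeCreated": "2024-03-01T08:05:00", "EventCode": 4624, "TargetUserName": "alice", "LogonId": "0x3E7A1", "LogonType": 2},
    {"TimeCreated": "2024-03-01T08:25:00", "EventCode": 4634, "TargetUserName": "alice", "LogonId": "0x3E7A1"},
    # scripted network logon that logs off after 2 seconds: dropped by the > 5 s filter
    {"TimeCreated": "2024-03-01T08:10:00", "EventCode": 4624, "TargetUserName": "deploy", "LogonId": "0x3E7B0", "LogonType": 3},
    {"TimeCreated": "2024-03-01T08:10:02", "EventCode": 4634, "TargetUserName": "deploy", "LogonId": "0x3E7B0"},
    # 4800/4801: console locked, unlocked 45 minutes later
    {"TimeCreated": "2024-03-01T12:00:00", "EventCode": 4800, "TargetUserName": "alice", "LogonId": "0x3E7A1"},
    {"TimeCreated": "2024-03-01T12:45:00", "EventCode": 4801, "TargetUserName": "alice", "LogonId": "0x3E7A1"},
    # logon with no logoff in the data: never closed, so never reported
    {"TimeCreated": "2024-03-01T13:00:00", "EventCode": 4624, "TargetUserName": "bob", "LogonId": "0x40001", "LogonType": 10},
]

# Pulls the right name out of the 4717/4718 message body (assumed message layout).
RIGHT_RE = re.compile(r"Access (?:Granted|Removed):\s*(\S+)")


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def pair_events(events, start_code, end_code, key_fields, maxspan, min_seconds=None):
    """Join each end event to the most recent unclosed start event carrying the
    same key values, in the spirit of Splunk's
    `transaction <key_fields> startswith=... endswith=... maxspan=...`.
    Pairs further apart than maxspan are dropped (the transaction would never
    close), pairs of min_seconds or less are dropped (the `duration > 5` style
    filter), and starts that never see an end are not reported."""
    open_starts = {}
    pairs = []
    for ev in sorted(events, key=_when):
        key = tuple(ev.get(f) for f in key_fields)
        if ev["EventCode"] == start_code:
            open_starts[key] = ev  # a newer start supersedes an older unclosed one
        elif ev["EventCode"] == end_code and key in open_starts:
            start = open_starts.pop(key)
            duration = (_when(ev) - _when(start)).total_seconds()
            if duration > maxspan.total_seconds():
                continue
            if min_seconds is not None and duration <= min_seconds:
                continue
            pairs.append({**dict(zip(key_fields, key)), "start": start["TimeCreated"],
                          "end": ev["TimeCreated"], "duration_s": duration})
    return pairs


def rights_duration(events, maxspan=timedelta(days=7)):
    """Time between a right being granted (4717) and the same right being removed
    (4718), keyed on the account plus the right name regex-extracted from Message."""
    tagged = []
    for ev in events:
        m = RIGHT_RE.search(ev.get("Message", ""))
        tagged.append({**ev, "Right": m.group(1) if m else None})
    return pair_events(tagged, 4717, 4718, ("TargetUserName", "Right"), maxspan)


def session_duration(events, min_seconds=5, maxspan=timedelta(hours=24)):
    """Logon (4624) to logoff (4634) per LogonId, keeping only sessions longer than min_seconds."""
    return pair_events(events, 4624, 4634, ("LogonId",), maxspan, min_seconds)


def console_lock_duration(events, maxspan=timedelta(hours=24)):
    """Workstation locked (4800) to unlocked (4801) per LogonId."""
    return pair_events(events, 4800, 4801, ("LogonId",), maxspan)


if __name__ == "__main__":
    for row in rights_duration(SAMPLE_EVENTS) + session_duration(SAMPLE_EVENTS) + console_lock_duration(SAMPLE_EVENTS):
        print(row)
```

Keying on LogonId rather than the user name is what keeps overlapping sessions of the same user apart; the rights report has no such ID, so it keys on the account plus the extracted right name, which is why the regex matters there. A start that is followed by a second start with the same key is silently superseded, the same way an unclosed transaction is evicted rather than output.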


Security Access granted to an Account

As with most Windows security events, there are two formats depending on which version of Windows you are running. The query for Windows 7 / Server 2008 and newer looks like this:

The query for a system running Server 2003 or older looks like this:


System Security Access Removed from Account

The following queries list system security access that was removed from an account in a Windows environment. The queries differ depending on which version of Windows you are running, because the event format and the EventIDs changed after Server 2003. Windows Server 2008 and newer:

Windows Server 2003 and older:


Gauge of Windows Failed Logons

A gauge visualization of failed Windows logons. Adjust the gauge ranges to meet your environment's needs.


Gauge of Windows Successful Logons

A gauge visualization of successful Windows logons. Adjust the gauge ranges to meet your needs.


Search Common EventCodes (EventIDs) for Suspicious Behavior

This query searches many common EventCodes (EventIDs) within a Windows environment for indicators of suspicious behavior. It can take some time to run because of its length, but it is excellent for high-level security insight.


Logon Types within a Windows Environment (with logon count)

This query identifies the logon types seen in a Windows environment and lists the number of logons associated with each type.
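Almost every entry on this page comes in two flavours because the Security log changed between Server 2003 and Server 2008. The following is an added example, not one of the site's queries: it normalises events from both formats onto one category, then produces the counts behind the logon-type report, the two logon gauges, the accounts-enabled list and the time-change list (with system accounts excluded). The event ID pairs are the standard Windows ones (626/4722 account enabled, 520/4616 time changed, 621/4717 and 622/4718 system security access granted and removed, 528 and 540/4624 successful logon, 529 to 537 and 539/4625 failed logon, 538/4634 logoff) and the logon type numbers are the documented ones; the field names, the definition of "system account" and the sample events are assumptions made for the example.

```python
from collections import Counter

# Event IDs for the same security event in the two log formats this page keeps
# distinguishing: Server 2003 and older on the left, Server 2008 / Windows 7
# and newer on the right. Only the categories covered on this page are listed.
EVENT_CATEGORIES = {
    "account_enabled": ({626}, {4722}),
    "time_changed":    ({520}, {4616}),
    "access_granted":  ({621}, {4717}),
    "access_removed":  ({622}, {4718}),
    "logon_success":   ({528, 540}, {4624}),
    "logon_failure":   ({529, 530, 531, 532, 533, 534, 535, 536, 537, 539}, {4625}),
    "logoff":          ({538}, {4634}),
}
CODE_TO_CATEGORY = {code: cat for cat, (old, new) in EVENT_CATEGORIES.items() for code in old | new}

# Logon type numbers are the same in both formats.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
                    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
                    11: "CachedInteractive"}

# Assumed definition of "system account" for the time-change report: the built-in
# service identities plus computer accounts (names ending in '$').
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample events, not real log data; the field names (EventCode,
# TargetUserName, SubjectUserName, LogonType) are assumed.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "TargetUserName": "alice", "LogonType": 2},
    {"EventCode": 4624, "TargetUserName": "alice", "LogonType": 10},
    {"EventCode": 4624, "TargetUserName": "svc-web", "LogonType": 5},
    {"EventCode": 4625, "TargetUserName": "alice", "LogonType": 3},
    {"EventCode": 4634, "TargetUserName": "alice"},
    {"EventCode": 4616, "SubjectUserName": "LOCAL SERVICE"},   # routine time sync, ignored
    {"EventCode": 4616, "SubjectUserName": "alice"},
    {"EventCode": 4722, "TargetUserName": "newhire"},
    {"EventCode": 540, "TargetUserName": "bob", "LogonType": 3},    # 2003-era host
    {"EventCode": 528, "TargetUserName": "bob", "LogonType": 2},
    {"EventCode": 529, "TargetUserName": "bob", "LogonType": 3},    # bad password
    {"EventCode": 539, "TargetUserName": "carol", "LogonType": 2},  # account locked out
    {"EventCode": 520, "SubjectUserName": "WS01$"},                 # computer account, ignored
    {"EventCode": 520, "SubjectUserName": "bob"},
    {"EventCode": 626, "TargetUserName": "contractor"},
]


def categorize(ev):
    """Normalise an event from either log format to one of the categories above, or None."""
    return CODE_TO_CATEGORY.get(ev["EventCode"])


def is_system_account(name):
    return name.upper() in SYSTEM_ACCOUNTS or name.endswith("$")


def category_counts(events):
    """The equivalent of `stats count by category` over both formats at once."""
    return Counter(c for c in map(categorize, events) if c)


def logon_gauge(events):
    """The two gauge panels: total successful and total failed logons."""
    counts = category_counts(events)
    return {"success": counts["logon_success"], "failure": counts["logon_failure"]}


def logon_type_counts(events):
    """Number of successful logons per logon type name."""
    counts = Counter()
    for ev in events:
        if categorize(ev) == "logon_success":
            lt = ev.get("LogonType")
            counts[LOGON_TYPE_NAMES.get(lt, f"type {lt}")] += 1
    return counts


def time_changes(events):
    """Accounts that changed the system clock, with system accounts excluded."""
    return sorted({ev["SubjectUserName"] for ev in events
                   if categorize(ev) == "time_changed" and not is_system_account(ev["SubjectUserName"])})


def accounts_enabled(events):
    """Accounts enabled in the window, from either log format."""
    return sorted(ev["TargetUserName"] for ev in events if categorize(ev) == "account_enabled")


if __name__ == "__main__":
    print(dict(category_counts(SAMPLE_EVENTS)))
    print(logon_gauge(SAMPLE_EVENTS), dict(logon_type_counts(SAMPLE_EVENTS)))
    print(time_changes(SAMPLE_EVENTS), accounts_enabled(SAMPLE_EVENTS))
```

Mapping both ID sets onto one category up front is what lets a single report cover a mixed estate; the alternative, one query per Windows generation, is exactly the duplication the entries above show. Note that the legacy failure IDs encode the reason (bad password, locked out, expired) in the ID itself, whereas 4625 carries it in a status field, so anything that drills into the failure reason still needs format-specific logic.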
