MODULE 03
Hunting in Windows Logs (EVTX)
Security.evtx, System.evtx, and PowerShell logs (4103/4104).
Critical Event IDs
Windows Event Logs are a goldmine for threat hunters.
4624 - Successful Logon
4625 - Failed Logon
4688 - Process Creation
4104 - PowerShell Script Block Logging
4720 - User Account Created
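Added example (not part of this module's material): a small hunt over constructed Security.evtx-style records that correlates the IDs above, flagging a 4624 that follows a burst of 4625 for the same account and source, and a 4720 created shortly afterwards by that same principal. Field names (EventID, TimeCreated, TargetUserName, IpAddress, SubjectUserName) mirror the Security log's own event data; the sample events and thresholds are assumptions.

```python
"""Correlate 4625 -> 4624 -> 4720 over constructed Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like parsed Security.evtx event data.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.77"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T09:00:03", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.77"},
    {"EventID": 4625, "TimeCreated": "2024-05-01T09:00:05", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:09", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.77"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T09:01:30", "TargetUserName": "helpdesk2", "SubjectUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:05:00", "TargetUserName": "alice", "IpAddress": "10.0.0.12"},
]

FAILS_BEFORE_SUCCESS = 3       # assumed: 4625 count that makes a following 4624 suspicious
WINDOW = timedelta(minutes=5)  # assumed: lookback for failures and for the 4720 follow-up


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def hunt(events):
    """Return findings as tuples: successful logons preceded by a failure burst,
    and accounts created by a principal whose own logon was flagged just before."""
    events = sorted(events, key=_ts)
    fails = defaultdict(list)   # (user, source ip) -> timestamps of 4625
    flagged_logons = {}         # user -> time of the suspicious 4624
    findings = []
    for ev in events:
        eid, t = ev["EventID"], _ts(ev)
        if eid == 4625:
            fails[(ev["TargetUserName"], ev["IpAddress"])].append(t)
        elif eid == 4624:
            key = (ev["TargetUserName"], ev["IpAddress"])
            recent = [f for f in fails[key] if t - f <= WINDOW]
            if len(recent) >= FAILS_BEFORE_SUCCESS:
                flagged_logons[ev["TargetUserName"]] = t
                findings.append(("brute_force_success", ev["TargetUserName"], ev["IpAddress"], len(recent)))
        elif eid == 4720:
            creator = ev.get("SubjectUserName")
            if creator in flagged_logons and t - flagged_logons[creator] <= WINDOW:
                findings.append(("account_created_after_suspicious_logon", creator, ev["TargetUserName"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The same function works on real records once they are exported (for example with Get-WinEvent) into the same field names.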