EventLog

6 events across 1 channel

Event ID | Title | Channel
6005 | | System
6006 | | System
6008 | | System
6009 | | System
6011 | | System
6013 | | System

Event ID 6005 —

Provider: EventLog
Channel: System
Level: 4
Samples: 1

Fields

Name | Description
Data_0 |
Binary |

Example Event

system:
  provider: EventLog
  guid: ''
  event_source_name: ''
  event_id: 6005
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:40.978481+00:00'
  event_record_id: 1475
  correlation: {}
  execution:
    process_id: 2636
    thread_id: 2680
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data_0: ''
  Binary: E7070B0001000600060019002800CB030000000000000000
message: ''

Community Notes

Indicates system boot, and is a reliable indicator for establishing a timeline.


Event ID 6006 —

Provider: EventLog
Channel: System
Level: 4
Samples: 1

Fields

Name | Description
Data_0 |
Binary |

Example Event

system:
  provider: EventLog
  guid: ''
  event_source_name: ''
  event_id: 6006
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-05T22:31:36.986923+00:00'
  event_record_id: 1851
  correlation: {}
  execution:
    process_id: 1816
    thread_id: 1352
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data_0: ''
  Binary: '0100000000000000'
message: ''

Community Notes

Indicates system shutdown. An absence of this before 6005 suggests an unexpected shutdown or crash, which may be suspicious.


Event ID 6008 —

Provider: EventLog
Channel: System
Level: 2
Samples: 1

Fields

Name | Description
Data |
Binary |

Example Event

system:
  provider: EventLog
  guid: ''
  event_source_name: ''
  event_id: 6008
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2012-04-06T19:12:08.000000Z'
  event_record_id: 13530
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: System
  computer: WKS-WIN764BITB.shieldbase.local
  security:
    user_id: ''
event_data:
  Data:
  - 3:09:23 PM
  - ‎4/‎6/‎2012
  - ''
  - ''
  - '14071'
  - ''
  - ''
  Binary: DC070400050006000F00090017004B01DC070400050006001300090017004B01600900003C000000010000006009000000000000B004000001000000EF0F0000

Event ID 6009 —

Provider: EventLog
Channel: System
Level: 4
Samples: 1

Fields

Name | Description
Data_0 |
Data_1 |
Data_2 |
Data_3 |
Data_4 |
Binary |

Example Event

system:
  provider: EventLog
  guid: ''
  event_source_name: ''
  event_id: 6009
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:40.977908+00:00'
  event_record_id: 1474
  correlation: {}
  execution:
    process_id: 2636
    thread_id: 2680
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data_0: 10.00.
  Data_1: '22621'
  Data_2: ''
  Data_3: Multiprocessor Free
  Data_4: '0'
  Binary: ''
message: ''


Event ID 6011 —

Provider: EventLog
Channel: System
Level: 4
Samples: 1

Fields

Name | Description
Data_0 |
Data_1 |
Binary |

Example Event

system:
  provider: EventLog
  guid: ''
  event_source_name: ''
  event_id: 6011
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:40.969534+00:00'
  event_record_id: 1473
  correlation: {}
  execution:
    process_id: 2636
    thread_id: 2680
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data_0: WINDEVEVAL
  Data_1: WINDEV2310EVAL
  Binary: ''
message: ''


Event ID 6013 —

Provider: EventLog
Channel: System
Level: 4
Samples: 1

Fields

Name | Description
Data_0 |
Data_1 |
Data_2 |
Data_3 |
Data_4 |
Data_5 |
Data_6 |
Binary |

Example Event

system:
  provider: EventLog
  guid: ''
  event_source_name: ''
  event_id: 6013
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:40.980475+00:00'
  event_record_id: 1476
  correlation: {}
  execution:
    process_id: 2636
    thread_id: 2680
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data_0: ''
  Data_1: ''
  Data_2: ''
  Data_3: ''
  Data_4: '51'
  Data_5: '60'
  Data_6: ''
  Binary:
message: ''
