EventLog
6 events across 1 channel
Event ID 6005 — Event Log service started
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | 24 bytes: a 16-byte Win32 SYSTEMTIME (year, month, day of week, day, hour, minute, second, milliseconds as little-endian 16-bit words) giving the time the service started, followed by 8 zero bytes |
Example Event #
{
"system": {
"provider": "EventLog",
"guid": "",
"event_source_name": "",
"event_id": 6005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:40.978481+00:00",
"event_record_id": 1475,
"correlation": {},
"execution": {
"process_id": 2636,
"thread_id": 2680
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "",
"Binary": "E7070B0001000600060019002800CB030000000000000000"
},
"message": ""
}
Community Notes #
Written when the Event Log service starts, which in practice means system boot. It is a reliable anchor for establishing a timeline: each 6005 marks a boot, and the 6006 that precedes it (or its absence) tells you how the previous session ended.
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 6006 — Event Log service stopped
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "EventLog",
"guid": "",
"event_source_name": "",
"event_id": 6006,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:31:36.986923+00:00",
"event_record_id": 1851,
"correlation": {},
"execution": {
"process_id": 1816,
"thread_id": 1352
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "",
"Binary": "0100000000000000"
},
"message": ""
}
Community Notes #
Written when the Event Log service stops, normally as part of a clean shutdown. A 6005 that is not preceded by a 6006 means the service was not stopped cleanly before that boot: a crash, power loss or hard reset, which Windows itself reports as Event ID 6008 on the next start-up. When neither a 6006 nor a 6008 precedes a 6005, suspect a gap in the log (cleared or rolled-over records, or a clock change) rather than a crash.
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
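The sequencing described in the Community Notes for 6005 and 6006, together with the 6008, 6009, 6011 and 6013 events documented further down this page, as an added example that is not part of this page or of the sources it cites. It walks a System-channel export (using the JSON field names shown on this page) in time order, pairs every 6005 boot with the 6006 that should precede it, and attaches the nearby start-up events to that boot. The sample events are constructed for the example: the first boot reuses the timestamps of this page's 6006/6011/6009/6005/6013 examples, the second boot is invented to exercise the 6008 path, and the ten-minute `window` is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample (not taken from the page's sources): a System-channel extract
# reduced to the fields the logic needs. First boot: timestamps copied from this
# page's examples. Second boot: invented, with no 6006 before it and a 6008 after it.
SAMPLE_EVENTS = [
    {"event_id": 6006, "time_created": "2023-11-05T22:31:36.986923+00:00", "event_data": {}},
    {"event_id": 6011, "time_created": "2023-11-06T06:25:40.969534+00:00",
     "event_data": {"Data_0": "WINDEVEVAL", "Data_1": "WINDEV2310EVAL"}},
    {"event_id": 6009, "time_created": "2023-11-06T06:25:40.977908+00:00",
     "event_data": {"Data_0": "10.00.", "Data_1": "22621", "Data_2": "", "Data_3": "Multiprocessor Free"}},
    {"event_id": 6005, "time_created": "2023-11-06T06:25:40.978481+00:00", "event_data": {}},
    {"event_id": 6013, "time_created": "2023-11-06T06:25:40.980475+00:00", "event_data": {"Data_4": "51"}},
    {"event_id": 6005, "time_created": "2023-11-07T08:00:12+00:00", "event_data": {}},
    {"event_id": 6008, "time_created": "2023-11-07T08:00:15+00:00",
     "event_data": {"Data": ["7:58:02 AM", "11/7/2023", "", "", "", "", ""]}},
]


def parse_ts(value):
    # Python < 3.11 fromisoformat() does not accept a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def boot_timeline(events, window=timedelta(minutes=10)):
    """One record per 6005 (boot). A 6006 is paired with the first boot after it;
    6008, 6009, 6011 and 6013 are attached to the nearest boot within `window`
    (assumed value), so the result does not depend on the exact record order in
    which Windows writes the start-up events."""
    ordered = sorted(events, key=lambda e: parse_ts(e["time_created"]))
    boots = [{"boot": parse_ts(e["time_created"]), "clean_shutdown": None,
              "unexpected_shutdown": None, "os": None, "hostname_change": None,
              "uptime_seconds": None}
             for e in ordered if e["event_id"] == 6005]

    def nearest(ts):
        if not boots:
            return None
        best = min(boots, key=lambda b: abs(b["boot"] - ts))
        return best if abs(best["boot"] - ts) <= window else None

    for e in ordered:
        eid, ts, ed = e["event_id"], parse_ts(e["time_created"]), e["event_data"]
        if eid == 6006:
            following = [b for b in boots if b["boot"] > ts]
            if following:
                following[0]["clean_shutdown"] = ts
            continue
        boot = nearest(ts)
        if boot is None:
            continue
        if eid == 6008:
            # %1 = time, %2 = date of the dirty shutdown, local time in the host's locale
            boot["unexpected_shutdown"] = " ".join(ed.get("Data", [])[:2]).strip()
        elif eid == 6009:
            boot["os"] = f"{ed.get('Data_0', '')}{ed.get('Data_1', '')} {ed.get('Data_3', '')}".strip()
        elif eid == 6011:
            boot["hostname_change"] = (ed.get("Data_0"), ed.get("Data_1"))
        elif eid == 6013:
            boot["uptime_seconds"] = int(ed.get("Data_4") or 0)
    return boots


def classify(boot):
    if boot["clean_shutdown"] is not None:
        return "clean"
    if boot["unexpected_shutdown"] is not None:
        return "unexpected shutdown (6008)"
    return "no 6006 and no 6008: log gap, cleared log or clock change"


def suspicious_boots(events):
    """Boots that were not preceded by a clean stop of the Event Log service."""
    return [b for b in boot_timeline(events) if classify(b) != "clean"]


if __name__ == "__main__":
    for b in boot_timeline(SAMPLE_EVENTS):
        print(b["boot"].isoformat(), classify(b), b["os"], b["uptime_seconds"])
```

Two caveats when running this over a real export: the earliest 6005 in a log that has been cleared or has rolled over is reported as "no 6006 and no 6008" simply because its predecessor is gone, so read that verdict together with the log's first record ID; and the 6008 Data strings are local time in the host's locale while time_created is UTC, so do not compare them to a 6006 timestamp without converting.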
Event ID 6008 — Previous system shutdown was unexpected
Fields #
| Name | Description |
|---|---|
| Data | Array of insertion strings; [0] is the time and [1] the date of the previous shutdown, in the host's local time and locale (%1 and %2 of the message) |
| Binary | Two consecutive 16-byte Win32 SYSTEMTIME structures holding the shutdown time (the first matches the Data strings; the second is four hours later in the example, consistent with the same instant in UTC), followed by 32 bytes not decoded here |
Example Event #
{
"system": {
"provider": "EventLog",
"guid": "",
"event_source_name": "",
"event_id": 6008,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2012-04-06T19:12:08.000000Z",
"event_record_id": 13530,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "WKS-WIN764BITB.shieldbase.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"3:09:23 PM",
"4/6/2012",
"",
"",
"14071",
"",
""
],
"Binary": "DC070400050006000F00090017004B01DC070400050006001300090017004B01600900003C000000010000006009000000000000B004000001000000EF0F0000"
}
}
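The Binary field of 6005 and 6008 carries timestamps as raw Win32 SYSTEMTIME structures rather than text. As an added example (not code from this page's sources), the decoder below unpacks the Binary values copied from this page's 6005, 6006 and 6008 examples: the 6005 value yields 2023-11-06 06:25:40.971, seven milliseconds before the event's own time_created; the 6008 value yields two stamps, 15:09:23.331 (matching the Data strings "3:09:23 PM" and "4/6/2012") and 19:09:23.331, four hours later, consistent with the same instant in UTC on a UTC-4 host; the 8-byte 6006 value is not a SYSTEMTIME and decodes to nothing. Reading the second 6008 stamp as UTC, and leaving the 32 bytes that follow it undecoded, are assumptions; the day-of-week cross-check is a sanity check added here.

```python
import struct
from datetime import datetime

# SYSTEMTIME (minwinbase.h): eight little-endian 16-bit fields, 16 bytes in total:
# wYear, wMonth, wDayOfWeek (0 = Sunday), wDay, wHour, wMinute, wSecond, wMilliseconds
SYSTEMTIME_FMT = "<8H"
SYSTEMTIME_LEN = struct.calcsize(SYSTEMTIME_FMT)  # 16

# Binary strings copied from this page's example events
BINARY_6005 = "E7070B0001000600060019002800CB030000000000000000"
BINARY_6006 = "0100000000000000"
BINARY_6008 = ("DC070400050006000F00090017004B01"
               "DC070400050006001300090017004B01"
               "600900003C000000010000006009000000000000B004000001000000EF0F0000")


def decode_systemtime(raw, offset=0):
    """Return the SYSTEMTIME at `offset` as a naive datetime.
    Raises ValueError if the fields are not a real calendar date/time, or if the
    stored day-of-week disagrees with the date (cheap check that the bytes really
    are a SYSTEMTIME and have not been edited inconsistently)."""
    year, month, dow, day, hour, minute, second, ms = struct.unpack_from(
        SYSTEMTIME_FMT, raw, offset)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    if (dt.weekday() + 1) % 7 != dow:  # Python: Monday = 0; SYSTEMTIME: Sunday = 0
        raise ValueError(f"day-of-week {dow} does not match {dt.date()}")
    return dt


def systemtimes_in_binary(binary_hex):
    """Decode consecutive 16-byte SYSTEMTIME structures from the start of a Binary
    field, stopping at the first chunk that is not a valid timestamp."""
    raw = bytes.fromhex(binary_hex)
    found = []
    for off in range(0, len(raw) - SYSTEMTIME_LEN + 1, SYSTEMTIME_LEN):
        try:
            found.append(decode_systemtime(raw, off))
        except ValueError:
            break
    return found


def shutdown_times_6008(binary_hex):
    """For a 6008 Binary: (local shutdown time, second stamp assumed to be UTC,
    offset of local from that stamp in hours). None if two stamps are not present."""
    stamps = systemtimes_in_binary(binary_hex)
    if len(stamps) < 2:
        return None
    local, utc = stamps[0], stamps[1]
    return local, utc, (local - utc).total_seconds() / 3600


if __name__ == "__main__":
    print("6005:", systemtimes_in_binary(BINARY_6005))   # [2023-11-06 06:25:40.971000]
    print("6006:", systemtimes_in_binary(BINARY_6006))   # []
    print("6008:", shutdown_times_6008(BINARY_6008))     # (... 15:09:23.331, ... 19:09:23.331, -4.0)
```

The decoded 6005 stamp sits a few milliseconds before time_created, which is the expected relationship between a value captured by the service and the record's own write time; a large or negative gap between the two on a real system is a reason to look at the surrounding records for clock changes.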
Event ID 6009 — Windows version and build logged at startup
Fields #
| Name | Description |
|---|---|
| Data_0 | Windows version, e.g. "10.00." |
| Data_1 | Build number, e.g. "22621" |
| Data_2 | Service pack level; empty on builds without one |
| Data_3 | Build type, e.g. "Multiprocessor Free" |
| Data_4 | — |
| Binary | Empty in the example below |
Example Event #
{
"system": {
"provider": "EventLog",
"guid": "",
"event_source_name": "",
"event_id": 6009,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:40.977908+00:00",
"event_record_id": 1474,
"correlation": {},
"execution": {
"process_id": 2636,
"thread_id": 2680
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "10.00.",
"Data_1": "22621",
"Data_2": "",
"Data_3": "Multiprocessor Free",
"Data_4": "0",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 6011 — NetBIOS name and DNS host name changed
Fields #
| Name | Description |
|---|---|
| Data_0 | Previous NetBIOS/DNS host name of the machine (%1) |
| Data_1 | New NetBIOS/DNS host name (%2) |
| Binary | Empty in the example below |
Example Event #
{
"system": {
"provider": "EventLog",
"guid": "",
"event_source_name": "",
"event_id": 6011,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:40.969534+00:00",
"event_record_id": 1473,
"correlation": {},
"execution": {
"process_id": 2636,
"thread_id": 2680
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "WINDEVEVAL",
"Data_1": "WINDEV2310EVAL",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 6013 — System uptime in seconds
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Data_1 | — |
| Data_2 | — |
| Data_3 | — |
| Data_4 | System uptime in seconds (%5 of the message), measured at the time the record is written |
| Data_5 | — |
| Data_6 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "EventLog",
"guid": "",
"event_source_name": "",
"event_id": 6013,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:40.980475+00:00",
"event_record_id": 1476,
"correlation": {},
"execution": {
"process_id": 2636,
"thread_id": 2680
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "",
"Data_1": "",
"Data_2": "",
"Data_3": "",
"Data_4": "51",
"Data_5": "60",
"Data_6": "",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline