Einführung

In this video walk-through, we covered managing logs in windows using event viewer, Powershell and windows command line. We examined also a scenario to investigate a cyber incident.

Per Wikipedia, “Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications).

This definition would apply to system administrators, IT technicians, desktop engineers, etc. If the endpoint is experiencing an issue, the event logs can be queried to see any clues about what led to the issue. The operating system, by default, writes messages to these logs.

As defenders (blue teamers), there is another use case for event logs. “It can also be useful to combine log file entries from multiple sources. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers.

This is where SIEMs (Security information and event management) such as Splunk and Elastic come into play.

Even though it’s possible to access a remote machine’s event logs, this will not be feasible with a large enterprise environment. Instead, one can view the logs from all the endpoints, appliances, etc., in a SIEM. This will allow you to query the logs from multiple devices instead of manually connecting to a single device to view its logs.

Windows is not the only operating system that uses a logging system. Linux and macOS do as well. For example, on Linux systems, the logging system is known as Syslog. Within this room, though, we’re only focusing on the Windows logging system called Windows Event Logs.

 

Holen Sie sich Blue Team Notes

 

 

Raumantworten

What is the Event ID for the first event?

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

What is the Task Category for Event ID 4104?

For the questions below, use Event Viewer to analyze the Windows PowerShell log.

Was ist der Task Category for Event ID 800?

How many log names are in the machine?

What is the definition for the query-events Befehl?

What option would you use to provide a path to a log file?

Was ist der VALUE für /q?

The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text

What is the log name?

Was ist der /rd option for?

Was ist der /c option for?

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?
Execute the command from Example 7. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?

Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

How do you specify the number of events to display?

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

Verwenden von Get-WinEvent Und XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Verwenden von Get-WinEvent Und XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?

Based on the previous query, how many results are returned?

Based on the output from the question #2, what is Message?

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

What is the Provider Name?
What event ID is to detect a PowerShell downgrade attack?

Was ist der Datum (und Uhrzeit this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

Log clear event was recorded. What is the ‘Event Record ID’?

What is the name of the computer?

What is the name of the first variable within the PowerShell command?

Was ist der Datum (und Uhrzeit this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

Was ist der Execution Process ID?

Was ist der Group Security ID of the group she enumerated?

What is the event ID?

Video-Anleitung

 

 

Über den Autor

Cybersecurity-Trainer und Schwimmer

Artikel anzeigen