Introduction
In this video walk-through, we covered managing logs in windows using event viewer, Powershell and windows command line. We examined also a scenario to investigate a cyber incident.
Per Wikipedia, “Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications).”
This definition would apply to system administrators, IT technicians, desktop engineers, etc. If the endpoint is experiencing an issue, the event logs can be queried to see any clues about what led to the issue. The operating system, by default, writes messages to these logs.
As defenders (blue teamers), there is another use case for event logs. “It can also be useful to combine log file entries from multiple sources. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers.”
This is where SIEMs (Security information and event management) such as Splunk and Elastic come into play.
Even though it’s possible to access a remote machine’s event logs, this will not be feasible with a large enterprise environment. Instead, one can view the logs from all the endpoints, appliances, etc., in a SIEM. This will allow you to query the logs from multiple devices instead of manually connecting to a single device to view its logs.
Windows is not the only operating system that uses a logging system. Linux and macOS do as well. For example, on Linux systems, the logging system is known as Syslog. Within this room, though, we’re only focusing on the Windows logging system called Windows Event Logs.
Room Answers
What is the Event ID for the first event?
Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?
What is the Task Category for Event ID 4104?
For the questions below, use Event Viewer to analyze the Windows PowerShell log.
What is the Task Category for Event ID 800?
How many log names are in the machine?
What is the definition for the query-events command?
What option would you use to provide a path to a log file?
The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text
What is the log name?
What is the /rd option for?
What is the /c option for?
Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?
How do you specify the number of events to display?
When using the FilterHashtable parameter and filtering by level, what is the value for Informational?
Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?
Based on the previous query, how many results are returned?
Based on the output from the question #2, what is Message?
Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
A Log clear event was recorded. What is the ‘Event Record ID’?
What is the name of the computer?
What is the name of the first variable within the PowerShell command?
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
What is the Execution Process ID?
What is the Group Security ID of the group she enumerated?
What is the event ID?
Video Walk-through