Introduction

In this video walk-through, we covered managing logs in windows using event viewer, Powershell and windows command line. We examined also a scenario to investigate a cyber incident.

Per Wikipedia, “Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications).

This definition would apply to system administrators, IT technicians, desktop engineers, etc. If the endpoint is experiencing an issue, the event logs can be queried to see any clues about what led to the issue. The operating system, by default, writes messages to these logs.

As defenders (blue teamers), there is another use case for event logs. “It can also be useful to combine log file entries from multiple sources. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers.

This is where SIEMs (Security information and event management) such as Splunk and Elastic come into play.

Even though it’s possible to access a remote machine’s event logs, this will not be feasible with a large enterprise environment. Instead, one can view the logs from all the endpoints, appliances, etc., in a SIEM. This will allow you to query the logs from multiple devices instead of manually connecting to a single device to view its logs.

Windows is not the only operating system that uses a logging system. Linux and macOS do as well. For example, on Linux systems, the logging system is known as Syslog. Within this room, though, we’re only focusing on the Windows logging system called Windows Event Logs.

 

Obtenez les notes de l'équipe bleue

 

 

Réponses de la salle

What is the Event ID for the first event?

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

What is the Task Category for Event ID 4104?

For the questions below, use Event Viewer to analyze the Windows PowerShell log.

Quel est le Task Category for Event ID 800?

How many log names are in the machine?

What is the definition for the query-events commande?

What option would you use to provide a path to a log file?

Quel est le VALUE for /q?

The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text

What is the log name?

Quel est le /rd option for?

Quel est le /c option for?

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?
Execute the command from Example 7. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?

Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

How do you specify the number of events to display?

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?

Based on the previous query, how many results are returned?

Based on the output from the question #2, what is Message?

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

What is the Provider Name?
What event ID is to detect a PowerShell downgrade attack?

Quel est le Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

Log clear event was recorded. What is the ‘Event Record ID’?

What is the name of the computer?

What is the name of the first variable within the PowerShell command?

Quel est le Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

Quel est le Execution Process ID?

Quel est le Group Security ID of the group she enumerated?

What is the event ID?

Vidéo pas à pas

 

 

A propos de l'Auteur

Instructeur et nageur en cybersécurité

Voir les Articles