Introduction
In this video walkthrough, we covered managing logs in Windows using Event Viewer, PowerShell and the Windows command line. We also examined a scenario to investigate a cyber incident.
Per Wikipedia, “Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications).”
This definition would apply to system administrators, IT technicians, desktop engineers, etc. If the endpoint is experiencing an issue, the event logs can be queried to see any clues about what led to the issue. The operating system, by default, writes messages to these logs.
As defenders (blue teamers), there is another use case for event logs. “It can also be useful to combine log file entries from multiple sources. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers.”
This is where SIEMs (Security information and event management) such as Splunk and Elastic come into play.
Even though it’s possible to access a remote machine’s event logs, this is not feasible in a large enterprise environment. Instead, one can view the logs from all the endpoints, appliances, etc., in a SIEM. This allows you to query the logs from multiple devices instead of manually connecting to a single device to view its logs.
Windows is not the only operating system that uses a logging system. Linux and macOS do as well. For example, on Linux systems, the logging system is known as Syslog. Within this room, though, we’re only focusing on the Windows logging system called Windows Event Logs.
Windows Event Viewer Basics
Navigating Event Viewer:
- The Event Viewer provides a user-friendly interface to browse logs, create custom views, and filter through logs by event IDs or types.
- In the tutorial, the instructor accesses the Microsoft Windows PowerShell Operational Logs and explains how to extract useful information such as event IDs, task categories, and executed commands.
Filtering Logs by Event ID:
- The instructor demonstrates how to filter logs by a specific event ID (e.g., 4104) using the Event Viewer’s built-in filter functionality. This is useful for identifying specific PowerShell commands executed on the system.
- By filtering logs, users can track actions like command execution, which is especially helpful for detecting malicious activity or attacks.
Command-Line Tools for Windows Event Logs
Using wevtutil:
- wevtutil is a command-line tool that allows users to query event logs, retrieve event metadata, and export or clear logs.
- The video shows how to use the wevtutil command to list log names, query events, and extract specific information such as log names, event definitions, and log file paths.
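The wevtutil tasks described above, run from a PowerShell prompt, as an added example that is not part of the video or the room. It assumes an elevated prompt and the standard Windows log and provider names.

```powershell
# Added example (not from the video): driving wevtutil from PowerShell.

# 1. How many log names does this machine have?  "el" = enum-logs
$logNames = wevtutil el
"Log names registered: $($logNames.Count)"

# 2. Metadata for one log: "gl" = get-log. The logFileName line is the
#    on-disk path of the .evtx file behind this log.
wevtutil gl 'Microsoft-Windows-PowerShell/Operational'

# 3. Which event IDs does a provider define?  "gp" = get-publisher,
#    /ge:true lists the event metadata, /gm:true adds the message templates.
#    The "value:" lines carry the event IDs; list them once each.
wevtutil gp Microsoft-Windows-PowerShell /ge:true /gm:true |
    Select-String -Pattern '^\s*value:\s*(\d+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

# 4. The newest 3 Application events as plain text: "qe" = query-events,
#    /c = number of events, /rd:true = reverse direction (newest first), /f = format
wevtutil qe Application /c:3 /rd:true /f:text

# 5. The same query restricted with an XPath filter (/q:): only the
#    PowerShell script-block logging records, Event ID 4104
wevtutil qe 'Microsoft-Windows-PowerShell/Operational' /q:"*[System[EventID=4104]]" /c:5 /rd:true /f:text
```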
Using PowerShell (Get-WinEvent):
- The PowerShell cmdlet Get-WinEvent is introduced as a flexible tool for querying and filtering event logs, using commands like Get-WinEvent -ListLog to retrieve all logs or filtering by event provider.
- The instructor highlights how to filter logs by provider (e.g., PowerShell) or event IDs and how to count the number of events using commands like Measure-Object.
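The Get-WinEvent approach above applied to the Event ID 4104 investigation this walkthrough revolves around, as an added example that is not part of the video or the room. It assumes Script Block Logging is enabled, so the PowerShell Operational log actually contains 4104 records.

```powershell
# Added example (not from the video): pull PowerShell script-block logging
# records (Event ID 4104) with Get-WinEvent and list the commands in execution order.

$filter = @{
    LogName      = 'Microsoft-Windows-PowerShell/Operational'
    ProviderName = 'Microsoft-Windows-PowerShell'
    Id           = 4104
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Count the matching records, as the video does with Measure-Object
$count = ($events | Measure-Object).Count
"4104 records found: $count"

# The interesting fields sit under <EventData>; convert each record to XML so
# they can be read by name (ScriptBlockText, ScriptBlockId, MessageNumber, ...)
$blocks = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $text = [string]$data['ScriptBlockText'] -replace '\s+', ' '
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        RecordId    = $e.RecordId
        ProcessId   = $e.ProcessId          # shown as "Execution Process ID" in Event Viewer
        Fragment    = "$($data['MessageNumber'])/$($data['MessageTotal'])"
        Preview     = if ($text.Length -gt 70) { $text.Substring(0, 70) + '...' } else { $text }
    }
}

# Get-WinEvent returns newest first; sort ascending so the 2nd row is the 2nd command run
$blocks | Sort-Object TimeCreated, RecordId | Format-Table -AutoSize
```

Long script blocks are logged as several 4104 records, which is what the Fragment column (MessageNumber of MessageTotal) makes visible.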
Advanced Log Querying with XPath
XPath queries are used to filter events using XML syntax. This is particularly useful for more complex searches when filtering through large numbers of events.
The instructor explains how to build XPath queries, starting from the <System> element of the event XML and filtering based on parameters like Provider Name (e.g., wlms) or Event Time.
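The three kinds of XPath filter described above (provider, time, and an EventData field), written out for Get-WinEvent as an added example that is not part of the video or the room. It assumes, as the walkthrough does, that a provider named wlms has written to the Application log.

```powershell
# Added example (not from the video): the same Get-WinEvent, but with -FilterXPath.
# The query root "*" is the <Event> element; <System> holds provider, ID and time,
# <EventData> holds the named Data fields.

# 1. Filter on Provider Name
$byProvider = "*[System[Provider[@Name='wlms']]]"
Get-WinEvent -LogName Application -FilterXPath $byProvider -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName

# 2. Add a time window. Event-log XPath supports timediff(@SystemTime), the number of
#    milliseconds between the event and now: 86400000 ms = the last 24 hours.
$recent = "*[System[Provider[@Name='wlms'] and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
(Get-WinEvent -LogName Application -FilterXPath $recent -ErrorAction SilentlyContinue |
    Measure-Object).Count

# 3. Reach into <EventData>, which Event Viewer's basic filter cannot do.
#    Long script blocks are split across several 4104 records; keeping only
#    MessageNumber=1 counts script blocks rather than fragments. For 4104 the
#    Properties array is MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
$firstFragment = "*[System[EventID=4104] and EventData[Data[@Name='MessageNumber']='1']]"
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath $firstFragment -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, RecordId, @{ n = 'Command'; e = { $_.Properties[2].Value } }
```

Windows event-log XPath is a subset of XPath 1.0, so string functions such as contains() are not available; match EventData fields by exact value as in step 3.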
Practical Examples
Identifying PowerShell Commands:
- The instructor walks through identifying PowerShell commands that were executed during an attack, specifically filtering by event ID 4104 to track command execution.
Querying and Filtering Logs with Commands:
- A combination of commands and tools like wevtutil and PowerShell are demonstrated to query specific logs, identify vulnerabilities, and examine important event data.
Key Takeaways
Event Viewer is a great starting point for viewing and filtering logs, but for more complex searches or large volumes of logs, command-line tools like wevtutil and Get-WinEvent offer more flexibility.
XPath queries in PowerShell provide a powerful method for filtering and analyzing logs efficiently, making them essential for advanced log analysis.
TryHackMe Windows Event Logs | Room Answers
What is the Event ID for the first event?
Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?
What is the Task Category for Event ID 4104?
For the questions below, use Event Viewer to analyze the Windows PowerShell log.
What is the Task Category for Event ID 800?
How many log names are in the machine?
What is the definition for the query-events command?
What option would you use to provide a path to a log file?
The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text
What is the log name?
What is the /rd option for?
What is the /c option for?
Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?
How do you specify the number of events to display?
When using the FilterHashtable parameter and filtering by level, what is the value for Informational?
Using Get-WinEvent and XPath, what is the query to find a user named Sam with a Logon Event ID of 4720?
Based on the previous query, how many results are returned?
Based on the output from the question #2, what is Message?
Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
A Log clear event was recorded. What is the ‘Event Record ID’?
What is the name of the computer?
What is the name of the first variable within the PowerShell command?
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
What is the Execution Process ID?
What is the Group Security ID of the group she enumerated?
What is the event ID?