{% embed url="https://wiki.sans.blue/Tools/pdfs/Get-WinEvent.pdf" %}
```powershell
# Read a single log by name
Get-WinEvent -LogName "Windows PowerShell"
# List the classic logs
Get-EventLog -List
# List every log with its record count; *operational narrows it to the operational channels
Get-WinEvent -ListLog * | Select-Object RecordCount, LogName
Get-WinEvent -ListLog *operational | Select-Object RecordCount, LogName
# The same listing via WMI
wmic nteventlog list brief
# Which providers have written to the Application log
Get-EventLog Application | Select-Object -Unique Source
# Filter the Application log to a single provider
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Outlook' }
# Office alerts, one record at a time
Get-WinEvent -FilterHashtable @{ LogName='OAlerts' } | Format-List TimeCreated, Message
```
Filter by level (1 = Critical, 2 = Error, 3 = Warning, 4 = Information):
```powershell
# Critical
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=1 }
# Error
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=2 }
# Warning
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=3 }
# Information
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=4 }
```
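The record-count listing and the level filters above combine into a quick triage sweep. This is an added example, not code from the original page; it assumes an elevated PowerShell session on the host being examined, and the output path is a placeholder.

```powershell
# Added example (not from the original page): sweep every log that has records and pull its
# Critical (1) and Error (2) events from the last N hours into one CSV, then rank logs by count.
# Assumptions: elevated PowerShell on the host being examined; the output path is a placeholder.
function Get-CriticalErrorTriage {
    param(
        [int]$Hours = 24,
        [string]$OutFile = "$env:TEMP\evt-triage.csv"
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Skip empty logs up front; -ListLog * also lists logs the caller cannot read, so suppress those errors
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }

    $rows = foreach ($log in $logs) {
        # Level accepts an array of levels; StartTime pushes the time bound into the query itself
        $filter = @{ LogName = $log.LogName; Level = 1, 2; StartTime = $since }
        # Get-WinEvent raises "No events were found" when nothing matches; treat that as empty
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                          @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }

    if (-not $rows) { Write-Warning "No Critical/Error events in the last $Hours hours"; return }
    $rows | Sort-Object TimeCreated | Export-Csv -NoTypeInformation -Path $OutFile

    # Summary by log, noisiest first, so the reviewer knows where to start in the CSV
    $rows | Group-Object LogName | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-CriticalErrorTriage -Hours 48
```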
Event logs live under %SystemRoot%\System32\winevt\Logs. Export individual logs with wevtutil (replace [Location] with your collection path):
```cmd
wevtutil epl System [Location]\System.evtx
wevtutil epl Security [Location]\Security.evtx
wevtutil epl Application [Location]\Application.evtx
wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx
```
Or copy a log that is in use through a Volume Shadow Copy with esentutl:
```cmd
esentutl.exe /y /vss C:\Windows\System32\winevt\Logs\Security.evtx /d [Location]\Security.evtx
```
Copy all event logs:
```cmd
XCOPY C:\Windows\System32\winevt\Logs [Location] /i
XCOPY C:\WINDOWS\system32\LogFiles\ [Location] /i
```
Note: More information can be found here. Special thanks to Brimor Labs.
```cmd
KStrike.py SYSTEMNAME\Current.mdb > Current_mdb.txt
```
The .mdb files are found at:
- %SystemRoot%\System32\LogFiles\SUM
More information is available on the CrowdStrike blog (Patrick Bennett).
Quickly scan event logs with DeepBlueCLI:
```powershell
.\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-List
```
Event tracing is how a provider (an application that contains event tracing instrumentation) writes events into the Windows Event Log for a consumer. This is how event logs are generated, and it is also a way they can be tampered with. More information on this architecture can be found below.
A great post by Matt Graeber goes into some depth on how this works and some common ways of interacting with ETW Traces.
List the running trace sessions, inspect one of them, and enumerate the registered providers (the Publishers key holds the same provider registrations; -pid shows the providers a given process has registered):
```cmd
logman query -ets
logman query "EventLog-System" -ets
logman query providers
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
logman query providers -pid {PID}
```
Special thanks to Spotless for his crash course
To build a custom trace session, list the providers, then inspect the one you want and note the keyword values you want to capture:
```cmd
logman query providers
logman query providers Microsoft-Windows-WinHttp
```
Create the session and verify it:
```cmd
logman create trace <TRACENAMEHERE> -ets
logman query <TRACENAMEHERE> -ets
```
Note: the mask is the bitwise OR of the keyword values you want. For example, if one keyword is 0x1 and another is 0x16 and you want both, use 0x17. Attach the provider with that mask (either form of the update command works), then stop the session when done:
```cmd
logman update <TRACENAMEHERE> -p Microsoft-Windows-WinHttp 0x100000000 -ets
logman update trace <TRACENAMEHERE> -p Microsoft-Windows-WinHttp 0x100000000 -ets
logman stop <TRACENAMEHERE> -ets
```
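The session steps above (pick keywords, combine them into a mask, create, attach, verify, stop) wrapped into reusable functions. This is an added example, not code from the original page or from the referenced crash course; it assumes an elevated PowerShell session, and the trace name, output path and keyword values are placeholders.

```powershell
# Added example (not from the original page): build the keyword mask for an ETW provider from the
# keyword values reported by "logman query providers <name>", then create, attach and verify a
# trace session with logman. Assumptions: elevated PowerShell; TraceName and OutFile are placeholders.
function Get-EtwKeywordMask {
    param([Parameter(Mandatory)] [string[]]$Keywords)   # e.g. '0x1', '0x16'
    [uint64]$mask = 0
    foreach ($k in $Keywords) {
        # Accept 0x-prefixed or bare hex and OR each value into the mask (0x1 | 0x16 = 0x17)
        $mask = $mask -bor [Convert]::ToUInt64(($k -replace '^0x', ''), 16)
    }
    return ('0x{0:X}' -f $mask)
}

function Start-EtwKeywordTrace {
    param(
        [Parameter(Mandatory)] [string]$TraceName,
        [Parameter(Mandatory)] [string]$Provider,
        [Parameter(Mandatory)] [string[]]$Keywords,
        [string]$OutFile = "$env:TEMP\$TraceName.etl"
    )
    $mask = Get-EtwKeywordMask -Keywords $Keywords
    # Create the session, attach the provider with the combined mask, then show the resulting config
    logman create trace $TraceName -o $OutFile -ets | Out-Null
    logman update trace $TraceName -p $Provider $mask -ets | Out-Null
    logman query $TraceName -ets
    return $mask
}

function Stop-EtwKeywordTrace {
    param([Parameter(Mandatory)] [string]$TraceName)
    # Stopping flushes the buffers to the .etl file, which tracerpt can then parse
    logman stop $TraceName -ets
}

# Constructed keyword values for illustration; take the real ones from "logman query providers <name>"
Start-EtwKeywordTrace -TraceName 'WinHttpTrace' -Provider 'Microsoft-Windows-WinHttp' -Keywords '0x1', '0x16'
# ... reproduce the activity of interest, then:
Stop-EtwKeywordTrace -TraceName 'WinHttpTrace'
```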
Check where each log is stored, how large it may grow and how it is retained, confirm the Event Log service is running, and list the autologger sessions that start at boot:
```cmd
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v File
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v MaxSize
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v Retention
sc.exe query eventlog
```
```powershell
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ -recurse
```
```cmd
reg query HKLM\SYSTEM\CurrentControlSet\control\WMI\AutoLogger\ /s /v enable*
```
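The three registry queries above, read together per log so that undersized or oddly retained logs stand out, plus the service check. This is an added example, not code from the original page; the 20 MB threshold is an arbitrary starting point, not a recommended value.

```powershell
# Added example (not from the original page): read each log's File, MaxSize and Retention from the
# EventLog service keys, flag undersized logs, and report whether the EventLog service is running.
# Assumption: the 20 MB threshold is an arbitrary starting point; tune it to your own baseline.
function Get-EventLogConfigAudit {
    param([int]$MinSizeMB = 20)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    foreach ($key in Get-ChildItem -Path $base) {
        $p = Get-ItemProperty -Path $key.PSPath
        $sizeMB = if ($null -ne $p.MaxSize) { [math]::Round($p.MaxSize / 1MB, 1) } else { $null }
        # Retention: 0 = overwrite as needed; REG_DWORD 0xFFFFFFFF (reads back as -1) = never overwrite;
        # any other value is the number of seconds an event is kept before it may be overwritten
        $retention = if ($null -eq $p.Retention) { '(unset)' }
                     elseif ($p.Retention -eq 0) { 'overwrite as needed' }
                     elseif ($p.Retention -eq -1) { 'never overwrite' }
                     else { "$($p.Retention) s" }
        [pscustomobject]@{
            Log       = $key.PSChildName
            File      = $p.File
            MaxSizeMB = $sizeMB
            Retention = $retention
            Finding   = if ($null -ne $sizeMB -and $sizeMB -lt $MinSizeMB) { "MaxSize below $MinSizeMB MB" } else { '' }
        }
    }
}

# Service status alongside the per-log settings
$svc = Get-Service -Name EventLog
"EventLog service: $($svc.Status)"
Get-EventLogConfigAudit | Sort-Object MaxSizeMB | Format-Table -AutoSize
```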
An easy way to explore Windows event logs is to dump them into a normalized CSV with EvtxECmd:
```cmd
EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\ --csvf AllEvtx.csv
```
From there, open the CSV in Timeline Explorer to review the relevant fields and group by Maps. Building a timeline from the events can also be done with Plaso (log2timeline).
Common IIS logs can often be found in the locations below:
- %SystemDrive%\inetpub\logs\LogFiles
- %SystemRoot%\System32\LogFiles\W3SVC1
- %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
- Note: replace the trailing 1 in W3SVC1 with the site ID of the IIS website you want
- %SystemDrive%\Windows\System32\LogFiles\HTTPERR
Common Apache logs can often be found in the below locations:
- /var/log
- /var/log/httpd/access.log
- /var/log/apache/access.log
- /var/log/apache2/access.log
- /var/log/httpd-access.log
Other logs can be found in the locations below, often in Event Trace Log (ETL) format:
- C:\Windows\System32\LogFiles
- C:\Windows\Panther
ETL files can be parsed with tracerpt, which ships with Windows. Some examples:
```cmd
tracerpt C:\Windows\System32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
REM -lr is less restrictive parsing for files that do not fully conform to the trace format
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
REM -rt reads from a running real-time session instead of a file
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
```
Software-specific logs are often stored in readable formats at any of the following locations:
- %AppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Roaming\[softwarename]\)
- %LocalAppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Local\[softwarename]\)
- %programfiles%\[softwarename] (e.g. C:\Program Files\[softwarename]\)
- %programfiles(x86)%\[softwarename] (e.g. C:\Program Files (x86)\[softwarename]\)
You may also find useful memory crash dumps at:
- C:\Users\[username]\AppData\Local\CrashDumps
- C:\Users\[username]\AppData\Local\Microsoft\Windows\WER\