Parsing Windows Event Logs in PowerShell
Recently, while chasing a piece of malware, I wanted to review the local Security log of a third-party server to which I didn't have direct access. The administrator was willing to provide "a limited export" for my offline analysis.
Newer Windows versions nicely enough provide more than one option to accomplish this.
1. You can use the graphical Event Viewer GUI and "Save As" to export the log in EVTX, XML, TXT or CSV format.
2. You can use wevtutil.exe at the command line to accomplish pretty much the same, but in a scriptable fashion. Wevtutil.exe can export the entire log. It also supports an XPath filter that lets you query and export only certain log lines and attributes. Unfortunately, the syntax of these filters
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]]"
is a mess, and not easy to stomach for someone more used to the pristine beauty of egrep and regexp's :).
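For comparison, here is the same query expressed with Get-WinEvent, which takes either a hashtable filter or the very same XPath string. This is an added example, not part of the original diary; the output file name and the 10,000-event cap are assumptions, and the Security log needs an elevated prompt.

```powershell
# Added example (not from the original diary): the wevtutil XPath filter above,
# expressed two ways with Get-WinEvent. Run on the machine that holds the log,
# from an elevated prompt (the Security log is not readable otherwise).

# 1) Hashtable filter: nothing to get wrong in XPath, and the event log
#    service does the filtering before the events reach PowerShell.
$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    ID           = 4624
}
$logons = Get-WinEvent -FilterHashtable $filter -MaxEvents 10000

# 2) The identical XPath the wevtutil command uses, for when a filter
#    already exists and only needs to be reused.
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]]"
$check = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10000

# Both queries return the same events; the counts only differ if new logons
# were written between the two calls.
"{0} events via hashtable, {1} via XPath" -f $logons.Count, $check.Count

# Export for offline analysis. Clixml preserves properties (Id, TimeCreated,
# Message) but not methods, so ToXml() is evaluated here, on the source host,
# and stored as a plain string alongside the parsed fields.
$logons |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message,
                  @{ Name = 'RawXml'; Expression = { $_.ToXml() } } |
    Export-Clixml -Path .\seclog-4624.xml    # assumed output file name
```

The hashtable form also accepts StartTime and EndTime keys, which is usually the first thing to add when the administrator only wants to hand over a time window rather than the whole log.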
3. A third option is to make use of PowerShell and the "Get-WinEvent" or "Get-EventLog" cmdlets
get-eventlog -logname security -newest 10000 | Export-clixml seclog.xml
is a pretty quick way to get the latest 10'000 records out of the Security log. This is the option I chose, because I (somewhat naively) figured that this would be the fastest way to get a quick look. Not surprisingly, the Export-Clixml command left me with an XML file, which is again not easy to stomach for someone more used to the pristine beauty of egrep and syslog :). But PowerShell isn't bad, either. On the analysis workstation, you can stuff the entire log into a variable, thusly:
PS C:\TEMP> $seclog = Import-Clixml seclog.xml
and then use the power of PowerShell to get a rapid tally:
PS C:\TEMP> $seclog | group eventid -noelement | sort count
Count Name
----- ----
1 4662
1 5058
1 5061
1 4904
2 4648
2 5140
5 4611
6 6144
6 4735
12 4985
17 4634
19 4672
20 4674
20 4624
128 4663
175 4673
KB947226 helps translate the Event IDs into readable descriptions. Once we know which events are of interest, we can extract them:
PS C:\TEMP> $seclog | ? { $_.eventid -match '5140' } | fl *
[...]
Message : A network share object was accessed.
Subject:
Security ID: S-1-5-21-394181-2045529214-8259512215-1280
Account Name: TRA29C
Account Domain: AMER
Logon ID: 0x311a28b
Network Information:
Object Type: File
Source Address: 10.11.192.16
Source Port: 6539
Share Information:
Share Name: \\*\C$
Share Path: \??\C:\
[...]
All the PowerShell formatting, querying and pattern-matching functions can now be used to cut and dice the information to find the haystalk in the cow pie.
If you have any clever PowerShell Jiu-Jitsu up your sleeve to deal with unwieldy event logs, please let us know, or share in the comments below.
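To show what that cutting and dicing looks like end to end, here is an added example (not the diary's own code) that works on the seclog.xml export described above: it repeats the tally with readable descriptions, then turns the free-text Message of each 5140 event into a structured object so the share-access fields can be grouped and exported like any other data. The event descriptions are the standard ones from KB947226 for the IDs that appeared in the tally; the message layout ("Label: value" lines) is the one shown in the output above, and the CSV file name is an assumption.

```powershell
# Added example (not from the original diary): offline triage of the Clixml
# export on the analysis workstation. Assumes seclog.xml was produced with
# Get-EventLog -LogName Security ... | Export-Clixml, as described above.
$seclog = Import-Clixml -Path .\seclog.xml

# Readable names for the IDs seen in the tally (KB947226 has the full list).
# Unknown IDs simply get an empty Description.
$eventNames = @{
    4624 = 'An account was successfully logged on'
    4634 = 'An account was logged off'
    4648 = 'A logon was attempted using explicit credentials'
    4663 = 'An attempt was made to access an object'
    4672 = 'Special privileges assigned to new logon'
    4673 = 'A privileged service was called'
    4674 = 'An operation was attempted on a privileged object'
    5140 = 'A network share object was accessed'
}

# The tally from the diary, with a description column added.
$seclog |
    Group-Object -Property EventID -NoElement |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name,
                  @{ Name = 'Description'; Expression = { $eventNames[[int]$_.Name] } } |
    Format-Table -AutoSize

# Deserialized objects keep their properties but lose methods, so the fields
# are pulled out of the Message text. Each field is a "Label: value" line;
# (?m) makes ^ and $ match per line. Only the first occurrence is returned,
# which is what you want for 5140 (one Subject block per event).
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.+?)\s*$"
    if ($Message -match $pattern) { $Matches[1] }
}

# Convert one 5140 event into a flat object with the fields that matter for
# share-access triage (who, from where, which share).
function ConvertFrom-ShareAccessMessage {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        [pscustomobject]@{
            Time          = $Event.TimeGenerated
            AccountName   = Get-MessageField $Event.Message 'Account Name'
            AccountDomain = Get-MessageField $Event.Message 'Account Domain'
            LogonId       = Get-MessageField $Event.Message 'Logon ID'
            SourceAddress = Get-MessageField $Event.Message 'Source Address'
            SourcePort    = Get-MessageField $Event.Message 'Source Port'
            ShareName     = Get-MessageField $Event.Message 'Share Name'
            SharePath     = Get-MessageField $Event.Message 'Share Path'
        }
    }
}

$shares = $seclog |
    Where-Object { $_.EventID -eq 5140 } |
    ConvertFrom-ShareAccessMessage

# Which hosts touched which shares, most frequent first. Administrative shares
# such as C$ reached from an unexpected source address are the rows to look at.
$shares |
    Group-Object -Property SourceAddress, ShareName -NoElement |
    Sort-Object -Property Count -Descending |
    Format-Table -AutoSize

# Hand the flattened data to whatever tool comes next (assumed file name).
$shares | Export-Csv -Path .\share-access.csv -NoTypeInformation
```

Once the fields are real properties, the usual Where-Object and Group-Object idioms replace the regex gymnastics, and the same Get-MessageField helper works for other event types as long as the label names are adjusted. Get-EventLog entries also carry a ReplacementStrings array with the raw event data in positional order, which avoids text parsing altogether if you know the field order for the event in question.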