Windows Events log for IR/Forensics ,Part 2
In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events
Get-WinEvent
“The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).”[ii]
And here is some examples
Get-winevent -logname System |
This command would show everything that in the System events which might be very large and it will show many things that might be not important to our case.
The best way to filter events in get-winevent cmdlet is filterhashtable parameter, Suppose that you are interested only to see the events that’s related to a new service createion (event id 7045 )
Get-WinEvent -FilterHashtable @{logname='system' ; id=7045} | format-list |
And output would be similar to this
TimeCreated : 9/16/2016 12:57:58 AM ProviderName : Service Control Manager Id : 7045 Message : A service was installed in the system.
Service Name: Meterpreter Service File Name: "C:\Windows\TEMP\hXdIEXeEbqqzDy\metsvc.exe" service Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
TimeCreated : 9/16/2016 12:56:46 AM ProviderName : Service Control Manager Id : 7045 Message : A service was installed in the system.
Service Name: vvgQjBPVHmgKnFfH Service File Name: %SYSTEMROOT%\AmEAdtHt.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
TimeCreated : 9/16/2016 12:54:14 AM ProviderName : Service Control Manager Id : 7045 Message : A service was installed in the system.
Service Name: jJZzbNmqBqTeqzsU Service File Name: %SYSTEMROOT%\bFZwMEQv.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
TimeCreated : 9/16/2016 12:39:34 AM ProviderName : Service Control Manager Id : 7045 Message : A service was installed in the system.
Service Name: zNvHlQahvTqmPpVS Service File Name: %SYSTEMROOT%\cEYBVJNP.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
TimeCreated : 9/15/2016 9:09:40 PM ProviderName : Service Control Manager Id : 7045 Message : A service was installed in the system.
Service Name: vJcYxfCDYUgOZiVb Service File Name: %SYSTEMROOT%\TifTyNVa.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
|
As you can see from the sample the are many services with suspicious name has been installed in the system.
Again we can check our events to see who was logged around that time
Get-WinEvent -FilterHashtable @{logname='security' ; id=4624;starttime=’ 9/15/2016 9:00:00 PM ‘;endtime=’ 9/15/2016 9:09:40 PM’} | |
And here is the output
TimeCreated : 9/15/2016 9:09:39 PM ProviderName : Microsoft-Windows-Security-Auditing Id : 4624 Message : An account was successfully logged on.
Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3
New Logon: Security ID: S-1-5-21-574956201-2274518538-2668157362-1004 Account Name: test Account Domain: WIN-CAR8AFQU4IJ Logon ID: 0x112fd1 Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information: Process ID: 0x0 Process Name: -
Network Information: Workstation Name: BH5vQpSXNj4EBCBk Source Network Address: 10.10.75.1 Source Port: 55165
Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 0 |
From the above output we find out that , there was a user name “test” was logged on at : 9/15/2016 9:09:39 PM via network (Logon Type : 3) and from the IP address 10.10.75.1 .
Now let’s find out when the user “test” was created:
Get-WinEvent -FilterHashtable @{logname='Security' ; ID=4720} | where {$_.message -match "test"} | fl |
And here is the output
TimeCreated : 8/12/2016 10:06:33 PM ProviderName : Microsoft-Windows-Security-Auditing Id : 4720 Message : A user account was created.
Subject: Security ID: S-1-5-21-574956201-2274518538-2668157362-1000 Account Name: Victim Account Domain: WIN-CAR8AFQU4IJ Logon ID: 0x275eb2
New Account: Security ID: S-1-5-21-574956201-2274518538-2668157362-1004 Account Name: test Account Domain: WIN-CAR8AFQU4IJ
Attributes: SAM Account Name: test Display Name: User Principal Name: - Home Directory: Home Drive: Script Path: Profile Path: User Workstations: Password Last Set: Account Expires: Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: SID History: - Logon Hours: All
Additional Information: Privileges - |
Now lets see if there is any other logon attemps via network ,for this task I would use get-eventlog
Get-EventLog -LogName security | where {$_.eventid -eq 4624} | where {$_.replacementstrings[8] -eq 3} | select timegenerated ,@{Name='AccountName';Expression={$_.replacementstrings[5]}},@{Name='IP Address';Expression={$_.replacementstrings[-2]}} | export-csv c:\users\user\type3logon.csv |
Get-eventlog store the logon type in a array called replacementstrings , its stored at location [8] the logon type , user name at location 5 and the IP Address in location [-2]
Now lets see what other logon types we have and how many attempts for each
Get-EventLog -LogName security | where {$_.EventID -eq 4624} | Group-Object {$_.Replacementstrings[8]} | select name,count |
Name Count --------- --------- 7 2 5 210 2 29 |
[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
Comments