killchain-compendium/Enumeration/Windows/Event Log.md

100 lines
3.3 KiB
Markdown
Raw Normal View History

2022-11-13 01:16:26 +01:00
# Logging
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
## Loglevel
|ID|Event Type|Description|
|--|----------|-----------|
|0|Error|An event that indicates a significant problem.|
|1|Warning|An event that is not necessarily significant.|
|2|Information|An event describing the successful operation of an application.|
|3|Success Audit|An event that records an audited security access attempt that is successful.|
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
## Logrotation
```sh
C:\Windows\System32\winevt\Logs
```
* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties.
## Tools
* Event Viewer (GUI-based application)
* Wevtutil.exe (command-line tool)
* Get-WinEvent (PowerShell cmdlet)
### wevtutil.exe
```sh
wevtutil.exe /?
```
* Count logs
```sh
wevtutil.exe le | measure
```
* Read three most recent Application logs
```sh
wevtutil qe Application /c:3 /rd:true /f:text
```
### Get-WinEvent
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
* List all the logs
```sh
Get-WinEvent -ListLog *
```
* Find string
```sh
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
```
* Further filtering
```sh
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
```
```sh
Get-WinEvent -ListProvider *Policy*
```
```sh
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
```
* Filter by hashtable values
```sh
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
```
```sh
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
```
* Including __XPATH__
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
```
```sh
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
```
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
```
* Find login by username
```sh
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
```
### Command Line Logging
* Enable PS Logging
```sh
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
```
* CLI Process Auditing -- ID 4688
```
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
```