## Logging

- Windows Logging CheatSheet
- NSA -- Spotting Adversary with Windows Event Monitoring
- Events to Monitor
- Windows 10 Monitoring Reference
## Loglevel

| ID | Event Type | Description |
|---|---|---|
| 0 | Error | An event that indicates a significant problem. |
| 1 | Warning | An event that is not necessarily significant. |
| 2 | Information | An event describing the successful operation of an application. |
| 3 | Success Audit | An event that records an audited security access attempt that succeeded. |
| 4 | Failure Audit | An event that records an audited security access attempt that failed. |
## Logrotation

Log files are stored under `C:\Windows\System32\winevt\Logs`.

- As an example, the path of a log can be found in Event Viewer under Microsoft > Windows > PowerShell > Operational, then right-click > Properties. Logs can also be cleared from the Properties dialog.
## Tools

- Event Viewer (GUI-based application)
- Wevtutil.exe (command-line tool)
- Get-WinEvent (PowerShell cmdlet)
### wevtutil.exe

```powershell
wevtutil.exe /?
```

- Count logs

```powershell
wevtutil.exe le | measure
```

- Read the three most recent Application events

```powershell
wevtutil qe Application /c:3 /rd:true /f:text
```
### Get-WinEvent

- Online help
- List all the logs

```powershell
Get-WinEvent -ListLog *
```

- Find string

```powershell
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
```

- Further filtering

```powershell
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
Get-WinEvent -ListProvider *Policy*
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
```

- Filter by hashtable values

```powershell
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
```

- Including XPath

```powershell
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
```

- Find login by username

```powershell
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
```
## Command Line Logging

- Enable PS Logging: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
- CLI Process Auditing -- ID 4688: Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
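The hashtable and XPath queries above match on one `Data[@Name=...]` field at a time, and the `Select-String` on `Message` is a loose text match. As an added example (not part of the original cheatsheet), the helper below flattens the `EventData`/`UserData` section of any record into named properties, then uses it to review 4688 process-creation events and 1102 log-cleared events from the Security log; it assumes an elevated session and the audit policy from the section above.

```powershell
# Added example, not from the original cheatsheet.
# Turns one event record into an object whose properties are the <Data Name="..."> fields
# (EventData) or the child elements of <UserData> (used by 1102), plus TimeCreated/Id/Log.
function ConvertTo-EventDataMap {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Log = $Event.LogName }
        if ($xml.Event.EventData) {
            foreach ($d in $xml.Event.EventData.Data) {
                $name = $d.GetAttribute('Name')          # empty for classic events without named fields
                if ($name) { $data[$name] = $d.InnerText }
            }
        }
        if ($xml.Event.UserData) {
            # UserData wraps a single provider-specific element (e.g. <LogFileCleared>)
            foreach ($n in $xml.Event.UserData.FirstChild.ChildNodes) {
                $data[$n.LocalName] = $n.InnerText
            }
        }
        [pscustomobject]$data
    }
}

$since = (Get-Date).AddHours(-24)

# 4688 process creation in the last 24h. CommandLine stays empty unless
# "Include command line in process creation events" is enabled next to Audit Process Creation.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertTo-EventDataMap |
    Select-Object TimeCreated, SubjectUserName, NewProcessName, ParentProcessName, CommandLine |
    Format-Table -AutoSize

# 1102 is written when the Security log is cleared; SubjectUserName records who cleared it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertTo-EventDataMap |
    Select-Object TimeCreated, SubjectDomainName, SubjectUserName |
    Format-Table -AutoSize
```

`-ErrorAction SilentlyContinue` suppresses the "No events were found" error Get-WinEvent raises when a filter matches nothing, so an empty result simply prints nothing.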