Windows Event Logs

Get available Logs

PowerShell logs

    Get-WinEvent -LogName "Windows PowerShell"

Event logs available

    Get-EventLog -List
    Get-WinEvent -ListLog * | Select-Object RecordCount, LogName
    Get-WinEvent -ListLog *Operational | Select-Object RecordCount, LogName
    wmic nteventlog list brief

Event Logs per Application Source

    Get-EventLog Application | Select-Object -Unique Source
    Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Outlook' }
    Get-WinEvent -FilterHashtable @{ LogName='OAlerts' } | Format-List TimeCreated, Message

Event Logs per Severity Level

Level values: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.

Critical logs
    Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=1 }
Error logs
    Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=2 }
Warning logs
    Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=3 }
Information logs
    Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=4 }
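The provider and severity filters above combined into one reusable function, as an added example that is not part of the original page. It builds the FilterHashtable only from the parameters actually supplied (Get-WinEvent rejects empty keys) and treats the "No events were found" error as an empty result rather than a failure; the function name, the 24-hour default window and the Outlook usage line are assumptions for illustration.

```powershell
# Added example: query one log by severity and/or provider within a time window.
# Level numbers follow the Windows convention: 1 Critical, 2 Error, 3 Warning, 4 Information.
function Get-FilteredEvents {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Application',
        [ValidateSet('Critical', 'Error', 'Warning', 'Information')]
        [string]$Severity,
        [string]$ProviderName,
        [datetime]$StartTime = (Get-Date).AddDays(-1),   # assumed default: last 24 hours
        [int]$MaxEvents = 200
    )
    $levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4 }

    # Only add keys that were supplied; Get-WinEvent errors on empty values.
    $filter = @{ LogName = $LogName; StartTime = $StartTime }
    if ($Severity)     { $filter['Level']        = $levelMap[$Severity] }
    if ($ProviderName) { $filter['ProviderName'] = $ProviderName }

    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
                          @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
    catch {
        # Get-WinEvent raises an error, not an empty result, when nothing matches.
        if ($_.Exception.Message -like '*No events were found*') {
            Write-Verbose "No matching events in '$LogName' since $StartTime"
            return
        }
        throw
    }
}

# Usage (assumed): errors from Outlook in the Application log over the last day
Get-FilteredEvents -LogName Application -Severity Error -ProviderName Outlook |
    Format-Table -AutoSize
```

The first line of each message is kept so the table stays readable; drop the calculated property to see the full text.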

Event Logs for offline analysis

Event logs are stored under %SystemRoot%\System32\winevt\Logs. Export individual logs with wevtutil:
    wevtutil epl System [Location]\System.evtx
    wevtutil epl Security [Location]\Security.evtx
    wevtutil epl Application [Location]\Application.evtx
    wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx
Or copy the live (locked) file from a Volume Shadow Copy with esentutl:
    esentutl.exe /y /vss C:\Windows\System32\winevt\Logs\Security.evtx /d [Location]\Security.evtx
Copy all event logs:
    XCOPY C:\Windows\System32\winevt\Logs [Location] /i
    XCOPY C:\WINDOWS\system32\LogFiles\ [Location] /i
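The wevtutil export above wrapped in a script that also records a SHA-256 for each file and then reads one export offline, as an added example that is not part of the original page. The evidence folder, the function name and the list of channels are assumptions; run it elevated, since the Security log cannot be exported otherwise.

```powershell
# Added example: export the main channels, hash each .evtx, and read one back offline.
function Export-EventLogs {
    param(
        [string]$Destination = 'D:\Evidence\Logs',            # assumed evidence folder
        [string[]]$LogNames = @('System', 'Security', 'Application', 'Windows PowerShell',
                                'Microsoft-Windows-PowerShell/Operational')
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($log in $LogNames) {
        # Channel names can contain '/' and spaces; build a safe file name from them.
        $file = Join-Path $Destination (($log -replace '[\\/ ]', '_') + '.evtx')
        & wevtutil.exe epl $log $file
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wevtutil failed for '$log' (exit code $LASTEXITCODE)"
            continue
        }
        # Hash immediately so later copies can be checked against the original export.
        $hash = Get-FileHash -Path $file -Algorithm SHA256
        [pscustomobject]@{
            Log    = $log
            File   = $file
            Bytes  = (Get-Item $file).Length
            SHA256 = $hash.Hash
        }
    }
}

$evidence = 'D:\Evidence\Logs'                                 # assumed
$manifest = Export-EventLogs -Destination $evidence
$manifest | Export-Csv -Path (Join-Path $evidence 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize

# Exported files can be read on any analysis host without the Event Log service:
Get-WinEvent -Path (Join-Path $evidence 'Security.evtx') -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

Keep manifest.csv with the exports; comparing hashes at analysis time shows whether a copy was altered in transit.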
Note: More information can be found in the KStrike documentation from Brimor Labs, whose parser reads the User Access Logging (UAL) database. Special thanks to Brimor Labs.
    KStrike.py SYSTEMNAME\Current.mdb > Current_mdb.txt
The .mdb files are found at:
    %SystemRoot%\System32\LogFiles\SUM
More information available on the CrowdStrike Blog - Patrick Bennett

Quickly scan event logs with DeepBlueCLI

    .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-List

Event Tracing for Windows (ETW)

Event tracing is how a Provider (an application that contains event tracing instrumentation) creates items within the Windows Event Log for a consumer. This is how event logs are generated, and is also a way they can be tampered with. More information on this architecture can be found below.
A great post by Matt Graeber goes into some depth on how this works and some common ways of interacting with ETW Traces.

List Running Trace Sessions

    logman query -ets

List Providers That a Trace Session is Subscribed to

    logman query "EventLog-System" -ets

List all ETW Providers

    logman query providers
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\

View the providers a process is sending events to

    logman query providers -pid {PID}

Setup Custom Log Tracing

Special thanks to Spotless for his crash course.

Query Providers Available and their keyword values

    logman query providers
    logman query providers Microsoft-Windows-WinHttp
Note: record the keyword values you want to capture; they are combined into the mask in the update step.

Initiate Tracing Session

    logman create trace <TRACENAMEHERE> -ets
    logman query <TRACENAMEHERE> -ets

Update trace with wanted providers

Note: the mask is the bitwise OR of the keyword values wanted. For example, if one keyword was 0x1 and another 0x16 and you wanted both, you'd use 0x17.
    logman update <TRACENAMEHERE> -p Microsoft-Windows-WinHttp 0x100000000 -ets

Remove the provider and stop the session

    logman update trace <TRACENAMEHERE> --p Microsoft-Windows-WinHttp 0x100000000 -ets
    logman stop <TRACENAMEHERE> -ets
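The whole tracing procedure (query, create, update, stop, convert) as one PowerShell script, added here as an example that is not part of the original page or Spotless's crash course. The session name, output path and the keyword values 0x1 and 0x16 are assumptions for illustration; the mask helper shows the bitwise OR described in the note above.

```powershell
# Added example: a complete logman tracing session around one provider.
$TraceName = 'DFIR-WinHttp'                  # assumed session name
$Provider  = 'Microsoft-Windows-WinHttp'
$OutFile   = 'C:\Temp\winhttp.etl'           # assumed output path

# Combine keyword values with a bitwise OR (0x1 and 0x16 give 0x17, as in the note above).
function Get-KeywordMask {
    param([int64[]]$Keywords)
    $mask = [int64]0
    foreach ($k in $Keywords) { $mask = $mask -bor $k }
    return ('0x{0:X}' -f $mask)
}
$mask = Get-KeywordMask -Keywords 0x1, 0x16   # assumed keyword bits; check 'logman query providers <name>'

# 0. Confirm the provider exists and see its keywords before tracing
logman query providers $Provider

# 1. Create and start the session (-o sets the .etl file, -ets applies it immediately)
logman create trace $TraceName -o $OutFile -ets

# 2. Attach the provider with the combined keyword mask
logman update trace $TraceName -p $Provider $mask -ets

# 3. Confirm the provider is attached to the session
logman query $TraceName -ets

# ... reproduce the activity you want captured, or simply wait ...
Start-Sleep -Seconds 30

# 4. Detach the provider (--p) and stop the session; stopping flushes the .etl to disk
logman update trace $TraceName --p $Provider $mask -ets
logman stop $TraceName -ets

# 5. Convert the trace for review with tracerpt
tracerpt $OutFile -o "$OutFile.xml" -of XML
```

Running this from an elevated prompt is required; logman cannot create kernel-side trace sessions otherwise.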

Event Log/Tracing Tampering Detection

    reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v File
    reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v MaxSize
    reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v Retention
    sc.exe query eventlog
    Get-ChildItem REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ -Recurse
    reg query HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\ /s /v Enable*
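The checks above combined into one script that reports findings instead of raw registry output, as an added example that is not part of the original page. It covers the Event Log service state, redirected log files and small MaxSize values under Services\EventLog, the three EventLog-* autologger sessions and their providers, whether those sessions are actually running, and the "log cleared" records (event 1102 in Security, event 104 from Microsoft-Windows-Eventlog in System). The function name and the 1 MB size threshold are assumptions; run it elevated so the Security log and its registry key are readable.

```powershell
# Added example: gather event log / ETW tampering indicators into a list of findings.
function Test-EventLogTampering {
    [CmdletBinding()]
    param([int]$MinLogBytes = 1MB)   # assumed threshold: a smaller MaxSize is worth a look
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The Event Log service itself
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running') { $findings.Add("EventLog service is $($svc.Status)") }

    # 2. Per-log settings (File, MaxSize, Retention) under Services\EventLog
    $defaultDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $name = $key.PSChildName
        if ($p.File) {
            $file = [Environment]::ExpandEnvironmentVariables([string]$p.File)
            if (-not $file.StartsWith($defaultDir, [StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("Log '$name' is redirected to $file")
            }
        }
        if ($null -ne $p.MaxSize -and $p.MaxSize -lt $MinLogBytes) {
            $findings.Add("Log '$name' MaxSize is only $($p.MaxSize) bytes")
        }
        # 0xFFFFFFFF (read back as -1) = never overwrite: new events are dropped once the log is full
        if ($p.Retention -eq -1 -or $p.Retention -eq 0xFFFFFFFF) {
            $findings.Add("Log '$name' Retention is 'do not overwrite'")
        }
    }

    # 3. Autologger sessions that feed the event logs: Start=0 stops them at boot,
    #    Enabled=0 on a provider subkey silences that provider
    $auto = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
    $sessions = 'EventLog-Application', 'EventLog-Security', 'EventLog-System'
    foreach ($s in $sessions) {
        $sessionKey = Join-Path $auto $s
        if (-not (Test-Path $sessionKey)) { $findings.Add("Autologger '$s' is missing"); continue }
        if ((Get-ItemProperty -Path $sessionKey).Start -eq 0) { $findings.Add("Autologger '$s' has Start=0") }
        foreach ($prov in Get-ChildItem $sessionKey -ErrorAction SilentlyContinue) {
            $enabled = (Get-ItemProperty -Path $prov.PSPath).Enabled
            if ($null -ne $enabled -and $enabled -eq 0) {
                $findings.Add("Provider $($prov.PSChildName) is disabled in '$s'")
            }
        }
    }

    # 4. The same sessions must be running right now, not just configured
    $running = (& logman.exe query -ets) -join "`n"
    foreach ($s in $sessions) {
        if ($running -notmatch [regex]::Escape($s)) { $findings.Add("Trace session '$s' is not running") }
    }

    # 5. Explicit log-clear records
    $cleared = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 20 -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -MaxEvents 20 -ErrorAction SilentlyContinue
    )
    foreach ($e in $cleared) {
        $findings.Add("$($e.LogName) log cleared at $($e.TimeCreated) (event $($e.Id))")
    }
    return $findings
}

$result = @(Test-EventLogTampering)
if ($result.Count -eq 0) { 'No event log tampering indicators found' } else { $result }
```

A clear event only proves the log was emptied, not what was removed; pair it with the exported copies and the registry checks above when building a timeline.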

Timeline Windows Event Logs

An easy way to explore Windows event logs is to dump them into a normalized CSV format using EvtxECmd (EvtxExplorer):
    EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\ --csvf AllEvtx.csv
From here you can analyse the CSV in Timeline Explorer to view the relevant information and group by Maps.

Super timeline a host

This can be done using Plaso (Log2Timeline).
Common IIS logs can often be found in the below locations:
  • %SystemDrive%\inetpub\logs\LogFiles
  • %SystemRoot%\System32\LogFiles\W3SVC1
  • %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
    • Note: replace 1 with the number for your IIS website ID
  • %SystemDrive%\Windows\System32\LogFiles\HTTPERR
Common Apache logs can often be found in the below locations:
  • /var/log
  • /var/log/httpd/access.log
  • /var/log/apache/access.log
  • /var/log/apache2/access.log
  • /var/log/httpd-access.log
Other logs can be found in the below, often using the Event Trace Log (ETL) format:
  • C:\Windows\System32\LogFiles
  • C:\Windows\Panther
ETL files can be parsed with tracerpt, which is included in Windows. Some examples:
    tracerpt C:\Windows\System32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
    tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
    tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
    tracerpt logfile1.etl logfile2.etl -o -report
    tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
    tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
Software-specific logs are often stored in readable formats in any of the following locations:
    %AppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Roaming\[softwarename]\)
    %LocalAppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Local\[softwarename]\)
    %ProgramFiles%\[softwarename] (e.g. C:\Program Files\[softwarename]\)
    %ProgramFiles(x86)%\[softwarename] (e.g. C:\Program Files (x86)\[softwarename]\)
You may also find useful memory crash dumps in the following locations:
    C:\Users\[username]\AppData\Local\CrashDumps
    C:\Users\[username]\AppData\Local\Microsoft\Windows\WER\