πŸ”
πŸ”
πŸ”
πŸ”
s0cm0nkey's Security Reference Guide
Search…
All of the Best Links and Resources on Cyber Security.
Cyber Intelligence
Red - Offensive Operations
Red - Web App Hacking
Blue - Defensive Operations
Blue - DFIR: Digital Forensics and Incident Response
Interact with remote machine
Windows System Enumeration
Windows Process Information
Windows DFIR Checks
Windows DFIR Check by MITRE Tactic
Windows Event Logs
Windows Remediation Commands
IR Event Log Cheatsheet
Linux DFIR Commands
MacOS DFIR Commands
YARA
Memory Forensics
Sandboxing
File/Binary Analysis
Malware
Reverse Engineering
Yellow - NetEng/SysAdmin
Yellow - Code and CLI
Grey - Privacy/TOR/OPSEC
Training and Resources
Powered By GitBook
Windows Event Logs

Get available Logs

Powershell logs

1
Get-WinEvent -LogName "Windows Powershell"
Copied!

Event logs available

1
Get-EventLog -list
2
Get-WinEvent -Listlog * | Select RecordCount,LogName
3
Get-WinEvent -Listlog *operational | Select RecordCount,LogName
4
wmic nteventlog list brief
Copied!

Event Logs per Application Source

1
Get-EventLog Application | Select -Unique Source
2
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Outlook'}
3
Get-WinEvent -FilterHashtable @{ LogName='OAlerts';} | FL TimeCreated, Message
Copied!

Event Logs per Severity Source

Critical Logs
1
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='1';}
Copied!
Error Logs
1
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='2';}
Copied!
Warning Logs
1
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='3';}
Copied!
Information Logs
1
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='4';}
Copied!

Event Logs for offline analysis

Event logs can be found: %SystemRoot%\System32\winevt\Logs
1
wevtutil epl System [Location]\System.evtx
2
wevtutil epl Security [Location]\Security.evtx
3
wevtutil epl Application [Location]\Application.evtx
4
wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx
Copied!
OR:
1
esentutl.exe /y /vss C:\Windows\System32\winevt\Logs\Security.evtx /d [Location]\Security.evtx
Copied!
Copy all event logs:
1
XCOPY C:\Windows\System32\winevt\Logs [Location] /i
2
XCOPY C:\WINDOWS\system32\LogFiles\ [Location] /i
Copied!
Note: More information can be found here. Special thanks to Brimor Labs.
1
KStrike.py SYSTEMNAME\Current.mdb > Current_mdb.txt
Copied!
mdb Files are found at the below:
1
%SystemRoot%\Windows\System32\Logfiles\SUM
Copied!
More information available on the CrowdStrike Blog - Patrick Bennett​

Quickly scan event logs with DeepblueCLI​

1
.\DeepBlue.ps1 .\evtx\psattack-security.evtx | FL
Copied!

Event Tracing for Windows (ETW).

Event tracing is how a Provider (an application that contains event tracing instrumentation) creates items within the Windows Event Log for a consumer. This is how event logs are generated, and is also a way they can be tampered with. More information on this architecture can be found below.
A great post by Matt Graeber goes into some depth on how this works and some common ways of interacting with ETW Traces.

List Running Trace Sessions

1
logman query -ets
Copied!

List Providers That a Trace Session is Subscribed to

1
logman query "EventLog-System" -ets
Copied!

List all ETW Providers

1
logman query providers
2
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\
Copied!

View providers process is sending events to

1
logman query providers -pid {PID}
Copied!

Setup Custom Log Tracing

Special thanks to Spotless for his crash course​

Query Providers Available and their keyword values

1
logman query providers
2
logman query providers Microsoft-Windows-WinHttp
Copied!
Note: Take note of wanted values.

Initiate Tracing Session

1
logman create trace <TRACENAMEHERE> -ets
2
logman query <TRACENAMEHERE> -ets
Copied!

Update trace with wanted providers

Note: the mask is the combined values wanted. For example if a keyword was 0x1 and another 0x16 and you wanted both you’d use 0x17.
1
logman update <TRACENAMEHERE> -p Microsoft-Windows-WinHttp 0x100000000 -ets
Copied!

Delete Subscription and Providers

1
logman update trace <TRACENAMEHERE> --p Microsoft-Windows-WinHttp 0x100000000 -ets
2
logman stop <TRACENAMEHERE> -ets
Copied!

Event Log/Tracing Tampering Detection

1
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v File
2
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v MaxSize
3
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v Retention
4
sc.exe query eventlog
5
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ -recurse
6
reg query HKLM\SYSTEM\CurrentControlSet\control\WMI\AutoLogger\ /s /v enable*
Copied!

Timeline Windows Event Logs.

An easy way to explore Windows event logs is to dump them into a normalized csv format using EvtxExplorer.
​EvtxExplorer:​
1
EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\ --csvf AllEvtx.csv
Copied!
From here you can analyse the CSV using Timeline explorer to view relevant information and group by MAPs.
​TimelineExplorer:​

Super Timeline a host:

This can be done using Plaso (Log2Timeline)​
Common IIS logs can often be found in the below locations:
  • %SystemDrive%\inetpub\logs\LogFiles
  • %SystemRoot%\System32\LogFiles\W3SVC1
  • %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
    • Note: replace 1 with the number for your IIS website ID
  • %SystemDrive%\Windows\System32\LogFiles\HTTPERR
Common Apache logs can often be found in the below locations:
  • /var/log
  • /var/log/httpd/access.log
  • /var/log/apache/access.log
  • /var/log/apache2/access.log
  • /var/log/httpd-access.log
Other logs can be found in the below, often using the Event Trace Log (ETL) format:
  • C:\Windows\System32\LogFiles
  • C:\Windows\Panther
ETL format can be parsed using tracerpt which is included in Windows, some examples below.
1
tracerpt C:\Windows\System32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
2
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
3
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
4
tracerpt logfile1.etl logfile2.etl -o -report
5
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
6
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
Copied!
Software specific logs are often stored in readable formats at any of the following locations.
1
%AppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Roaming\[softwarename]\)
2
%LocalAppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Local\[softwarename]\)
3
%programfiles%\[softwarename] (e.g. C:\Program Files\[softwarename]\)
4
%programfiles(x86)%\[softwarename] (e.g. C:\Program Files (x86)\[softwarename]\)
Copied!
You may also find useful memory crashdumps at the below:
1
C:\Users\[username]\AppData\Local\CrashDumps
2
C:\Users\[username]\AppData\Local\Microsoft\Windows\WER\
Copied!
Previous
Windows DFIR Check by MITRE Tactic
Next
Windows Remediation Commands
Last modified 1mo ago
Copy link
Contents
Get available Logs
Powershell logs
Event logs available
Event Logs per Application Source
Event Logs per Severity Source
Event Logs for offline analysis
User Access Logging (UAL) KStrike Parser
Quickly scan event logs with DeepblueCLI
Event Tracing for Windows (ETW).
List Running Trace Sessions
List Providers That a Trace Session is Subscribed to
List all ETW Providers
View providers process is sending events to
Setup Custom Log Tracing
Query Providers Available and their keyword values
Initiate Tracing Session
Update trace with wanted providers
Delete Subscription and Providers
Timeline Windows Event Logs.
Super Timeline a host: